Grant Thornton, Fraud Magazine
Featured Article

Preparing for a post-pandemic fraud landscape

The COVID-19 pandemic has created a host of public health crises — and unearthed more opportunities for fraud. Scammers and fraudsters are waiting in the wings to capitalize on lax controls and vulnerable public assistance programs. Here the authors cover ways to enrich and strengthen your organization’s fraud risk management program to reduce threats from bad actors and to help spot the red flags of criminal activity.

Russian mobsters, Chinese hackers and Nigerian scammers have found a common victim: pandemic aid organizations. In June, the FBI obtained a warrant to hunt through the Google accounts of Abedemi Rufai, a Nigerian state government official. According to an affidavit, they found “ingredients” for a massive cyberfraud scheme targeting U.S. government benefits, which included stolen bank, credit card and tax information, as well as emails showing dozens of false unemployment claims in seven states. Rufai was arrested in May at John F. Kennedy International Airport in New York as he prepared to fly first class back to Nigeria. His case offers a small window into how foreign criminals have fleeced the country’s COVID relief packages. (See “‘Easy money’: How international scam artists pulled off an epic theft of Covid benefits,” by Ken Dilanian, Kit Ramgopal and Chloe Atkins, NBC News, Aug. 15, 2021.)

According to the NBC News article, foreign entities have used stolen identities to plunder tens of billions of dollars in COVID relief benefits, spiriting the money overseas in a massive transfer of wealth from U.S. taxpayers. Jobless programs have been among the ripest targets for cybertheft. It’s still unclear how much of the federal government’s more than $900 billion in pandemic-related unemployment relief fraudsters have robbed. The Pandemic Response Accountability Committee (PRAC), one of several independent bodies created in the U.S. to oversee the emergency spending bills, estimates about $87 billion in pandemic-related unemployment payments will be fraudulent or improper by the time the program expires this year. But that’s the lower end of the $87 billion to $400 billion range that the NBC News article cites, with at least half of that amount going to foreign criminals. (See “Lessons Learned in Oversight of Pandemic Relief Funds,” PRAC, Aug. 31, 2021.)

Cases like Rufai’s highlight how the COVID-19 pandemic has produced both health-related and fraud-related threats. Organizations have had to modify work procedures to accommodate remote work and introduce contactless payments and new forms of customer, vendor and contractor interactions. This new activity has increased fraud risks by broadening the attack surface and hampering traditional anti-fraud controls. Older technology systems — which are often difficult, costly and time-consuming to modify — can limit government agencies struggling to address pandemic-related risks.

At the same time, the urgency of transferring aid money to the general populace has opened opportunities for fraudsters. The pandemic stimulus program modified the eligibility criteria to make benefits more accessible to an American public suffering from the economic fallout brought on by the pandemic. But tight timelines established by relief legislation forced some states to dramatically curtail or entirely circumvent traditional controls to distribute pandemic assistance funds as quickly as possible. The combination of fewer guardrails and more cash simply made benefit programs soft targets for organized crime rings and would-be fraud actors.

The focus on the lucrative and easier-to-target pandemic stimulus programs might explain why fraudsters have been less active in some of their traditional stomping grounds. Some banks and financial services companies, for instance, have reported a decrease in fraud attempts over the last several months. However, fraud actors are likely to start stealing again from more traditional targets once the robbing of funds from the Payroll Protection Program, unemployment assistance and other stimulus programs runs its course. And they’re expected to bring a legion of newly minted fraudsters who’ve learned their trade on the easy-to-scam relief packages that Congress has recently approved.

Respondents to the ACFE and Grant Thornton benchmarking survey report on fraud post-COVID only confirm such concerns. The report shows that 71% of respondent organizations believe that fraud will increase over the next year. (See The Next Normal: Preparing for a Post-Pandemic Fraud Landscape.)

Whenever there’s a major shift in a business or operations, it’s advisable to reevaluate your organization’s fraud risk management (FRM) program. While it’s important to respond to tactical needs in real time, it’s also useful to take a step back and strategically plan for the future of your FRM program. The COVID-19 pandemic has created an onslaught of new fraud activity during a time of significant operational change, so now’s the time to revisit your organization’s strategy and determine the changes you need to make.

Strategic planning for an FRM program

Organizations can minimize the current impact of fraud and prepare for a post-pandemic fraud landscape by implementing strategic planning for their FRM programs. Treat your FRM program like any other aspect of your organization’s strategy — take the time to define the mission, vision and goals for the program with an actionable roadmap for how to get there. This type of strategy and underlying roadmap acts as the main driver that supports overarching business decisions related to the FRM program, like prioritizing process changes and improvements or technology investments.

Strategic planning for your FRM program will help you:

  • Strengthen the control ecosystem to address anticipated upticks in fraud activity.
  • Be more proactive in your anti-fraud posture.
  • Benchmark your FRM program to peer organizations and industry-recognized best practices to highlight key opportunities for improvement.
  • Focus limited resources in areas of highest priority and impact, leveraging your strategy as the basis for decision-making.

Know where you are and where you want to be

Recognize the current state of your FRM program and then identify your long-term goals when deciding whether to enhance what you already have or to begin building a new anti-fraud strategy from scratch. Allocate an appropriate set of resources to your FRM program, tailored to your organization’s unique needs and aligned with its fraud risk tolerance. The process of evaluating your FRM program and organizational goals will allow you to develop a roadmap for the future and focus improvements on the most critical areas that need to be addressed to achieve your goals. Doing this ensures that you’re investing in the right level of FRM for your organization’s unique threat landscape.

Luckily, when you’re benchmarking your FRM program, you don’t always need to create a framework from scratch. You can use existing industry frameworks to provide a starting place and tailor the program for your organization. If you do need to build a program from scratch, the existing industry frameworks are valuable references in helping you design a new FRM program from the ground up.

Start by considering peer practices and fraud risk drivers. A fraud risk driver is something that influences your overall inherent fraud risk. For example, a change in circumstances — like employees moving to remote work — might inadvertently open new threat vectors that influence your fraud risk. Changes in the regulatory or legal environment might deter or incentivize fraud actors. Even implementing stronger fraud controls can influence fraud risk drivers. For example, when the banking industry rolled out more secure chip-enabled credit cards, the sector dramatically decreased the fraud risk associated with counterfeit cards. But fraud actors quickly changed tactics, and financial institutions experienced a major uptick in identity crime and application fraud.

Your controls today might fit your current goals, but fast-paced changes in technology, regulation, the political landscape and business processes could quickly make those guardrails obsolete. During the evaluation consider the following: Where do we stand today and where do we expect to stand a year or two from now based on how our peers and industry practices may evolve? How do we expect the fraud risk drivers to change and influence our inherent fraud risk?

The Enterprise Anti-Fraud Maturity Assessment Model below shows an approach that you can use to benchmark your program across each of the five FRM principles included in the ACFE and Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Fraud Risk Management Guide. (See ACFE.com/fraudrisktools.)

Figure 1: Grant Thornton's Enterprise Anti-Fraud Maturity Assessment Model

Assess your program, both overall and across each principle, to see where it sits along the scale set out by the Anti-Fraud Maturity Assessment Model. To measure your program, look at each principle — fraud risk governance, fraud risk assessment, fraud control activities, fraud investigation and corrective action, and fraud-monitoring activities — and assess where your organization stands today in levels one to five. Some of your principles might be in the ad hoc stage while others could be more advanced in the managed stage. Either way, it’s key to assess where your organization stands with each principle and whether changes are required to achieve your goals.

Not every organization needs to achieve level five leadership in every area — it’s more important to focus on finding the right level of sophistication to match your fraud-risk tolerance and organizational culture. Focus on making incremental progress toward your goals and track your progress as you adjust your FRM program.

What to include in your anti-fraud strategy

Like most aspects of FRM, anti-fraud strategy is an art, not a science. Tailor it to your organization’s unique needs based on your current assessment because it might take on multiple forms. Your organization might have a broad anti-fraud strategy but include targeted strategic planning efforts for certain fraud threats, like fraud-related initiatives within a bank’s digital authentication roadmap. Either way, you’ll want to ensure your strategy answers the following key questions.

Anti-Fraud Strategy Chart

As you consider your current and emerging fraud threats, also examine the facets of your business that are driving these risks so you can better target mitigating actions at the source. For example, if you want to reduce your reliance on manual controls that are prone to error, implementing automated alerts for key red flags could be a vital mitigating action. This would help avoid the risks of human error when trying to detect red flags.

It's time to be productive

As you begin to either enhance your anti-fraud strategy or build one from scratch, here are key takeaways for effective strategic planning for FRM programs:

  • Revisit your governance structure with a focus on establishing clearly defined roles and responsibilities across the program.
  • Outline the key questions — who, what, when, where and why — in your overarching FRM program strategy.
  • Communicate the strategy to employees and key stakeholders by outlining their roles in the FRM program and in the successful strategy implementation.
  • Define how the FRM program links to other risk management activities and how you’ll communicate outcomes from your FRM program strategically with those groups.
  • Continue to improve and refine your FRM program strategy by leveraging the results of FRM activities, including outputs from fraud risk assessments, fraud-awareness trainings, etc.
  • Remember to consider fraud risk drivers, not just fraud threats.
  • Evaluate how your business has had to change or adapt to address the shifts in your fraud risk landscape because of the pandemic — and how it might evolve over the coming year — and incorporate these considerations into your strategy.
  • Line up the right partners to support your anti-fraud strategy, such as business-line or front-line leadership, other risk-function teams and external partners who might have specialized expertise not otherwise available in-house.

Given the looming threat of increasing fraud risk and a cadre of fraud actors recently emboldened by their successful theft of stimulus funds, now’s the time to update your fraud risk management strategy to properly protect your organization. Use the Anti-Fraud Playbook as a resource to help your organization combat fraud. It contains references to the assessment model and other guidance and templates for enhancing your fraud-risk management program across all five principles of the COSO fraud-risk management guidance. Doing so can give your business, your employees and your stakeholders the security they need.

Linda Miller is a principal and leader of the fraud and financial crimes practice at Grant Thornton, LLP. Contact her at Linda.Miller@us.gt.com.

James Ruotolo, CFE, is a senior manager in the fraud and financial crimes practice at Grant Thornton, LLP. Contact him at James.Ruotolo@us.gt.com.
