Internal Fraud Surging During COVID-19

With employee ranks thinning due to economic cutbacks stemming from COVID-19, fraud is on the rise. Here’s what to look out for

Companies are scrambling to adjust and protect their businesses during the COVID-19 crisis. Even the largest enterprises that have not had previous work from home practices have had to shutter their buildings and station their thousands of employees at home. If unprepared and unprotected to operate with large distributed teams, they have had to function on trust alone to keep their business systems and assets secure from what has become a growing epidemic itself: insider fraud and data theft.

Today, with a global workforce of approximately 3 billion, we have millions and millions of people in non-essential businesses working remotely from the same number of locations around the world. That’s a lot of risk under the protection of mere trust.

Based on historical data of spikes in fraud, the Association of Certified Fraud Examiners (ACFE) issued its own warning on the increase of fraud during the COVID-19 tragedy and the ensuing economic downturn and recession, calling the current situation the perfect storm.

What Experts Are Saying

Bruce Dorris, president and CEO of the ACFE, stated, “During the recession, we can expect not only more fraud to occur but also more existing fraud to be discovered.” He further warned that this is not a time for companies to let down their guard when it comes to audit, compliance and internal controls. Instead, they should be bolstering those efforts. This is especially true with more remote employees, but also because the motivation to commit fraud rises significantly in periods of economic uncertainty.

An article in The National Law Review backs up the ACFE’s warning, pointing to the 2008 recession as a case in point.

China, first hit with COVID-19, has already experienced major cases of fraud. In the most recent incident, a routine internal audit revealed that one employee conspired with external vendors to wrongly inflate sales by forging contracts and other documentation. Another company in China had a case of fraud involving $300 million this month.

Types of Fraud to Expect

As companies operate on less stable ground and some industries have already suffered more than others, more fraud cases can be expected. It’s speculated that some companies, under the pressure of investors, may be more tempted at this time to manipulate financial and performance data. That type of fraud happens more at the hands of executives and managers, and according to Dorris, is more apt to be financial statement fraud, which also happens to be the costliest.

However, as other employees from all ranks live in a time of financial insecurity or face furloughs and loss of income, theft impulses can rise. One of the major targets is enterprise resource planning (ERP) systems, which employees across the organization access. Incidents of invoice, payroll and accounting fraud; misappropriation of assets; and data theft will increase.

Vendor fraud can also surge during tumultuous economic tumbles. In short, anyone with access to a company’s systems is suspect.

Another Contributing Factor

Relaxed controls during periods of economic confusion and adapting to new ways of work can only exacerbate risk, and if there is a loss of valuable employees who monitor access risks—particularly with manual processes—the door is wide open for more fraud to occur. This results in Dorris’ perfect storm: the escalation of lax controls at the same time motives rise to commit fraudulent acts. Combine this with global remote workers and the storm turns into a catastrophic tsunami.

Prevention Advice

To reiterate, companies should not cut corners or resources when it comes to internal controls, audit and compliance. Rather, they should be especially vigilant now, view compliance and security teams as critical, and not rely on error-prone manual controls. Monitoring of system access and having clear visibility into risks have never been more important.

We are in unprecedented times and must go beyond the bare minimum management of insider threats. When revenues may be adversely affected by COVID-19, no company can afford to subtract the losses and devastating costs of fraud from an already dwindling bottom line.

Avatar photo

Jody Paterson

Jody Paterson is a trusted advisor and security thought leader who is a Certified Information Security Specialist (CISSP), a Certified Information Security Auditor (CISA), a KPMG veteran, and CEO of ERP Maestro — provider of simple, complete, and accurate cybersecurity controls for access risks.

jody-paterson has 3 posts and counting.See all posts by jody-paterson

Cloud Workload Resilience PulseMeter

Step 1 of 8

How do you define cloud resiliency for cloud workloads? (Select 3)(Required)