Written by James Thomas on Tuesday December 29, 2020
2020 has been a year that most of us would gladly forget. Nevertheless, as we look towards 2021, it is worth considering the lessons learned over the last 12 months, assessing the evolving landscape, and (where possible) drawing on any positives that have come to light. This article considers some of the main features of fraud in 2020 and highlights potential trends for the coming year.
Financial criminals immediately seized on the climate of disruption, fear and uncertainty that characterised the onset of the coronavirus pandemic.
The early stages of the crisis created considerable opportunities for product misrepresentation and overbilling. “The conditions were ripe for vendor fraud,” explains James Wood-Rickett, Global Lead, AML, ICA. “International border restrictions and the associated disruption to global supply chains coincided with a need for organisations and governments to rapidly source PPE, meaning that the usual due diligence checks for new vendor relationships may have been overlooked.”
Naturally, the level of such activities varied across different sectors and supply chains. As Anastasia Savvateeva, Senior Compliance Officer, Pictet Group, explains: “In private banking, invoice and supply chain fraud has been somewhat absent, focusing on the client side. Although there may have been internal employee fraud involving fake invoices or possible collusion with third parties, such as suppliers and vendors, such cases are rare, unless the bank has really poor procurement management. However, for companies that work in the industrial sectors, such as aeronautics, construction or international trade, invoice and supply chain fraud most certainly increased.”
Fraudsters were also quick to exploit opportunities created by the rapid rollout of government relief measures. But while some early prosecutions have been reported in relation to furlough fraud, for example, only time will reveal the full extent to which COVID-related support schemes have been abused.
The UK’s Bounce Back Loan Scheme (BBLS) demonstrates the challenge facing financial institutions in balancing the need for rapid delivery of financial support against requirements for due diligence. Formally launched on 4 May 2020, the BBLS is delivered by the British Business Bank and offers term loans of between £2,000 and £50,000 (or up to a maximum of 25% of a company’s annual turnover). To ensure rapid delivery of funds, lenders relaxed their usual standards of due diligence. As Wood-Rickett explains: “Some loans have gone through in less than 24 hours, from application to payment in account, because financial institutions do not want to be seen as preventing businesses from succeeding during lockdown.”
As the immediate shock of the early phase of the crisis subsided, it became clear that some element of working from home (WFH) would be retained over the medium to long term for many organisations. WFH has intensified the challenge of fraud prevention and detection, notably in relation to insider threats and cyber threats.
As Andrey Shapoval, Deputy AML Officer, Finance in Motion, suggests: “The COVID crisis has exacerbated fraud risks and showcased the existing weaknesses in internal controls. This was mainly driven by higher detection risk in the context of remote work, as well as the increased burden on organisations’ IT systems and the lack of direct oversight of employees. Overall, the risk-based approach to fraud prevention and detection has been extremely challenged by the crisis.”
According to PwC, “the current environment is ripe for a spike in insider fraud”, while their Global Economic Crime and Fraud Survey 2020 found that “business partners remain a risk and fraud committed by management is trending upward.” Under these circumstances, many have implemented additional measures, as Savvateeva explains: “WFH has seen an intensification in transaction monitoring, including employees’ personal transactions (for possible market abuse).”
The conditions created by lockdown are readily superimposed on the traditional ‘fraud triangle’, as Shirin Rahman, Financial Crime Officer at Optimum Credit Ltd, points out. “The impact on mental wellbeing, the feelings of detachment from work due to furlough, and anxieties due to job security could tip an employee to become an insider threat,” she adds.
The crisis has therefore focused attention on psychological aspects of fraud and fraud prevention, with the suggestion that employee vigilance against threats may be diminished when away from the office environment. As Tim Tyler, Head of Qualifications, ICA, explains: “It may be that when individuals are working in an office, they feel certain constraints on what they can and can’t do, but when they are working from home, some of those constraints are not present and so there may be an increased propensity for fraud.”
Practitioners have highlighted the importance of establishing clear lines of communication with colleagues, and the value of regular face time (including purely social catch-ups via Zoom, Teams etc.) in maintaining team spirit, mental wellbeing and risk awareness. Many have gone further. “We set up an anonymous phone line to offer psychological support,” recalls Adam Rommel, Ethics & Compliance Manager, UGI International. “We also increased communications on ethics and compliance-related topics. If there were cases of fraud in other companies that were made public, we made sure to communicate these for a targeted audience within the business in the form of a newsletter, to keep people aware and for them to be alert. Looking ahead, we will definitely continue having more communication, and are currently working on our first ethics and compliance dedicated newsletter, and on completely renewing our helpline posters, bringing them in line with our new code of conduct. We want people to feel that they can speak up and also reach out to us with questions. ‘Culture’ is the key word of this year: building a culture of support and trust.”
Without doubt, the move to homeworking has multiplied external threats to IT security. “Preserving the confidentiality and privacy of client data and ensuring that IT systems are strong enough to rebuke any potential attack is both a huge responsibility and a major challenge,” suggests Savvateeva. “This is especially true with WFH, where employees may have to use their domestic internet. Considering this threat, IT departments have become key players and almost the most important people in every company.”
When targeting their attacks, criminals have “tweaked existing forms of cybercrime to fit the pandemic narrative”. According to Europol’s 2020 IOCTA Report, social engineering was a “priority threat” as cybercriminals capitalised upon pandemic-induced fears, insecurities and vulnerabilities. Phishing attacks, in particular, have grown in number and sophistication, with the report noting that:
“cybercriminals are now employing a more holistic strategy by demonstrating a high level of competency when exploiting tools, systems and vulnerabilities, assuming false identities and working in close cooperation with other cybercriminals.”
Further, there has been a heightened incidence of spear phishing, indicating “increased understanding of internal business relationships and processes”.
The growth in phishing in 2020 builds on a pre-existing trend. In the UK, the Information Commissioner’s Office (ICO) reported that phishing was the number one type of data breach between April 2019 and March 2020, accounting for 28% of cyber-related data breaches.
From a US perspective, the picture is similar. The F5 Labs 2020 Phishing and Fraud Report suggests that “2020 is on target to see a 15% increase in phishing incidents compared with last year” and that “phishing incidents rose by a staggering 220% compared to the yearly average during the height of global pandemic fears” as “fraudsters were quick to seize upon the confusion and we saw large spikes in phishing activities that closely coincide with various lockdown rules and the increase in homeworking.”
With phishing emails and websites becoming more convincing and campaigns more rapid, the need to improve employee awareness of these threats has increased accordingly. As the IOCTA 2020 report suggests: “The majority of social engineering and phishing attacks are successful due to inadequate security measures or insufficient awareness of users”.
For Rommel, training and communication have been fundamental to improving cyber risk awareness. “We experienced phishing attempts, but our IT and cyber security team did a great job of communicating the risks,” he explains. “For example, they sent test emails, which looked like phishing attempts, and any individuals who failed the test had to do additional training on security and phishing risks and other cyber attack risks.”
“There has been a conscious review to update policies in my organisation, especially those focusing on elevated threats and attacks,” concurs Rahman. “Training plans have been developed that challenge employee awareness so they react to signs of improper behaviour, with a lot of emphasis on decision-making exercises to develop self-evaluation skills.”
WFH has resulted in wider practical challenges as well. Investigations, for example, have taken on a new complexion. “We’ve had investigations that we suddenly had to manage remotely,” Rommel recalls. “Whereas in the past we could visit the location, retrieve all the relevant documentation and have an onsite in-person interview with the concerned individuals, we now had to request all the documentation remotely. Interviews, in particular, were challenging, because when you are with someone in a room you can definitely read their body language better.”
Client data confidentiality concerns prevented some compliance teams from working remotely. As Savvateeva explains: “I have not been working from home during the pandemic. Instead, from March to May, my team worked on the premises in shifts (one part of the team worked from 6 am to 1 pm and the other part of the team worked from 2.30 pm to 8.30 pm). This was a huge challenge, in terms of adaptation, not only to the schedule but also to the fact that I didn’t see the other half of the team, including my manager who was on WFH, and all this while I was a new joiner with my current employer. Integration was somewhat strange and was seriously affected by the pandemic.”
However, amidst these difficult circumstances, practitioners have taken opportunities, where available, for personal and professional development. For Savvateeva, her new working arrangements created some free time that enabled her to focus on training. “I’ve chosen to enhance my AFC/compliance skills and have undertaken some related projects such as speaking in webinars, writing articles, giving lectures and mentoring my students,” she reveals.
“As a mum to two young children, working from home has given me the liberty to be more organised,” explains Rahman. “With the constant rush of an office life gone, there is certainly more time to devote for my fraud learning and overall career development. Also, the ease of e-meetings and virtual platforms have certainly boosted my network strength which is a great contributor for any career development.”
Indeed, and paradoxically given the restrictions it has placed on physical movement and contact, lockdown has potentially strengthened networking efforts. “I have always believed, even before the crisis, in helping each other in a network of professionals in the same field, and have always tried to be active in different compliance and ethics-related groups, and to attend industry events,” suggests Rommel. “But to be honest, the fact that we could attend conferences online and from home made it easier to do so, and I have probably attended more events this year than I would have if I had to be physically present.”
Many of the changes necessitated by the pandemic look set to remain with us and the associated fraud risks will evolve as we enter 2021. Notably, as lockdown has forced us to live more and more of our lives online, it is worth remembering that the same conditions have applied to criminals. Indeed, we might expect, for example, an increase in the use of virtual currencies in criminal activities given the difficulty of accessing physical networks and the cash economy. Further, as Tyler suggests: “Use of the Darknet is growing and growing all the time and almost certainly the use and abuse of the Darknet will have increased during the pandemic because people are at home more, they are online more and it’s more difficult to physically meet people and exchange.”
WFH is likely to remain a feature of life, and UK Finance therefore expects social engineering to continue as a key driver of fraud:
“criminals will continue to adapt and exploit the impact of coronavirus as we move onto the next stage in this crisis. This could include more social engineering scams exploiting people’s financial insecurities by offering payments related to the pandemic, purchase scams offering bogus products at discounted prices on auction websites and social media posts aimed at recruiting money mules who are looking to make quick and easy money.”
For compliance practitioners, therefore, cybercrime will remain a key risk area as individuals spend increasing amounts of time online, whether for shopping, banking, or socialising.
“2021 will see a continuing growth in cybercrime, and better security is an issue that organisations will need to address as it is now a question of customer retention and loyalty,” suggests Rahman. “As the concept of ‘work from anywhere’ becomes the new norm in 2021, unsupervised conditions will cause a surge in occupational fraud. Organisations’ security efforts will need to operate at peak performance to combat this rise in data breaches. Digital platforms will need to make their channels more secure as virtual consultations and online interactions between brand and consumers will be well established in 2021. The definite emphasis in 2021 should be towards fraud prevention, i.e. detecting fraud before it is even committed by organisations having a Crisis Management Plan in place and tools which are central to anti-fraud programmes, such as advanced analytics.”
Savvateeva also suggests that cyber fraud will “break new ground” with attacks potentially becoming more frequent, more aggressive, or changing their targets.
The implications of these evolving fraud risks may be far-reaching, impacting recovery efforts across the economy. “My biggest concern is that the post-COVID economic recovery measures implemented by governments worldwide will be targeted by fraudsters in 2021, which will diminish the effect of such measures,” says Shapoval.
“This is especially relevant for the developing world, where corruption and financial abuse risk remain elevated, while economies are suffering significant losses due to the pandemic. This concern, however, comes alongside the hope that fraud risk management systems will keep being enhanced in terms of prevention, detection and mitigation. Hopefully we as compliance professionals can take advantage of technology in this regard. It is impossible to eliminate fraud completely, but it is possible to reduce the scale of fraud to a socially acceptable level in current circumstances. That would be my hope for 2021.”