Much has been said about the risks to organizations in this current environment. Our intention is to offer some real-world examples and provide tactical and actionable guidance to help prevent damage from being inflicted on businesses and their people.
As we have previously reported, COVID-19 has caused a mass shift in the way organizations are operating. We’ve seen numbers reported that more than 90% of the workforce is now operating remotely. This shift has changed our means of communication, significantly increasing the use of mobile and personal devices for regular business tasks. A confluence of circumstances – including communication interruptions, employee availability, and a growing sense of urgency – is creating a target-rich environment for threat actors. We are seeing firsthand the potential effects of these risks on organizations. We anticipate an increase in both the frequency and severity of financial losses as a result of fraud and cyber events.
The controls designed to protect an organization from a financial loss, likely robust and well tested, were almost certainly put in place during more stable times and contemplated a very different operating model. There is a good chance these controls might not be as effective in the current climate. Organizations should therefore revisit these controls to help ensure they are not only designed appropriately but are also operating effectively in this new era of COVID-19.
Questions management should be asking themselves:
- How well can we expect our controls to function with most of our people working remotely?
- Can we afford to trust controls that were designed to function during a normal business environment?
- How well do our controls function given the uncertainty and urgency in the marketplace?
- Are the controls adequately designed to prevent fraud should our vendor’s systems become compromised?
- What tactical steps can we take now to help protect the organization from future financial losses as a result of cyber events?
There are myriad options that can help better protect an organization, many of which often require a significant investment of time, energy and resources. However, at a time when businesses may be struggling to function at below optimal levels, we understand the need for quick and cost-effective solutions.
Business Email Compromise (“BEC”) is by far the costliest form of cybercrime, accounting for $1.7 billion of the total $3.5 billion in losses in 2019, according to the FBI’s 2019 Internet Crime Report. We expect this trend to continue and almost certainly expect to see an increase during this COVID-19 era.
Therefore, organizations should place special emphasis on efforts to help prevent BECs and the resulting wire fraud attempts. The implementation of temporary wire transfer protocols is one of the preventative measures an organization can put into place.
We recommend considering a combination of the following temporary wire transfer protocols, and that organizations test the effectiveness of these new controls once in place:
- Implement double or triple authorization for all transactions above a certain dollar amount.
- Implement controls to increase scrutiny for all “urgent” payment requests.
- Implement controls to increase scrutiny for all first-time vendor payment requests.
- Verify that the wire transfer destination bank account is the same account previously used. Temporarily block any transactions following an account change.
- Verify the identity of those requesting payment by making a separate outgoing call to the contact at the organization via a verified phone number.
- Implement controls to verify any update requests from vendors, including contact details, payment methods, timing of payments, account details, etc.
- Provide training to relevant employees on the temporary wire transfer protocols and potential fraud schemes they should expect to see.
These controls can and should be tailored to an organization’s size, complexity and business processes.
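The protocols above are easiest to test when they are written down as explicit rules that every payment request is screened against. The following is an added example, not code from the original advisory or its authors: a small screening function that applies the listed controls (dual/triple authorization above dollar thresholds, extra scrutiny for “urgent” and first-time vendor requests, a temporary block after a destination account change, and a callback verification requirement) to constructed wire requests. The threshold values, the `WireRequest`/`VendorRecord` fields and the `screen_wire` function name are assumptions chosen for illustration; a real implementation would read these from the organization’s own payment system and policy.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy thresholds (illustrative; set per the organization's own policy).
DUAL_AUTH_THRESHOLD = 10_000.0     # at or above this amount: two approvers
TRIPLE_AUTH_THRESHOLD = 100_000.0  # at or above this amount: three approvers


@dataclass
class WireRequest:
    """A single outgoing wire request as captured from the payments workflow (constructed shape)."""
    vendor_id: str
    amount: float
    dest_account: str
    flagged_urgent: bool        # requester marked the payment as urgent
    callback_verified: bool     # identity confirmed by a separate outgoing call to a verified number
    approvals: int              # number of distinct approvers who have signed off


@dataclass
class VendorRecord:
    """What the master vendor file knows about the payee (constructed shape)."""
    last_paid_account: Optional[str]   # None means this is a first-time vendor payment
    account_changed_recently: bool     # bank details were updated since the last payment


@dataclass
class Decision:
    release: bool
    required_approvals: int
    reasons: List[str] = field(default_factory=list)


def screen_wire(req: WireRequest, vendor: VendorRecord) -> Decision:
    """Apply the temporary wire transfer protocols and decide whether the wire may be released."""
    reasons: List[str] = []
    required = 1

    # Double or triple authorization above the dollar thresholds.
    if req.amount >= TRIPLE_AUTH_THRESHOLD:
        required = 3
        reasons.append("amount at/above triple-authorization threshold")
    elif req.amount >= DUAL_AUTH_THRESHOLD:
        required = 2
        reasons.append("amount at/above dual-authorization threshold")

    # Increased scrutiny for first-time vendor and "urgent" requests: at least two approvers.
    first_time = vendor.last_paid_account is None
    if first_time:
        required = max(required, 2)
        reasons.append("first-time vendor payment: extra scrutiny")
    if req.flagged_urgent:
        required = max(required, 2)
        reasons.append("'urgent' request: extra scrutiny")

    blocked = False
    # Temporarily block any transaction following an account change, and any wire whose
    # destination differs from the account previously used for this vendor.
    if vendor.account_changed_recently:
        blocked = True
        reasons.append("bank account recently changed: transaction temporarily blocked")
    elif not first_time and req.dest_account != vendor.last_paid_account:
        blocked = True
        reasons.append("destination differs from account previously used: blocked")

    # Identity of the requester must be confirmed by an outgoing call for any
    # first-time, urgent, or threshold-exceeding payment.
    needs_callback = first_time or req.flagged_urgent or req.amount >= DUAL_AUTH_THRESHOLD
    if needs_callback and not req.callback_verified:
        blocked = True
        reasons.append("requester identity not confirmed by outgoing call: blocked")

    release = (not blocked) and req.approvals >= required
    if not blocked and req.approvals < required:
        reasons.append(f"{req.approvals} of {required} required approvals present")
    return Decision(release=release, required_approvals=required, reasons=reasons)


if __name__ == "__main__":
    # Constructed sample: a routine payment and a suspicious one after an account change.
    known = VendorRecord(last_paid_account="ACC-001", account_changed_recently=False)
    routine = WireRequest("V1", 2_500.0, "ACC-001", False, False, 1)
    changed = VendorRecord(last_paid_account="ACC-001", account_changed_recently=True)
    suspicious = WireRequest("V1", 48_000.0, "ACC-999", True, False, 2)
    for r, v in ((routine, known), (suspicious, changed)):
        d = screen_wire(r, v)
        print(r.vendor_id, r.amount, "release" if d.release else "HOLD", d.reasons)
```

Running the screening over the request log is also a cheap way to test the new controls, as the advisory recommends: feed it yesterday’s approved wires and review every request the rules would now have held.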
As the Investigations practice within Cyber Solutions, we help clients prevent, prepare and respond to confirmed or potential financial losses suffered as a result of fraud and financial misconduct, lapses in compliance programs and cyber events.