How a global pandemic created a breeding ground for wire fraud

February 12, 2021

For many organizations, COVID-19 brought normal operations to a halt last year. The effects are still being felt today, as remote working and online transactions have become a necessary norm. In addition to large-scale economic disruption and concerns over mental health, the pandemic brought with it another unwelcome side effect: a boost in wire fraud.

In some situations, electronic processing of payments through wire or e-transfer became the only available payment method, which was challenging for organizations that relied on making payments through cheque or cash.

But the impact hasn't been felt by those organizations alone. The risk of wire fraud increased across multiple sectors, thanks to a lethal combination of disrupted workforces, economic uncertainty, rapidly changing business processes and controls, and an increase in electronic money transfers.

The situation has only intensified over the long-term, as organizations deal with increased staff turnover, lack of regular face-to-face interaction, and in some cases, the necessary pivoting and transformation of the way they do business.

What is wire fraud?

Wire fraud is a type of scam that involves the transfer of money from an individual or organization to a fraudulent recipient—usually over email or phone.

Emails often appear to be legitimate because they seemingly come from familiar customers or vendors. These emails normally include a request for payment, but the account to which they normally send the money has been altered by the scammer.

Once the funds have been processed, recovery is often very difficult. Consequently, the financial and reputational impact to an organization can be significant..

The faces of fraud and the tactics they use

Early on in the crisis, the Federal Bureau of Investigation (FBI) indicated an expected spike in business email compromise scams related to COVID-19. Of particular concern was the targeting of health care providers and government organizations around the purchase of supplies or personal protective equipment (PPE).

Fraudsters, unfortunately, didn't disappoint. News outlets and organizations such as The Canadian Anti Fraud Centre (CFAC) reported a sharp increase in COVID-related scams. Among the more recent are fraudsters targeting pandemic relief funds, such as the alleged theft of $30 million by an Ontario government employee, or the attempted wire fraud of more than US$550,000 in Seattle.

Others noted by the CFAC include fraudsters pretending to be:

  • Familiar senders offering information on vaccines via email or text message
  • Private companies offering treatments or COVID-19 test kits
  • Cleaning companies providing COVID-19 sanitation services or 'air filters'
  • Charities offering 'free' PPE
  • Local utility companies threatening to disconnect services
  • The World Health Organization (WHO) providing lists of infected people in your community
  • Financial advisors offering lucrative investment opportunities
  • Government agencies requesting personal or health information

Scam tactics such as phishing, vishing, malware, impersonation, or social engineering haven't changed, but COVID-19 has heightened the pace. Fraudsters are capitalizing on the fear and anxiety created the pandemic, as well as well as weaker home security networks and an increased reliance on online transactions, to lure individuals into disclosing confidential information, installing unauthorized software that compromises security, or making payments to financial accounts owned by criminals.

How can your organization protect itself against wire fraud?

From asking the right questions to keeping up-to-date on training and processes, there are steps that you can take to mitigate the risks of wire fraud.

Validation

  • If physical mail is no longer a means to process payments, it's crucial to have strong processes in place for validating payment requests to ensure that they are legitimate.

    Check, validate, and confirm even the slightest change provided by a vendor before processing a payment. This can be as simple as calling the contact name in your files to confirm details.

Be skeptical

  • Exercise healthy skepticism around unusual and/or urgent requests, and ensure these are flagged and reviewed.

Enhance internal controls and protocols

  • Add or modify authorization protocols to your payments process to compensate for the loss of in-person controls.

Review, review, review

  • Be vigilant in reviewing payment requests, including email addresses, remittance accounts, reconciling to purchase orders and so forth.

Training

  • Refresh cybersecurity training for staff, such as phishing awareness and not clicking on links from unknown or unexpected external senders.

Encryption

  • Only allow encrypted connections to company systems (e.g. Virtual Private Network or VPN).

Mind your access

  • Restrict access to financial applications and the ability to perform transactions based on role and responsibility, also known as the principle of least privilege. In addition, ensure that you revoke access from terminated employees in a timely manner.

Consistent monitoring

  • Increase the monitoring and review of unauthorized access attempts, data leakage, email forwarding, and unpatched or outdated systems.

How BDO can help

While different parts of the country are at different stages of recovery, wire fraud continues to be a serious issue—and will remain one long after the pandemic has passed. Having a strong prevention and detection strategy in place is critical, whether your workforce is remote or in person.

Our team can help you understand where your organization's weak points may be, and develop a practical plan to improve security measures. Contact us:

Alan Mak
Partner – National Forensics Practice Leader
amak@bdo.ca

Vivek Gupta
Partner – Cybersecurity & Digital Forensics
vgupta@bdo.ca

This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our privacy statement for more information on the cookies we use and how to delete or block them.