The Coronavirus Pandemic and Fraud

By Nick Sabbatini, CPA, Audit Manager

Please be aware of potential fraud schemes related to economic stimulus programs offered by the U.S. Small Business Administration (SBA): https://www.sba.gov/document/report--sba-programs-scams-fraud-alerts


Links in emails and texts. Those few words, in the context of fraud, likely lead you to think of a range of potential threats to your business. If you’ve addressed the risk appropriately, you’ve trained your employees that such communications may even appear to come from management, others within your organization, or from known vendors and customers. However, these types of attacks are likely to increase in times of crisis, when curiosity, empathy, philanthropy, and fear push people to seek new information, help others in need, and find ways to protect themselves.

While email and text communications are still the most likely way fraudsters will trick with a click, attempts to defraud you go beyond emails and text messages. The website or link offering disinfectants, facemasks, toilet paper, products to prevent and treat COVID-19, or applications providing additional information on COVID-19 may be a malicious attempt to defraud you of money or gain access to your IT infrastructure. Malicious actors may also rely on your desire to help others, soliciting donations under the guise of providing aid to those impacted by COVID-19. All of these external fraud attempts are likely to appear as though they are coming from well-known and trusted sources, because the modern fraudster increasingly uses real logos and emails, and is adept at spoofing websites and/or being present within established app stores and online markets.

Internal fraud threats should also be on your radar in these trying times, especially if your business provides a basic good or service, or is otherwise likely to be more important or beneficial during the crisis. Perpetrators of fraud may be hijacking or spoofing your company’s website, logo, and emails to create illegitimate communications to your customers or the general public. This risk of being hijacked or internally compromised is increased if the pandemic has shifted your day-to-day operations from a centralized office to various remote workplaces, where infrastructure and controls may not be in place to secure the inroads to your IT environment. Further, employees’ economic situations and your company’s increasing attention to other business concerns during the pandemic may create pressures and opportunities for fraud within the company.

Unfortunately, attempts at fraud are only expected to increase in volume as stimulus bills are rolled out and those perpetrating fraud have additional material to use as bait. While ensuring the anti-virus/anti-malware software on your devices is current helps to fight against fraud, it’s important to note that these measures are typically playing catch-up, as they are only able to develop a response to a threat after it has been identified. As such, the onus to avoid the pitfalls of fraud ultimately rests on the knowledge and actions of you and your employees. Companies should reassess risks and ensure proper processes, controls, infrastructure, and training are in place BEFORE fraud occurs, and maintain hyper-vigilance by performing the following suggested actions:

  • Perform general internet searches on your own business, including social media platforms, to determine whether there is any unusual or false activity being generated by outside parties.
  • Continue to monitor internal transactions and maintain integrity of internal controls and processes.
  • Be extremely cautious about providing security answers, such as confirming email addresses, passwords, social security numbers, or any other sensitive information, and only respond if you are absolutely sure the source is legitimate.
  • With regard to solicitations from nonprofit organizations, take time to research the legitimacy of the organization and fundraising program. Guidestar and Charity Navigator are two resources that can be used to verify the validity of a nonprofit organization. Even if confirmed to be an actual nonprofit, go to their website without using links and verify the program and how to donate. Contact information from the legitimate website can also be used to contact the organization and verify legitimacy prior to donating.
  • Maintain awareness regarding emails, texts, and hyperlinks. Ensure senders are known and email addresses and phone numbers match contact information on record. Avoid clicking on links without careful inspection. Hover over a link and review the actual destination to ensure it matches the visible text to determine whether the destination is safe. If a determination cannot be made, do not click on the link. Websites can be reached by manually typing a URL in your browser or by copying a link’s text and pasting it in your browser.
  • Train your employees and ensure they are aware of potential fraud techniques and schemes, especially when using company devices or personally owned devices that link to the company’s IT infrastructure.
  • Loop in your IT department or IT guru if you suspect fraud, and have them look at the email, text, link, file, application, etc. prior to taking any action.

We hope you and your company stay safe during this pandemic. Please reach out to us if you have any questions or concerns.