Even though COVID-19 appears to be retreating, working from home will likely remain popular amongst employees and is not going away anytime soon. As such, it makes sense for employers to understand the increased fraud risks associated with working from home and how to best mitigate them.
As seen in the recession of 2008, when the economy tanks, workplace fraud tends to increase. The current economic uncertainty combined with a major shift in the workforce is showing all the signs of increased fraud. Businesses are reporting increased fraud after two years of the pandemic.
The types of fraud that are on the rise due to working from home include data theft, time theft (owing to the lack of oversight), payroll fraud, hiring scams and vendor fraud, to name just a few.
Businesses of all sizes need to make sure more than ever that anti-fraud measures are implemented or bolstered rather than reduced. This can be challenging due to a reduced and fluctuating workforce.
Threats
Most people will agree workplace fraud is best explained by the fraud triangle: opportunity, pressure, and rationalization. Because the global pandemic has thrown the world into economic uncertainty, companies are more likely to cut non-revenue-producing departments, like compliance and internal audit. Combine that with the reduced oversight inherent in employees working from home, and fraudsters now have more opportunity.
Many families have suffered at least some loss as a result of the pandemic. Perhaps a spouse has been laid off or is simply not getting as many work hours as before the pandemic. Prices have risen due to supply chain interruptions. It’s become harder to make ends meet. The second part of the fraud triangle, pressure, is increased by these factors, which are arguably beyond the control of the employee.
Living in uncertain times makes it easier for fraudsters to rationalize committing fraud: “everyone else is doing it,” “times are tough,” “it’s just government money (CERB),” “upper management is so rich, they won’t miss a few dollars here and there,” etc. The increased pressure and concerns brought on by the pandemic make fraudsters less noticeable as companies scramble to stay afloat. The flip side is companies which are growing at exponential rates without having the time to implement adequate controls.
Email scams (phishing, business email compromise): It’s no secret many security breaches start with a phishing scam. According to the FBI, business email compromise has resulted in losses of more than $26 billion worldwide, between 2016 and 2019. Employees at home are more likely to fall for a phishing attempt simply because they can’t walk around the office and ask other employees if they received the same email.
Mitigations
There is plenty companies can do to reduce the risk of fraud, even when employees are working remotely.
- Do not cut back your internal audit or compliance teams. Maintain anti-fraud resources.
- Always have remote employees connect to a VPN to access the corporate network. Use multi-factor authentication if possible.
- Don’t let employees use their own devices. Issue company laptops and phones.
- Require strong passwords: Implement a password manager. Such a program ensures employees don’t need to memorize long, complex passwords, and will generate strong passwords for them. This also takes care of the problem of password reuse. In fact, according to a recent OpenVPN survey, 56 percent of the surveyed companies required the use of a password manager.
- Discourage bring your own device (BYOD) - provide a corporate laptop: As mentioned previously, IT has no control over the security of a personally owned computer, and it’s always a bad idea to mix work data with personal data. Make sure IT sets the computer up so that patches and updates are applied automatically.
- Provide cyber security training for all employees (humans are the weakest link): Training for employees is probably the single most important mitigation tool against phishing. Studies have shown most breaches are caused by employees clicking on a malicious link in a phishing email. Conducting awareness training so employees can recognize when an email is not legitimate will pay big dividends in terms of the number of breaches experienced in a given time period.
- Reporting of incidents: Making it easy for employees to report a suspected incident is important so management can capture as many as possible. Employees should know how to report an incident, and they should feel comfortable doing so. Consider implementing an ethics or whistleblower hotline.
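The password-manager point above rests on two behaviours: generating passwords from a cryptographically secure random source so they are long and unpredictable, and spotting the same password used across several accounts. The following Python script is an added illustration of both, not code from the article or from any password-manager product; the account names and passwords in SAMPLE_VAULT are constructed for the example and are not real credentials.

```python
import math
import secrets
import string

# Character classes a typical corporate password policy asks for.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def generate_password(length: int = 20) -> str:
    """Generate a random password from the OS CSPRNG (secrets), never from random."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry until every class is present so the result passes common complexity rules.
        # This rejection step lowers entropy very slightly below the uniform figure.
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy (upper bound) of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def find_reuse(vault: dict) -> dict:
    """Map each password shared by more than one account to the sorted list of those accounts."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}


# Constructed sample vault (hypothetical hostnames, not real credentials):
# the VPN and mail accounts share one weak password, the CRM account has a generated one.
SAMPLE_VAULT = {
    "vpn.example.test": "Winter2022!",
    "mail.example.test": "Winter2022!",
    "crm.example.test": "xK9#pL2$mQ7&vB4!",
}


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated a {len(pw)}-character password with about {entropy_bits(len(pw)):.0f} bits of entropy")
    for accounts in find_reuse(SAMPLE_VAULT).values():
        print("same password reused across:", ", ".join(accounts))
```

A 20-character password over this 94-character alphabet carries roughly 131 bits of entropy, far beyond anything an employee could memorize, which is exactly why the manager, not the person, should be generating it. The reuse check is the same idea a manager's "security audit" feature applies to a whole vault: any password mapped to more than one account is a candidate for rotation.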