Times of economic struggle are fertile ground for fraudsters, and the coronavirus pandemic is no exception. In fact, according to the Federal Trade Commission, Americans have fallen victim to $13.4 million worth of COVID schemes since the beginning of 2020. To discuss the types of scams that are going on right now and how CPAs can arm both themselves and their clients to avoid the traps, we met with Steven Blum of the compliance, forensics, and intelligence department of Control Risks.
By: Bill Hayes, Pennsylvania CPA Journal Managing Editor
Times of economic struggle are often the times when individuals and businesses are most in need of help. Sadly, that means it is also the time when those parties are most susceptible to fraud, something that is being borne out during the coronavirus pandemic, with the Federal Trade Commission saying COVID schemes have cost American taxpayers a total of $13.4 million since we moved into the year 2020. Today we are meeting with Steven Blum of the compliance, forensics & intelligence department of Control Risks to discuss why Americans are so susceptible to fraud at times like this, what businesses and individuals can do to shield themselves from schemes, and why it is important to report the scam if you have been victimized.
The Federal Trade Commission says COVID-19 scams have cost Americans $13.4 million since the beginning of the year. What is it about times like these, maybe economic downturns in general and coronavirus in particular, that makes individuals and small businesses so susceptible to fraud?
[Blum] I think this is somewhat to be expected. I like to say, particularly with respect to businesses, that when the tide goes out, all of the barnacles get exposed. We've seen these upticks in fraud investigations following other types of financial distress. Going back to the dot-com bust, the seizing up of financial markets during 2008, but in this case we have a double whammy.
You've got the first part, which is generally an economic downturn can expose that ongoing fraud as a business contracts. For example, there's some types of frauds that are helped by the fact that business is good, it's increasing, it helps to cover up past occurrences of fraud. For example, if you're lapping receivables to cover up a prior theft. But here, when business takes a downturn, it exposes a lot, so we'll see a lot of that. That's a natural thing in a typical downturn, and it may not be an overall economic downturn. It could be a downturn in a particular business. You see that just in the normal course.
But with respect to this virus, we're seeing this large-scale shutting down of business as well as a relocation of where the business is taking place. It's moving from offices into people's bedrooms and home offices and living rooms and things like that. The normal processes and controls that a business might have been relying on in the past get strained and even completely disrupted.
A couple examples that come to mind. You may have various compliance processes and internal controls that a business has, but those were never developed to anticipate that all of the different employees now were going to be dispersed around the country and around the world instead of located in offices. What that does is it takes away the basic supervision, for example, that might exist. If you're working around your colleagues, it's easier to ask questions. It's easier to stay connected. It's easy to know what everyone is doing. Because if you have a real question, you can walk down the hall and you can ask. But now you don't necessarily have that.
In addition, even today, I was reading about the market in personal protective equipment and how this is an example where there's certain emergency purchases that corporations need to make. What it does is they have to circumvent all of their existing controls. They may normally vet vendors out very carefully. They may go through a rigorous procurement process, and that kind of thing isn't happening because the emergency supersedes the need to do that. As a result, there's going to be a lot of fraud that occurs in the marketplace.
What we see in times like these is the general workings of a company's compliance department get distracted because you don't have the day-to-day compliance oversight that occurs. To the extent that you have investigations that are ongoing or may need to occur because you get either through a whistleblower complaint, which are going up and up and up in this type of environment, or just general looking into things, you don't have the same ability to travel and meet with people. Sometimes obtaining information from third parties that you might typically rely on, that gets disrupted. Everything is up in the sort of causing problems. Probably the biggest one I think, or one of the bigger ones, is when you have a lot of remote workers, it creates barriers to communication. We'll talk a little bit more about this and how that can impact and create opportunities for fraud.
From individuals, I think we see a lot more happening or even a lot more that's being exposed where you see it in the news, for example, where people are getting duped into doing various things. There's lots of ammunition for a fraudster. With all these government programs that are out, you can't help but ... you see people getting phone calls where, hey, I get singled out for this where they say, "Hey, if you want your government stimulus check, I need certain information," and people provide the information.
Also the fact that all of those annoying things like telephone scammers and such, look, if you were off working and out of the house or you're just out of the house normally, it's hard to get a hold of people, but now everyone's home. The phone rings, people pick it up, and they want to talk to somebody. It means that people are even more accessible to being scammed. Those are, I think, some of the things that are out there, and there's probably lots of others as well that make this environment where people and businesses are more susceptible to fraud than ever before.
What sorts of fraud schemes in particular are being attempted at this point? What do fraudsters think is going to be effective right now?
[Blum] I'll put them in two big buckets. Business-related and individual-related, because I think both are important. From a business perspective, there's a huge uptick in cybercrimes. I'm going to preface this by saying that you think of cybercrimes where people are reaching out and trying to do things and scam people online and things of that nature. It’s sort of very ad hoc where people just reach out and do that without any preparation. It's important to understand that there are a lot of sophisticated actors out there that have been collecting information from various people for quite some time. People that are in public companies or in other businesses, they've gathered information. For example, who are the CFOs, who are the people in charge of various departments, using social phishing and social media to collect information so that when something like this pandemic occurs, and now you've got everyone spread out in the four corners of the world, they take advantage of it.
There's some planning that goes into it for the more sophisticated actors. If we look at some of the cybercrimes and we look at phishing attempts where people are trying to gather information and use that to then further their fraudulent attempts, they're taking advantage of that. Some examples that you might see coming into play is duping employees in some way. So the idea is, if I'm a fraudster, I'm going to pretend to be somebody who's at your organization. I might say to you, "Look, I'll reach out to you." I could reach out via email and I can literally make the email appear as if it's coming from, for example, your boss, your CFO, or what have you, and say, "I need these funds wired right away."
It may be via email. I've seen it in WhatsApp messaging, for example. I've even seen where they're like, "Hey, call me, and here's the number I'm at." The stories can be quite convincing because I've been involved in these where I reviewed the transcripts of the conversations and I'm like "This guy is good." If I'm on the finance team and I get a call from this guy who says he's my CFO, he's good. He's talking about, and this is pre-pandemic this particular example, but they're very convincing. Now because of these employees that are in different locations, it's not so easy to say, "Hey, the CFO is reaching out to me. What's this about?" You just do it. We're talking about millions of dollars being lost in this way.
People are actually fooled and it happens on a regular basis. It can happen with sophisticated companies, in larger companies, because you don't have the same knowledge base of who's out there and certain other detail. It can happen, and these fraudsters take advantage of the chaos and the disruption that the virus causes.
Another general thing is that it's easy to get employees that are at the four corners of the world just clicking on email links and installing malware on company servers that give additional access to information. If somebody clicks on a link, the next thing you know, you've given somebody access to personal data of customers, of the business, what have you, and that becomes more prevalent because, again, in this environment you're getting different kinds of messages via email than you've ever gotten before. Companies themselves may not have been prepared from a security standpoint to deal with some of the extra challenges, and it can be difficult. I'm seeing a lot of that as well.
On the individual side, I see that many folks are being scammed into providing their personal banking information and other information, as well as doing things that are active in terms of assistance to these fraudsters to provide funds. Because, again, you have fraudsters calling up about, "Hey, give me your information because I need this for your check." You have other examples where fraudsters call up and say, "Hey, I'm from the IRS and this is what I need." Scaring people. "I'm from the Social Security office and we have a problem with your Social Security."
There's all sorts of scams and ways that they can dupe people into providing information, actively transferring funds, what have you. They're convincing. I'm sure people listening to this and others have gotten phone calls where they know it's a scam and half the time now your phones tell you that this doesn't make sense who's calling. But the caller IDs show somebody calling from the IRS. The scammers can be very sophisticated. Those are examples of things we're seeing and it's because there's more opportunity now than ever before with people at home.
Would you say, from a business side, that small businesses are especially susceptible right now due to the financial peril they're in, or are businesses of all sizes being targeted?
[Blum] It's a little bit of both. I've seen smaller organizations, they have less sophisticated controls and computer systems in place that can leave them more susceptible to outside bad actors. But a lot of times small organizations may have better communication between people, and there's greater knowledge of who in your organization is out there. If you're in a small company, it's more likely that the person who's keeping track of the company's funds could be the CFO, or at least has a very direct ongoing working relationship with the CFO, for example. It's harder to pretend and mimic somebody who you wouldn't really know personally because you tend to know more people in that smaller organization personally. That's a benefit in some ways.
You would think large organizations might have more sophisticated controls and systems in place. They may not. Then they have the additional problem of there's a lot of anonymity between employees of a large organization, which makes it easier for, I'll call it identity fraud, to take place where somebody is pretending to be someone else. It's really a little bit of both. I think everyone's got to be careful and, whether you're a small business or a large business, you really have to get the message out to employees to really be on high alert for this kind of thing because it's now ramped up.
Are there any tips CPA practitioners can use, not only for their clients right now, but really for themselves in their own businesses to maybe more easily spot a fraud or protect against one?
[Blum] I think some training and awareness is key. You've got to, whether you're for yourself, you're your own CPA firm where you may have now practitioners that are off doing things and logging into your environment that you have. Or you have clients that are small, medium-size businesses, as well as individuals. You've got to get the word out and actively communicate about what is happening in the environment and what you need to do to avoid it. In many cases, it may be just being aware of the fact that here are some existing frauds that are out there.
If you don't know the person or if you were asked to click on links or if you're being asked to do something that may appear to be somewhat irregular, you've got to raise things up to the next level and be diligent and confirm with others. Use your common sense and judgment. Because if someone is asking you to do something that they may not normally ask you to do, if this were a normal work day, virus or not, whatever the reason given ... for example, if it's truly your boss who's asking or a senior executive asking to do this, that senior executive is not, no matter what the request is, if he was truly somebody higher up in the organization, they would expect you to run through certain things to make sure that you're actually doing what you're being asked to do. You're not going to get in trouble for it. It's really just using common sense. CPA practitioners need to get that word out and just keep reminding people.
It's also a good reason in this environment to reach out to your clients. It's nice for your clients to know that you are thinking about them and providing something useful to them. Because in this … we've all seen it, we're getting inundated with information from everywhere. Law firms, your accounting firms, businesses. Everyone wants to tell you how they're thinking of you and they love you and they want to take care of you during this pandemic. But it's up to the CPA practitioners to focus, stay in their wheelhouse, focus on the things that their clients expect them to be focused on, and help in that way.
For someone who's been victimized by a fraud scheme, it can be a pretty embarrassing thing. But why is it important that they report that scam, make sure that they tell the authorities about it?
[Blum] It's all too common. People keep it to themselves even when it's occurring. Sometimes they're often coaxed by the fraudster. "Hey, don't tell anybody you're doing this." That, of course, is one of the first things. Look, put aside the fact that you've been fooled. You're not the only one that's been fooled by these. But you may have some ability to recover some of your losses. It's often very hard to, but you're going to get nothing if you don't report it. Then a little more importantly, just from the standpoint of the general public good, is when you publicize what happens, it makes it a lot harder for fraudsters to do it again or fool someone else.
You give law enforcement important information to help track down perpetrators because they can figure out what's happening and how often and get a sense of things. I'll even add this: even if you're not victimized, you get a phone call on your cell phone or on your landline and it's bogus and you just hang up. Quite frankly, it's important to maybe provide that information to the FTC. They have a website that gathers that type of data. I don't know what ultimately happens with that information, but it certainly would seem to be an important thing because if enough people are reporting something and if you have a novel type of fraud that's going around, it gives the FTC an opportunity to at least publicize it because the more you publicize these attempts, that provides greater ammunition, and it helps make the job of the fraudsters a little bit harder.
I'll just add, I've gotten a call, for example, where somebody is calling saying, "You have an issue with your Social Security number. Please call this phone number." It's a recording. I'm like, "Oh, I know this fraud. Let me see what this is about." I call because I had some time. Sometimes I like doing that. For me, it's fun. I got different people on the line that would say, "I'm from the Social Security office." And I'm saying, "Well, where are you located? Tell me about whatever." And they would get irate and I'd say, "How do you feel about cheating senior citizens out of their money?" And some people would curse at me. One guy said, "I'm very poor and this is all I can do." Because they're not in the U.S. oftentimes. They're all around the world.
But some of these people are very convincing and they're very forceful. I think that you have to be very careful and, if you have parents that you feel could be susceptible, you've got to warn them and let them know that this is ongoing and to never provide this information. If somebody contacts you, just hang up and don't engage and so forth because all you can do is you just have to shine a light on all this to make it harder for them to perpetrate that.