How to become a digital nomad without compromising on monitoring and early detection
CEO fraud, phishing, email spoofing and other cyberthreats are not the only dangers to working remotely. As the world adapts to contain the fallout from the Covid-19 pandemic, authorities and news outlets have issued plenty of advice on how to protect home offices against cyberthreats. This encompasses everything from keeping your work and private activities on separate machines and accounts to encrypting your data and using 2-factor authentication, as well as using a reliable VPN whenever possible. All of the above are valid tips that will protect your company’s data from external interference.
What this generic advice does not consider, however, is how people with bad intentions can take advantage of the change in routines. Cyber fraud is, of course, a serious and real threat, but we shouldn’t underestimate the increased opportunities for fraudsters to practise more traditional, old-fashioned schemes as well.
For example, somebody could submit the same invoice twice, and while, in usual circumstances, you could simply turn to a co-worker to ask whether it had already been processed, in the current situation you may be tempted to approve payment without double checking. Another more subtle attempt to defraud would be alteration of payment details on an invoice or in the system, a change which, given the circumstances, could go unnoticed, especially if the payment is urgently requested in an apparently high-priority email from your boss. These are just examples but unfortunately, we have seen some of these happen to clients already.
One obvious consequence of the change in routines is that instead of meeting your usual co-workers, you will probably be assigned new co-workers, i.e., your family. If you have small children, or other relatives who require a lot of attention, you might be under additional stress and easily distracted. Stress, as we know, can cause people to rush and sometimes act in ways that under normal circumstances would be regarded as irrational.
A lot of the ensuing vulnerability will be due to a lack of direct and informal communication. The more difficult it is to keep information flowing among co-workers, the more easily misunderstandings arise, and these offer fertile soil for less-than-honest people to exploit.
Making a phone or a video call if you suspect that something is unusual can effectively counter reduced face-to-face communication; it is better than using emails or instant messaging. Why is your usual IT supplier charging you for late fees when you thought their invoices were being paid automatically? Why do you still seem to be using a certain supplier when the manager of the project they were involved with complained so much about quality that their contract was terminated? And why did you sell again at a discount to that customer with the large unpaid balance? Better to be safe than sorry, better one extra call than second guessing.
It’s not only a case of not being able to communicate with your co-workers in a direct and informal way: since everyone is uncertain about how the authorities will address the crisis going forward, it’s likely that companies could pressure you to get as much as possible done before more severe restrictions are put into place. If you put together the two elements, this starts looking a lot like book-closing season, just out of season and out of office.
Another risk that might be underestimated is linked more directly to offices being empty due to Covid-19. With most white-collar employees working from home, conditions are right for fraudsters to attempt to break into business premises, sabotage systems and infrastructure, install malicious software on servers or computers left at the office, or simply steal and/or damage equipment that is unattended. If practically possible, the recommendation would be to ensure that at least one employee is at the office during working hours to show potential perpetrators that there is still some activity going on. You could establish a shift rotation to minimize the load for each colleague – it can also be a good break from the home office.
Even though remote monitoring might seem challenging in the current situation, we shouldn’t forget that simple and targeted early detection can be done from anywhere and that this has always been the case. With the appropriate security measures in place – to ensure that unauthorized third parties cannot infiltrate your organization’s systems – checking for anomalies in your usual transactions is relatively easy, if you know how to look for the red flags that usually indicate potential fraudulent behaviour. As an example, the cases described at the beginning can be spotted by looking for invoice or purchase order numbers that do not follow a chronological order, invoices with round amounts, sequential invoice numbers or an inexplicably high number of credit notes.
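The red flags listed above, together with the twice-submitted invoice and the altered payment details mentioned earlier, can be checked with a short script. This is an added example, not part of the original article; the record layout, the sample ledger, the flag names and the thresholds (`round_unit`, `credit_share`) are constructed assumptions.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample records: (supplier, number, date, amount, bank account, kind).
LEDGER = [
    ("Nordic IT", 4107, date(2020, 3, 2), Decimal("1840.50"), "ACCT-A", "invoice"),
    ("Nordic IT", 4215, date(2020, 3, 16), Decimal("1912.75"), "ACCT-A", "invoice"),
    ("Nordic IT", 4107, date(2020, 3, 20), Decimal("1840.50"), "ACCT-A", "invoice"),
    ("Nordic IT", 4188, date(2020, 3, 27), Decimal("2050.00"), "ACCT-B", "invoice"),
    ("Quick Consult", 12, date(2020, 3, 5), Decimal("5000.00"), "ACCT-C", "invoice"),
    ("Quick Consult", 13, date(2020, 3, 19), Decimal("10000.00"), "ACCT-C", "invoice"),
    ("Quick Consult", 14, date(2020, 3, 23), Decimal("-5000.00"), "ACCT-C", "credit"),
    ("Quick Consult", 15, date(2020, 3, 30), Decimal("-10000.00"), "ACCT-C", "credit"),
]

def find_red_flags(ledger, round_unit=Decimal("1000"), credit_share=0.3):
    """Return sorted (supplier, number, flag) tuples for a human to follow up."""
    flags = set()
    by_supplier = defaultdict(list)
    for row in sorted(ledger, key=lambda r: r[2]):  # walk each supplier by date
        by_supplier[row[0]].append(row)
    for supplier, rows in by_supplier.items():
        seen, last_no, last_acct = set(), None, None
        for _, number, _, amount, account, kind in rows:
            if (number, amount) in seen:  # same invoice submitted twice
                flags.add((supplier, number, "DUPLICATE"))
            elif last_no is not None and number < last_no:  # later date, lower number
                flags.add((supplier, number, "OUT_OF_ORDER"))
            elif last_no is not None and number == last_no + 1:  # no other customers?
                flags.add((supplier, number, "SEQUENTIAL"))
            if last_acct is not None and account != last_acct:
                flags.add((supplier, number, "PAYMENT_DETAILS_CHANGED"))
            if kind == "invoice" and amount % round_unit == 0:
                flags.add((supplier, number, "ROUND_AMOUNT"))
            seen.add((number, amount))
            last_acct = account
            last_no = number if last_no is None else max(last_no, number)
        credits = sum(1 for r in rows if r[5] == "credit")
        if credits / len(rows) > credit_share:  # supplier-level flag, number 0
            flags.add((supplier, 0, "MANY_CREDIT_NOTES"))
    return sorted(flags)

if __name__ == "__main__":
    for flag in find_red_flags(LEDGER):
        print(flag)
```

A flag is a prompt for the phone call recommended earlier, not proof of fraud; a supplier that legitimately changes bank will trigger `PAYMENT_DETAILS_CHANGED` once.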
Clean and straightforward rules are easy to follow and monitor. Problems arise when, even before the current circumstances, there were already too many deviations from the norm; this makes monitoring and early detection even more challenging in an emergency, and as we said, fraudsters are very good at exploiting any possible weakness. In our experience, customer and supplier databases tend to be quite messy, a situation that often represents the “elephant in the room” when trying to implement effective counter-fraud measures. The challenge is usually that, with everything up and running, nobody seems able to find the time to clean up those databases, remove double entries, and verify that the information is correct and up to date. After the initial chaos, maybe this slowdown could finally offer the opportunity to do some housekeeping? Verifying customer and supplier information is a start; next should come a review of the routines in place. Now that you will be asked to make so many exceptions, maybe it would be a good idea to reconsider not only what the usual procedure was and whether that was good enough, but also whether the deviation from the usual routine is really needed. Usually, common sense and intuition tend to lead to the right decision.
Extraordinary times call for extraordinary measures – but when it comes to monitoring and early detection, ordinary measures still apply: don’t drop your guard to the risk of fraud.
This article was also published on www.counter-fraud.com