With over 130,000 complaints of COVID-19-related fraud filed so far this year, according to the Federal Trade Commission, the pandemic has contributed to heightened levels of fraudulent activity, including schemes to exploit government stimulus and unemployment programs.

Here, we speak to Pamela Verick, a Director in the Investigations and Fraud Risk Management group at global consulting firm Protiviti, to discuss how organizations across various industries can strengthen their fraud risk assessments from a cyber fraud perspective.

Security magazine: What is your title and background?

Verick: I am a director in Protiviti’s Forensic solution.  I have over 25 years of experience helping organizations create innovative and transformational approaches to combat fraud and misconduct.  Prior to joining Protiviti, I spent over 10 years at a Big Four accounting firm.  I have been evangelizing the connection between ethics, culture, conduct and compliance my entire career.

Security magazine: How has COVID exacerbated fraud? 

Verick: COVID clearly created a breeding ground for fraud and took advantage of gaps in people’s personal and professional fraud hygiene. For many, the sudden switch to a remote work environment created a reliance on unsecured home networks and public Wi-Fi hot spots that unwittingly exposed individuals and their organizations to the ecosphere of cybercriminals. For others, the distractions found in alternative workspaces – barking dogs, ringing doorbell deliveries, and other attention grabbers – resulted in many clicking unintentionally on a phishing link which opened Pandora’s box of fraud.

Security magazine: How can CSOs/CISOs strengthen their security practices to mitigate the risks of fraud?

Verick:  It’s important to understand your blind spots and how they can be intentionally exploited by cyber criminals.  Having an open and honest conversation with yourself about core weaknesses – whether those relate to information technology systems or people practices – is an important step in understanding where security needs to be strengthened.  It’s also critical to remember that the durable network security infrastructure is best reinforced with mindful information security practices that personnel can integrate within their daily regime wherever – and whenever – they are working.   

Security magazine: Should CSOs/CISOs revisit their current fraud risk assessment framework and implement new or enhanced procedures and considerations when assessing the risk of fraud?

Verick:  Absolutely!  When CSOs/CISOs build out this year’s fraud risk profile, I encourage them to consider the speed at which IT and information security control activities are evolving (or devolving), along with their trajectory.  It’s unlikely that your IT control framework looks the same now as it did in the pre-COVID environment – neither should your fraud risk assessment.  Re-examine the results of last year’s fraud risk assessment to account for the impact of security controls and monitoring activities arising from shutdown(s), furlough(s) and layoffs; migration to the virtual office environment; adoption of new technologies; and phased reopening across operations and geographies – exposures to fraud risk are dynamic and will vary. 

Security magazine: How can CSOs/CISOs innovate their fraud risk assessment process?

Verick: I find that those who work in the information technology and information security fields are natural problem solvers and design thinkers.  The design thinking process encourages us to adopt a more creative mindset about fraud risk and how it could occur.  In remote and hybrid work environments, virtual fraud design thinking workshops elevate traditional brainstorming concepts and enable teams to come together remotely, dissect and understand potential vulnerabilities arising from common fraud scenarios and fraud risk exposures, consider key preventive and detective controls and align on key priorities and risk ratings quickly and efficiently.  Not only is it a way to make the fraud risk assessment process – dare I say, fun – it’s also a great way for organizations to leverage investments they may have already made in design thinking software tools.