Fraud Talk: The Rise of Cybercrime During COVID-19
/In the most recent episode of Fraud Talk, the ACFE’s monthly podcast, Arpinder Singh, CFE, partner and head of India and emerging markets, Forensic & Integrity Services at EY, highlights how cybercrimes like business email compromise (BEC) scams, phishing and account takeover have risen and will continue to rise over the next year.
Below is an excerpt from the full transcript, where Singh shares why the pandemic has created a unique opportunity for cyberfraud. Download the full transcript in PDF form or listen to the episode at the bottom of this post.
Mandy: Let's dig into COVID-19 and the coronavirus and how we've seen fraud change. There is no illusion that fraud has increased. We've done our own surveys here, and I'm sure you've seen it happen as well in what you're dealing with. The fraudsters and people who are out to game the systems use these times, these vulnerable times, to really, really go for it.
One of the areas that's definitely been affected is cybercrime. We know the risk has increased, and the exposure has increased. Why do you think it is increasing now? What are the ways that you're seeing it play out?
Arpinder: I think the first and biggest thing is everybody was unprepared. Let's be honest. I think everybody has business continuity plans, Mandy, but reality is those business continuity plans have never been tested to the extent the pandemic has tested it. None of us, in my life, I've never sat at home for six months, which we've been doing, and working from home for six months. I think when it hit everybody, I don't think any company or corporation was prepared for it.
What I saw in India was a little crazy. You had companies which were sending computers and desktops back to homes in the back of a car. There were trucks being hired, which were uprooting computers and infrastructure and sending it to different employees' homes. No one was fully prepared for this type of a pandemic and how long it's lasted out.
I think, first is the business continuity plans have been fully tested. Obviously, there are large corporations, which may have been slightly better prepared and have better infrastructural resources to deal with it. The mid-cap companies, and the smaller companies obviously would never have dreamed of something like this, and with the infrastructure to support it. That's the first.
Second is…let’s take “work from home.” You have employees who have had to deal with not having great Wi-Fi connections at home, or not having great connectivity. Maybe they were dialing it from their phones. Companies had to open up their firewalls to allow people to work from home. There's always a gap, right? It takes maybe a week to set up a firewall, or let's say employees had Bring Your Own Devices where they were working from home.
Suddenly, the whole system and infrastructure and computer networks that I saw during this pandemic had been fully tested. I don't think companies, as I said, were fully prepared for it.
Let's give an example. You have a large company having a lot of personal, confidential information in the computer. When you're working in office, there are rules which say you cannot take a camera shot, or take a copy of that personal information from the computer. When now the employee has access to their personal information on their screen at home, the only thing which is stopping them from stealing that information or exposing it to a hacker is your personal integrity. There is no way a manager can come to your house and sit on top of you to make sure that you're not taking a snap using your cellphone. That is a risk.
Second is dialing in through Wi-Fi mobile connections onto your computer networks. Hackers are very smart.
They're far ahead of us, which is why they have their cyber cases in the world. They're going to get into your networks. That's the second thing in my mind.
Third is the amount of internet transactions everyone's doing. You can no longer go to a Walmart, for instance, in the U.S., or stores in India. You have to buy online. That means everyone is sharing the credit cards. People aren't just sharing credit cards with reputed companies. You're trying to buy boutique stuff. Someone's trying to say, "Hey, we got this fantastic herbal medicine for COVID. You have this five times as a day and you're going to be all fine." You're going to click on that because you're desperate.
Hackers are working on people's desperation. You can easily send you an email, Mandy. If it's interesting enough, telling you a little bit about COVID, or telling you about a new vaccine which is coming out in a different part of the world, you will click on it. I think hackers have a perfect time. If you ask me, the pandemic has been a perfect environment for them.
When people are desperate, people are emotionally stressed. Everyone's online. People are shopping, maybe 80% more online than they ever did prior to the pandemic. People are logging into networks working from home.
Let’s say now…I'll give you an example. We have an issue with a client with a Bring Your Own Device. The question is, if you have an issue with a Bring Your Own Device, you can no longer have an engineer who goes to a remote location in India and fixes it. Suddenly, this employee has malware on his computer, and he's still logging into your network. It's going to get exposed.
Let's say you have old routers or an old server from an infrastructure perspective. You can't go and change it. It's like doing your renovation in your house. You got to postpone it. You want to say, "When the vaccine comes out next year, we'll get my renovation done then." Same way is with the computer network. Until it doesn't hit you, you're deferring these decisions, and that's exposing you.
I can take the whole session talking about this, but, Mandy, the pandemic has exposed us to risks we could not even imagine.