Top tips for protecting your organisation from opportunistic scams

For all of us, the coronavirus (COVID-19) pandemic has been a time of dramatic, unprecedented change to the way we live and work. Sadly, the more things change, the more some things stay the same, and fraudsters have already begun to use the pandemic as an opportunity for new scams.

The threat posed by fraud to charities is not new, and reports of fraud and cyber-attacks on charities were on the increase prior to the pandemic. According to a recent government survey, 26% of charities reported a cyber-security breach or attack in 2019-20, up from 22% in 2018-19. The increase in reports could point to a higher number of incidents or, more positively, to better reporting as charities become more vigilant of scams. Either way, these figures come from a world before COVID-19, and we can see that the risk to charities has increased in the current unusual circumstances.

Fraud and cyber-crime often rely on social engineering, a form of psychological manipulation designed to mislead your people into performing actions or divulging information which allows fraudsters to gather data or access the your computer system. This can take the form of (for example) bogus calls, emails or texts from people claiming to be your bank, your boss, a business partner or some other well-known company, inviting you to pay a bogus invoice, click on a malicious link, or hand over sensitive information. Social engineering communications often seek to create a sense of urgency – for example by claiming that your bank account has been compromised or frozen – to provoke the recipient into acting without considering the authenticity of the message.

Coronavirus scams to watch out for

Because social engineering exploits human error, people are naturally more vulnerable to it at times of stress, uncertainty and anxiety, when they are more likely to panic in response to an unsolicited, and often unwelcome, email or text. With so many of us working from home or adjusting to other changes in our working lives, we may not be well-placed to spot unusual communications or requests, and may be less likely to “sense-check” suspicious messages with others if we are not sharing an office with our colleagues.

During the COVID-19 pandemic, scams employed by fraudsters have included:

• Fraudulent offers of face masks and hand sanitiser for sale, which are paid for but never arrive;
• Text messages, claiming to be from the government, which direct people to an imitation of the government website where they are prompted to enter their personal and card details in order to receive a “COVID-19 relief” payment;
• ‘Good cause’ scams, which seek investment and donations for causes such as the production of sanitiser, manufacture of personal protection equipment or new drugs to treat the virus;
• ‘Clone firms’, which impersonate firms registered to do things like sell, promote, or advise on the sale of insurance products;
• Communications from fraudsters impersonating claims management companies claiming to be able to help recuperate losses caused by (for example) event cancellations;
• Emails, calls and texts from someone claiming to be from your bank, who takes advantage of the financial uncertainty created by the coronavirus to convince you to transfer your money to a new bank or promote non-standard investments;
• Texts offering the opportunity to “make some cash from home” in an attempt to exploit those who may be out of work (temporarily or permanently) as a result of the crisis.

Top tips for coronavirus fraud prevention

In these turbulent times, we are all more vulnerable to fraud, which even ordinarily can often be sophisticated and difficult to spot. This means it is more vital than ever for organisations to take steps to protect themselves. In the case of charities, the recent increase in reports shows a promising increase in vigilance against fraud, and vigilance will continue to be important as the pandemic develops. You can protect your charity against fraud by keeping in mind the following tips:

• Run unfamiliar requests past colleagues for a common-sense check – even if they are not in the room, call or video call them.
• Challenge unusual requests and remind staff of the need to do the same.
• Make sure that your normal processes for fraud prevention, such as dual authorisation and the monitoring of financial transactions, are resilient and can continue to function in the event of disruption. Remind staff of the need to follow these processes, even in unusual working conditions.
• Similarly, make sure security basics such as virus protection, unique user IDs and passwords and restrictions on access to online payment systems and other sensitive information are reliable even if your organisation is largely or wholly working from home.
• If an unfamiliar communication claims to come from a provider of financial services, check their credentials using the Financial Services Register.
• Beware of offers that come out of the blue, do not click links or open emails from senders you don’t already know, and do not give out personal or sensitive information.
• Above all, stay vigilant and stay calm. Do not act if you’re feeling panicked or unsure about an unfamiliar communication, even (and especially) if you’re being told to act urgently.

This information is necessarily of a general nature and doesn’t constitute legal advice. This is not a substitute for formal legal advice, given in the context of full information under an engagement with Bates Wells.

All content on this page is correct as of April 6, 2020.