For several weeks we’ve witnessed most of the world paralyzed by Covid-19. Unfortunately, the pandemic has not thwarted efforts by nefarious actors to prey on people’s fears and desperation. Scammers are increasingly targeting financial firms and their employees working from home, finding any opportunity to exploit vulnerabilities in telecommuting applications and platforms to carry out their crimes.
Below are some examples of these schemes, a discussion of the governmental response, and a list of recommended measures that firms can use to guard their compliance programs against them.
The Covid-19 schemes are taking many forms and using various methods—setting up websites, making phone calls, sending emails, and posting misinformation via social media. Regardless of the method, their objectives are the same: Lure individuals to reveal sensitive information or otherwise unwittingly facilitate their illegal activities. Some scammers are audacious enough to impersonate governmental employees to carry out their schemes.
These efforts are reaping some success. The Federal Trade Commission (FTC) has been tracking coronavirus-related complaints since January. As of April 15, the agency had received 18,257 complaints from consumers about coronavirus-related scams, with consumers reporting losing over $13.4 million—a median loss of $557 per person. On the cyber front, the FBI reported a rise in coronavirus-related scams, receiving more than 1,200 complaints by March 30.
Below are some examples.
Imposter Scams. Scammers are sending fake emails claiming to be from the Centers for Disease Control and Prevention and the World Health Organization, encouraging the recipient to download malware or provide sensitive information.
Treatment and Testing Scams. Although the FDA has not approved any cures or home test kits for the virus, that’s not stopping scammers from trying to sell fake cures or unproven treatments that allegedly prevent, detect, or cure Covid-19.
Supply Scams. Scammers are claiming to have critical medical supplies in high demand, such as gloves and masks, through fake sources that never get to their intended buyers.
Phishing Scams. Google reported April 17 that it is blocking more than 18 million hoax emails about Covid-19 every day.
Relief Payment Scams. Scammers are using federal coronavirus government relief plans to obtain personal and banking information, with one falsely claiming to be a “participating lender” for such programs.
The responses from U.S. regulators and law enforcement agencies have been swift, ongoing, and multifaceted.
Agencies are using tips, notices, and alerts to inform investors and financial firms about how they can guard against the Covid-19 scams.
The Department of Health and Human Services Office of Inspector General issued a fraud alert warning about several health-care fraud scams. The Financial Industry Regulatory Authority, Inc.(FINRA), the Securities and Exchange Commission (SEC), and the Financial Crimes Enforcement Network (FinCEN) followed suit, requesting financial institutions to be alert to various scams in the wake of the pandemic on Covid-19 scams. The FTC has been publishing nearly daily blogs on the pandemic in February, March, and April.
Some agencies have established designated hotlines and mailboxes to receive reports of potential or actual Covid-19 scams. The FTC has gotten creative, using a Bingo-card format to solicit information on these scams.
Agencies are also holding Covid-19 fraudsters accountable for their crimes through vigorous investigations and enforcement actions.
The Department of Justice in early March issued a notice about the measures it would take against Covid-19 scams, issued its initial enforcement action, and introduced a dedicated page outlining various measures the agency has instituted to help combat fraud involving the pandemic.
FinCEN issued guidance on potential suspicious activity and to be alert for malicious or fraudulent transactions common to natural disasters. The agency also pointed to its 2017 advisory for descriptions of other types of disaster-related fraud.
There’s also an increasing focus on whether individuals are using access to material, nonpublic coronavirus-related information to engage in insider trading. Beyond the headline-grabbing insider-trading investigation involving U.S. senators selling stocks, the SEC is paying close attention to insider trading involving the pandemic. The agency’s co-directors of enforcement released a statement reminding market participants of their obligations to protect material, nonpublic information. Not long after, the agency suspended trading in the stock of two companies due to concerns about virus-related information.
Agencies expect financial institutions to remain vigilant against efforts by fraudsters and other bad actors to take advantage of the pandemic.
As the number of pandemic-related scams will likely rise in the coming weeks, here are some quick tips to protect your compliance programs during this pandemic.
Ensure ongoing communication between management and employees to keep employees informed of important company developments and policies.
Review company policies to make sure they: 1) apply to work from home, and if they don’t, make the adjustments necessary, and 2) require any interim updates to allow flexibility to address particular challenges your company may be facing. Note: As needed, engage your assigned regulator to talk through these challenges and record any agreement reached on interim relief.
Focus oversight measures on areas that may warrant closer scrutiny in light of remote work arrangements, such as confidentiality, information security, insider trading, anti-money laundering, records management, business continuity, bring-your-own-device (BYOD) plans, and privacy and cybersecurity.
Provide training to your employees to cover new or amended policies, or to serve as a refresher on existing policies.
Issue regular reminders about the importance of keeping company information confidential, and consider issuing a reminder on minimum conduct standards (e.g., codes of conduct), as well as where employees can refer issues, concerns, or questions.
Check remote working arrangements to make sure they are factoring in minimum information security requirements (e.g., access rights, authentication, and transmission and storage of confidential information).
Don’t lose sight of your vendors in terms of what they are able and unable to provide in terms of service, commitments to protect your records and information, and engagement of others through an appropriate vetting process.
Consider special reminders on privacy and cybersecurity requirements in light of online Covid-19 scams, such as: 1) only sending or accessing company information as needed, 2) knowing where and how to report potential cyber events or data breaches, 3) saving business records on company networks, 4) not giving others access to company devices, 5) not using personal cloud storage accounts or email to conduct business, and 6) safeguarding company information at all times.
Monitor the notices from the relevant sources to keep apprised of developments that may impact your operations, or offer guidance on managing them. This table can serve as a useful directory.
If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content.