COVID-19 frauds and scams - KPMG

COVID-19 frauds and scams: Protecting your organization and its employees

kpmg.com, April 20, 2020


COVID-19 has created previously unthinkable consequences for our society. In these uncertain and difficult times, fraudsters opportunistically prey on the fear and uncertainty created by a public health emergency, looking to profit from the public’s desire to regain a sense of safety and security. Compliance officers should be looking for ways to protect both their employees and their organization as a whole.

Across the world, we have seen a rise in scams associated with COVID-19. Computer and phone hackers are taking advantage of the pandemic to lure potential victims into downloading infected files through suspicious links. Fraudsters are establishing fake online shops, investment opportunities, and charitable organizations in order to solicit funds from unsuspecting consumers.

As governments prepare large stimulus packages in response to the pandemic and begin providing fiscal support to their citizens, the risk of being defrauded by COVID-19-related scams, such as fraudulent claims against earmarked funds, will likely continue to rise.

Organizations in the financial services, healthcare and life sciences, and telecom sectors have been forced to quickly respond to unique needs caused by the pandemic, and many of these organizations are simultaneously working through their own business continuity considerations. Particularly within these industries, demand is often outweighing supply, and organizations may not be able to quickly respond to the rapidly changing types of fraud.

Compliance officers should consider informing their employees about the types of frauds and scams that are permeating our society and suggesting how individuals may best combat these nefarious efforts. They should also consider the impact these fraud schemes may have on their organization and adjust internal controls appropriately.


© 2020 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. NDP084788-1A


Technology-driven scams

Phishing scams

Imposters claiming to be members of reputed domestic and international health authorities, such as the U.S. Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO), target victims with emails that include malicious attachments, links, or redirects to “updates” regarding the spread of COVID-19, new containment measures, maps of the outbreak, or ways for recipients to protect themselves from exposure. Once opened, such attachments or links infect the computer or phone with malware or expose sensitive personal data, such as credit card numbers, that can be transmitted to the hacker.

COVID-19 fraudulent websites

There has been a significant rise in the volume of website registrations that contain the word “COVID” in the domain name. These fake websites look like genuine websites but may in fact carry malware that can infect the computers and mobile devices that visit them.

Business and personal email compromise

Using emails disguised as organization-wide COVID-19 updates, fraudsters attempt to trick employees into handing over their network credentials by requesting that they log in to a fake internal COVID-19 portal. Once an employee has entered their credentials, the fraudster can have unfettered access to the business accounts and network of the employee’s organization.


Ransomware attacks

In ransomware attacks, an organization’s critical servers and endpoints are first compromised and then encrypted. A ransomware attack locks the operating system and end-user files, rendering them inaccessible until a ransom is paid (usually in bitcoin) to the attacker. As remote access to computers becomes the norm with employees required to work from home, we expect a spike in ransomware attacks.

Other mobile app scams

Fraudsters are developing or manipulating mobile phone applications to make these applications look as if they track the spread of COVID-19. However, once a user installs one of these manipulated apps, the application infects the user’s device with malware that can be used to obtain personal information, sensitive data, or bank account/credit card details.


Misrepresentation in sales channels

Online education applications: As schools and higher educational institutions are closed, parents are increasingly subscribing to various online educational technology applications for self-learning. Fraudsters connect with their victims by pretending to be a representative of known education applications and offer substantial discounts for registration using the link messaged by them. Fraudsters may then gain access to personal information that parents enter using this link.

Counterfeit drugs: Due to the perceived gap between demand and supply of essential drugs, there is a high possibility of counterfeit drugs being introduced into the supply chain at pharmacies and through online marketplaces. Consumers usually cannot spot the difference between genuine and potentially fake products.

Healthcare provider scams: Fraudsters may pose as doctors, nurses, paramedics, and/or medical administrators. These individuals may claim to have successfully treated a friend or relative and may lure the victim into paying for “treatment.”

Supply scams: Taking advantage of current supply shortages and public desperation for resources, fraudsters have established fake online shops that sell medical supplies currently in demand, such as surgical masks and hand sanitizers. After payment is made to “purchase” the goods, fraudsters pocket the money and never deliver the supplies.

COVID-19 testing and treatment scams: Rising panic around contracting COVID-19 can mean that individuals are trying to prevent getting sick, are trying to get tested for infection without notice (to avoid being forced to quarantine), or are trying to seek treatment. Using social media and online forums, fraudsters may promote bogus testing kits, prevention and treatment products, vaccines, and cures.


Investments and charity

Investment scams

Fraudsters may run investment scams in which they claim they will generate significant returns by investing in a company that has services or products that can prevent, detect, or cure COVID-19. Those fraudsters may pocket the money they collect as investments or use money collected from one “investor” to pay the returns promised to another “investor.”

Charity scams

In times of crisis, it is not uncommon for individuals to feel a personal sense of responsibility to help reduce the impact on the community. Fraudsters prey on this desire, soliciting donations for nonexistent charities claiming to help individuals, groups, or areas affected by the virus, or claiming to contribute towards the development of a vaccine to fight the virus.


What can you do to protect yourself?

Be wary of fraudulent emails claiming to be from experts who have vital information regarding the virus. Do not click links or open attachments from unknown or unverified senders, and check email addresses from sources claiming to have information regarding COVID-19 for irregularities, such as spelling errors or miscellaneous symbols. Fraudsters often use addresses that differ only marginally from those belonging to the entities they are impersonating.

Be careful of fake online shops that use nontraditional payment methods, such as money orders, funds transfers, gift cards, or cryptocurrency. Don’t use any payment shortcuts given by a representative. Log in to the online shop’s official website to make any payment.

Stay informed of investment scams and trends in relation to COVID-19, including schemes that offer discounts on products like online content streaming or companies that claim to have drugs that prevent, treat, or cure COVID-19. Ensure that you buy drugs from authorized pharmacies or known sellers only. Check product details, including labels, packaging, ingredients, date of manufacture/expiration and location of manufacture.

Check the organization’s background before donating to any charities or crowd-funding campaigns. Be wary of any business, charity, or individual soliciting donations in cash, through the mail, via funds transfer, or through other unusual channels.

Avoid sharing pictures of home desks/workstations on social media, as you may inadvertently share confidential information. Always be mindful of what you share on social media.
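The sender check in the first item above, and the rise in domain registrations containing “COVID” noted earlier, can be partly automated at a mail gateway or in a reporting tool. The following is an added example, not part of the KPMG document; the allow-list (with example.com standing in for the employer's own domain), the character-swap table, and the distance limits are assumptions for illustration.

```python
import re
from email.utils import parseaddr

# Constructed allow-list: domains this organization expects mail from.
# example.com stands in for the employer's own domain (assumption).
TRUSTED = {"cdc.gov", "who.int", "example.com"}
# Digit-for-letter swaps often used to imitate a name (assumed, not exhaustive).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(address):
    """Return (verdict, detail) for one From value."""
    _, at, domain = parseaddr(address)[1].rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return ("invalid", "no domain found")
    if domain in TRUSTED or any(domain.endswith("." + t) for t in TRUSTED):
        return ("trusted", domain)
    if domain.startswith("xn--") or ".xn--" in domain or not domain.isascii():
        return ("lookalike", "internationalized name, inspect the decoded form")
    normalized = domain.translate(CONFUSABLE)
    labels = re.split(r"[.-]", normalized)
    for t in sorted(TRUSTED):
        # Short names get a tighter limit so fda.gov is not mistaken for cdc.gov.
        limit = 1 if len(t) <= 8 else 2
        if edit_distance(normalized, t) <= limit:
            return ("lookalike", f"resembles {t}")
        # Trusted name reused as a label of a different domain (cdc-gov.org).
        brand = t.split(".")[0]
        if brand in labels:
            return ("lookalike", f"uses '{brand}' outside {t}")
    if "covid" in domain:
        return ("review", "pandemic keyword in an unverified domain")
    return ("unknown", domain)

if __name__ == "__main__":
    # Constructed sample senders, not taken from any real campaign.
    for sender in ["CDC Alerts <alerts@cdc.gov>", "updates@cdc-gov.org",
                   "it-support@examp1e.com", "info@covid19-relief-fund.net"]:
        print(sender, "->", check_sender(sender))
```

A "lookalike" or "review" verdict is a prompt for manual verification of the sender, not proof of fraud, and an "unknown" verdict does not mean the message is safe.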


Preventative technology controls

Protect and control remote access to critical IT infrastructure, and restrict access for user IDs (internal/external). Revoke all direct connections to your servers from outside of the office premises. Monitor server and network performance, and set alerts.

Limit and log the use of applications that give remote access, enforce password resets, and implement two-factor authentication on critical IT assets.

Connect to the internet using secure Wi-Fi hotspots and broadband connections. It is highly recommended to connect to the internet using a virtual private network.

Avoid using public file-sharing websites unless authorized by your organization’s policies.

Ensure that antimalware, antiransomware, and antivirus software installed on devices is kept up to date and that operating system patches are applied promptly. Avoid installing freeware on IT systems, as it may contain hidden malware.


Detective and investigative controls

There are many ways to help protect yourself, your loved ones, and your business from falling victim to COVID-19 scams. Paramount to reducing vulnerability is ensuring that people remain aware of how criminals are attempting to take advantage of the global health crisis.

1. Do not dismiss any breaches or incidents, as they may indicate a bigger problem.

2. In case of a cyberattack, investigate the root cause to secure systems and prevent further attacks.


Contact us

Amanda Rigby
U.S. Leader, Forensic Services
T: 312-665-1953

Matthew McFillin
Investigations, Disputes, and Compliance Leader
T: 267-256-2647

Guido van Drunen
Principal, Forensic Services
T: 408-367-7592

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

kpmg.com/socialmedia

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.
