The potential for fraud fueled by the coronavirus pandemic, coupled with the anticipation of a $2 trillion stimulus, is creating such a lucrative opportunity for scammers that Visa and the Secret Service are predicting a wave of unprecedented levels of fraud.
Three factors could play a role in creating a new fraud opportunity for scammers: the scope of change in the daily lives for consumers and businesses; the $2 trillion stimulus; and the fact that the financial services industry is shifting how it serves its customers.
“We are seeing public health scams. Official looking emails from the CDC and WHO to solicit donations and phish people. This was the first wave," said Thomas C. Edwards, Special Agent in Charge of the San Francisco regional office for the U.S. Secret Service.
"The second wave are business email scams," Edwards said. "It’s a perfect time for this to go up a level since people are working from homes. We’ve lost the office hallway social interaction where we can double check if the CEO really wants to send money to a new vendor. Finally, the third wave are government check scams that come through as robo calls that offer checks from the government asking first for money or personal information from consumers.”
The third wave has already begun, as the IRS issued a coronavirus scam alert on April 2 that “urged taxpayers to be on the lookout for a surge of calls and email phishing attempts about the coronavirus, or COVID-19," Edwards said. "These contacts can lead to tax-related fraud and identity theft.”
Based on data from the FBI’s Internet Crime Complaint Center (IC3) 2019 report business email compromise losses amounted to $1.78 billion which was roughly half of the year’s total reported fraud losses of about $3.5 billion. It should be noted that actual fraud losses tend to be higher as consumers and businesses are often reluctant to report crimes, especially if they felt that they should have been more careful.
Fraudsters are more sophisticated than ever as a result of the data and experience they gained from Equifax, Marriott and other breaches in recent years. They know a great number of details about a consumer such as their primary bank, bank account number and sometimes even their Social Security number. This allows fraudsters to call consumers, spoofing their bank’s name on caller ID, send official emails and engage them with simulated verification tactics.
“What we are seeing with fraudsters’ recent attacks has grown by leaps and bounds," said Lori Hodges, vice president of North America risk for Visa. "There is an excessive profile on U.S. consumers where they know which consumers bank with a specific financial institution. Fraudsters spoof the bank and consumers fall for it as it appears legitimate, especially when they already have the 16-digit bank account number. They send a one-time passcode to make it appear even more real.”
Accountants and tax professionals have been helping their small business clients deal with the economic fallout from the COVID-19 pandemic, shifting away from their routine compliance work after the end of the prolonged tax season.
Auditors should take stock of the lessons learned from the first phase of remote auditing.
The Internal Revenue Service is giving taxpayers until the end of the year before it stops its temporary procedures for faxing in Forms 1045 and 1139 for claiming tentative tax refunds.
The changes to consumers’ and businesses’ daily lives have undermined many of the normal defensive skepticisms that have been developed over the past few years, making everyone more vulnerable.
Making matters worse is the immediate economic impact of the coronavirus with jobless claims soaring and businesses shuttering or in the case of restaurants going into a delivery/takeout-only mode. NPD reported that full-service restaurant chains have seen a 71% drop in revenue, and total restaurant sales have fallen by 36% for the week ending March 22, 2020 compared to the same week one year ago as a result of coronavirus-mandated restrictions.
“We need to flatten the curve on scams before it spikes," Edwards said. "Right now there is a lot of ambiguity in consumers’ minds [and] they are easily being fooled. Fraudsters have become so sophisticated that they have done things such as record the hold music from different banks to make a consumer believe its their institution is calling them."
As consumers and small business owners become more desperate to access emergency stimulus funding, it is opening up new vectors of attack for fraudsters. Take for example consumers who typically ask for a check from the Treasury when they file for their tax refund. Unlike consumers who get direct deposit, their stimulus check will take much longer to arrive.
The vast net of individuals, businesses and governments covered by the stimulus means that no matter how effective law enforcement is able to mitigate one area of the economy, fraudsters can easily move to target another sector.
The stimulus from the CARES Act is paying over $600 billion to consumers, including $300 billion in cash payments and $260 billion in enhanced unemployment benefits. There is also $377 billion for small businesses, including $350 billion in forgivable loans. The stimulus also provides $339 billion to state and local governments and $500 billion to large corporations, according to a breakdown by Visual Capitalist.
“There are still a good portion of folks that have never registered their banking credentials with the IRS. They represent an extremely vulnerable population,” said Richard Crone, principal at Crone Consulting LLC.
Edwards noted that the Secret Service works in coordination with other agencies to mitigate fraud, and one of their most effective tools is the National Center for Disaster Fraud, which is a hotline that was created specifically for law enforcement agencies to help consumers and businesses being scammed during disasters and other crises.
“Businesses and consumers need to remember that your bank or credit union will not call you to ask for your PIN or mother’s maiden name, as they already have that," Hodges said. "The level of comfort in giving this information away is high because the attack is so tailored. It’s also a desperate time for many that they will give the information just to get faster access to money which is literally a lifeline."