If you’re not already back in the comfortable confines of your office, chances are you will be in some capacity by early 2022. While companies are pushing dates back with the Delta variant surging, vaccination rates continue to go up and we all need to start thinking about what office life will look like going forward.
Getting back will be a tough thing for everyone—I know I’m going to be practicing small talk in the mirror—and each company will have to navigate that with an eye on who their employees are, what the pandemic picture is in their location, and how remote worked and will continue to work. There is one item every company is sure to grapple with, though, and that’s fraud.
The shift to in-office is going to drive fraudsters to come up with new, imaginative schemes to try to defraud companies. We’re not used to working in the office after a year or more away, and if you think that’s not going to impact your security, think again.
A shifting fraud landscape
During the height of COVID-19, the favored schemes used official-looking, urgent-sounding alerts about the virus and related news. As I wrote in May 2020, these fraudsters used the difficulty of knowing what was real and fake about the spread of the virus to try to crowbar information out of remote workers who were isolated from their office environments. Those workers couldn’t simply walk down the hall and ask a team member whether the email was real or fraudulent, creating a danger of lapsed or mixed communication that led to fraud.
Organizations put a lot of muscle behind improving communications and prevention as the pandemic wore on, with 22% making significant investments in security last year. That preparation will serve them well going forward, but a return to the office means the fraud schemes we all spent the last year preparing for will likely be a thing of the past by the time we get there.
What’s next? As always, it’s about fraudsters adapting to circumstances, and moving away from fear and into hope.
Preying on eagerness and change
Now that there’s some light at the end of the tunnel for the COVID crisis, tactics are shifting in a couple of critical ways. The Federal Trade Commission is warning consumers to look out for scammers pretending to be the government and looking for you to pay or provide sensitive information to gain access to stimulus payments. For businesses, the tactics could focus more on vaccines and company health programs, but also payroll verification, system updates, business continuity efforts and more critical initiatives.
Here are some examples of what we might see:
- Click here to set up your computer protocols in the next 24 hours and verify your updates for the return to work deadline
- Corporate HR is asking all employees to re-validate their contact information as we move back to the office
- Please access and confirm you have read and acknowledged the new corporate COVID-19 in office policies and procedures
- Insert your own here. Think nefariously, because it will help you be on the lookout for an email that’s similar to the situations above. Think this way as you go back and you’ll find you’re more prepared for the inevitable fraud attempts.
Vigilance, at home and in the office
So how do we stop this from occurring? First, realize that there is no silver bullet. The solution resides in being proactive with training and workplace culture, but critically by also layering in technology solutions to block out and identify suspicious activity before it occurs. Employees need to know where to report a suspicious email, be given the confidence that they are empowered to be diligent and critical when receiving an email, and be supported in their decision to verify first, click after.
Fraud attempts may come in the form of requests to confirm usernames and passwords or even bank account information, and any request along those lines should be considered extremely suspect if your company isn’t proactively communicating to you about them. Be wary of anything that asks for credentials or asks you to install software unless you can verify it’s from your IT team, in which case it’s probably being pushed to your machine directly in the first place. Be sure to always hover over the sender’s name to make sure it’s legitimate, as sometimes fraudsters are too sloppy to cover their tracks.
It’s worth remembering that some employees who were in-office full-time will now be permanently remote. COVID taught us that our personal and business lives are very intertwined and will always be that way going forward. Securing our personal lives and our business lives independently is critical. As more and more businesses start utilizing Voice over Internet Protocol (VoIP) phones so employees can work from anywhere, fraudsters are going to target online logins to those devices to help them bypass MFA challenges on those phones. This is a relatively new avenue of attack that can only be defeated by connecting a cell phone for an additional layer of challenges.
Twitter is among the companies pushing hard for users to set up two-factor authentication (2FA) or MFA. While just 2.3% of users were making use of it in 2020, that represents a nearly 10% increase over the year before after the social media giant urged its use. The driver is the same as it is for those in-office and working from home: If you’re not securing your phone, you become the weakest link for your company and any platforms you’re using.
Besides simply being appropriately skeptical, ensure your organization is patching systems, especially if your entire team basically went home with their laptops and didn’t come back for a year. If you were lucky enough to avoid fraud in the past year, now’s the time to close those vulnerabilities before they come back to haunt you.
As is the case with basically everything fraud-related, beefing up your systems both at home and at the office and taking a moment to slow down and carefully consider the messages you’re receiving are the smartest ways to avoid being the victim of a fraud attempt. No one wants to get back into the office and ruin those good feelings with a fraud incident, so now’s the right time to be hyper-vigilant about the messages you’re receiving and prepare for the future of fraud.