As if sheltering in place during a pandemic wasn't bad enough, criminals are using the coronavirus (COVID-19) crisis to target people who are working from home, the
U.S. Federal Bureau of Investigation (FBI) warns. According to the FBI's Internet Crime Complaint Center, these attacks are using email on two fronts.
First, attackers are sending email pretending to come from the U.S. Centers for Disease Control and Prevention (CDC), offering information on COVID-19. Instead, the links and attachments contain malware that steals personal information or ransomware that locks the user's computer until the person makes a payment.
Second, criminals are using phishing email to request personal information, claiming it is necessary for receiving a government economic stimulus check. Other phishing scams include requests for charitable contributions and offers for financial relief, airline refunds, and fake virus cures and testing kits.
Whenever an extraordinary event occurs that forces people to rapidly modify their behaviors from their normal routines, fraudsters exploit the situation. As the COVID-19 pandemic unfolds, the FBI's warning about fraud schemes is both timely and helpful.
Internal auditors should watch out for additional fraud threats not mentioned by the FBI. Inevitably, while the current pandemic is unique, as it progresses through its various stages of impact and ultimately fades, new forms of fraud will be on the march. Here, auditors can learn from what happened during the 2009 H1N1 swine flu pandemic.
During the H1N1 outbreak, the CDC had to address fraud related to falsification of testing, certification, distribution, and marketing irregularities involving influenza vaccines and related supplies. Some of the fraud and abuse schemes that are likely to arise once COVID-19 vaccines or treatments become available include:
Investment scams and false claims about supposed COVID-19 vaccines and treatments. Already, authorities have arrested an individual in California who
allegedly had solicited investments for a COVID-19 "miracle cure." Criminals are likely to market and advertise fraudulent product claims, bogus products, and implied endorsements by government agencies — including agency logos — through websites, email, and social media. Regulators, investors, and auditors need to be vigilant, do their investment research, and avoid being panicked or swayed by the current pandemic.
Health-care provider schemes. Likewise, internal auditors should watch out for schemes in which doctors, pharmacists, and other medical professionals collude to make false claims, get kickbacks, and seek reimbursement for unnecessary tests from Medicaid, Medicare, and insurance providers. Such fraud already is common, but may grow as the scope and scale of COVID-19 treatment activities expands. For example, the FBI recently charged a marketing company executive in Georgia with
allegedly receiving kickback payments for steering patients to providers for COVID-19 testing and defrauding Medicare.
False or inflated billing for a COVID-19
vaccine. Governments have not determined how they will deal with the costs and pricing of a potential COVID-19 vaccine. In the U.S., the federal government provided H1N1 vaccine doses and related supplies at no cost to patients, although it charged administrative fees. Regardless of who pays for doses of a vaccine, authorities should be wary of schemes in which health-care providers seek an out-of-pocket fee directly from the patient that is above the maximum allowable charge from insurance or government-provided coverage.
Illegal or false manipulation of COVID-19 vaccine supplies. Given the global nature of this pandemic and of worldwide supply chains, fraudulent diversion schemes are likely. One example is selling or diverting vaccines or related supplies provided by the federal government. This activity may occur in combination with counterfeiting, adulterating, theft, or other consumer fraud schemes.
Diversion schemes may include situations where criminals move legitimate prescription drugs or vaccines into illegal channels, such as the black market, illegal Internet sales, and sales without prescription. These treatments also may be acquired illegally through smuggling or via cargo, wholesale, manufacturer, and distributor theft.
Exploiting control weaknesses. Governments and health-care agencies have emphasized using computer-based modeling and analysis to, for example, attempt to predict the path of COVID-19 impacts, with and without mitigation strategies. This analysis was not as advanced in the era of H1N1. However, it could assist in identifying control weaknesses in regulatory, benefits delivery, and program management systems that are being developed and deployed rapidly to address COVID-19. Internal auditors should focus on ways to help identify these weaknesses and reduce the organization's susceptibility to fraud threats.
The CDC's website has much good
information to educate the public about pandemic fraud. It should add information about where and how to report suspected COVID-19 fraud, including a hotline.