Though the world is no longer at a standstill due to COVID and our lives have returned to something resembling “normal,” the pandemic forever cemented remote and hybrid work into existence. Indeed, such flexible work arrangements proved to embody the seldom-realized state of “mutually beneficial” for employers and workers.
Reported benefits include positive impacts on organizational culture, work-life balance, the ability to expand the candidate recruiting pool, and reduced real estate needs and related costs. But Sir Isaac Newton reminds us, “Every action has an equal and opposite reaction.” Despite the benefits of remote work, there is an amplification of known risks, and the emergence of new ones.
These preexisting and new risks include:
- Lack of line-of-sight
- Network security
- Amplified opportunity for misconduct
- Training and professional certification fraud
- Increased confidential reporting and associated resource strains
- Investigation limitations
Lack of line-of-sight
One example of a risk that doesn’t have a formal name is the “lack of line-of-sight.” Remote and hybrid work largely nullified the positive impact of leaders and managers putting eyes on their colleagues, and with it the resulting awareness of their presence or absence and their productivity (or lack thereof).
Notably, line of sight isn’t just about mitigating risk. It can also promote productivity and a positive culture. People profess to “keep to themselves,” but in practice, most take an active interest in what colleagues are up to. Most of these interactions are inconsequential because the majority of employees have good intentions, want to add value (and be valued), take pride in a job well done, and want to be associated with an organization that is successful and well-regarded. While these dynamics are possible to support in a remote-work environment, line-of-sight makes them easier to achieve for in-person workplaces.
Before the advent of remote workforces, there was plenty of fraud and other categories of misconduct, so what changed? Remote work essentially eliminated the “line of sight” control, and perhaps made failing to detect fraud seem more excusable.
Lack of line-of-sight becomes a remote-work risk with the outlier workers who might capitalize on the opportunity to behave unethically. The opportunists, the disenfranchised rationalizers, the financial trainwrecks and the new age Charles Ponzis live and work amongst us. They also thrive in a remote work environment, with no one to overhear their conversations, look over their shoulders at their computer screens, or physically observe if they access sensitive information. While the risk of access to confidential information stored on the network or cloud environment is reduced by use of secure technology protocols, it is not reduced to zero.
Network security
Line of sight is not the only control that changed in the remote and hybrid environment – network security is now infinitely more complex.
In an ideal world, network security means only devices configured by the information technology department are granted access to the network. This means access control is maintained by means of virtual private networks, robust firewalls, multi-factor authentication and network monitoring. As organizations work to maintain business agility in remote work environments, these standard controls only become more difficult to maintain.
In addition, there are several known threats that have arguably been exacerbated by remote work. Business email compromise (BEC) schemes are major threats to organizations and continue to evolve as we get more savvy to the specific fraud indicators.
BEC schemes remain the biggest threats perpetrated using phishing attacks. The earliest and still very prevalent type of BEC scheme entails spoofing or hijacking of an executive’s email address which is then used to target individuals who are authorized to send wires or automated clearing house (ACH) payments on behalf of the company. This scheme resulted in billions of dollars in lost revenue, but it has been running for over a decade, and the revenues derived from phishing may be tailing off as awareness grows. However, fraudsters are nothing if not adaptive.
The scheme referenced above is being supplanted by a more sophisticated form of BEC, known as “invoicing schemes.” While there are a few variations, they all revolve around a central theme. Instead of impersonating executives, the threat actors impersonate vendors who interact regularly with the victim company. The fraudsters gather enough information through social engineering and malware to correctly conclude the target company owes a payment to the company they are spoofing, and then impersonate someone from the vendor or supplier and provide new (fraudulent) payment instructions.
Discovery of the fraud usually occurs well after the misdirected payment has already occurred, often when the legitimate vendor starts to ask about the status of their past-due receivable.
Organizations are even more susceptible to BEC schemes now than before the pandemic. Prior to widespread remote work, people could physically walk down the hall to the executive from whom the spoofed email appeared to originate and simply ask, “Did you send this?” Similarly, a payables manager who received a call or an email instructing them to change the payment instructions could ask a colleague or their boss, “Is this ok?” without having to call or email someone for advice.
Amplified opportunity
Fraudsters can commit their bad deeds because they are in a position of trust. Occupying a position of trust creates an opportunity to commit fraud. “Opportunity” is an important part of the often cited “Fraud Triangle,” coined by noted criminologist Donald Cressey. Opportunity, along with “rationalization” and “pressure,” make up the three sides of the Fraud Triangle, which represent the perfect storm for fraud.
When working remotely, without colleagues to overhear them or supervisors to observe their behavior, unscrupulous people can fully exploit their position of trust with far less concern about drawing attention. While there are technology tools to monitor email, firewall logs and productivity, the lack of the “neighborhood watch” phenomenon that exists in a traditional work setting serves to amplify fraudsters’ ability to take full advantage of their position of trust without fear of detection.
Training and professional certification fraud
At first glance, this category may not seem significant. And yet, falsifying continuing practice education or compliance training can result in serious consequences for organizations and the individuals involved.
Training and ongoing communications are hallmarks of effective compliance programs. Many professional licenses and certifications require a certain amount of training hours each year to maintain credentials and allow the individuals to continue to use their professional certifications and practice in their profession. Having others take exams for people, stealing and distributing copies of exams and otherwise circumventing the continuing practice education requirements of a profession can lead to long-term damage.
Remote work decreases the likelihood of discovery, and may even play into participants’ fraud triangle rationalization because of a belief that no one will ever know, or that faking training is harmless.
Increased confidential reporting and associated resource strains
According to the 2023 NAVEX Hotline & Incident Management Benchmark Report, confidential reporting is at an all-time high. After a brief uptick in reporters’ willingness to identify themselves in confidential reporting during 2021 and the Great Resignation, reporters reverted back to reporting on a confidential basis more frequently, possibly signaling growing concerns over retaliation and general anxiety about remaining employed while still raising red flags.
Another important data point is that employees increasingly are looking at confidential reporting channels as a “lifeline” when dealing with personal struggles that may or may not relate directly to their work lives. Human resources and compliance personnel are increasingly working together to monitor the increased use of confidential reporting channels as unofficial crisis hotlines. As mental health issues stemming from the pandemic, financial uncertainty and feelings of trauma from loss and isolation continue to unfold in the workforce, monitoring the sentiment coming through via hotline reports will remain an important endeavor.
Confidential reporting and investigations are one of the hallmarks of an effective compliance program, and organizations must ensure there are sufficient resources allocated to review reports, triage immediate issues, and investigate reports warranting further review. The rise of mental health-related reports serves as an important reminder of the need for sufficient resources to perform timely assessments and investigations, and of the need to monitor and respond to the emergence of trends in the data.
Investigation limitations
Confidential reporting and investigations are inextricably intertwined. Reporting channels must include the ability to perform appropriate and timely investigations. Traditionally, investigations are conducted covertly until they reach an inflection point when it is time to start interviewing people and widening the circle in terms of who needs to know.
Prior to the advent of remote work, witness interviews were almost always performed in person. Likewise, records review, email collection and the forensic imaging of external storage devices, laptops and phones occurred in person. Remote work caused a tectonic shift in how investigations are conducted, and in-person investigations are no longer the norm.
While many authoritative studies suggest body language is not a reliable predictor of deceptive behavior, most investigators will still tell you in-person interviews are best – particularly when conducting admission-seeking interviews. Physical cues are not as readily noticeable when conducting a virtual interview, and video conference interviews are far more likely to result in an abrupt end. In this case, there is no substitute for being in the same room for this type of conversation.
Despite the less-than-optimal phenomenon of remote investigations, investigators had to adapt – and adapt they have. Interviews performed via video conference are the norm, and the same is true with depositions and other legal and judicial proceedings. Aside from the occasionally hilarious mishap, the world settled into this new two-dimensional paradigm, and it is working well.
There is a silver lining for investigators and the organizations that must perform investigations: remote investigations are more efficient, less expensive and less resource intensive. They also reduce travel costs and free up investigators, who can then carry a higher investigative case load. Even computer forensics can be completed fully remotely. Hard drive contents can be digitally imaged over the network without the need to physically lay hands on the device, and emails can be collected from the server or cloud storage and transferred utilizing secure file transfer protocols.
2024 prediction
How can we use the past three years to predict the future of matters requiring investigation and investigations themselves?
Progressive organizations will pay close attention to their own data and published trends to proactively address the emergence of increased susceptibility to fraud, new fraud exploits, red flags signaling the erosion of ethical culture, and the uptick in mental health issues. Leadership teams and middle management will be more proactive in seeking to engage remote workers.
Just like CEOs had to move away from fence straddling on social issues and take a stand on the important issues affecting their employees, customers and communities, so will they step forward and acknowledge the challenges of this new paradigm. This re-engagement of the workforce is the most important step of what will likely be a multi-step process, and will also entail empowering everyone to take ownership of creating a safe and ethical workplace.
Indeed, making sure everyone in the organization feels heard, supported and empowered to act ethically could head off at least some of the next round of fraud and misconduct.