THREATS, VULNERABILITIES AND MITIGATION MEASURES
COVID-19 descended upon the world with very little warning and suddenly, people are combating the pandemic and lives are turned upside down. In Singapore, we have gone through a “circuit breaker” from 7 April to 1 June 2020, and on-off safe distancing controls through “heightened alert” phases. Through it all, professional firms have adjusted their business models to deal with the new uncharted business landscape. This article discusses the money laundering threats and vulnerabilities that are presented due to the pandemic, and what professional firms can do to mitigate these risks.
WHAT ARE THE THREATS?
New typologies to move criminal proceeds
Pandemic lockdowns affect all businesses, including those set up by criminals. As businesses are closed and travel is curtailed, criminal organisations are also finding new ways to carry out their illegal businesses. In April 2020, Interpol issued an alert to member countries to warn that criminal organisations are using food delivery services to transport drugs during lockdowns. Cases have surfaced in Ireland, Malaysia, Spain and the United Kingdom, where delivery riders are used, either knowingly or unwittingly, as couriers to deliver orders for illicit drugs.
Criminal organisations are also exploiting other avenues of laundering proceeds from crime. This is because money laundering through businesses like casinos and real estate is now less obscure due to the falling volume of business as these sectors are affected by the pandemic. Criminals have been known to recruit financially vulnerable persons as money mules to facilitate the transfer of money using their bank accounts. A recent scheme targets jobseekers by promising high-paying jobs to push sales on online platforms by ordering goods. The victims are asked to order goods online and pay for the goods to various bank accounts; they are then reimbursed by the criminal organisation through “commissions”.
Likewise, failing businesses affected by the pandemic are also more vulnerable and are thus more likely to be targeted by criminal organisations for money laundering. For instance, service providers like money changers, who are severely hit by the drop in the number of travellers, may be tempted by criminal organisations to launder money to stay afloat.
Scams which exploit COVID-19 uncertainties
Criminals spare no effort to capitalise on the widespread uncertainties and fear caused by the pandemic. At every stage during the outbreak, there have been scams centred around fake masks, fake personal protective equipment, fake equipment, and fake vaccines. There are also job scams and loan scams which target victims who are financially affected by the pandemic. The Singapore Police Force (SPF), in its mid-year (January to June 2021) crime statistics, reported a 16% rise in scam cases over the same period last year. This was significantly lower than a year before, when SPF announced a 108.8% increase in scam cases in the first half of 2020 compared to the same period in 2019. The top 10 scam types cheated victims of a whopping S$168 million in the first half of 2021.
Besides individuals, there are also scams targeting companies supplying COVID-19-related medical supplies. In February 2021, a Singaporean man was charged with helping a criminal syndicate transfer money believed to be from a scam – a French company was deceived into paying €6.64 million to buy surgical masks and hand sanitisers which it did not receive.
These illegal proceeds from the scams will eventually need to be laundered to be reinjected into the economy.
New technologies enable creation of fake identities
In 2018, digital media company BuzzFeed teamed up with American actor Jordan Peele to produce a fake video of ex-US President Barack Obama giving a short speech. The 72-second clip was produced using 14 hours of the ex-President’s real video, and replacing his mouth with Jordan’s mouth using commercially available software and open-source deepfake artificial intelligence software. The whole process took about 56 hours. While the technology is not yet good enough to produce a real-time video that mimics another person, it is good enough for simple fun and pranks. It is a matter of time before deepfakes can be used in real time to impersonate someone else for nefarious purposes.
While deepfake technologies are emerging threats on the horizon, current technologies allow one to create a personality on the Internet using social media platforms like LinkedIn, Instagram and Facebook. With some patience, one can present oneself in the social media as someone else. For instance, one can impersonate another person by using someone else’s photo, associate oneself with reputable organisations, and/or manage the content of the accounts to show interest in certain topics, thus “creating” a whole new persona.
As the pandemic makes face-to-face interactions more difficult, over-relying on technological platforms for non-face-to-face due diligence has its inherent weaknesses when trying to ascertain the identity of a person.
As organisations move their employees to work from home, telecommuting presents a lucrative target not to be missed by cyber criminals. Besides phishing and scams, Interpol, in July 2020, reported that 36% of the COVID-19-inflicted cyber threats arise from malware and ransomware attacks. Such malware and ransomware typically mask themselves in the form of email attachments, and they are deployed when unsuspecting recipients click on them. As work-from-home employees typically have weaker security in their home computers and networks, malware and ransomware can be installed undetected.
Malware, like Emotet, can open doors for cyber criminals to steal personal data or deploy trojans or ransomware. Ransomware, like Ryuk, is specially designed to scan organisations for shared files and encrypt them so they become inaccessible to the users. Only when a ransom is paid to the cyber criminal will the files be decrypted.
WHERE ARE THE VULNERABILITIES?
The bulk of the vulnerabilities relating to anti-money laundering (AML) due diligence that surfaced due to the pandemic arose from the travel restrictions, and from organisations’ transition to telecommuting.
Increase in non-face-to-face customer due diligence checks
The Accounting and Corporate Regulatory Authority (ACRA), in the 6th Corporate Service Providers (CSPs) E-Conference on July 29, revealed that the proportion of CSPs obtaining a “compliant rating” has dropped in 2020/2021 compared to the 2019/2020 period. The key weaknesses observed lay in insufficient due diligence checks on customers due to the difficulties in arranging face-to-face meetings. Understandably, this is due to the travel restrictions which limited face-to-face meetings with customers to obtain proper verification documents. Customers are also facing difficulties in getting their documents certified by the notaries public. The inability to verify the customers’ identities may expose the professional firms to higher money laundering risks as customers themselves may be proxies hired by criminal syndicates to engage the professional firms.
Vulnerabilities due to telecommuting
Over the past year, professional firms have mostly become used to a hybrid model where employees telecommute to comply with the safe distancing measures imposed by the government. However, as the change took place over a very short period, many professional firms may not be adequately prepared for telecommuting, which in turn may expose them to cybersecurity threats. Some vulnerabilities include:
- Weak security in home network and computers
As most employees are now working from home, the home networks have become an extension of the corporate network. Employees are also likely accessing the company resources through their home computers. As most companies would have previously invested in the network and computer security within the company when telecommuting was not commonly practised, the growing use of external networks and computers potentially exposes the business to higher cybersecurity threats.
- Use of cloud-based software services
Cloud-based software services that are hosted by third parties have been widely available since the 2000s, starting with email services. The pandemic has hastened the digitalisation of many professional firms’ operations. Critical information stored with third parties could expose professional firms to data leakage of personal information collected during the customer due diligence process.
WHAT CAN PROFESSIONAL FIRMS DO TO MITIGATE THE RISKS?
Step up supervision of customer onboarding process
Given the increase in non-face-to-face interaction with customers, professional firms should review the onboarding processes, and enhance the processes with additional measures to verify the customers’ identities. For instance, to mitigate the risk of not being able to sight original documents, professional firms could prearrange in-country professional firms to help them verify the documents of their customers. Other measures could include more frequent (and ad hoc) video conferences (and insisting videos be turned on) to “meet” customers or beneficial owners. Red-flag indicators in the AML/CFT Internal Policies, Procedures and Controls document could also be updated, to include a checklist of things to look out for in a fake social media account.
Step up ongoing monitoring of customers
After onboarding, the next line of defence would be in the ongoing monitoring of customers. During the review of customers, re-evaluate the risk of the customers, paying special attention to cash-intensive businesses which are deeply affected by the pandemic – for example, travel-related, retail, and food and beverages businesses – to spot any abnormal business transactions. Even medical supplies companies may now require more scrutiny as they may be abused for COVID-related fraud.
Tighten information security
Professional firms should extend information security to cover home networks and computers, to protect the personal data of their customers collected during customer due diligence. Anti-virus software does not address all cybersecurity threats. Products such as endpoint security and Cloud Access Security Broker (CASB) allow companies to restrict access to sensitive information stored in the cloud to only company-issued devices.
Step up training
Employee training needs to be reviewed to cover new money laundering typologies that surfaced due to the pandemic. Training should cover new procedures for mitigating the risks of non-face-to-face interactions with customers. Equally important, awareness training on cyber hygiene practices needs to be conducted to protect the personal information of the customers. In this respect, a good resource to tap into is the Cyber Security Agency of Singapore.
Just as COVID-19 will not stop because of vaccination, criminal activities will continue to propagate and discover new ways to overcome the anti-money laundering measures. By constantly scanning the money laundering trends, professional firms can at least keep up with the threats and work towards preventing their businesses from being abused by criminal organisations.
Martin Lim is Founder and Director, Ingenique Solutions.