COVID-19 Related Procurement Fraud is on the Rise

            COVID-19 is wreaking havoc on the supply chain of goods worldwide. This is especially true in the health care sector where there are shortages of medical-related commodities, including personal protective equipment (PPE), ventilators, medical equipment, testing supplies, and pharmaceuticals. The United Nations and the World Health Organization (WHO) have established a Supply Chain Task Force to address the issue of rising demand, panic buying, hoarding and misuse. Based on WHO modeling, an estimated 89 million medical masks, 76 million examination gloves, and 1.6 million goggles are required for the COVID-19 response each month.

            The surge in demand for medical commodities also creates challenges for an organization’s procurement function. Organizations may be required to deviate from their best practices, take shortcuts, and resort to utilizing a sole source or making emergency purchases from unknown vendors. The pressure to meet the urgent demands of health care providers may also result in the organization being defrauded.

            The Federal Bureau of Investigation (FBI) reports that procurement frauds are on the rise and occurring primarily in two different ways. First, fraudsters purport to sell supplies and equipment, for which they do not have access, in what is known by law enforcement as an advance fee scheme. This may also occur with a fraudulent broker that requests wired funds before the purchaser receives product and then delivers nothing in return. The Federal Trade Commission reports one of the most common COVID-19 frauds is the online purchase of goods that never arrive. Secondly, the FBI is also reporting that fraudsters are exploiting the business email compromise (BEC) fraud that has been repurposed for COVID-19.

            In a recent federal prosecution, a Georgia man has been charged with defrauding the Department of Veterans Affairs (VA). He is accused of making a series of fraudulent misrepresentations in an attempt to secure orders from the VA for 125 million face masks and other PPE that would have totaled over $750 million. He was also charged with promising that he could obtain millions of genuine 3M masks from domestic factories when he knew that fulfilling the orders would not be possible. He made similar false representations to other entities in an effort to enter into other fraudulent agreements to sell PPE to state governments.

Advance Fee Scheme Risk Factors

            There are several risk factors a purchasing agent should evaluate before executing a purchase. Because pre-payment for goods is more common in the current environment, it substantially increases the risk of a purchaser being defrauded and eliminates the usual recourse options. The FBI advises the following indicators are warning signs that an offer to sell items may not be legitimate:

• A seller or broker initiates the contact with the buyer, especially from a difficult to verify channel such as telephone or personal email.
• The seller or broker is not an entity with which the buyer has an existing business relationship, or the buyer’s existing business relationships are a matter of public record enabling a fraudster to pose as a legitimate vendor.
• The seller or broker cannot clearly explain the origin of the items or how they are available given current demand.
• The potential buyer cannot verify with the product manufacturer that the seller is a legitimate distributor or vendor of the product, or otherwise verify the supply chain is legitimate.
• An unexplained urgency to transfer funds or a last-minute change in previously established wiring instructions.

Advance Fee Scheme Mitigation Recommendations

            Procurement officials should consider the following FBI recommendations to protect their organization from an advance fee scheme:

• If the seller claims to represent an entity with an existing relationship to the buyer, verify claims through a different known contact—do not contact the vendor through information provided in an email or phone communication.
• If possible, have a trusted independent party verify the items for sale are physically present and of the promised make, model, and quality, and take delivery immediately upon payment.
• If immediate delivery is impossible, route payments to a domestic escrow account to be released to the seller upon receipt of the promised items.
• Verify with the manufacturer or verified distributor that the seller is a legitimate distributor or vendor for the items being offered.
• Be skeptical of last-minute changes in wiring instructions or recipient account information—do not re-route payments without independently verifying the direction came from an authorized party.

The bottom line is that substantial due diligence must be conducted when dealing with a vendor purporting to sell COVID-19 related goods.

The Business Email Compromise

            The BEC fraud was the most devastating fraud worldwide in terms of both prevalence and dollar loss before COVID-19. Fraudsters are now using COVID-19 to target healthcare organizations’ procurement functions. The essence of the BEC is to convince a procurement official to wire transfer funds to the fraudster. The victim may be targeted through spear phishing, social engineering, email spoofing, or the use of malware. Although the techniques vary, the fraudsters want to find a way to communicate with a financial insider via email. The latest twist in the scheme is to advise the victim that the bank commonly used to accept receipt of funds has now changed. The FBI reports that fraudsters explanation for the change of a bank account includes “due to the Coronavirus outbreak and quarantine, our processes have changed” and that “the regular bank accounts were inaccessible due to Corona Virus audits.”

            The BEC scheme often involves the spoofing of a legitimate email address or use of a nearly identical email address to communicate with a victim to redirect legitimate payments to a bank account controlled by the fraudsters. For example, the email address [email protected] has an extra “h” after Smith. Without training and awareness, many employees will simply miss this telltale sign of fraud. A variation on BEC schemes can involve similar social engineering techniques via a phone call.

Business Email Compromise Red Flags

            The FBI advises that the following are red flags for the BEC fraud:

• An unexplained urgency by the seller.
• A last-minute change in the wire instructions or recipient account information.
• A last-minute change in the established communication platforms or email account address.
• Communications occur only through email and the seller refuses to communicate via telephone or online voice or video platforms.
• A seller requests an advanced payment of services when not previously required.
• The seller requests the purchaser to change the direct deposit information.

Business Email Compromise Mitigation Recommendations

            Procurement officials should consider the following recommendations to protect their organization from the business email compromise scheme:

• Verify any changes to the vendor’s contact information or bank routing information on file—do not contact the vendor through the number provided in the email.
• Be alert to hyperlinks that may contain misspellings of the actual domain name.
• Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.

            The advance fee scheme and the BEC fraud are not the only frauds related to COVID-19. Unfortunately, the health care industry is also experiencing numerous other frauds. Emerging fraud schemes include the bogus sale of vaccines, COVID-19 tests, and antibody tests. Fraudsters are also gaining access to personally identifiable information (PII) through the promotion of COVID-19 health care products and services. They are then using the PII to commit traditional identity theft frauds including a popular scheme to fraudulently apply for unemployment insurance benefits online.

            As predicted, the largest stimulus package in U.S. history, the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), is rife with fraud. Federal prosecutors are rapidly charging businesses that have defrauded both the Paycheck Protection Program (PPP) and the loan program for major industries. The magnitude of CARES act fraud will not be known for years. The defrauding of these federal programs presents excellent opportunities for whistleblowers to obtain substantial rewards under the federal False Claims Act.

            Other COVID-19 frauds are being repurposed to attack unsuspecting victims. Fraudsters are promoting fake charities that purport to provide assistance to COVID-19 victims in the U.S. and worldwide. Phishing schemes are being used to compromise electronic devices or introduce ransomware. In the current environment, individuals naturally have a strong interest to educate themselves about COVID-19 related issues. Fraudsters posing as authorities such as the WHO or the Centers for Disease Control and Prevention are sending unsuspecting emails purporting to contain links to valuable information. One wrong click could compromise a victim’s computer.

            Healthcare organizations must remain vigilant during the COVID-19 pandemic. The pandemic itself is causing purchasing agents, internal auditors and those charged with fighting fraud to work remotely. However, these professionals must inform internal stakeholders about these unique frauds in order to have an effective fraud prevention program. While there are many COVID-19 related frauds, the advance fee scheme is the most prevalent. The best way to prevent this scheme is to have a fraud awareness and prevention program and adequate vendor due diligence controls implemented by the procurement department within the organization.