Payment Fraud—Pay with Peace of Mind
Shield your business from the ever-changing threat of payment fraud.
For most municipalities, electronic payment systems deliver great efficiencies. Unfortunately, those same efficiencies set the table for a payment fraud smorgasbord, inviting fare for cyber criminals, and the consequences can be devastating for municipalities that do not diligently monitor their financial accounts.
By definition, payment fraud is “any type of false or illegal transaction completed by a cyber-criminal.” In the last several years, banks have seen payment fraud shift away from large corporate businesses and toward small to medium-sized businesses and municipalities. Why? While the perception is that an unprotected large corporation may yield a one-time bigger windfall to the fraudster, the reality is that smaller businesses and municipalities more often lack the controls necessary to prevent fraud. So while the amount taken each time may be smaller, volume has made these schemes very lucrative for the sophisticated individuals operating them.
The key to outsmarting the fraudsters is to develop a plan for your municipality that includes a layered approach to the security of your financial data. Educating your personnel plays an important role in this process. Sure, we all know employees shouldn’t be “surfing the web” on company time, but are the employees aware this policy is in place for the security of the municipality as much as for productivity? Malware spread through a fraudulent website or email attachment opens the door for fraudsters to gain control of your online banking credentials, your bank accounts, and other customer or municipal information stored on your computer system.
Reverting to Paper is Not Necessarily Safer
At first glance, using electronic systems as a method of making payments may seem risky. The common reaction is to stop using the internet and go back to manual processes with paper checks.
But when you write a check and drop it in the mail, where does it go? Many times, checks are stolen out of the mail, duplicated, and then dropped back into the mail so that you don’t even know they were tampered with. Along the check’s path, the information at the bottom – routing number, account number, AND signature – is exposed. And while the number of checks being written is decreasing, check fraud remains the most popular vehicle for payment fraud today.
A fraudster doesn’t even need to go through the hassle of duplicating or altering your check to defraud you. Using the account number and routing number from the stolen check, your account can be electronically debited without your authorization. Legally, unauthorized ACH debits to a business account can only be returned during the 24 hours following posting of the transaction. If you are not regularly reviewing the daily activity in your account, this 24-hour window can come and go quickly. And remember, if you are looking at your account online today, you may be reviewing yesterday’s activity.
Payroll Processing Precautions
Municipalities originating ACH transactions for direct deposit of payroll or vendor payments are at risk of yet another type of threat known as Corporate Account Takeover. Again, by using malware downloaded onto your computer system through an infected link or website, the fraudster can steal your online banking credentials and without any other safeguards, could originate an ACH payment file from your account or manipulate the data within your legitimate file. Token authentication, a security technique that authenticates the users who attempt to log in using a token embedded into an object such as a key fob, as well as dual control go a long way toward prevention, but are not foolproof.
Is That Email Legitimate?
While the previous threats have become commonplace in recent years, one of the fastest growing fraud concerns today is Business Email Compromise, or BEC. BEC scams target email systems to fool employees into making payments to fraudulent accounts. Through phishing attempts and other research, criminals obtain the information needed to build profiles of executives, usually the CFO or another person charged with managing the financial duties within the organization. The fraudster studies previous emails sent by the targeted executive so that the fraudulent emails appear authentic, then sends the request when the executive is out of the office, making it difficult to verify. These emails also typically include language suggesting the transaction is confidential and time sensitive. This false sense of urgency prompts the employee to act quickly and prevents them from validating the information. Because these emails resemble previous emails sent by the CFO, the employee is easily tricked into making the payment, sending the wire, or fulfilling other requests.
Fraud Prevention Tools and Best Practices
How can you protect your municipality from electronic payment fraud? Unfortunately, there is no silver bullet. The key is to utilize several different methods of protection. If you make it difficult enough for the fraudster, he will find another target. Some of the best practices in fraud prevention today range from the very basic to the more advanced, such as:
- Review your account data daily and verify transactions. Scammers are well known for submitting small dollar “test” transactions as a method of determining how easy it is to access your account.
- Use alerts to notify you of particular transactions on your account, especially debit transactions.
- Utilize a dedicated computer for all financial transactions. Thinking back to the comments regarding malware, if you restrict web browsing and do not receive email on your computer, you greatly reduce the opportunity for the fraudster to successfully download malware on your computer.
- Utilize a business Bill Pay system. If you are not writing checks, there’s nothing to steal, right? Bill Pay either sends your payment electronically to the receiver or, if a paper check is necessary, issues a check drawn on your financial institution. That check doesn’t include your routing number, account number or your signature, making it a much safer alternative to producing your own checks.
- Finally, consider using the tools offered by your financial institution designed specifically for the prevention of check and electronic fraud. While in most cases there is a monthly cost for Positive Pay and ACH Blocks & Filters, the annual cost is comparable to that of an insurance policy.
- And while you’re at it, you may want to check out the cyber-insurance policies offered by your insurance company as well.
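To make the daily-review, Positive Pay and ACH filter practices above concrete, here is an added illustration (not code from the original post or from any bank's product) of the matching a treasurer's office or its bank performs: presented checks are compared against the issued-check register, ACH debits are compared against an allow-list of originators, small-dollar probes are flagged, and each ACH exception is tagged with whether the 24-hour return window described earlier is still open. The register, allow-list, originator names and postings are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed sample register and allow-list (hypothetical values, not real accounts).
ISSUED_CHECKS = {1041: ("Acme Paving LLC", 1_250_000),      # check number -> (payee, cents)
                 1042: ("County Water Authority", 48_275)}
ACH_ALLOWED_ORIGINATORS = {"STATE PAYROLL TAX", "PENSION FUND"}
ACH_RETURN_WINDOW = timedelta(hours=24)   # business-account ACH return window from the text
TEST_TXN_CEILING = 500                    # cents; tiny debits are often account probes
@dataclass
class Item:
    kind: str          # "check" or "ach_debit"
    posted: datetime   # when the bank posted the item
    amount: int        # cents
    ref: str           # check number, or ACH originator name
    payee: str = ""    # payee printed on a presented check

def review(items, now):
    """Positive Pay match for checks, originator filter for ACH debits. Returns
    (ref, reason, return_window_open); the window flag is None for checks."""
    exceptions = []
    for it in items:
        reason = None
        if it.kind == "check":
            issued = ISSUED_CHECKS.get(int(it.ref))
            if issued is None:
                reason = "check number not in issued register"
            elif issued[1] != it.amount:
                reason = "amount differs from issued check"
            elif issued[0].casefold() != it.payee.casefold():
                reason = "payee differs from issued check"
        elif it.kind == "ach_debit":
            if it.ref not in ACH_ALLOWED_ORIGINATORS:
                reason = "ACH debit from originator not on filter list"
            elif it.amount <= TEST_TXN_CEILING:
                reason = "small-dollar debit; possible test transaction"
        if reason:
            window = (now - it.posted < ACH_RETURN_WINDOW) if it.kind == "ach_debit" else None
            exceptions.append((it.ref, reason, window))
    return exceptions

def sample_review():
    """Daily review at 09:00 on 2024-03-05 over constructed postings from yesterday and today."""
    now = datetime(2024, 3, 5, 9, 0)
    items = [
        Item("check", datetime(2024, 3, 4, 17, 0), 948_275, "1042", "County Water Authority"),
        Item("check", datetime(2024, 3, 4, 17, 0), 200_000, "1043", "Cash"),
        Item("ach_debit", datetime(2024, 3, 4, 2, 0), 100, "ONLINE SVC 88213"),  # posted 31h ago
        Item("ach_debit", datetime(2024, 3, 5, 7, 0), 150, "PENSION FUND"),
    ]
    return review(items, now)
```

The unknown-originator debit posted 31 hours before the review is reported with the return window already closed, which is exactly the gap a once-a-week review leaves open.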
Payment fraud prevention is a shared responsibility, and a good security plan starts with understanding today’s challenges, then utilizing the tools and best practices available to protect you.