Keys to preventing payments fraud: vigilance, adopting best practices and risk mitigation services
Payments fraud continues at disturbing levels, with 62 percent of companies that responded to the Association for Financial Professionals’ 2015 Payments Fraud and Control Survey reporting that they were targeted in the last year.
“This annual survey is notable in its consistent message that fraud remains a crime of opportunity, and plenty of opportunities continue to exist for both internal and external parties to commit fraud against businesses large and small,” says Steve Helgen, vice president, risk management in Global Treasury Management at U.S. Bank.
Email spoofing scams
Helgen points to a heightened threat from social engineering and email spoofing. “This is a relatively low frequency but high impact fraud scheme, where a business’s email system is either compromised or a criminal is able to make it appear as if the email is coming from a key officer of the company,” he explains. “The email directs an employee to wire funds immediately to a specific account, often overseas.”
With this type of scam, which is sometimes referred to as “masquerading” or “impostor fraud,” there is also frequently a request of confidentiality on behalf of the key officer (CEO or CFO), which helps the criminal evade some controls.
Cyber fraud prevention strategies
The AFP study highlights a number of strategies that companies are using to thwart cyber fraud, including:
• Daily reconciliation of transaction activity
• Adopting a stronger form of authentication or added layers of security for access to bank services
• Implementing systems to ensure that disaster recovery plans include the ability to continue with strong controls and maintain in-office compliance when enacting disaster recovery
• Upgrading authentication procedures and devices used to access their networks
• Requiring use of company-issued laptops when initiating payments through company networks
• Dedicating a PC for payment origination (with no links to email, web browsing or social networks)
“Dual control, where one individual initiates the transaction or batch and another approves it, remains a key control strategy, and it is surprising that companies still balk at using it,” Helgen adds. “It’s also critical that the second person actually verifies the transaction rather than assuming that if the other individual created the transaction it must be okay.”
Malware continues to be a problem, he says, but criminals have discovered that many banks and their customers have bolstered their ability to detect malware, so they are switching their approach. Nevertheless, Helgen strongly recommends that business customers take advantage of the IBM® Security Trusteer Rapport™ anti-malware software that the bank makes available to them, at no cost, via SinglePoint®, the bank’s Internet treasury portal. “This software is easy to download directly from SinglePoint and should be installed by all SinglePoint users,” he suggests. “It can disable malware on a user’s computer — offering much stronger fraud prevention than anti-virus software.”
Check fraud still the top threat
The AFP survey confirmed once again that checks remain by far the most targeted payment method.
The “gold standard defense” against check fraud continues to be Positive Pay with Payee Verification. U.S. Bank’s most recent enhancement to this service is a virtually “continuous/immediate” update capability for issue maintenance on SinglePoint. “Customers can upload newly issued checks through SinglePoint and be assured that the payee will be able to cash the check at a U.S. Bank branch without being concerned about being turned away,” Helgen says.
Another service that is very effective is the check block or filter. Most customers use this as an actual check block, but it can be used as a filter as well, so that a check over a pre-set amount is automatically returned. “This is a terrific fraud prevention tool that can be used on deposit-only or rebate accounts, where the dollar size of the checks is predetermined, as well as on accounts where no check disbursements are planned,” he advises.
U.S. Bank strongly endorses the use of daily reconciliation as a fraud detection measure, although this practice typically only detects fraud after it has occurred rather than before it happens — as can be accomplished by Positive Pay and check filters. “Nevertheless, daily reconciliation can be an effective tool to use on accounts where very low volumes of checks are written each day,” Helgen says. “The downside is that this process does not provide protection at the teller line.”
Constant vigilance is needed
“These are all important tools and strategies,” Helgen says, “but the biggest challenge is complacency — the idea that what we’re doing is enough. It’s important to remember that the perpetrators of fraud are adapting their tactics on a regular basis, and vigilance is desperately needed.”