Fraud Awareness: Common Scams & Techniques to Mitigate Your Risk
Fraud is an increasing concern for businesses. According to a recent industry survey, 82% of companies were exposed to actual or attempted payments fraud, up from 60% just five years ago.1 Yet, 77% of companies still don’t have a formal cyber security response plan in place.2 And not only is fraud becoming more common, how it occurs is constantly changing. In addition to hacking into electronic systems, online criminals are relying on human error to convince businesses to transmit false payment instructions to them.
Business Email Compromise (BEC) is one of the most common scams today. According to financial professionals, it is the second most common source of fraud attempts, behind only external sources (i.e., forging a check or stealing a credit card). This email scam targets both businesses and individuals who are responsible for payments, using social engineering and other techniques to cause unauthorized transfers of funds into a fraudulent account.
BEC commonly requests that money be sent to a fraudulent account via wire transfer. A prevalent example: a fraudster creates a fake email account whose address looks almost identical to the CEO's. The fraudster then emails the controller, or another finance professional at the company, from this account stating that an urgent wire needs to be sent. A series of missteps that prey on the human element in the company's security procedures allows the wire transfer to take place, typically to an overseas account.
BEC doesn't just involve creating look-alike email addresses; internal company email accounts can also be compromised. In the example above, the email could be coming from the CEO's actual email address. Treat every wire request with caution, regardless of the exact address it comes from.
But BEC has evolved beyond just requesting a transfer of funds. Criminals also compromise legitimate email accounts to trick employees into sharing their online account passwords or other personally identifiable information. First Midwest Bank will never ask for a password. Businesses must be vigilant about why a password is being requested.
Another common scam is corporate account takeover. This happens when a criminal gains unauthorized access to a business account and makes transactions, changes contact information and uses the account's history to commit further crimes. It is frequently done by stealing employees' online credentials or hijacking an online session.
Businesses of all sizes and in all industries can be prime targets for this scam, and phishing attacks and social engineering are two of the most prevalent ways criminals attempt to gain access.
It’s important to note that the business is liable for the losses since the transfers were authorized by the company. Banks are not responsible or obligated to cover the losses. And in many instances, insurance policies may not cover it either.
Basic internal controls to mitigate these types of fraud attempts include procedures such as verbal confirmation of email requests and wire transfer instructions, daily account monitoring for suspicious activity so you can act quickly, and regular updates of antivirus programs. It is also extremely important to make all your employees aware of the different types of scams so they do not fall victim to them.
In July of 2018, the FBI announced that business losses due to BEC had reached $12.5 billion worldwide. And this has seen a rapid rise, as there was a 136% increase from December 2016 to May 2018. In the US alone there have been over 41,000 victims, totaling more than $2.9 billion, and hitting all 50 states.3
The average loss from just one incident is about $23,000, an amount no business wants to lose, particularly if the incidents multiply. And in recent years the real estate sector has been heavily targeted, with more than a 1,100% rise in victims and over a 2,200% rise in actual dollar loss from calendar year 2015 to calendar year 2017.3
While larger organizations have a higher prevalence of attempted fraud, smaller companies and nonprofit organizations are most susceptible to fraud losses due to a lack of controls. The most vulnerable account is payroll. Checks are the most targeted instrument by far: 70% of organizations that have experienced fraud reported checks as the source. However, in recent years fraudsters have drastically increased their attempts on wire transfers, with the aforementioned BEC as the most frequent attempt. Wire transfers were reported by 45% of organizations in 2018, up from only 14% five years ago.1 It is important to be vigilant with all forms of payment.
The good news is that the majority of companies that experienced fraud attempts and had controls in place saw no financial loss. The goal is to build risk and fraud mitigation into a disaster recovery plan, which we discuss in the next section.
Fraud Protection and Detection 4
- Educate employees on different scams
- Increase computer security and anti-virus software
- Enhance the security of corporate banking processes and protocols
- Monitor and reconcile your accounts daily
- Note any significant changes in your computer’s performance
- Be aware of emails from suspicious sources
In response to the ever-increasing attempts of fraud, First Midwest Bank provides tools and best practices to help businesses prevent and mitigate fraud. We work hand-in-hand as a trusted advisor with our business clients to structure and implement proactive safeguards.
Positive pay. A list of each individual check issued is uploaded to the bank, and each check presented for payment is matched against that list before it clears. If a presented check does not match, the business is alerted and decides whether to pay or return it.
ACH Positive pay. This service allows you to establish payment rules to systematically pay ACH debit transactions. You will be alerted when an unauthorized transaction requires review.
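The matching behind check positive pay and ACH positive pay, as an added example (not First Midwest Bank's product code); the issue file, presented items, company IDs and rule limits are constructed sample data:

```python
# Added example, not First Midwest Bank's own system: a simplified model of the
# check positive pay and ACH positive pay matching described above. All check
# numbers, amounts, payees and ACH company IDs are constructed sample data.


def check_positive_pay(issued, presented):
    """issued and presented: (number, cents, payee) tuples. Returns {number: 'pay'}
    when number, amount and payee all match the uploaded issue file, otherwise
    'review: <reason>' so the business can decide to pay or return the item."""
    register = {number: (cents, payee) for number, cents, payee in issued}
    decisions = {}
    for number, cents, payee in presented:
        if number in decisions:              # same check number presented twice
            decisions[number] = "review: duplicate presentment"
        elif number not in register:
            decisions[number] = "review: no matching issued check"
        elif register[number][0] != cents:   # amounts compared in whole cents
            decisions[number] = "review: amount differs from issue file"
        elif register[number][1].strip().lower() != payee.strip().lower():
            decisions[number] = "review: payee differs from issue file"
        else:
            decisions[number] = "pay"
    return decisions


def ach_positive_pay(rules, debits):
    """rules: (company_id, max_cents) pairs the business has authorized; debits:
    incoming ACH debits as (company_id, cents). Pays only debits from an
    authorized originator within its limit; all others are held for review."""
    limits = dict(rules)
    decisions = []
    for company_id, cents in debits:
        if company_id not in limits:
            decisions.append((company_id, cents, "review: originator not authorized"))
        elif cents > limits[company_id]:
            decisions.append((company_id, cents, "review: exceeds rule limit"))
        else:
            decisions.append((company_id, cents, "pay"))
    return decisions


# Constructed sample data: one altered amount, one never-issued check, one
# duplicate presentment, and an ACH debit from an unknown originator.
ISSUED = [(1001, 125000, "Acme Supplies"), (1002, 80000, "City Utilities")]
PRESENTED = [(1001, 125000, "ACME SUPPLIES"), (1002, 800000, "City Utilities"),
             (1003, 50000, "Unknown Payee"), (1001, 125000, "Acme Supplies")]
ACH_RULES = [("PAYROLLCO1", 5000000)]
ACH_DEBITS = [("PAYROLLCO1", 4200000), ("PAYROLLCO1", 6000000), ("UNKNOWN99", 1000)]
CHECK_DECISIONS = check_positive_pay(ISSUED, PRESENTED)   # results on the sample data
ACH_DECISIONS = ach_positive_pay(ACH_RULES, ACH_DEBITS)
```

Every item that is not an exact match lands in review rather than being paid silently, which is the alert the business acts on.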
Per a recent survey of finance professionals, Positive Pay was the number one product or service used by companies to protect against check fraud.1
A healthcare client of First Midwest added Positive pay and ACH Positive pay to their suite of products to mitigate check and ACH fraud on its accounts. Over the course of a six-month period they had almost 50 incidents of potential fraud, which they were able to identify as payments that did not match or unauthorized transactions. This resulted in the potential for tens of thousands of dollars saved by the company.
Account structure. A deposit-only account prevents debit transactions from occurring. Isolating transactions by type can also help reconcile accounts and flag anomalies. Consider ACH Universal Debit Block or a Post No Checks service.
Electronic payments. Since traditional checks are the most vulnerable to fraud, moving to only electronic payments such as ACH, wire transfers and commercial card* helps to reduce risk.
Storage of sensitive account information. When using remote deposit capture, it is important to secure all check stock, not only your own but also your clients'. Checks deposited via scanner are kept locked up and shredded 14-30 days after deposit. Other safe alternatives include the use of cloud-based storage.
Disaster recovery plan. Within your company’s disaster recovery plan, you should build a risk and fraud section by working with all your trusted advisors: attorney, accountant, bank relationship manager, insurance professional and key leadership of your company. The plan should be tested annually to ensure all policies, procedures and personnel are up-to-date.
Response plan if you become a victim
When a fraudulent attempt is identified, or if the fraud occurs, you will need to jump into action:
- Implement your risk and fraud disaster recovery plan as quickly as possible.
- Contact your bank relationship manager and/or treasury management professional.
- Reach out to your other trusted advisors. Law enforcement may be called after consultation with your attorney.
- Preserve digital evidence with the assistance of an IT professional. Do not attempt to investigate on your own.
- Introduce new controls, both internal and external.
Let’s get started
An effective plan includes controls to mitigate fraud and a response plan when incidents occur. The best place to start is with a call to the professionals at First Midwest Bank. As your trusted advisors, we can help implement a workable plan that can be tested annually to reduce risk.
Head of Treasury Management
First Midwest Bank
Visit our video series on fraud mitigation at FirstMidwest.com/ProtectAgainstFraud.
*Subject to credit approval
1 2019 AFP Payments Fraud and Control Survey Report, underwritten by JP Morgan.
2 Ponemon Institute's Third Annual Study on the Cyber Resilient Organization, sponsored by IBM Resilient.
3 FBI Public Service Announcement, July 12, 2018: Business E-Mail Compromise: The 12 Billion Dollar Scam.
4 Joint effort between the US Secret Service, the FBI, the IC3 and the FS-ISAC: Fraud Advisory for Businesses: Corporate Account Takeover.