Entrepreneurship & Family Business - Complementary Dynamics
1st Families in Business Day - November 8, 2013
Fraud Prevention: Keys to Protecting Your Business
Presented by: Amy Mailloux, CTP ACI
Vice President, Senior Treasury Advisor, KeyBank
November 8, 2013
“Armed with just a checking account number and a bank routing number, criminals can create checks at whim, experts and law enforcement authorities say.”
- Bob Sullivan, Technology Correspondent for MSNBC, May 2005
2. Payments industry fraud threats: Overview
3. Payments industry fraud: A closer look
4. Payments fraud: Knowledge is power
5. Types of fraud and how they originate
6. Types of fraud: Phishing
7. Protect against phishing
8. Types of fraud: Social engineering
9. Protect against social engineering
10. Additional cyber security concerns
11. Fraud prevention: Opportunities
12. How your bank can help
13. Additional bank resources and solutions
14. Positive Pay plan offerings: A closer look
15. Universal Payment Identification Code (UPIC)
16. Dual approvals, security alerts, and email notifications
Amy Mailloux, CTP ACI
Vice President, Senior Treasury Advisor
Amy has 28 years of banking experience serving small business, government, corporate and middle market customers. She earned the esteemed Certified Treasury Professional designation in 1997, and the Associates in Captive Insurance earlier this year. Her past experience includes relationship management, commercial lending, administration, cash management sales and coaching. For the last couple of years, Amy has served as the Senior Cash Management Advisor for KeyBank, working with Business Banking, Middle Market and Private Banking clients. She is a frequent guest speaker at finance events and a regular presenter on fraud and prevention at the New England conference of the Treasury Management Association.
Amy and her husband, Ernie, are also the founders and owners of Amy’s Granola, a small specialty food company founded in 2003. They reside in Ferrisburgh, Vermont with their four children.
Present- and future-day:
Electronic transactions (ACH & wire)
Norton’s 2011 Cybercrime report estimates that cybercrime costs us $388 billion annually.
They claim that cybercrime is approximately $100 billion larger than the global black market in marijuana, cocaine and heroin combined.
According to the 2013 AFP Payments and Fraud Control Survey:
61% experienced attempted or actual payments fraud
27% reported an increase in the number of fraudulent incidents
87% of affected businesses reported that checks were targeted
29% reported that corporate/commercial purchasing cards were targeted
Average loss was $20,300
64% of respondents discussed fraud prevention/security with their bank at least once in 2012
Oftentimes belongs to an organized group
Stalks their victim and knows how to attack weak points
Has access to very sophisticated physical and electronic tools
Outside individual 80%
Organized crime ring 18%
Internal party 10%
Third-party or outsourcer 5%
Account takeover 5%
Lost or stolen laptop 1%
Compromised mobile device <1%
Source of Payments Fraud in 2012, as reported in the 2013 AFP Payments Fraud and Control Survey. (Percent of Organizations Subject to Attempted or Actual Payments Fraud)
When it comes to preventing fraud, we all must take a proactive stance. In some instances, the ability to identify fraud attempts can help stop them, or mitigate the impact they have. Steps you can take include:
Learning about the types of fraud and how they originate
Investing to protect yourself
Educating your employees to be aware of the risks
Your defensive toolkit relies on:
Fake job listings
File sharing or Peer-to-Peer software
Janitorial services/Building maintenance
Reading Radio Frequency Identification (RFID)
This list is not comprehensive. Criminals are coming up with new and more efficient methods all of the time.
What it is:
Phishing is a type of Internet fraud that seeks to acquire a user’s credentials by deception.
Oftentimes, it involves the theft of passwords, credit card numbers, bank account details, and other personal, confidential information.
How it works:
Fake notices that appear to be coming from banks, auction sites, e-pay systems, etc. are sent via email or SMS text messages (Smishing)
Recipient is encouraged to urgently enter or update personal data via a false link
Messages usually contain threats to block accounts or lose access if request is not completed.
Don’t open emails from unknown individuals or organizations.
Be suspicious of any email with an urgent request for personal financial information.
Never click on an embedded link or attachment in an unsolicited email.
Avoid filling out forms in email messages that ask for personal financial information.
Ensure that your browser is up-to-date and security patches are applied.
Run anti-virus software and ensure it’s always updated.
If you receive a suspicious email that appears to come from your bank, do not respond to the message. Instead, forward it to your bank’s fraud prevention department then delete the message from your mailbox.
“The key to social engineering is influencing a person to do something that allows the hacker to gain access to information or your network.”
What it is:
Social engineering is the practice of deceiving someone either in person or via phone or computer, with the express intent of breaching some level of security or obtaining information.
How it works:
The fraudster, pretending to be a trusted party, may attempt via phone (SMS text message), online (email), or in person to:
Secretly install malicious software on your computer
Trick you into divulging your passwords or other sensitive financial or personal information
Direct you to a website to download something malicious
Ask for remote access to your computer
Be suspicious of anyone requesting sensitive information.
Never provide system credentials or any other personal information on an unsolicited inbound call.
Always verify the identity of an unsolicited caller by insisting on calling him or her back at the phone number listed for that company.
Remember that Caller ID is not a foolproof way to verify a caller's identity.
Distributed Denial of Service (DDoS) attacks:
Flooding a website with bad requests
Attempts to make the site “unavailable” to customers
Not hacking, but a way to hide fraud or gain attention for a cause
Visiting an infected website could expose your laptop, PC, or mobile device to malware
Designed to hijack your computer
According to McAfee, 2.7 million new malicious URLs are created per month
“There is no doubt that the Internet brims with spamming, scamming and identity fraud. Having someone wipe out your hard drive or bank account has never been easier, and the tools for committing electronic mischief on your enemies are cheap and widely accessible.”
- Evgeny Morozov
The numerous ways to help protect your business from fraud include:
Deposit accounts/Security features
Written and published policies and procedures
Separation of duties
Internal/External escalation process
One key to preventing fraud is to make it difficult for criminals to make you a victim, and working with your bank is part of that. Banks offer great products to help stop or reduce fraud loss such as:
Robust security controls for online and mobile banking
Positive pay systems
ACH and EFT debit filters
Client educational materials on fraud prevention
Always be aware!
Evaluate your policies
Review your payment types and methods
Educate your employees
Implement fraud prevention and mitigation solutions
“I am thankful the most important key in history was invented. It’s not the key to your house, your car, your boat, your safety deposit box, your bike lock or your private community. It’s the key to order, sanity and peace of mind. The key is ‘Delete.’”
- Elayne Boosler
Positive Pay plan offerings
Universal Payment Identification Code (UPIC)
Transaction blocks (ACH, wire only) features
Mr. Abagnale believes that punishment for fraud and recovery of stolen funds are so rare, prevention is the only viable course of action…
Client Match aka Reverse Positive Pay
Bank match Positive Pay is where the bank matches the checks presented on the client’s account against the check issue information provided by the client upon check issuance:
Compare & Verify: Check serial number, Amount, Payee name
Review and make a payment decision prior to check posting
Prevent over-funding; for stop payment decisions, the CDA funding requirement may be reduced by the amount of the payment
How it works:
Suspicious payments are reported to client usually via an on-line website, requiring a client decision to Pay or Return.
At setup, you determine the default decision (Pay All or Return All). If no decision is made by the 6:00 p.m. ET deadline, the default decision is submitted.
If your default decision is Pay All, and you are unable to make a decision by the 6:00 p.m. ET deadline, those items will be available to decision with Next Day Positive Pay.
With Client Match Positive Pay aka Reverse Positive Pay, the client matches the information from the checks presented against their Accounts Payable system:
No check issue information is presented to the bank prior to encashment
Used by companies with lower check volume (less than 1,000 items or $100,000 per month)
Access on-line platform to review images of your daily paid items
Contact bank to initiate a return of a suspicious or fraudulent check
Client must access account daily (preferably early in the day)
Daily reconciliation is strongly encouraged
How it works:
You can designate pre-selected features including dollar amount thresholds.
Checks presented over the set dollar amount threshold will be automatically flagged for return.
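The matching logic behind both plan types, as an added illustration rather than KeyBank's or any bank's actual system: bank-match Positive Pay compares each presented check to the client's issue file on serial number, amount and payee name, reports the exceptions for a Pay/Return decision, and applies the client's default (Pay All or Return All) to anything still undecided at the deadline; Reverse Positive Pay has no issue file at the bank, so the only automatic control is the client's dollar threshold. The check data, the payee normalization rule and the function names are all constructed for this example.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Check:
    serial: str
    amount: Decimal
    payee: str


# Constructed sample data: the client's issue file and the items presented to the
# bank that day. Serial numbers, payees and amounts are made up for this example.
ISSUED = [
    Check("1001", Decimal("250.00"), "Acme Supplies"),
    Check("1002", Decimal("1200.00"), "Green Mountain Paper Co."),
    Check("1003", Decimal("75.50"), "Vermont Power"),
]

PRESENTED = [
    Check("1001", Decimal("250.00"), "ACME SUPPLIES"),               # clean match
    Check("1002", Decimal("12000.00"), "Green Mountain Paper Co."),  # amount altered
    Check("1004", Decimal("500.00"), "Cash"),                        # never issued
    Check("1003", Decimal("75.50"), "J. Smith"),                     # payee altered
    Check("1001", Decimal("250.00"), "Acme Supplies"),               # presented twice
]

# Client-chosen default applied to undecided exceptions at the 6:00 p.m. ET deadline
DEFAULT_DECISION = "PAY"  # or "RETURN"
# Reverse Positive Pay dollar threshold chosen by the client (constructed value)
REVERSE_POSITIVE_PAY_THRESHOLD = Decimal("1000.00")


def normalize_payee(name: str) -> str:
    """Issue files and presented items often differ only in case, punctuation and spacing."""
    cleaned = "".join(ch for ch in name.upper() if ch.isalnum() or ch.isspace())
    return " ".join(cleaned.split())


def positive_pay_exceptions(issued: List[Check], presented: List[Check]) -> List[Tuple[Check, List[str]]]:
    """Bank-match Positive Pay: compare serial number, amount and payee against the issue file.
    Returns the exception items in presentment order, each with the reason(s) it failed."""
    by_serial: Dict[str, Check] = {c.serial: c for c in issued}
    seen = set()
    exceptions = []
    for item in presented:
        reasons = []
        if item.serial in seen:
            reasons.append("duplicate presentment")
        seen.add(item.serial)
        issue = by_serial.get(item.serial)
        if issue is None:
            reasons.append("serial number not on issue file")
        else:
            if item.amount != issue.amount:
                reasons.append(f"amount {item.amount} differs from issued {issue.amount}")
            if normalize_payee(item.payee) != normalize_payee(issue.payee):
                reasons.append(f"payee '{item.payee}' differs from issued '{issue.payee}'")
        if reasons:
            exceptions.append((item, reasons))
    return exceptions


def decide(exceptions, client_decisions: Dict[str, str], default: str, past_deadline: bool) -> List[Tuple[str, str]]:
    """Apply the client's Pay/Return decisions. Undecided items stay pending until the
    deadline; after it, the client's default (Pay All or Return All) is submitted."""
    result = []
    for item, _ in exceptions:
        decision = client_decisions.get(item.serial)
        if decision is None:
            decision = default if past_deadline else "PENDING"
        result.append((item.serial, decision))
    return result


def reverse_positive_pay_flags(presented: List[Check], threshold: Decimal) -> List[Check]:
    """Client-match (Reverse) Positive Pay: no issue file at the bank, so items over the
    client's dollar threshold are flagged for return review automatically."""
    return [c for c in presented if c.amount > threshold]


if __name__ == "__main__":
    exc = positive_pay_exceptions(ISSUED, PRESENTED)
    for item, reasons in exc:
        print(f"check {item.serial} {item.amount:>9} {item.payee!r}: {'; '.join(reasons)}")
    print(decide(exc, {"1002": "RETURN"}, DEFAULT_DECISION, past_deadline=True))
    print([c.serial for c in reverse_positive_pay_flags(PRESENTED, REVERSE_POSITIVE_PAY_THRESHOLD)])
```

Run as a script, it lists the four exceptions (altered amount, counterfeit serial, altered payee, duplicate presentment) and shows that with a Pay All default the three undecided items are paid once the deadline passes, which is why the deck stresses reviewing exceptions early in the day. The threshold-only check at the end shows why Reverse Positive Pay catches the $12,000 alteration but not the $500 counterfeit or the altered payee.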
Use your bank’s Positive Pay or Reverse Positive Pay
Maintain tight check security
Examine new checks when they arrive and keep check boxes sealed until needed
Destroy unused checks from closed accounts
Use highly secure check stock
Avoid multiple colors and sizes of checks
When laser-printing checks, issue passwords
Use check paper with toner anchorage
When typing checks, use a type font of 12 points or larger
Use a fabric, single-strike security ribbon
Reconcile your checking account statement as soon as you receive it
Report losses or suspicious checks to your bank immediately
Separate responsibilities for handling checks
Contact your bank to review your check processes
UPICs are secure bank account identifiers that allow companies to receive electronic credit payments without divulging their routing and bank account numbers.
Receive more payments electronically while protecting accounts:
Since a UPIC is used in place of the client’s actual bank account information, it can be openly shared to promote the receipt of electronic payments (e.g. print on invoices, websites)
UPICs keep bank account information private
UPICs are used for electronic credit payments only and cannot be used to initiate ACH debits
UPICs deliver additional features that:
Reduce the risk of unauthorized debits, demand drafts, and fraudulent checks
Look and act like bank account numbers allowing the UPIC to be used with any cash management or accounts payable system
Apply to a single company bank account, however, one account can have several UPICs
Stay with an organization even if they change banking relationships
Clients are strongly encouraged to set up dual authorization for ACH and wire payments as they:
Allow for separation of duties within your department
Provide an additional layer of protection from potential external fraud by making it more difficult for fraudsters to send an unauthorized payment
Enable entitlements to be customized by user, including settings for dollar thresholds, specific accounts and types of payment (e.g. international, domestic, repetitive, one time, etc.)
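How those three properties fit together, as an added example that is not KeyBank's online banking logic: a payment is released only when a second, different user has approved it (separation of duties), and that approver's entitlements must cover the account, the payment type and the dollar amount. The user names, account identifiers, payment-type labels and limits are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Entitlement:
    """What one online-banking user may do (hypothetical model, not a bank's schema)."""
    user: str
    accounts: FrozenSet[str]        # accounts the user may act on
    payment_types: FrozenSet[str]   # e.g. ACH, WIRE_DOMESTIC, WIRE_INTERNATIONAL
    approve_limit: Decimal          # largest single payment the user may approve


@dataclass(frozen=True)
class Payment:
    account: str
    payment_type: str
    amount: Decimal
    initiated_by: str
    approved_by: Optional[str] = None


# Constructed entitlements for a small finance team: the clerk can initiate but
# approve nothing, the controller approves up to $25,000 domestically, the owner
# approves everything including international wires.
ENTITLEMENTS = [
    Entitlement("clerk", frozenset({"OPER-001"}),
                frozenset({"ACH", "WIRE_DOMESTIC"}), Decimal("0")),
    Entitlement("controller", frozenset({"OPER-001", "PAYROLL-002"}),
                frozenset({"ACH", "WIRE_DOMESTIC"}), Decimal("25000")),
    Entitlement("owner", frozenset({"OPER-001", "PAYROLL-002"}),
                frozenset({"ACH", "WIRE_DOMESTIC", "WIRE_INTERNATIONAL"}), Decimal("250000")),
]


def release_decision(payment: Payment, entitlements: List[Entitlement]) -> Tuple[str, str]:
    """Dual authorization: release only when a second, different user whose entitlements
    cover the account, payment type and amount has approved the payment."""
    by_user: Dict[str, Entitlement] = {e.user: e for e in entitlements}
    if payment.approved_by is None:
        return ("HOLD", "awaiting approval by a second user")
    if payment.approved_by == payment.initiated_by:
        return ("REJECT", "initiator may not approve their own payment (separation of duties)")
    approver = by_user.get(payment.approved_by)
    if approver is None:
        return ("REJECT", f"no entitlements on file for approver '{payment.approved_by}'")
    if payment.account not in approver.accounts:
        return ("REJECT", f"approver not entitled to account {payment.account}")
    if payment.payment_type not in approver.payment_types:
        return ("REJECT", f"approver not entitled to {payment.payment_type} payments")
    if payment.amount > approver.approve_limit:
        return ("REJECT", f"amount {payment.amount} exceeds approver limit {approver.approve_limit}")
    return ("RELEASE", f"approved by {approver.user} within entitlements")


if __name__ == "__main__":
    wire = Payment("OPER-001", "WIRE_DOMESTIC", Decimal("60000"), "clerk")
    for approver in (None, "clerk", "controller", "owner"):
        attempt = Payment(wire.account, wire.payment_type, wire.amount, wire.initiated_by, approver)
        print(approver, release_decision(attempt, ENTITLEMENTS))
```

The walk-through in the script shows the same $60,000 wire held with no approver, rejected when the clerk tries to approve their own work, rejected when the controller's limit is exceeded, and released only by the owner. A compromised clerk login alone therefore cannot move money, which is the protection the slide describes.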
Security alerts and email notifications are also important to set up as they:
Alert you when certain activity occurs such as new users being setup, password resets, updating of security questions and changing an email address.
In addition, clients can sign up for security-related email notifications for outgoing wire or ACH payments, wires pending approvals or ACH transactions pending release, or Positive Pay items available for decisioning.
On-line management gives you the ability to:
Decision items online
Pay or reject items
Add pay authorizations for any future transactions
Block all transactions against your checking accounts with a “Block-All”
Allow certain transactions within tolerances to be paid (originator, amounts, date range)
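The Block-All and pay-authorization model from the list above, written out as an added example (not KeyBank's filter implementation): every incoming ACH debit is rejected unless it matches a standing authorization on originator, amount tolerance and date range. The originator IDs, names, limits, dates and function names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PayAuthorization:
    """A standing pay authorization the client adds to its ACH filter (hypothetical model)."""
    originator_id: str   # ACH company ID of the party allowed to debit the account
    max_amount: Decimal  # dollar tolerance per debit
    start: date          # date range during which debits from this originator are allowed
    end: date


@dataclass(frozen=True)
class AchDebit:
    originator_id: str
    originator_name: str
    amount: Decimal
    settlement_date: date


# Constructed authorizations: a payroll processor and a utility, both for calendar 2013
AUTHORIZATIONS = [
    PayAuthorization("1234567890", Decimal("50000"), date(2013, 1, 1), date(2013, 12, 31)),
    PayAuthorization("9876543210", Decimal("2500"), date(2013, 1, 1), date(2013, 12, 31)),
]

# Constructed debits presented against the account
DEBITS = [
    AchDebit("1234567890", "Payroll Processor", Decimal("42000"), date(2013, 11, 8)),
    AchDebit("9876543210", "Electric Utility", Decimal("2499.99"), date(2013, 11, 8)),
    AchDebit("9876543210", "Electric Utility", Decimal("9000"), date(2013, 11, 8)),
    AchDebit("5555555555", "Unknown Merchant", Decimal("100"), date(2013, 11, 8)),
    AchDebit("1234567890", "Payroll Processor", Decimal("1000"), date(2014, 1, 15)),
]


def ach_debit_decision(debit: AchDebit, authorizations: List[PayAuthorization],
                       block_all: bool = True) -> Tuple[str, str]:
    """Pay a debit only if some authorization for its originator covers the settlement
    date and the amount; otherwise reject it, citing the closest failing rule."""
    partial: Optional[str] = None
    for auth in authorizations:
        if auth.originator_id != debit.originator_id:
            continue
        if not (auth.start <= debit.settlement_date <= auth.end):
            partial = partial or f"originator {debit.originator_id} authorized only {auth.start} to {auth.end}"
            continue
        if debit.amount > auth.max_amount:
            partial = partial or f"amount {debit.amount} exceeds tolerance {auth.max_amount}"
            continue
        return ("PAY", f"matches authorization for {debit.originator_id}")
    if partial:
        return ("REJECT", partial)
    if block_all:
        return ("REJECT", "no pay authorization on file (Block-All)")
    return ("PAY", "account not blocked and no filter rule applies")


def filter_batch(debits: List[AchDebit], authorizations: List[PayAuthorization],
                 block_all: bool = True) -> List[Tuple[str, str, str]]:
    """Decision and reason for each debit, in presentment order."""
    return [(d.originator_name, *ach_debit_decision(d, authorizations, block_all)) for d in debits]


if __name__ == "__main__":
    for name, decision, reason in filter_batch(DEBITS, AUTHORIZATIONS):
        print(f"{decision:7} {name:18} {reason}")
```

The last case (an authorized originator debiting after its date range expired) is the one worth noticing: an authorization for a vendor you no longer use should lapse rather than stay open indefinitely, which is what the date range on the slide provides.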
“There’s a way of transferring funds that is even faster than electronic banking. It’s called marriage.”
- author unknown