Payments fraud remains a persistent problem for banks and it grows more challenging as fraudsters get more sophisticated.
Some things never go out of fashion and one of them is fraud. Nowhere is this truer than in the finance industry. And why not? That’s where the money is after all. And this is why banks continue to invest heavily in fraud prevention programs.
One area that gets particular attention and investment is payments fraud prevention. That’s because as quickly as a threat is mitigated, new threats surface. According to a 2011 Association of Finance Professionals (AFP) survey, although there has been a “dramatic shift toward electronic B2B payments and the adoption of preventative techniques, payments fraud has remained persistent.” The AFP reported that checks were the payment format most frequently targeted for fraud, with 93 percent of attacked organizations reporting that checks were involved.
New complexities. While checks remain the favorite target of payment fraudsters, electronic and card payments have added complexity. Electronic and card payments present a new variety of ways to steal funds via corporate payment systems, such as false vendors and data breaches. And with the card industry growing and mobile banking on the verge of becoming an accepted way of doing treasury business, banks are keenly aware of these additional security threats.
The growth in ACH payments has been accompanied by security breaches, partly as a result of malware. Phishing schemes, in which fraudulent emails are sent to obtain confidential information or disrupt operations, are also prevalent. Your treasury staff may have experienced these phishing emails, which “pretend” to be generated by your bank or other financial institutions with which you do business. Theft or other criminal activity follows if the company unknowingly provides sensitive data in reply or downloads an application. This problem was the subject of a Wall Street Journal article in September entitled “What’s a Company’s Biggest Security Risk? You.” The article went on to note that most hacks these days are via employees, not some hole in the company’s firewall. And as if there isn’t enough to worry about, security vendors tend to believe that malware targeting mobile users will increase as the devices gain market visibility.
New ways in. New and related schemes, such as “vishing” (via telephone contact) and “smishing” (via texting to a mobile device), all shoot for the same result. “Spear phishing” targets top executives for information. We could benefit from a fraudster’s dictionary to keep the new terminology straight and to properly identify the particular breach in question. Essentially, the attackers need information and/or access in order to be successful.
What is being done proactively by our banking partners and other financial institutions trying to protect the payments field that we operate in? As mentioned, banks are continuing to spend investment dollars in this area but, as one banker admitted, often it is a defensive strategy against fraud attacks that have already happened. In other words, banks are more reactive: they wait to see how security is breached and then devise additional tools to protect against similar attacks. Fraudsters are adept at getting through existing protection measures, hence the evolution of positive pay to payee positive pay (when payee name was changed) and no post pay (protects against attempts to clear checks on non-checking accounts).
Challenge your banks. While the bank-offered fraud-prevention tools for paper checks, ACH, payment cards and even mobile apps are too numerous to list here, corporates should constantly talk to their banks to make sure they have the latest information on fraud practices and identify what other tools are available to them.
Additionally, treasury groups would benefit by enacting these internal policies within their organizations:
- All bank systems and applications should be accessed through an encrypted connection. Additionally, secure access mechanisms, such as smart cards and tokens, should be used to enhance security and provide additional authentication.
- Centrally manage all system users, and as they depart the company, immediately eliminate all of their IDs and access.
- Educate and train all personnel on fraud schemes, creating secure passwords and other fraud prevention measures backed up by policy and procedures. Raise awareness on how to identify and report suspected fraud, including a private communications channel for reporting internal suspicions of theft.
- Segregate bank accounts (controlled disbursement, receivables, wire transfers, ACH) for easier identification of issues and faster reconciliations.
- Segregate duties and approvals for all payment types.
- Centrally manage payment card program and have dedicated staff responsible.
- For paper checks, continue to move to electronic payments while having your bank print your checks for you.
- Look to outsource your payables operation if feasible.
- Challenge your banks and be ready to adjust and add to your tool set as security breaches arise to ensure your protection methods are not antiquated.
Payment systems are changing and so too are the types of threats that are surfacing. Multiple devices and payment methods, and on-the-go transactions, make the business of payment fraud protection much more challenging today in the electronic world we work in. Knowledge is the key, and with up-to-date information on fraudster practices, proper internal processes and the array of bank tools designed to fight fraud, you will find your firm on the winning side in the war against payments fraud.