For years, financial institutions have tried to implement different automated solutions, new policies and procedures, callbacks and additional security to mitigate fraud events such as account takeover, email compromise, vendor/employee impersonation and other scams. However, although financial institutions try to save Originators from themselves when those Originators lack resources or fraud awareness, it can be quite a challenge to watch for and identify fraud across many ACH or wire Originators of different shapes, sizes and complexity.
After the 2000s, and following the Federal Financial Institutions Examination Council’s (FFIEC’s) guidance on adding layers of security, fraud has primarily taken the form of scams that trick people into giving up login credentials, email compromise (either through a compromised system or spoofed emails) and social engineering that impersonates someone. Thus, fraudsters focus on ACH/wire Originators who may have limited resources, are too reliant on email for communications or are too trusting of any official-looking document handed to them to submit a new payment. What many Originators don’t realize is that with just a few tweaks to their office’s operations, they could easily block most fraudulent attempts.
Here are some tips and tricks for financial institutions to suggest to their Originators to help them reduce fraudulent payments:
- Reduce reliance on email. According to the FBI, Business Email Compromise (BEC) scams are one of the top fraud attack methods. It should be your internal policy to never act on email instructions alone and have a second verification process for those payment instructions. Even better, utilize secure or encrypted communication solutions instead of unencrypted or clear text email that fraudsters can easily intercept. Even if an encrypted email is used, still perform a second verification.
- Don’t believe internal email payment requests. Email spoofing of a company’s top executives is extremely common. Have a callback procedure in place for any emailed requests for payments.
- New receiver reviews. Most Originators are sending ACH or wire transfers repeatedly, as you’re paying the same employees and vendors again and again. Create a process where you scrutinize any brand-new account destinations of your payments and question how those payment instructions were obtained.
- Dual control. Limited staff may make it difficult for small organizations to implement dual control (one person entering payment details and another person approving them). Yet that second pair of eyes can not only question the legitimacy of a potentially fraudulent payment but also catch errors. Furthermore, having at least two people knowledgeable about processing payments can alleviate any issues caused by vacations, absences or departures from the company.
- Clean desk policy. No sticky notes with passwords on them and no notebooks full of passwords, ever, and anything confidential should be locked up and secure when you’re not at your desk. Such information could be stolen and used for fraud.
- Review your online platform and statement daily. Originators should log into their online platform repeatedly during the day to not only watch their real-time statement but also their cash management section to monitor originations that are pending or have been submitted.
- Strong credit/debit authorization process. Per the ACH Rules, written or similarly authenticated authorizations are required for debits, but it’s good practice to have a consistent authorization process for credits, too. For example, an HR department is less likely to fall victim to phony emails if signing a written form or logging into an HR system is required for any change to payroll account information. A strong process for obtaining account information creates a shield against the various scam attempts by fraudsters.
- Question sudden shifts in business. An example of this is if the receiver’s account information suddenly changes. When a business switches financial institutions, it’s a time-consuming process to move accounts and loans to another institution along with any logins. This isn’t something that happens suddenly. Furthermore, question any receiver’s payment instructions that are suddenly switched from domestic to international. This should be a major red flag.
- Never provide usernames, passwords, token/OoBA codes, card numbers or account numbers to anyone. Fraudsters try to send emails, website links or use the telephone to phish for information. Remind employees to protect their own information, as well as their company’s. That information is private for a reason; it must never be shared.
- Provide training and education. Financial institutions sending communications of security risks or scams to Originators on a regular basis would greatly help them out. If you’re an Originator who is interested in this type of communication, ask your financial institution if this is something they could offer.
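The "new receiver" and "sudden shift" checks above, together with the rule of never acting on email instructions alone, can be run as a pre-release screen over an outgoing batch. This is an added example, not code from the original article; the payee history, the batch and the field names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Payment:
    payee: str     # vendor or employee as known to the Originator
    routing: str   # routing number or foreign bank identifier
    account: str   # receiving account number
    country: str   # country of the receiving bank
    amount: float
    source: str    # how the instructions arrived: "portal", "signed_form" or "email"

# Constructed history of destinations previously paid, keyed by payee (hypothetical values).
HISTORY = {
    "Acme Supplies": {"routing": "011000015", "account": "123456789", "country": "US"},
    "J. Doe (payroll)": {"routing": "021000021", "account": "987654321", "country": "US"},
}

# Constructed outgoing batch: one routine payment and three that should be held.
SAMPLE_BATCH = [
    Payment("Acme Supplies", "011000015", "123456789", "US", 1200.00, "portal"),
    Payment("Acme Supplies", "011000015", "555555555", "US", 1200.00, "email"),
    Payment("NewCo Ltd", "BANKGB2L", "GB00000000", "GB", 48000.00, "email"),
    Payment("J. Doe (payroll)", "BANKDEFF", "DE00000000", "DE", 3100.00, "signed_form"),
]

def screen_payment(p: Payment, history: dict) -> list:
    """Return the reasons a payment should be held for callback verification (empty = none)."""
    flags = []
    prior = history.get(p.payee)
    if prior is None:
        flags.append("NEW_RECEIVER")             # never paid this payee before
    else:
        if (p.routing, p.account) != (prior["routing"], prior["account"]):
            flags.append("ACCOUNT_CHANGED")      # destination differs from the last payment
        if prior["country"] == "US" and p.country != "US":
            flags.append("DOMESTIC_TO_INTERNATIONAL")
    if p.source == "email":
        flags.append("EMAIL_ONLY_INSTRUCTIONS")  # email alone is never sufficient
    return flags

def held_payments(batch=SAMPLE_BATCH, history=HISTORY) -> dict:
    """Map batch index -> flags for every payment that needs a second verification."""
    held = {}
    for i, p in enumerate(batch):
        flags = screen_payment(p, history)
        if flags:
            held[i] = flags
    return held
```

Anything returned by held_payments() stays out of the release until the callback to a known-good number (not one taken from the emailed instructions) has been completed.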
What you see above are merely policy and procedure enhancements: with systems more locked down following the FFIEC’s guidance, fraudsters try to manipulate company structures and take advantage of blind spots in payment-processing procedures. However, guiding your Originators to improve their procedures could help reduce the incidence of fraud. Ensuring your Originators are well-informed on fraud could translate into major cost savings for your financial institution through fewer loss events, less time spent requesting that receiving institutions return funds and possibly even lower legal costs.