The Association for Financial Professionals’ 2018 Payments Fraud and Control Survey offers both comfort and concern for U.S. businesses. The good news is that corporate leaders have made fraud protection a priority, implementing controls and systems to keep their organizations and bank accounts safe.
The bad news? Despite this vigilance, 2017 was the worst year for business payment fraud on record, with a mind-boggling 78 percent of executives reporting that their organization had been hit.
North Shore Bank encourages large, mid-sized and small companies and organizations to consider these survey results a loud wake-up call. Payments fraud can and does happen every day, to companies of all sizes and across all industries. As fraudsters become more sophisticated and realize larger companies have implemented fraud-protection controls, they are now targeting more mid-sized and small businesses and nonprofit organizations that may not consider themselves potential victims because “it’s never happened before.”
Every company can benefit from taking proactive steps to mitigate risk and protect itself from fraud.
Here are some best practices that are well worth the investment of time and money.
Protect your checks with Positive Pay. It’s an all-too-common scenario – a company writes a check to a vendor for $500, but the check is stolen by a fraudster who adds a zero and tries to cash it for $5,000. U.S. businesses fall victim to check fraud more than any other type of fraud, with three out of four AFP survey respondents saying their company’s check payments to employees, suppliers or others had been targeted.
With Positive Pay, your bank can check the account number, check number and dollar amount of each check presented for payment against a list of actual checks authorized and issued by your company, stopping check fraud in its tracks.
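The matching step described above can be sketched in a few lines. This is an added illustration, not North Shore Bank's or any vendor's implementation; the record layout, function name and sample data are assumptions, and the duplicate-presentment check goes one step beyond what the article describes.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    account: str     # account number printed on the check
    number: str      # check serial number
    amount: Decimal  # dollar amount


def review_presented(issued, presented):
    """Compare presented checks with the company's issue file.

    Returns one (decision, reason) tuple per presented check, in order.
    Anything that does not match exactly becomes an exception for the
    company to approve or return instead of being paid automatically.
    """
    register = {(c.account, c.number): c.amount for c in issued}
    paid = set()  # checks already paid in this run
    results = []
    for item in presented:
        key = (item.account, item.number)
        if key not in register:
            results.append(("EXCEPTION", "not on issue file"))
        elif key in paid:
            results.append(("EXCEPTION", "duplicate presentment"))
        elif register[key] != item.amount:
            results.append(("EXCEPTION",
                            f"amount mismatch: issued {register[key]}, "
                            f"presented {item.amount}"))
        else:
            paid.add(key)
            results.append(("PAY", "matches issue file"))
    return results


# Constructed sample data: check 1001 was written for $500 and altered to $5,000.
ISSUED = [Check("000123456", "1001", Decimal("500.00")),
          Check("000123456", "1002", Decimal("1250.75"))]
PRESENTED = [Check("000123456", "1001", Decimal("5000.00")),  # altered amount
             Check("000123456", "1002", Decimal("1250.75")),  # legitimate
             Check("000123456", "1002", Decimal("1250.75")),  # presented twice
             Check("000123456", "1999", Decimal("300.00"))]   # never issued

if __name__ == "__main__":
    for item, (decision, reason) in zip(PRESENTED,
                                        review_presented(ISSUED, PRESENTED)):
        print(item.number, item.amount, decision, reason)
```

Amounts are held as `Decimal` rather than floating point so that a comparison of dollar values is exact.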
Extend Positive Pay protection to ACH debit transactions, too. As more and more businesses use ACH debit transactions to pay utility bills, supply costs, tax payments, loan payments and other recurring costs, the ACH debit filter piece of Positive Pay is critical. This service lets your company filter in trusted vendors and partners who are authorized to debit your business electronically. If someone tries to pull a payment electronically and they are not on the authorized list, Positive Pay sends an alert and asks you to authorize or deny the debit transaction.
Many companies don’t realize that “Regulation E,” the Federal Reserve regulation that outlines rules and procedures for electronic fund transfers, does not protect business users – only consumers. Where a consumer usually has 45 to 60 days to report suspicious or fraudulent activity, businesses only have 24 hours to act on certain ACH payment types before it becomes a loss. Protecting debit transactions is critical for any business, big or small.
Lock account access with stronger authentication requirements. The American Bankers Association recommends that businesses use restricted computers or networks to access payment tools like online banking or bill pay. Even then, it should take more than a six-character password with a mix of upper- and lower-case letters, a number and a symbol to access your business bank accounts. Services like out-of-band authentication or security tokens – where a one-time, secure password is sent to you by text or via a special pager-like digital token or key fob – help thwart fraudsters because they use a 3G or 4G wireless network in addition to the internet. Also, that special authentication is required at the time a user authorizes a payment, not just at login, providing an extra layer of protection against “man in the middle” attacks where a fraudster essentially takes over an internet payment session without the user’s knowledge.
Stay vigilant by reconciling accounts daily. According to the 2017 AFP Fraud Survey, 60 percent of companies reconcile accounts daily to identify and return unauthorized debits. Daily vs. monthly reconciliation may be a bigger drain on staff time, but the sooner you can find any fraudulent or unauthorized transaction and report it to your financial institution, the more likely your business is to reduce the risk of loss.
Keep a close eye on email to protect your company’s data systems: That email from the CEO may not really be from the CEO. Today’s fraudsters are shifting their focus to accounts payable departments, researching company executives and then sending emails that look like they’re from the CEO or CFO directing a payment or wire transfer. If a payment request seems unusual for any reason, or the email address seems to be altered at all, double-check before making a move.
Not all of these steps are new ideas; for example, Positive Pay has been in existence (but underused) for decades. But as payment fraud reaches record levels, it’s time for companies and organizations to take a fresh look at how they can protect themselves. Anyone can be a victim of fraud – ask your bank how it can help protect you and your business.