
CAPITAL PERSPECTIVES
DECEMBER 2012
MITIGATING PAYMENT FRAUD RISK: IT’S A WAR ON TWO FRONTS
Payment fraud continues to be one of the biggest risk management
challenges facing corporate treasury managers today. What
makes it so daunting is that businesses must battle payment
fraud on two fronts. Criminals continue to attack business bank
accounts by targeting paper checks for fraud — as they have for
years — but now, increasingly, they are also looking to initiate
fraudulent electronic payments.
Much of what you read these days about payment fraud relates to
the emergence of technically sophisticated online banking scams.
The rise of such crime is clearly of great concern. But industry
research reveals that check fraud, a longtime nemesis, remains
the top payment fraud threat.
According to the 2012 AFP Payments Fraud and Control Survey
conducted by the Association for Financial Professionals (AFP),
two-thirds of organizations experienced attempted or actual
payments fraud in 2011. AFP reports that checks continued to be
the dominant payment form targeted by fraudsters, with 85% of
affected organizations reporting check fraud attempts.
Meanwhile, fewer than one-quarter of respondents said they
were subjected to attempts at Automated Clearing House (ACH)
debit fraud (23%), commercial card fraud (20%) or wire transfer
fraud (5%), although the potential losses are greater for these
electronic methods.
The typical financial loss due to payment fraud in 2011 was
$19,200, according to the AFP.
In its survey results analysis, the association framed the challenge
for corporate treasury managers: “The vulnerability of all payment
methods — especially checks — to fraud from external and
internal sources demands a range of fraud-fighting tools and the
constant vigilance of those financial and treasury professionals
responsible for protecting the assets of their organizations.”
One factor that can contribute to successful payment fraud is the
mistaken belief by some corporate treasury managers that banks
will necessarily bear liability for fraud losses. When one doesn’t
fear fraud losses, prevention steps don’t seem so critical. But as
this report will discuss, the notion that businesses can never be
liable is simply not true. These days, both banks and their business
clients share responsibility for taking appropriate steps to mitigate
fraud risk, and any failure on the part of a business to take such
steps can lead to it bearing liability for fraud losses.
Prevention efforts then become critical. With that in mind,
this report will offer several important suggestions, tips and best
practices — as well as describe a variety of bank products and
solutions — all aimed at helping businesses protect themselves
against fraud attempts, minimize liability and reduce the
potential for incurring payment fraud losses.
CHECK FRAUD — TAKING ON THE TOP THREAT
Check fraud has been around for a long time. However, in
recent years criminals have become more prolific. The advent of
inexpensive desktop publishing equipment has assisted in their
ability to create incredibly authentic-looking counterfeit checks.
In 2011, AFP’s fraud survey reported on the prevalence of
different methods of check fraud. Counterfeit checks using
an organization’s MICR line data were the most common method
cited. Other popular forms of check fraud were payee name
alteration on checks issued; dollar amount alteration on checks
issued; and loss, theft or counterfeit of employee paychecks.
CHECK FRAUD LIABILITY
The Uniform Commercial Code (UCC) is the legal basis for
determining liability in cases of check fraud losses. Revisions to
the UCC in 1990 increased corporate responsibilities in check
fraud loss situations while softening the burden for banks.
The concept of “ordinary care” in the UCC requires corporate
account holders to follow “reasonable commercial standards”
to prevent check fraud. Another UCC principle, “comparative
fault,” says banks and corporate account holders can share in the
responsibility for a loss based on the extent to which each party’s
failure to meet these standards contributed to the loss.
The potential for corporate liability in check fraud loss situations
was recently confirmed in a legal case, Cincinnati Insurance
Company v. Wachovia Bank. In July 2010, Wachovia won its
lawsuit against a business customer’s insurance company after
the customer failed to implement the bank’s positive pay service.
Products and services offered by the Capital One family of companies, including Capital One, N.A., Member FDIC.
©2012 Capital One. Capital One is a federally registered service mark. All rights reserved.
Positive pay is a reconciliation service in which a bank compares
the check issuance information its client provides — essentially, the
client’s electronic check register — against those checks that are
presented for payment to the bank. Through this matching process,
the bank identifies potentially fraudulent items. Wachovia had
reportedly recommended that its customer use positive pay, but the
customer declined and suffered a $150,000 check fraud loss.
A court determined that the customer was liable due to its deposit
agreement with Wachovia. The agreement included a conditional
release of Wachovia’s liability if the customer failed to use the
bank’s products designed to detect or deter check fraud.*
Additionally, we recommend that businesses adhere to the
following check fraud prevention best practices:
• Segregate disbursement duties — don’t have the people who issue checks at your business also assume responsibility for reconciling corporate checking accounts
• Maintain strong internal controls over check printing and check stock
• Destroy unused checks from closed accounts immediately and thoroughly
• Use highly secure check stock with multiple security features, including overt features such as watermarks and warning bands, and covert features such as microprinting and multi-chemical sensitivity
A case summary and the court order can be found online at
www.safechecks.com/services/fraudprevention.html
BANK SERVICES THAT COMBAT CHECK FRAUD
Positive pay, the bank service at the heart of the above court
case, is generally considered the most effective check fraud
deterrent available.
In addition to standard positive pay services, many banks offer
a “positive payee” service enhancement to help fight the payee
name alteration form of check fraud. Positive payee requires
businesses to include payee name information in the check
issuance files they regularly send to their banks. In that way, the
bank can red-flag checks presented for payment that have the
correct dollar amount, account number and serial number, but a
different payee name from the one reported in the client’s positive
pay check issuance file.
The bank refers items that have been red-flagged by positive pay
and enhanced positive payee services to its business client. The
client can then investigate to determine if the item is legitimate and
whether or not it wants to direct the bank to pay it.
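To make the matching concrete, here is an added Python example (written for this page, not a Capital One or other bank product) that reconciles a constructed check issuance file against constructed presented items. Field names, account and serial numbers, amounts and payee names are all assumptions. Exceptions are referred back to the client as described above, and the `check_payee` switch shows that without the positive payee enhancement an altered payee name passes.

```python
"""Positive pay with positive payee matching.

Constructed example for illustration only; not Capital One's or any bank's
implementation. The record layout (account, serial, amount in cents, payee)
is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CheckItem:
    account: str
    serial: str
    amount_cents: int
    payee: str


# Constructed issuance file: the client's electronic check register.
ISSUED = [
    CheckItem("1001", "5001", 125_000, "ACME SUPPLY CO"),
    CheckItem("1001", "5002", 43_075, "JANE DOE"),
    CheckItem("1001", "5003", 990_000, "NORTHWIND LLC"),
]

# Constructed items presented for payment: one clean match, an altered
# amount, an altered payee, a serial never issued, and a second presentment
# of an already-paid serial.
PRESENTED = [
    CheckItem("1001", "5001", 125_000, "ACME SUPPLY CO"),
    CheckItem("1001", "5002", 430_750, "JANE DOE"),
    CheckItem("1001", "5003", 990_000, "NORTHWIND LTD"),
    CheckItem("1001", "5009", 250_000, "CASH"),
    CheckItem("1001", "5001", 125_000, "ACME SUPPLY CO"),
]


def normalize_payee(name):
    """Collapse case, punctuation and spacing so a benign formatting
    difference (e.g. 'Acme Supply, Co.') does not create a false exception."""
    letters = "".join(ch for ch in name.upper() if ch.isalnum() or ch.isspace())
    return " ".join(letters.split())


def positive_pay(issued, presented, check_payee=True):
    """Return (paid, exceptions); each exception is (item, reason).

    Exceptions are referred to the client, who decides whether to pay or
    return the item. With check_payee=False this behaves like standard
    positive pay and does not catch payee name alteration.
    """
    register = {(c.account, c.serial): c for c in issued}
    already_paid = set()
    paid, exceptions = [], []
    for item in presented:
        key = (item.account, item.serial)
        if key in already_paid:
            exceptions.append((item, "duplicate presentment"))
            continue
        issued_item = register.get(key)
        if issued_item is None:
            exceptions.append((item, "no matching issuance record"))
            continue
        if issued_item.amount_cents != item.amount_cents:
            exceptions.append((item, "amount mismatch"))
            continue
        if check_payee and normalize_payee(issued_item.payee) != normalize_payee(item.payee):
            exceptions.append((item, "payee name mismatch"))
            continue
        already_paid.add(key)
        paid.append(item)
    return paid, exceptions


if __name__ == "__main__":
    _, flagged = positive_pay(ISSUED, PRESENTED)
    for item, reason in flagged:
        print(f"serial {item.serial}: {reason} -> refer to client")
```

Running it with the constructed data pays one item and refers four; rerunning with `check_payee=False` lets the altered-payee check through, which is the gap the positive payee enhancement closes.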
Other helpful bank services that businesses can use to reduce
exposure to check fraud and monitor for fraud attempts include:
• Account reconciliation
• Balance reporting
• “Post no checks” restrictions on depository accounts
• Credit- and debit-only restrictions on accounts
• Check image services
ADDRESSING LOW-TECH ACH FRAUD
ACH fraud can occur in a couple of different forms. One is the kind
of low-tech ACH fraud that has been around for years. In this form,
ACH fraud can begin when a criminal gets hold of one of your
company’s checks.
A criminal can use the routing and bank account numbers on a
stolen check to order goods either online or by phone and have
funds for those purchases debited from your account. In other
cases, a disgruntled or dishonest employee can use the MICR line
information on a paycheck to initiate a fraudulent ACH debit.
To protect your organization against ACH fraud of this nature,
you must operate within the return window established by
NACHA — the Electronic Payments Association. NACHA rules
stipulate that you have only 24 hours to contact your bank to
dispute a fraudulent ACH debit. Failure to initiate a dispute within
the 24-hour window shifts all liability for fraud losses to the
corporate account holder.
Banks offer several solutions to support ACH fraud prevention
efforts:
• ACH debit blocks, which allow you to tell your bank to reject any ACH debits against a particular account or accounts.
• ACH debit filters, which enable you to establish criteria for which ACH debits to your account your bank should accept. You can set general parameters — for instance, establish dollar limits for single transactions or provide a list of acceptable payees. Or you can give the bank detailed criteria for each authorized payment, such as the approved payee name, exact dollar amount and payment initiation date. Such detailed filtering is sometimes referred to as “ACH positive pay.”
• Credit- and debit-only account restrictions are also becoming commonplace in an effort to combat electronic payment fraud. Banks are recommending that commercial clients have separate accounts for paper payments (checks) and for electronic payments.
*Information on this case prepared by Frank Abagnale of Abagnale & Associates and Greg Litster of SafeChecks.
Further, segregating electronic payments is also becoming more
prevalent, with banks recommending that commercial clients
have credit- and debit-only ACH accounts to further combat
the increasing fraud in the electronic payment space. When a
paper-only account receives an electronic debit or credit, the
payment automatically rejects since the account is set up for paper
items only. The same holds true on the electronic payment-only
accounts. If an ACH debit were initiated on a credit-only account,
the payment would reject.
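The following added Python example (not any bank's product; account labels, originator identifiers and the rule structure are assumptions) models the controls above as one ordered decision: the paper-only and credit-only account restrictions, the debit block, and the debit filter in both its general form (dollar limit and approved originators) and its detailed “ACH positive pay” form. It also computes the dispute deadline from a posting time using the 24-hour window the report cites.

```python
"""Layered ACH debit controls.

Constructed example, not any bank's product. Account labels, originator
identification numbers and the rule ordering are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass
class AchAccount:
    number: str
    channel: str                          # "paper" or "electronic" (assumed labels)
    direction: Optional[str] = None       # None, "credit-only" or "debit-only"
    debit_block: bool = False             # reject every ACH debit
    max_debit_cents: Optional[int] = None # general filter: single-transaction limit
    allowed_originators: set = field(default_factory=set)  # general filter: approved payees
    # Detailed filter ("ACH positive pay"): (originator, exact amount, initiation date)
    authorized: set = field(default_factory=set)


@dataclass
class AchEntry:
    account: str
    kind: str            # "credit" or "debit"
    originator: str      # originating company identification (assumed field)
    amount_cents: int
    initiated: date


def evaluate(account, entry):
    """Return 'accept' or a reject reason, coarsest control first."""
    if account.channel == "paper":
        return "reject: paper-only account"
    if account.direction == "credit-only" and entry.kind == "debit":
        return "reject: credit-only account"
    if account.direction == "debit-only" and entry.kind == "credit":
        return "reject: debit-only account"
    if entry.kind == "credit":
        return "accept"                   # the filters below apply to debits only
    if account.debit_block:
        return "reject: debit block"
    if account.authorized:                # detailed criteria take precedence
        if (entry.originator, entry.amount_cents, entry.initiated) in account.authorized:
            return "accept"
        return "reject: not in authorized list"
    if account.max_debit_cents is not None and entry.amount_cents > account.max_debit_cents:
        return "reject: exceeds debit limit"
    if account.allowed_originators and entry.originator not in account.allowed_originators:
        return "reject: originator not approved"
    return "accept"


def dispute_deadline(posted_at):
    """Latest time to notify the bank, using the 24-hour window the report cites."""
    return posted_at + timedelta(hours=24)


# Constructed accounts and a day's worth of constructed entries.
ACCOUNTS = {
    "OPS-PAPER": AchAccount("OPS-PAPER", "paper"),
    "RECEIPTS": AchAccount("RECEIPTS", "electronic", direction="credit-only"),
    "LOCKED": AchAccount("LOCKED", "electronic", debit_block=True),
    "VENDOR": AchAccount("VENDOR", "electronic", max_debit_cents=500_000,
                         allowed_originators={"1234567890"}),
    "UTILITY": AchAccount("UTILITY", "electronic",
                          authorized={("9876543210", 120_055, date(2012, 12, 3))}),
}
D = date(2012, 12, 3)
SAMPLE_ENTRIES = [
    AchEntry("OPS-PAPER", "debit", "1234567890", 1_000, D),
    AchEntry("RECEIPTS", "debit", "1234567890", 1_000, D),
    AchEntry("RECEIPTS", "credit", "1234567890", 1_000, D),
    AchEntry("LOCKED", "debit", "1234567890", 1_000, D),
    AchEntry("VENDOR", "debit", "1234567890", 250_000, D),
    AchEntry("VENDOR", "debit", "1234567890", 750_000, D),
    AchEntry("VENDOR", "debit", "5555555555", 1_000, D),
    AchEntry("UTILITY", "debit", "9876543210", 120_055, D),
    AchEntry("UTILITY", "debit", "9876543210", 120_056, D),
]
POSTED_AT = datetime(2012, 12, 3, 9, 0)


def run_samples():
    """Evaluate every constructed entry against its account."""
    return [evaluate(ACCOUNTS[e.account], e) for e in SAMPLE_ENTRIES]


if __name__ == "__main__":
    for entry, verdict in zip(SAMPLE_ENTRIES, run_samples()):
        print(f"{entry.account:10} {entry.kind:6} {entry.amount_cents:>8}  {verdict}")
    print("dispute by:", dispute_deadline(POSTED_AT).isoformat())
```

The ordering matters: the account-type restrictions reject before any filter is consulted, so a paper-only account never needs a debit filter at all, and a detailed authorization list, when present, replaces the looser limit-and-payee rules rather than supplementing them.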
ONLINE BANKING FRAUD TAKES CENTER STAGE
In recent years, a new type of ACH fraud threat has emerged as
criminals try to take advantage of the corporate world’s adoption of
efficient online banking.
New online banking scams are being introduced almost daily. One
of the earliest was “phishing.” In a phishing attack, a corporate
treasury professional receives an e-mail from what appears to be
a well-known, trusted business such as a bank. Often the e-mail
will ask you to open an attachment or click on a link and go to
what appears to be a legitimate, branded business website, but in
actuality is a counterfeit site.
Once you have been lured to the counterfeit site, you are asked
to divulge information such as bank account numbers and
online banking credentials, including log-in user names and PIN
passwords. With this information in hand, fraudsters can steal from
your company’s accounts.
When phishing, scam artists often send out thousands of e-mails
at a time, hoping for a few nibbles from unsuspecting victims. But
financial managers also need to beware of more targeted attacks.
One type is called “reverse phishing.”
A reverse phishing attack typically begins when you receive an
e-mail falsely purporting to be from one of your vendors. Rather
than asking you for online banking credentials, the e-mailer
requests that you alter existing information such as payment
instructions. For instance, you might be asked to redirect an
electronic trade payment to a different bank account.
If you comply, you may not realize you have been scammed until
weeks later when the actual vendor telephones your company to
ask why you haven’t paid his invoice.
CORPORATE ACCOUNT TAKEOVERS
Many fraudsters today try to trick their victims into installing
malicious, credential-stealing software known as “malware” on
their PCs. In a typical scam, a financial manager receives an
e-mail falsely purporting to be from a credible source such as
the Better Business Bureau. The recipient is directed to view a
document by opening an attachment or clicking on a link, which
installs malware on his computer.
The malware later alerts the fraudster when the victim visits an
online banking site, and the criminal employs keystroke logging
which captures the victim’s log-in and security credentials. The
attacker can then take control of the victim’s online banking
sessions and use the stolen credentials to initiate fraudulent ACH
or wire transactions.
As with our earlier discussion about check fraud liability, treasury
professionals are wrong to assume that banks will be liable for
losses when fraudsters access bank accounts by compromising an
online banking platform. The fact is that businesses are responsible
for protecting their computers against these sorts of attacks.
Businesses need to implement appropriate software protection and
best practices for preventing fraud, such as segregation of duties
and dual control on electronic payment approvals.
Liability is typically outlined in the online services agreement with your
bank. However, in general, companies are liable for payment fraud
losses if they occur because of a failure to protect their systems.
A MULTILAYERED APPROACH TO FRAUD PREVENTION
There is no single solution or practice that will ensure the prevention
of payment fraud. Businesses need to take a multilayered approach
that uses a combination of best practices and bank services
designed to mitigate fraud risk.
An important best practice for protecting online payment and
account data is dual control. Here’s what NACHA recommends in
its “Sound Business Practices for Companies to Mitigate Corporate
Account Takeover” white paper, which you can find in the Corporate
Account Takeover Resource Center at the NACHA website
(www.nacha.org):
“Initiate payments under dual control, with assigned responsibility
for transaction origination and authorization. Dual control involves file
creation by one employee with file approval and release by another
employee on a different computer. Or, require dual use of tokens
where a single employee creates a file, but can only release the same
file by logging in a second time using a new pass code on the token.”
Other best practices include:
• Allowing no Internet browsing or e-mail exchange on computers used for online banking transactions
• Deleting online user IDs as part of the exit procedure when employees leave your company
• Establishing transaction limits for employees who initiate and approve online payments
• Using templates to lock in beneficiary and recipient information
• Using appropriate multifactor authentication tools offered by your bank, such as tokens, or out-of-band options like telephone applications
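The dual-control rule quoted from NACHA and the transaction-limit practice listed above can be expressed as a small release workflow. This is an added Python example, not NACHA's or any bank's software; user names, workstation identifiers and the per-user limits are constructed.

```python
"""Dual control for electronic payment file release.

Constructed example, not NACHA's or any bank's software. User names,
workstation ids and limits are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


class ControlViolation(Exception):
    """Raised when a payment action would violate dual control or a limit."""


@dataclass
class PaymentFile:
    file_id: str
    total_cents: int
    created_by: str
    created_on: str                 # workstation the file was created on
    approved_by: Optional[str] = None
    state: str = "created"          # created -> approved -> released


# Constructed per-user limits in cents: (origination limit, approval limit).
USER_LIMITS = {
    "alice": (5_000_000, 0),        # may originate up to $50,000, may not approve
    "bob": (0, 5_000_000),          # may approve up to $50,000, may not originate
    "carol": (2_000_000, 2_000_000),
}


def create_file(file_id, total_cents, user, workstation):
    """Origination by one employee, within that employee's origination limit."""
    origin_limit, _ = USER_LIMITS.get(user, (0, 0))
    if total_cents > origin_limit:
        raise ControlViolation(f"{user} exceeds origination limit")
    return PaymentFile(file_id, total_cents, user, workstation)


def approve_file(pf, user, workstation):
    """Approval by a different employee on a different computer, within limit."""
    if pf.state != "created":
        raise ControlViolation("file is not awaiting approval")
    if user == pf.created_by:
        raise ControlViolation("creator may not approve own file")
    if workstation == pf.created_on:
        raise ControlViolation("approval must come from a different computer")
    _, approve_limit = USER_LIMITS.get(user, (0, 0))
    if pf.total_cents > approve_limit:
        raise ControlViolation(f"{user} exceeds approval limit")
    pf.approved_by, pf.state = user, "approved"
    return pf


def release_file(pf):
    """Release to the bank only after a separate approver has signed off."""
    if pf.state != "approved" or pf.approved_by in (None, pf.created_by):
        raise ControlViolation("release requires approval by a second employee")
    pf.state = "released"
    return pf
```

Keeping the state on the file rather than in the caller's head is the point: a stolen set of credentials for one employee can create a file or approve one, but cannot do both, and cannot release anything that has not passed through the second person on a second machine.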
MORE BEST PRACTICES FOR ONLINE BANKING SECURITY
Some additional steps you can take to prevent criminals from
accessing your computers and confidential data are:
• Use strong, complex passwords
• Change your passwords regularly and use a different password for each website you access
• Never reveal your confidential login ID, password, PIN or answers to security questions to anyone
• Never share your security token, and immediately report lost or stolen tokens
• Never bank online using computers at kiosks, cafes or anywhere in which the computer or wireless network is unsecured
CARDS ARE TARGETS, TOO
Some 87% of respondents to the AFP’s 2012 payment fraud
survey reported that their organizations use commercial cards for
business-to-business payments, and cards are another form of
electronic payment subject to fraud. In fact, of those respondents
reporting that they experienced attempted or actual fraud related
to B2B card transactions in 2011, 55% said it resulted from the
use of their own commercial cards.
About two-thirds of those companies (65%) reported experiencing
commercial card fraud at the hands of an unknown external party.
One common card fraud scam is “vishing.” A cardholder receives
a call from someone who has the cardholder’s card number and
pretends to be reporting a fraudulent transaction when asking for
the cardholder’s CVV2 code over the phone. With the card number
and code, the criminal can successfully make unauthorized
purchases by phone and online.
Meanwhile, nearly two out of five organizations (38%) in the AFP
survey said they were subject to fraud perpetrated by their own
employees. For instance, an employee might use his commercial
card for a non-business-related purchase.
Interestingly, respondents said their organizations were liable for
card fraud losses 34% of the time — equally as often as the card-issuing
bank and significantly more often than the merchant (22%).
The key to curtailing card fraud and related losses? “Organizations
need to continue to use the card controls available to them in
managing how, when and where employees (and criminals) can
use their cards,” the AFP suggests in its survey results analysis.
ESTABLISH CARD SPENDING RESTRICTIONS
One of the best ways to assert such control is by imposing
spending restrictions on individual cardholders. Most banks allow
you to establish a variety of such limits. For instance, a commercial
card program administrator might tell the bank that a particular
cardholder can spend no more than $500 per transaction. Or the
administrator could dictate that the cardholder spend no more
than a certain amount each day or each month. If the cardholder
tries to exceed the restriction, the transaction will be declined.
To minimize unauthorized purchases, a card program administrator
can also use merchant category codes to establish that a card
can only be used at certain types of businesses. For example, the
administrator might dictate that a particular employee who never
travels for business not be able to use his card at hotels.
Merchant restrictions can also help in cases of unknown external
party fraud. In cases where a card or card number is stolen and
the card has such restrictions, the thief will only be able to make
purchases from merchants in approved categories.
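As an added Python example (not any card issuer's authorization system; the cardholder profile, limits and transaction sequence are constructed), the code below applies per-transaction, daily and monthly limits together with merchant category restrictions to a series of authorization requests for an employee who does not travel. The MCC values 7011 (lodging), 4511 (airlines), 5812 (restaurants) and 5943 (office supply stores) are standard merchant category codes, used here only to label the sample merchants.

```python
"""Commercial card spending controls.

Constructed example, not any issuer's authorization system. The profile,
limits and request sequence are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class CardProfile:
    cardholder: str
    per_txn_cents: Optional[int] = None
    daily_cents: Optional[int] = None
    monthly_cents: Optional[int] = None
    allowed_mccs: Optional[frozenset] = None   # None means any merchant category
    blocked_mccs: frozenset = frozenset()


@dataclass
class Auth:
    when: datetime
    amount_cents: int
    mcc: str
    approved: bool
    reason: str


def spent(history, when, same_month=False):
    """Sum approved spend on the same calendar day (or month) as `when`."""
    total = 0
    for a in history:
        if not a.approved:
            continue
        same = (a.when.year, a.when.month) == (when.year, when.month)
        if not same_month:
            same = same and a.when.day == when.day
        if same:
            total += a.amount_cents
    return total


def authorize(profile, history, when, amount_cents, mcc):
    """Decide one request against the profile; declines are recorded but not counted."""
    reason = "approved"
    if mcc in profile.blocked_mccs or (
        profile.allowed_mccs is not None and mcc not in profile.allowed_mccs
    ):
        reason = "declined: merchant category not permitted"
    elif profile.per_txn_cents is not None and amount_cents > profile.per_txn_cents:
        reason = "declined: exceeds per-transaction limit"
    elif profile.daily_cents is not None and spent(history, when) + amount_cents > profile.daily_cents:
        reason = "declined: exceeds daily limit"
    elif profile.monthly_cents is not None and spent(history, when, True) + amount_cents > profile.monthly_cents:
        reason = "declined: exceeds monthly limit"
    auth = Auth(when, amount_cents, mcc, reason == "approved", reason)
    history.append(auth)
    return auth


# Constructed profile: office-based employee, $500 per transaction,
# $1,000 per day, $3,000 per month, no hotels or airlines.
CLERK = CardProfile("office clerk", per_txn_cents=50_000, daily_cents=100_000,
                    monthly_cents=300_000, blocked_mccs=frozenset({"7011", "4511"}))

# Constructed authorization requests, in order: (time, amount in cents, MCC).
REQUESTS = [
    (datetime(2012, 12, 3, 10, 0), 30_000, "5943"),   # office supplies
    (datetime(2012, 12, 3, 11, 0), 60_000, "5943"),   # over $500 per transaction
    (datetime(2012, 12, 3, 12, 0), 45_000, "7011"),   # hotel, blocked category
    (datetime(2012, 12, 3, 13, 0), 45_000, "5943"),   # day total becomes $750
    (datetime(2012, 12, 3, 14, 0), 30_000, "5812"),   # would exceed $1,000 for the day
    (datetime(2012, 12, 4, 9, 0), 50_000, "5943"),
    (datetime(2012, 12, 5, 9, 0), 50_000, "5943"),
    (datetime(2012, 12, 6, 9, 0), 50_000, "5943"),
    (datetime(2012, 12, 7, 9, 0), 50_000, "5943"),    # month total becomes $2,750
    (datetime(2012, 12, 8, 9, 0), 50_000, "5943"),    # would exceed $3,000 for the month
    (datetime(2012, 12, 9, 9, 0), 25_000, "5943"),    # lands exactly on the monthly cap
]


def simulate(profile=CLERK, requests=REQUESTS):
    """Run the requests in order; return the decision reasons and the history."""
    history = []
    reasons = [authorize(profile, history, *req).reason for req in requests]
    return reasons, history


if __name__ == "__main__":
    for req, reason in zip(REQUESTS, simulate()[0]):
        print(req[0].date(), req[2], f"{req[1] / 100:8.2f}", reason)
```

Declined requests stay in the history so an administrator's report can show the attempts, but only approved amounts count toward the daily and monthly windows, so a run of declines cannot lock a legitimate cardholder out.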
MONITOR CARD SPENDING ONLINE
Treasury managers and card program administrators can also
use online reporting tools to monitor employee card spending and
detect fraud.
Using such an online tool, a program administrator can establish
and alter spending limits for individual cardholders, and issue and
cancel cards, all in real time.
Online card management tools also typically allow administrators
to generate reports on spending activity by cardholder. They
don’t have to wait until they receive a monthly statement to note
cases where employees have made unauthorized purchases or
purchases that don’t comply with company spending policies.
TIPS TO AVOID PHISHING, SPYWARE AND MALWARE
• Don’t open e-mail from unknown sources
• Never respond to a suspicious e-mail or click on any hyperlink embedded in a suspicious e-mail
• Educate your staff about current scams and loss-prevention steps
• Make sure all of the computers your staff members use for work-related business — at the office and at home — have the latest versions and patches of both anti-virus and anti-spyware software
• Update important patches from systems such as Internet Explorer and Adobe Reader that include security fixes
KEYS TO CURBING PAYMENT FRAUD
In this report, we have looked at how fraudsters are targeting
both paper and electronic payment methods, and we suggested
practices and bank services that treasury managers can use to
thwart such activity. That’s the two-front war on fraud that treasury
professionals face. However, when you analyze recent fraud
activity, it’s clear that protecting checks must remain a major focus
of payment fraud prevention.
In fact, according to the AFP, eliminating checks — and replacing
them with electronic funds transfers — continues to be the single
best way for organizations to combat fraud.
Still, with more criminals eyeing electronic transactions, treasury
managers must also be vigilant in protecting account access
from hackers, the association notes.
Other keys to effectively managing payment fraud risk and
reducing liability include becoming educated about the wide
range of threats, learning about and adhering to best practices for
managing fraud risk (like positive pay and dual control), and taking
full advantage of the protections that banks offer.
Capital One Bank is well positioned with information and products
to help business clients protect their payments from fraud. To learn
more, contact your Capital One Bank relationship manager
or Treasury Management advisor.
Capital Perspectives is for informational purposes only, does not constitute the rendering of legal, accounting or other professional services by Capital One, N.A., or any of its subsidiaries or
affiliates, and is given without any warranty whatsoever.