PACIFIC
MERCANTILE
BANK
WHITE PAPER: PAYMENT FRAUD
PROTECTING YOUR BOTTOM LINE
BEST PRACTICES FOR PROTECTING AGAINST PAYMENT FRAUD
By Paul Happach, Vice President, e-Channel Product Manager, Pacific Mercantile Bank
Are you spending too much of your valuable time worrying about fraud hitting your
business? Or, worse, not enough time? New technologies in payments have made
payment fraud a moving target. But surprisingly, in spite of evolving payment
technologies and consistent declines in the use of checks, paper checks remain the
single largest source of payment fraud.
Fortunately, you can put best practices and fraud protection tools in place to
minimize the impact of payment fraud on your business. This paper examines the
trends in payment fraud, the types of fraud that businesses are exposed to, and the
practices and services that can be implemented to greatly reduce the likelihood that
your business will fall victim.
TRENDS IN PAYMENT FRAUD
BUSINESSES REPORTING PAYMENT FRAUD
The 2016 Payments Fraud and Control Survey by
the Association for Financial Professionals (AFP)
found that 73% of companies surveyed reported
that in 2015 they were victims of payment fraud.
Almost two-thirds of these businesses reported that
they incurred some cost resulting from the fraudulent
activity, with 16% reporting costs over $25,000.
35%
No Cost
73%
25% incurred cost
under $25,000
Experienced
Fraud
16% incurred cost
over $25,000
PERCENTAGE OF BUSINESSES REPORTING BY FRAUD TYPE
The most common forms of payment fraud involve
Checks, Corporate Credit Cards, Wire Transfers, and
ACH Debits. In the AFP study, 71% of companies who
experienced fraud reported that they were victims
of check fraud, far more than the incidents reported
for any of the other type of payments.
ACH
Credit Card
Wire Transfer
Check
0
10
20
30
40
50
60
70
80
Source: 2016 AFP Payments Fraud and Control Survey
90
100
Check fraud involves altering an existing check or creating a
counterfeit check based on stolen bank information. Once altered
or counterfeited, the check is then introduced into the banking system
or exchanged for other monetary instruments or products and
services. Check fraud requires the least amount of sophistication.
Corporate Credit Cards were also a frequently targeted payment
method, reported by 39% of businesses. Credit Card fraud can
take a variety of forms, ranging from thieves combing through
corporate dumpsters in search of discarded billing information to
high-tech hacking of account information from compromised
retailers. EMV Chip Cards are more secure and much more
difficult to counterfeit than magnetic stripe credit cards. Industry
experts agree that the emergence and adoption of EMV Chip Cards
will cause fraudsters to shift their focus from card fraud to other,
less secure, payment methods.
EMV Chip Cards
should shift fraudsters’
focus to more vulnerable
payment types.
ACH fraud involves accessing a business’s online banking
credentials and creating false ACH origination files. Typically
fraudsters will access a business user’s credentials through malware
installed on the user’s computer or through an accomplice
operating within the business. Infiltrating a business computer
through installed malware requires a great deal of sophistication.
Wire fraud occurs in much the same way as ACH fraud. The
fraudster steals online credentials and creates wire transfers via
the business’s online banking system. Recently fraudsters have
focused their efforts on Whaling or Business Email Compromise,
which involves targeting a specific individual, usually an executive,
PACIFIC
MERCANTILE
BANK
at the business and posing as that person. The fraudster sends an
email to employees that appears to come from the executive,
urgently requesting that funds be wired from the company’s
accounts to an outside account. Since Wire transfers occur in real
time, it is very rare that your financial institution can retrieve the
funds once they have been wired out.
Anti-fraud best
practices prevent
real losses and save
time and expense
spent cleaning up
after a fraud.
CO RP O RAT E CA RD
5533 1234 5678 9012
5533
VALID
THRU
12/18
COMPANY NAME
R.CARDHOLDER
Given the introduction of EMV Chip Cards and the inherent difficulty
and complexity required to perform ACH and Wire fraud, we expect
fraudsters to refocus their efforts on other areas of payment fraud.
Check volume continues to decrease, but check fraud remains the
largest single source of payment fraud.
BEST PRACTICES
Fortunately there are best practices and tools you can employ to mitigate the risk of becoming a victim of payment fraud.
The best way to protect your business against payment fraud is not a single solution, but rather several layers of preventive
measures. Instituting this approach increases the likelihood that even if a fraudster is successful in one area, the activity will
be caught in another layer.
At the core of all ACH and Wire fraud is the introduction of malware onto a computer within the business. Here are best practices to minimize
the likelihood that malware will infect your network.
Use a dedicated computer for banking transactions. If the computer lacks email access and is used only to navigate to known
banking websites, the chances of its becoming infected with malware are extremely low.
Educate all employees regarding safe computing.
Never navigate to unknown websites.
Never open email messages from unknown senders.
Never click on links within email messages unless it is certain they are safe.
Keep operating systems and browsers patched and up-to-date.
Install anti-malware and anti-virus software on all computers.
Structuring and monitoring bank accounts according to industry best practices will add a second layer of defense against payment fraud.
Restrict bank account transactions. Only allow specific transactions that make sense for each account.
Restrict check access for accounts that have no checks.
Place ACH blocks on accounts that should not see ACH activity.
Set limits for accepting large dollar transactions.
Monitor your accounts in real time through online banking. Use the notification channel that will gain your attention most
quickly--text message or email--and setup real time alerts for:
Wire transfer posting to an account
Balance transfer between accounts
Debit transaction over a set amount posting to an account
Debit card or credit card activity
Segregate accounts by the type of transaction that typically will post to that account. For example, establish one account to be
used only for check writing and another to be used only for ACH origination.
Manage Corporate Cards using the online banking site.
Set limits on each card based on expected usage.
Limit spends to specific transaction types, such as travel, food, and gasoline.
Ensure that all cards are enabled with an EMV chip.
Check fraud remains the largest area of vulnerability. Implementing best practices and solutions specific to check fraud will deter fraudsters’
focusing on this payment channel. These steps will prevent fraud from altered physical checks.
Control current check stock. Maintain adequate physical security of checks, deposit slips, and other financial documents.
Utilize blank check stock. This prevents exposure of the MICR line and bank information.
Use a dual-tone true watermark for all check stock. This provides instant authenticity of the check and is virtually impossible to
replicate, copy or scan.
POSITIVE PAY
The single best solution for preventing check fraud is the adoption of a positive pay solution. Positive pay provides your business with the opportunity to approve incoming presented checks before they are paid. There are typically four kinds of positive pay available: (1) standard
positive pay, (2) positive payee, (3) reverse positive pay, and (4) ACH positive pay.
(1) Standard Positive Pay
Using this solution, the business supplies the bank with listings of all checks that have been issued. The listing includes the serial number and
the amount of the check. As checks are presented to the bank for payment, they are compared to the issue listing provided by the business.
If any of the items do not match, they are presented to the business through online banking. The business then decides to pay or return the item.
This version of positive pay is highly effective at deterring most attempts at check fraud, but leaves open the potential for a fraudster to alter
the payee line on a check.
Bank Compares
Incoming Items to Issue Listing
Business Supplies Bank
with Issue Listing
Bank Presents Unmatched
Items to Business
Business Submits
Pay or Return Decision
Bank Pays or Returns
the Item
(2) Positive Payee
This solution uses the same process as standard positive pay. However, the issue file submitted to the bank includes the payee name for
each check issued. The bank matches the serial number, check amount, and payee to the issue file. Any discrepancies are presented to the
business for a pay or return decision through online banking. Positive payee ensures that the payee lines on checks have not been altered.
This is the most effective positive pay solution since it not only prevents counterfeit check fraud, but also protects against alteration of the
payee line on legitimate checks.
(3) Reverse Positive Pay
With this solution, the business does not supply a listing of the checks that have been issued. Instead, every item that is presented for
payment is presented to the business through online banking for a pay or return decision.
Reverse positive pay is most effective for businesses with low check volume, or those who are unable to submit their issue listing to the bank.
It is extremely effective in that every check is reviewed by the businesses before it is paid.
(4) ACH Positive Pay
ACH Positive Pay allows users to view ACH electronic payment exceptions and make pay or return decisions on them. ACH transactions
are compared against preset rules that determine whether a payment is paid or blocked. If a transaction matches the criteria, it processes
normally and posts to the account. If it does not match the criteria, it is presented to the business through online banking for a pay or return
decision. Rules for acceptance are based on the amount and type of the ACH debit. This allows a business to block unwanted ACH types,
such as telephone initiated, internet initiated, or re-presented check entries.
ACH positive pay is extremely effective in preventing fraudulent ACH debits from posting to an account. This solution is often used by
businesses that originate ACH transactions or receive high volumes of incoming ACH debits.
SOLUTIONS TAILORED TO YOUR NEEDS
While payment fraud is a real and growing threat, understanding the threat landscape and incorporating best practices and anti-fraud
tools can substantially limit your risk. With check fraud continuing as the predominant form of payment fraud, it is critical for you to
implement tools to offset the risk of check fraud. Positive Pay is the most effective tool for combating check fraud and can be
customized to fit your business needs.
Don’t let payment fraud eat away at your bottom line. Partner with a bank that has the expertise to tailor solutions to your business
needs, not just their bottom line. At Pacific Mercantile Bank, we have the tools and expertise to evaluate your unique needs and
determine the solutions that will help you avoid costly fraud losses.
The protection of your accounts is a partnership between your company and Pacific Mercantile Bank. Let’s work together to safeguard
your company’s cash assets. Call us today for a review of your cash management needs and account structures, and an overview
of tools available to mitigate fraud risk.
Cindy Verity - 858.320.8419
[email protected]
Shamara Vizcarra - 714.438.2629
[email protected]