Cyber criminals and online fraudsters have been around since the internet began, and cybercrime is now a mature, underground, international business. Well-organised syndicates sell customised malware and out-of-the box hacking tools to novice, would-be cyber thieves, enabling them to join the cybercrime business.
Mobile banking (m-banking) is the newest frontier in the ‘Wild West’ of cyber banking fraud. Individuals must vigilantly guard against these exploits. There are several new apps to help protect mobile devices. Some of them can be found here and here.
Mobile Remote Deposit Capture
Not so long ago, many banks mocked the idea of consumers depositing cheques via cell phones. Now, mobile remote deposit capture (MRDC) is one of their hottest products, with the majority of large banks already offering or planning to offer this new capability to their smart phone-equipped customers. While financial institutions are aware of the risks of m-banking, they have little control over how their customers use and protect their mobile devices, or the new technological threats being developed by criminals to exploit those devices.
MRDC has opened the door to new opportunities for fraud. Consider this scenario: John Doe picks up a cheque from company ABC. He walks outside and deposits the cheque into his bank account via his smart phone app. Minutes later he walks back inside and tells the person who gave him the cheque that it should have been made to John or Jane Doe. He hands the person the first cheque, receives a replacement cheque and then immediately goes to the paying bank to cash this second cheque.
Because the person at company ABC has the first cheque in their possession, they do not think to place a stop payment on it. The next morning both cheques are paid. The bank of first deposit (the scammer’s bank) is a ‘holder in due course’, and is not obligated to return the funds to the company.
The solution? If a cheque leaves the office for even one minute and is then returned for a replacement, place a stop payment on that cheque before issuing a replacement cheque. While ‘holder in due course’ trumps a stop payment, most banks would co-operate and return the funds if the midnight deadline has not passed. Requiring John Doe to sign an affidavit stating that he did not deposit the cheque image remotely and will be liable for all expenses incurred in recovering stolen funds may be a deterrent, but an affidavit is only a right to sue for recovery. It does not protect you from the fraudster’s illicit activity.
Account Takeovers and ACH Fraud
A review of cybercrime in general shows that, although the number of incidents and amount of losses have dropped over the past few years, there were still over four million records compromised during 2011, with an average loss of US$100,000 per victim organisation. Two of the growing cyber threats are account takeovers and automated clearing house (ACH) fraud.
Hackers steal passwords and bank logins by infecting computers with keystroke logger viruses. Then, they log into the bank and send out wires and ACH credits. The fix for this is very simple, and only requires three things:
- A change of internal procedures.
- A new computer, which does not need to be powerful or expensive.
- A conversation with your banker.
Tell your bank that you require two different authorisations to move money out of the bank. Ensure that this request is documented in writing, and confirm the change is made with your bank.
In the office, set up one or more computers or users that will be authorised to originate a wire transfer or ACH. A second computer and password is required to release the wire transfer or ACH transfer. The second computer must only be used for interfacing with the bank. It must not be used for any other purpose, including email, web searches and Facebook. This computer is used only to log into the bank, making it extremely unlikely it will be infected with a keystroke logger virus. The computer does not need to be powerful – a ‘netbook’ will do. The second computer could even be disconnected from the network when it is not in use. A netbook could be locked up in the vault.
On the network, don’t identify that computer as used only for the bank, just in case a hacker gets into the company network.
ACH fraud is definitely on the rise. Positive Pay is not equipped to stop ACH fraud because ACH debits bypass Positive Pay. Companies should implement ACH blocks or filters to prevent unauthorised ACH debits. An ACH block prevents all ACH debits from posting. An ACH filter allows debits from pre-authorised originators that you select, including pre-authorised amounts.
A review of all instances of cybercrime reveals that the vast majority of attacks are not sophisticated, and 96% of the breaches could have been prevented by simple or intermediate-level controls. These controls include installing a properly configured firewall with the factory default password changed, and up-to-date anti-virus and anti-spyware software on your computer. The latest patches from Microsoft or Apple should be installed on a weekly basis.
Vigilance includes being very cautious when opening emails from unknown parties, or clicking on embedded links, even from people you know. Millions of computers are infected with viruses that can take control of a computer and turn it into a bot. It can send emails infected with viruses to receipients in the entire address book.
Old-Fashioned, but Effective Tactics
Fraudsters continue to enjoy great success using old-fashioned fraud tactics, and payment fraud tops the list. According to the Association for Financial Professionals (AFP) Payments Fraud and Control Survey, 71% of respondents confirmed that they had been a victim of payment fraud. This is up from 55% in 2005.
The vast majority (93%) of those victims of payment fraud experienced cheque fraud attempts. In fact, the growth in cheque fraud attempts has been greater than the growth in electronic payment (e-payment) fraud attempts.
The AFP survey stated: “Despite advances in fraud protection and prevention in recent years, the rate of payment fraud attacks remains stubbornly high…. Notwithstanding the precipitous drop in cheque volume of the last several years, cheques continue to be widely used and abused, and fraud via cheque payments remains the overwhelming threat faced by companies.”
Cheque fraud generates more dollar losses than all other payment fraud methods combined. There are many best practices and internal protocols that can prevent most cheque fraud, but, amazingly, the simplest, easiest and least expensive prevention is often completely overlooked: use better checks.
High security checks are the first line of defence against cheque fraud, and should always be combined with Positive Pay. Positive Pay is an automatic cheque matching service offered by most banks, and can often catch altered or counterfeit cheques. Payee Positive Pay is offered by many banks to catch alterations of the payee name. (Positive Pay and Payee Positive Pay services are now being circumvented by adding a new payee name two lines above the original name.)
High security checks and Positive Pay have unequivocally been proven to prevent cheque fraud by discouraging criminals from making fraud attempts in the first place, and by thwarting the ill-advised attempts that are made. Properly designed high security checks can also help protect an organisation from ‘holder in due course’ claims.
Strong internal controls should also be implemented to prevent cheque fraud. One of the most important measures is to separate financial duties. The person issuing the cheques should not also be the person reconciling the account. If staffing cuts have reduced the ability to have a separation of duties, outsource the bank reconciliation to your accountant. Having incoming receipts go directly to your bank’s lockbox is another great way to avoid embezzlement via diversion of receipts.
Monthly statements should be reconciled promptly, and always within the timeframe designated by your bank. Different banks have different time frames within which to report discrepancies. Cheques should be kept in a locked closet or location, with limited access to the key. Immediately after printing cheques, any leftover cheques should be immediately removed from the printer tray and locked up again.
Ethics: The Ultimate Cure
While all of these crime prevention ideas are important to implement, the fundamental root of the problem lies with the increasing dishonesty plaguing our nation. In Abagnale’s 35 years on the right side of the law, he has only witnessed crime becoming easier. There will never be a reduction in white collar crime until character and ethics are brought back into homes, schools, universities and workplace.
Technology breeds crime. Some individuals and groups will always find nefarious means to use technology in a self-serving way. Those lacking moral training or moral fibre will slip from being merely self-serving to being outright dishonest.
Unfortunately, in too many homes, ethics are not exemplified, taught nor insisted upon. Although still on the private school curriculum, the public school system is almost bereft of teaching ethics, because teachers would be accused of teaching morality. Very few colleges offer a course in ethics, and even fewer require a completed course for graduation. Few companies offer on-the-job training sessions in ethics. Most regrettably, we find too many instances of corruption at the political level as well.
Because future technology will only make it easier steal, it is important to swiftly discipline those who cheat and to always emphasise acting in an ethical and responsible way. This will strike at the root of the problem, and bring about the changes truly needed in our society.
Greg Litster will be part of a panel presenting ‘Fast, Furious, Gone: The New Faces of Fraud and How to Thwart Them’ at the 2012 AFP Conference on Monday 15 October at 10:30am in the JR Ballroom.
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
The implementation date of Europe's revised Markets in Financial Instruments Directive, aka MiFID II, is fast approaching. Yet evidence suggests that awareness about the impact of Brexit on MiFID II is, at best, only patchy and there are some alarming misconceptions.
Banks might feel justified in victim blaming when fraud occurs, but it does little for customer confidence.
Politicians have united in urging the Reserve Bank of Australia to lend its backing to the digital currency by officially recognising it.