Fraud Prevention Best Practices

What’s New in Fraud
Latest Threats and Fraud Control Solutions
Networking & Education
September 27, 2010
Agenda
• Fraud History and Trends
• Fraud Landscape
• Fraud Examples and Best Practices
• Employee Best Practices
• Fraud Liability
Bank of America Merrill Lynch
Fraud History and Trends
Historical Fraud Activity
Client Reported Attempted Fraud in 2008 - Industry

Payment Methods     All Respondents   Revenues over $1B   Revenues under $1B
Checks              91%               94%                 88%
ACH Debit           28%               28%                 28%
Consumer Credit     18%               15%                 19%
Corporate Card      14%               14%                 14%
ACH Credit           7%                6%                  6%
Wire Transfer        6%                4%                  5%
Source: Association for Financial Professionals - 2009 Payment Fraud Survey
- Fraud attempts $11.4 billion in 2008
- 91% of fraud mitigated by prevention efforts
[Chart: Commercial Card Fraud (industry estimates in $ millions, 1997-2008)]
External Data Compromises
• 35% increase in data breaches 2008 to 2009
• 2009 single event included 130 million credit and
debit account numbers (Heartland)
• Best defense is to reissue account numbers for
highest fraud risk accounts
Source: 2009 ABA Deposit Account Fraud Survey Report
Predicted Top Fraud Trends for 2010
Top 10 Fraud Trends Predicted for 2010
1. ACH/Wire transfer attacking small/medium businesses: Focus more on small- and medium-sized businesses as
larger businesses increase security.
2. Attacks via Vendor-managed servers: Businesses that outsource their transactional network servers must ensure
those vendors maintain acceptable security levels.
3. ATM skimming: Skimming machines look identical to legitimate ATM/card reader devices.
4. First party fraud: Criminals gradually establish good credit using an alias with a card issuer or business and then
“bust out,” running up enormous debt and abandoning the credit account.
5. Phishing: Email “phishing” attacks that illegally solicit victims’ personal information with official-looking requests are
becoming more sophisticated, and increased 600% during 2009.
6. Check fraud: Fraudsters have easy access to paper, printers and scanners to create phony checks. In addition,
hackers can obtain detailed personal banking information from online check viewing services.
7. Internal fraud: Employees are increasingly a source of corporate fraud, as are contractors, business partners and
suppliers.
8. Mobile phones: Web-enabled mobile phones are vulnerable to the same types of worms and viruses as PCs.
9. Online application fraud: Similar to first party fraud, this involves criminals manipulating multiple online applications
using multiple identities from multiple access points.
10. Prepaid cards: Prepaid cards are a popular item for criminals to buy with stolen credit cards or steal and activate to
obtain free spending power.
Source: The Fraud Practice, LLC - Predicted Top 10 fraud trends for 2010 in its biweekly newsletter.
Fraud Landscape
Social Networking/Susceptibility
MySpace, Facebook, and others have spawned new fraud tactics
• 63 percent of administrators worry that employees share too much personal data on social networking sites
• Among the companies in this research, Twitter, Facebook, LinkedIn and MySpace have accounted for one quarter of their malware attacks
[Figure: examples of direct messages enticing Twitter members to a phishing website which attempted to steal their username and password]
Source: Sophos: Security threat report: July 2009 update
Phishing
• Sends email with lure of reward or value.
• Loads virus on PC and gains access to vital information.
• Uses information to commit various types of fraud.
Spear Phishing
• Targeting high value employees (CFO, Treasurer, Administrators)
• Obtain access to critical systems with payment capability
The Man in the Browser Attacks
Criminal community focuses attacks on corporate banking clients:
• Greater availability of funds
• Transaction limits are higher
• Access to Wire Transfer and ACH through online channels
How it works:
Infection Path
Infected Download: Phishing email suggesting user visit a site:
• Breaking news report
• Free software download
• Phishing email which looks as if it came from a financial institution
Browser or OS Vulnerability
• Latest version of OS and browser not updated on user’s computer
• Trojan is silently activated
• Trojan stores or actively relays user’s activities without the user knowing
• Trojans are coded to watch for one or more online banks
Transaction Takeover
• User launches their browser
Keyloggers
• Keylogger products have been available to purchase for years
• Originally developed for legitimate uses but are also used for
illicit purposes
• Can be a piece of hardware or a thumb-drive that attaches to a
computer and records keystrokes
• Can also be software that can capture and relay similar
information
• All of these devices and software applications are readily
available for purchase. Hardware keyloggers can be bought on
eBay for around 80 dollars.
Fraud Examples and Best Practices
Online Banking Fraud
1. Online Banking – ACH & Wire Fraud
• Gains Client login credentials for a user ID with dual access: Initiate and Release financial transactions.
• Perpetrator monitors legitimate user usage for one month prior to executing ACH transactions.
• Changes recipient information on an existing ACH batch or standing wire template.
• Times the transfer so that partners at recipient banks are ready to quickly withdraw funds or further transfer them to another bank outside the US.
2. Online Banking – Check Fraud
• Gains access to the Client’s Online Banking service through a Trojan program.
• Looks at check issue patterns, captures check copies with signatures.
• Can sell information on the open market or give it to their own fraud ring.
• Perpetrates fraud against the company with counterfeit checks in a coordinated manner.
• Same amount, same serial number/range, at different check cashing points at the same time.
Securing Online Banking Interactions
The paradox of fraud: today companies expect anytime, anywhere banking that integrates efficiently into workflow. The trend is toward real-time communication and Straight Through Processing. Considerations need to be made to balance convenience and security.
• Carry out all online banking activities from a stand-alone computer system.
• Dedicate one workstation for Payment Initiations and one workstation for Release functions.
• Install and maintain anti-virus, anti-malware, spyware applications, and operating system patches.
• Never access online banking via Internet cafes, public libraries or open Wi-Fi hotspots.
• Avoid using automatic login features that save usernames and passwords for online banking. Clear the browser cache prior to initiating an online banking session.
• Implement Dual Administration: a single user should never have Initiation and Release capabilities.
• Prohibit shared user names and passwords. Passwords: 10 characters minimum, alphanumeric.
• Report suspicious transaction activity to your bank immediately, particularly when Wire or ACH transactions are involved. Response time is critical to minimizing losses.
• If a Bank of America client, forward “Phishing” emails to abuse@bankofamerica.com
• Contact authorities to report any fraud attempts or instances.
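The Dual Administration rule above (no single user holds both Initiation and Release, and template changes such as the recipient swap described under ACH & Wire Fraud need a second person) can be enforced in the payment workflow itself. This is an added illustration, not Bank of America code; the entitlement names, the Template/PaymentWorkflow classes and the sample users are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

class DualControlError(Exception):
    """Raised when an action would let one person complete a payment alone."""

@dataclass
class Template:
    name: str
    beneficiary: str
    changed_by: Optional[str] = None   # who last edited the beneficiary
    approved_by: Optional[str] = None  # second person who approved that edit

class PaymentWorkflow:
    def __init__(self, entitlements):
        # user -> set of entitlements, e.g. {"INITIATE"} or {"RELEASE"} (assumed names)
        self.entitlements = entitlements
        self.pending = {}   # payment id -> (initiator, beneficiary at initiation, amount)

    def conflicts(self):
        """Users holding both Initiate and Release: a user administrator should remove one."""
        return sorted(u for u, e in self.entitlements.items() if {"INITIATE", "RELEASE"} <= e)

    def _require(self, user, right):
        if right not in self.entitlements.get(user, set()):
            raise DualControlError(f"{user} lacks {right}")

    def change_template(self, user, tpl, beneficiary):
        # Any edit to the recipient invalidates the previous approval.
        tpl.beneficiary, tpl.changed_by, tpl.approved_by = beneficiary, user, None

    def approve_template(self, user, tpl):
        if user == tpl.changed_by:
            raise DualControlError("template change needs a second approver")
        tpl.approved_by = user

    def initiate(self, user, pid, tpl, amount):
        self._require(user, "INITIATE")
        if tpl.approved_by is None:
            raise DualControlError("template change not yet approved")
        self.pending[pid] = (user, tpl.beneficiary, amount)   # snapshot the recipient

    def release(self, user, pid, tpl):
        self._require(user, "RELEASE")
        initiator, beneficiary, amount = self.pending[pid]
        if user == initiator:
            raise DualControlError("initiator cannot release own payment")
        if tpl.beneficiary != beneficiary or tpl.approved_by is None:
            raise DualControlError("template altered since initiation")
        del self.pending[pid]
        return (beneficiary, amount)
```

The release step compares the template against the snapshot taken at initiation, so a recipient changed in between, even by a compromised initiator login, blocks the release instead of silently redirecting the funds.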
Check and Deposit Fraud
1. Stolen Check Ring
• Fraudster takes checks out of the mail (post office, lockbox, company).
• Washes check and changes payee information.
• “Mule” opens bank account with fraudulent credentials and deposits/cashes the check.
2. Stolen Check – business account
• Fraudster takes checks out of the mail (post office, lockbox, company).
• Goes to State web site and obtains new business credentials that are the same as or similar to those on the check.
• Bank account is opened and checks deposited.
• Funds withdrawn via various methods.
3. Business purchase/sale
• Fraudster poses as representative of a company engaging in a business purchase.
• Loads virus on PC and gains access to vital information.
• Uses information to commit various types of fraud.
4. Refund scam
• Customer writes company a check for a deposit on a new service. Could include overpayment such as $550 for a $50 deposit fee.
• Customer calls up and cancels the service or asks for the “accidental” overpayment to be returned.
• Company gives customer a $500 check for the overpayment.
• Initial deposit gets returned days later as counterfeit.
Check Fraud Prevention and Best Practices
Check Fraud Best Practices
• Reconcile accounts on a daily basis
• Segregate internal duties for financial activities (Audit/Control)
• Consider migration from Check Payments to Electronic Payment Products
• Become fraud focused on inquiries from other banks or institutions regarding legitimacy of checks
• Separate “Funding Only” Accounts to No Check Activity Status to prevent counterfeit items from clearing
• Escalate suspicious activities to client manager team
• Safeguard check stock. Use check stock security features.
• Consider outsourcing check processing to secured vendor.
Check Fraud Prevention Products
• Positive Pay - Automate review of items before decision to Pay or Return
• Teller Positive Pay - Integrates check decision at the teller in banking centers
• Payee Positive Pay - Determine if payee names have been altered
• Reverse Positive Pay - Notify bank of exception items identified on file
• Maximum Dollar Control - Flag any check over a given dollar amount to decision
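The Positive Pay, Payee Positive Pay, Maximum Dollar Control and “Funding Only” controls listed above, together with the coordinated counterfeit pattern from the Online Banking – Check Fraud slide (same serial and amount presented at several cashing points), come down to matching presented items against the company’s issue file. The following decision routine is an added example, not any bank’s product code; the issue-file layout, the dollar limit and all sample checks are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    account: str
    serial: int
    amount: int      # cents
    payee: str

def norm(name):
    # Assumption: payee names compare case- and punctuation-insensitively.
    return re.sub(r"[^a-z0-9]", "", name.lower())

def positive_pay(presented, issued, funding_only, max_amount):
    """Decision each presented item as PAY, RETURN or REVIEW, with the reason."""
    issue_file = {(c.account, c.serial): c for c in issued}
    seen = set()
    decisions = []
    for it in presented:
        key = (it.account, it.serial)
        if it.account in funding_only:              # "Funding Only" account: no check activity
            decisions.append(("RETURN", "check on funding-only account"))
        elif key not in issue_file:                 # serial the company never issued
            decisions.append(("RETURN", "not in issue file"))
        elif key in seen:                           # same serial presented a second time
            decisions.append(("RETURN", "duplicate serial"))
        elif it.amount != issue_file[key].amount:   # raised amount
            decisions.append(("RETURN", "amount altered"))
        elif norm(it.payee) != norm(issue_file[key].payee):   # Payee Positive Pay
            decisions.append(("RETURN", "payee altered"))
        elif it.amount > max_amount:                # Maximum Dollar Control
            decisions.append(("REVIEW", "over maximum dollar"))
        else:
            decisions.append(("PAY", "matches issue file"))
        seen.add(key)
    return decisions

# Constructed sample data: the company's issue file and the items presented today.
ISSUED = [Check("OP-100", 1001, 500_00, "Acme Supply"),
          Check("OP-100", 1002, 50_00, "Office Mart"),
          Check("OP-100", 1003, 20_000_00, "Main St. Realty"),
          Check("OP-100", 1005, 300_00, "Acme Supply")]
PRESENTED = [Check("OP-100", 1001, 500_00, "Acme Supply"),        # genuine
             Check("OP-100", 1001, 500_00, "Acme Supply"),        # same serial at a second cashing point
             Check("OP-100", 1002, 5000_00, "Office Mart"),       # $50 raised to $5,000
             Check("OP-100", 1003, 20_000_00, "MAIN ST. REALTY"), # genuine but over the dollar limit
             Check("OP-100", 1004, 120_00, "J. Doe"),             # counterfeit, serial never issued
             Check("FUND-200", 7, 100_00, "J. Doe"),              # drawn on a funding-only account
             Check("OP-100", 1005, 300_00, "Acme Supply LLC")]    # payee altered

def run_sample():
    return positive_pay(PRESENTED, ISSUED, {"FUND-200"}, 10_000_00)
```

Reverse Positive Pay inverts the flow: the bank sends the presented list and the company runs the same matching before returning exceptions.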
Employee Best Practices
Fraud Prevention Best Practices
Employee Education: Best Practices in user Awareness Training
There is a direct relationship between the amount of user training and the decreased number of
successful fraud attacks. The following list highlights some best practices:
• Don’t assume employees understand email and internet risks. The courts appreciate policies
based on best practices and supported by mandatory enterprise-wide training and enforcement
through disciplinary action.
• Don’t rely only on your company’s email or intranet to inform employees of email and internet
policies and procedures. Distribute a hard copy of policies to every employee. Require employees
to sign and date each policy.
• Set rules for personal internet usage. Specify how much web surfing is allowed, when and with
whom it is permitted, and under what circumstances.
• Ensure that employees understand policies toward monitoring their computer activity, and that
violations of corporate email and internet policies are enforceable through disciplinary action that
may include termination.
Fraud Prevention Best Practices
Specificity in Employee Training
Specificity strengthens the impact of employee training. Simple, straight-forward examples can be
the most powerful for employee training. Here are some ways in which you can cite examples or
case studies:
• Show employees how to recognize threats and convey the consequences of those threats
• Be explicit about what to look for to identify a malicious email
• Discussion or frequent reports of new threats, and statistics on how many viruses have been
caught within your organization, can help to raise their security awareness
Create explicit instructions for employees, such as:
• Never turn off security protection on your computer and stay current with updates
• Keep passwords in a secure place. Do not share them with coworkers
• Do not use your personal computer for company business
• Do not connect to the internet through suspect wireless networks (e.g., WiFi from a café)
• Forward suspicious emails to the company’s designated email account (include the email address)
• Never give your business email address to a website
• Open only identifiable attachments from known sources. Financial institutions and government
agencies never ask you to enter personal data, such as passwords, SSN, account numbers, etc.
Fraud Prevention Best Practices
Two Minute Self-Assessment on Best Practices
Front-Door Security
• Do you or your team use workarounds to streamline access to your bank’s portal or online applications (e.g.,
group sign-on with shared passwords)? Or leave passwords lying around, like a set of keys to your office?
• Do you have an IT department or outsource your security to a firm that ensures all PCs engaged in your cash
management activities have all the security basics deployed, and those PCs are not operating in unprotected
networks and used by other individuals?
Transactional Controls
• Does your company use dual administration and mandate dual approval and segregation of responsibilities for
payment activities, including template creation?
• Does your organization use all authentication tools offered (e.g., tokens, digital certificates) and encourage your
employees to register their computers?
Back-Door Security
• Is a review of audit logs and bank account activity part of your department’s daily routine?
• Does your user administrator immediately respond to changes in an employee’s job requirements by making
necessary changes to user entitlements?
Employee Education
• Do you have a formal employee education process — with user awareness training designed for specificity — for
online security and fraud prevention?
• Do all employees receive hard copies of all internet policies and procedures? Are they required to sign and date
each policy?
Fraud Liability
Fraud Liability
Regulation E:
The Electronic Funds Transfer Act (EFT), also known as Regulation E, was
implemented in the U.S. in 1978 to establish the rights and liabilities of
consumers as well as the responsibilities of the financial institution in EFT
activities.
• Regulation E covers a consumer under certain conditions, limiting loss to
$50 if the institution is notified within two business days.
• Reg E Purpose: Consumer Protection
• There currently are no similar loss protections for commercial customers
that limit the amount of fraud losses a business could bear from fraudulent
ACH or wire transfers.
Security is a shared responsibility between the business, consumer, and
financial institution.
Fraud Liability
Regulation CC: Current UCC Codes outline specific check fraud responsibilities for banks and
corporations. Court decisions have already established guidelines for legal responsibilities, and failure to
meet these guidelines can cause a bank or company to experience financial loss.
UCC Revisions now define responsibilities for check issuers and paying banks under the term ordinary
care. Under Sections 3-403(a) and 4-401(a), a bank can charge items against a customer's account only if
they are "properly payable" and the check is signed by an authorized individual. However, if a signature is
forged, the corporate account may be liable if one of the following exceptions applies:
• Ordinary care requires account holders to follow "reasonable commercial standards" prevailing in the
area for their industry or business. Failure to exercise ordinary care may restrict restitution from the
payee bank if their own failures contributed to a forged check signature or an alteration (for example,
raising a check amount from $50 to $5000).
• Requires customers to reconcile their bank statements within a reasonable time to detect
unauthorized checks.
• Comparative fault can shift liability to the check issuer. If both the bank and corporate account holder
have failed to exercise ordinary care, a loss can be allocated based upon the extent that each party's
failure contributed to the loss. Since banks are not required to physically examine every check,
companies may be held liable for all or a substantial portion of any given loss - even if the bank did
not verify the signature on a fraudulent check.
• Liability for counterfeits that are virtually identical to originals will be examined on a case-by-case
basis.
Questions?
This presentation is for informational purposes only. It does not constitute an offer or commitment to
buy or sell or a solicitation of an offer to buy or sell a security or any financial instrument, or a
commitment to enter into a transaction, of the type generally described herein.
The information contained herein, and any other communications or information provided by Bank of
America, is not intended to be, and shall not be regarded or construed as, a recommendation for
transactions or tax, business, legal, or investment advice, and Bank of America shall not be relied
upon for the same without a specific, written agreement between us.
The information contained herein has been obtained or derived from sources believed to be reliable,
but we do not represent that it is 100% accurate or complete and it should not be solely relied
upon. The information contained in this presentation is not legal advice.
Thank you!