5 Low-tech Ways to Protect your Business from Cyber Fraud

The stories about cyber fraud that once seemed mind-boggling are now relentless and long ago lost their ability to surprise and shock us.

Consider these:

Thirty-two people are charged in an international scheme to hack into business newswires and steal yet-to-be published press releases containing non-public financial information in order to make stock trades ahead of the news. The ring stole more than 100,000 corporate earnings reports and collected an estimated $100 million in nefarious gains before they were caught.

After a two-and-a-half year search, the FBI captures a notorious computer criminal, finding him with hundreds of cloned cell phones, more than 100 cell phone codes, and multiple false IDs. He’s charged with stealing more than $1 million worth of software and inflicting $4 million worth of damage to various corporations.

Five Russian and Ukrainian cyber criminals are charged by authorities with stealing hundreds of credit card numbers from Visa, J.C. Penney Co., JetBlue Airways Corp. and others, racking up more than $300 million from the targeted companies before they are caught.

The scope and projected losses grab headlines and—along with tales about huge identity theft rings, computer counterfeiting, and high technology schemes—helped create a sense that financial fraud is mostly the province of huge sophisticated criminals employing the latest in high-tech gadgetry.

Maybe that’s true in some context, but corporate security officers, law enforcement officials, and fraud investigators say that by far, the single biggest target of fraudulent attacks is still the good old-fashioned paper check. It continues to lead as the payment type most susceptible to fraudulent attacks even as its overall use has declined, according to a 2015 Association for Financial Professionals Payment and Fraud Control Survey.

That survey found that 62 percent of U.S. companies were targets of payment fraud in 2014, and 77 percent of the companies that reported they were victimized said the fraud involved paper checks. Checks also continue to account for the largest dollar amount of loss due to payments fraud.

“There are two primary reasons why checks continue to be the payment method of choice,” the survey concluded. “One, organizations’ business partners are hesitant to switch to electronic payments. Secondly, those partners are often unwilling to share their bank information.”

Pulling it off

Fraudsters often try to attack companies to identify those whose payment methods can be most easily breached, the survey said. If they find that an attack attempt faces security obstacles, they move on. When they do succeed, they will keep targeting an organization until security measures are put in place.

Statistically, the number of payment fraud attacks is up only slightly over the previous two years and down significantly from a peak in 2009. But anecdotally, financial officials say, the level of fraud attempts is higher than they’ve ever seen.

“In the last two years, I’ve seen more fraud attempts than I had seen in my previous 20-plus year career in banking,” said Stacey Coyne, vice president for cash management at Rockland Trust, who coordinates the bank's fraud seminars.

Interestingly, Coyne attributes some of the blame on the fraud increase to computer technology—not as a vehicle for committing fraud, but as an obstacle for preventing it.

“Too many people are too busy and they’re using computers and email as their primary source of communication,” she said. “Unfortunately, that leaves them vulnerable in many situations when they could simply call someone on the phone to verify and substantiate any financial transaction.”

For example, Coyne said, an ever-increasing scheme involves fake emails sent to persons in a corporation responsible for payments. The email looks legitimate and appears to be from a superior officer of the company directing the person to issue a check for a seemingly bona fide vendor.

“This fraud could easily be thwarted by simply calling the person to make sure they did indeed send the email,” Coyne said. “But it’s surprising how many times people will simply do what the email directs them to do without confirming.”

Last month the FBI warned of a recent increase in email scams.

“The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor,” the FBI release said. “They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.”

Another typical check scam, Coyne said, occurs when a company receives a payment for goods or services that is almost immediately followed up with a letter or email saying the check amount was in error and requests a refund for the difference. The scam works when the company issues the refund—usually in the tens of thousands of dollars range—before realizing the original check for payment was bogus.

“Again, these scams in retrospect seem so unlikely but they are happening at an alarming rate,” Coyne said.

Other check scams involve decidedly old and low-tech methods of fake or forged checks, paperhanging (writing checks on closed accounts) and check kiting, which involves opening accounts at two or more institutions and using the float time of available funds to create fraudulent balances. This fraud has actually become easier in recent years thanks to new regulations requiring banks to make funds available sooner.

How to protect your company

The good news, said Coyne and others, is there are many low and no-cost steps companies can and should take to guard against fraud. They can be boiled down to a Top 5 list

1. Establish a clean desk policy.

Banks and other regulated financial institutions are required to implement a policy that specifies how employees should leave their working space when they depart office. Most CDPs require employees to clear their desks of all papers at the end of the day. This helps prevent cleaning people and others who may have access to the building at night from obtaining sensitive customer or financial information that can be used in payment frauds. “It’s such a simple thing that can really impact fraud attempts,” Coyne said. “Just lock it up.”

2. Reconcile or check balances every day.

Most companies still reconcile their accounts every 30 days, a practice that has been in place for decades. But in the 21st century, accounts could and should be reconciled every day to make sure no suspicious transactions have occurred. “There are even computerized tools to alert you every day what your balances are and if you see wild swings, you would know something is up,” said Coyne.

3. Segregate financial duties. 

Segregation of duties is critical to effective internal controls because it reduces the risk of both erroneous and inappropriate actions. In general, the approval function, the accounting/reconciling function, and the asset custody function should be separated among employees. When these functions cannot be separated, a detailed supervisory review of related activities is required as a compensating control activity. Segregation of duties is a deterrent to fraud because it requires collusion with another person to perpetrate a fraudulent act. Moreover, requiring more than one signature on large dollar amount checks will limit potential fraud losses to small amounts. 

4. Establish vendor policies.

Require due diligence of all vendors and customers to verify how they treat financial information and how they handle checks. “You may be doing all you can to secure your financial information and protect your identities and so forth, but what are your vendors doing,” asked Coyne. “When you issue them a check, are they adhering to the same policies?” 

5. Verify all requests to transfer funds. 

All email requests to transfer funds, especially urgent requests, should be confirmed via a phone call or in-person meeting.

Most banks and financial institutions offer customers a number of tools to prevent and discourage fraud. Among them is one called Positive Pay. This type of payment system records pertinent information about each check, such as the amount, the check number, bank information and date, and then transmits it to the bank to be verified before the check can be paid.

Another tool is an Automated Clearing House (ACH) debit blocker, which allows businesses to block all electronic drafts or specify which companies are authorized to post debits to their accounts while automatically blocking those that are not authorized. Some ACH blockers will also provide daily reports of all transactions.

“The biggest anti-fraud prevention methods are ‘Take care and use common sense,’” Coyne advised. “You don’t want to be saying ‘How did I fall for this?’ the day after you transferred money to a scammer.”