The document discusses payment fraud risks and protections. It summarizes a survey finding that 74% of organizations were victims of payment fraud in 2016. Checks and wire transfers are most commonly targeted. Business email compromise scams targeting wire transfers are on the rise. The document provides 7 tips for protection, including employing dual control for transactions and monitoring accounts daily.
Introduction
• Financial scams and fraud are rampant in the United States (and worldwide).
• According to the Federal Trade Commission (primarily consumer-focused):
  • More than 3,000,000 complaints/reports were filed in 2016.
  • For the 1st time, “imposter” scams surpassed identity theft in the number of complaints.
  • “Out of the 1.3 million fraud reports we got in 2016, people reported paying $744 million to scammers – with a median payment of $450.”
• Most business-related financial scams and/or fraud is not reported.
2017 Association for Financial Professionals (AFP) Payments Fraud and Control Survey
• 74% of organizations were victims of payment fraud in 2016 (the largest share on record) – this “suggests that fraudsters are continuing to succeed in their attempts to attack organizations’ payment systems.”
• Size matters. Larger companies (based on revenue) with more accounts are more likely to have been subject to fraud (see graphic).
• Checks continue to be the payment method most often targeted. 75% of organizations were victims of check fraud attempts/attacks (increase from 71% in 2016).
• Wire transfers were the 2nd most-often targeted payment method; 46% reported this type of fraud.
• Wire transfer fraud by year:
  • 2016 – 46%
  • 2015 – 48%
  • 2014 – 27%
  • 2013 – 14%
• Finance professionals are increasingly dealing with business email compromise (BEC) scams; the main target for BEC scams is wire transfers.
• The rise in wire fraud appears to coincide directly with the rise in BEC scams.
• Fraud via corporate/commercial credit cards accounted for the 3rd largest share of fraud – 32%.
• ACH debits accounted for the 4th largest share – 30%.
• ACH credits accounted for the 5th largest share – 11%.
Other interesting information (survey graphics)
Business Email Compromise (BEC)
• Since 2014, there has been a sharp uptick in BEC scams.
• “The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” – 2016 FBI alert
• The FBI alert also indicates that BEC scams are increasing, evolving, and targeting businesses regardless of size or geographic location (all 50 states and 79 countries).
• Losses have increased exponentially since January 2015.
• 74% of finance professionals report that their organizations were victims of BEC in 2016.
• The most common method of fraud through BEC is via wire transfers (60%).
• 81% of organizations have either implemented or are in the process of implementing controls to guard against BEC.
• 12% of organizations are considering controls implementation.
ACH Fraud
• 80% of organizations report that the number of ACH fraud attempts is unchanged from 2015 to 2016; 13% report a rise, and 7% report a decrease.
• 16% of larger organizations reported financial losses because of ACH fraud.
• Primary reasons cited for ACH fraud include:
  • ACH return not timely (33%)
  • Gaps in online security controls/criminal account takeover (29%)
  • Did not use ACH debit locks or ACH credit filters (24%)
7 Tips to Protect Yourself & Your Organization
#1 Three Cs (for protecting against Business Email Compromise or “BEC”)
1. Compare email addresses; pay special attention to deceptive characters, incorrect punctuation, and misspelling.
  • kwill@truecompany.com vs. kvvill@truecompany.com
  • darcy@truecompany.com vs. darcy@true.company.com
  • darcy@truecompany.com vs. darcy@truecomany.com
2. Check the language; watch for misspelled words, misused grammar, and unusual language.
  "I need this done today but I'm at the doctor's office. You can reach me through email."
3. Call to confirm; emailing the client to confirm their request is futile if you are already communicating with a suspect. *Don’t use a phone number from suspicious email correspondence. Obtain the client’s phone number from a verified source.
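As an added example (not part of the FRSecure deck), here is a small Python check that applies the first C to a sender address: it compares the address against the known-good one and names which of the three imitation patterns shown above it matches (look-alike characters, punctuation inserted into the domain, or a near-miss spelling). The confusable list and the edit-distance thresholds are assumptions chosen for illustration; a non-None result means "stop and call to confirm".

```python
from typing import Optional

# Character sequences often used to imitate another letter (assumed, constructed
# list for illustration; not exhaustive). Key = imitation, value = intended letter.
CONFUSABLES = {"vv": "w", "rn": "m", "cl": "d", "0": "o", "1": "l"}


def _fold(text: str) -> str:
    """Lower-case and collapse known look-alike sequences, so 'kvvill' folds to 'kwill'."""
    text = text.lower()
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1-2 edits between distinct domains suggests a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(candidate: str, trusted: str) -> Optional[str]:
    """Explain why `candidate` imitates the known-good address `trusted`.

    Returns None when the address is the trusted one itself, a different person at
    the trusted domain, or clearly unrelated.
    """
    cand, trust = candidate.strip().lower(), trusted.strip().lower()
    if cand == trust:
        return None
    c_local, _, c_domain = cand.rpartition("@")
    t_local, _, t_domain = trust.rpartition("@")
    if c_domain == t_domain:                       # same domain: inspect the local part
        if _fold(c_local) == _fold(t_local):
            return "local part uses look-alike characters"   # kvvill vs kwill
        if _edit_distance(c_local, t_local) <= 1:
            return "local part is a near-miss spelling"
        return None
    if c_domain.replace(".", "") == t_domain.replace(".", ""):
        return "domain differs only in punctuation"          # true.company.com
    if _fold(c_domain) == _fold(t_domain):
        return "domain uses look-alike characters"
    if _edit_distance(c_domain, t_domain) <= 2:
        return "domain is a near-miss spelling"              # truecomany.com
    return None
```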
#2 Use a Dedicated Computer for Banking
1. The “banking” computer should be used for no other purpose; no checking email, no Internet browsing, etc.
2. Ask IT to restrict the “banking” computer's network connections to only those systems that are required for operation.
3. Ask IT to “harden” the “banking” computer; this means disabling unnecessary services, restricting privileged access, regular password changes, etc.
4. Consider using a non-Windows system for the “banking” computer.
The American Bankers Association (ABA) first made this recommendation in 2010, and it is still valid today.
#3 Be Wary of Communications You Don’t Initiate
1. Never give sensitive information to a caller who called you; sensitive information should only be given on calls that you made using known phone numbers.
2. Never give access (to your computer, to your email, to an application, etc.) to a caller who called you.
3. Validate emails that ask for financial transactions or access to something sensitive. Validate by calling (see Tip #2).
#4 Employ Dual Control
1. Consider dual control on all financial transactions (or on transactions that exceed certain dollar amounts).
2. Consider dual control on all changes to payment accounts, i.e., where the money goes.
3. Consider dual control on all payment account setups.
4. Consider where other sensitive (or critical) processes may require dual control.
Dual control does not only apply to financial transactions; it can also be used for other critical processes. Traditionally, dual control is a system where two people have to sign a check, validate a transaction, hold keys to a safe, etc.
#6 Monitor and Balance Financial Accounts Daily
Daily monitoring will not stop fraud and will not identify all fraud; however, it will help identify signs of fraud. If regular payments are made to certain vendors or customers, use trends in payment history over long periods of time (if feasible).
#7 Conduct Employee Background Checks
Background checks should be conducted on all personnel; however, this is especially important for personnel working with financial systems. Background checks should be conducted at time of hire and periodically thereafter.
BONUS – Report Events & Incidents Immediately
Report any unusual activity to information security personnel immediately. Things that are out of the ordinary may be an indication of something more serious.
If you have fallen for a phishing attack or suspect that you may be a victim of an attack, report the event(s) to information security personnel immediately.
We should always operate with a heightened sense of awareness. Report events and incidents right away.
Quiz
1. The number of financial fraud victims is decreasing (True/False).
2. Most financial fraud happens because of a compromised mobile device (True/False).
3. When I visit the ATM to withdraw cash, I am using strong authentication (True/False).
4. The percentage of organizations experiencing wire transfer fraud has more than tripled since 2014 (True/False).
5. The three Cs will go a long way in protecting against Business Email Compromise (BEC) (True/False).
6. Actual financial loss resulting from financial fraud can exceed $2,000,000 for an organization (True/False).
7. ACH debit locks or ACH credit filters are controls that can help protect against financial fraud (True/False).
8. Using a dedicated computer for online financial transactions will reduce the risk of an online attack (True/False).
9. Financial fraud should be reported to the FBI immediately (True/False).
10. A heightened sense of awareness is often our best defense (True/False).
Information Security – Payment Risks and Simple Protections
The contents of this presentation were written and/or compiled by FRSecure. For more information about FRSecure or how FRSecure helps hundreds of organizations with their information security challenges (fixing the broken industry), please visit https://frsecure.com.
Contact us with any/all questions, comments, or concerns.
Reference: 2017 Association for Financial Professionals (AFP) Payments Fraud and Control Survey – underwritten by J.P. Morgan; https://www.afponline.org/publications-data-tools/reports/survey-research-economic-data/Details/payments-fraud-2016