ACH and wire payment fraud is a global and industry-wide issue affecting a growing number of customers of financial institutions around the world. And now, with the rise in fraud seen during the COVID-19 crisis, it’s more important than ever for businesses to know what to look for. The attackers are sophisticated, understand the ACH and wire payment systems, and target customers with both small and large account balances. Currently, the most popular fraud tactic is Business Email Compromise (BEC). BEC targets both businesses and individuals who are responsible for making payments. Fraudsters gain access to legitimate business email accounts through social engineering or similar tactics and use them to arrange unauthorized transfers. The exploitation of stolen internet banking credentials belonging to businesses still occurs, but on a much smaller scale.
Fraudsters will use various email schemes to con their victims. By gaining access to legitimate email accounts, fraudsters will impersonate vendors in emails to direct payments (based on valid invoices) to fraudsters’ accounts. They will pretend to be other third parties in an email and request changes in bank account(s) or payment instructions. They will also gain access to employees’ email and will send an email requesting a change in payroll instructions.
BEC falls under the umbrella of a type of fraud scheme known as Executive Impersonation. Another ploy fraudsters use is to spoof email addresses by altering the email header to disguise the true source, making the message look like it came from a known individual. Fraudsters will typically impersonate a senior-level executive via email to trick a member of a company into sending money via ACH or wire.
Ransomware is another tactic that is frequently used. Malicious software is downloaded to a computer and then either encrypts files so they can no longer be accessed or locks down the operating system entirely so the user can no longer access anything. The software is usually delivered via email; the user unknowingly opens the attachment, allowing it to install on the computer. Fraudsters then contact the affected user and demand payment to release the system, usually in Bitcoin.
Phishing is usually the fraudster’s entry point: the fraudster sends an email containing either an infected file or a link to a malicious website. The recipient is generally a person within an organization who can initiate funds transfers or payments on its behalf. Once the recipient opens the attachment or clicks the link, malware is installed on the computer and harvests the user’s logon credentials.
Deepfake is a new impersonation strategy in which fraudsters use software to impersonate the voice of the person who can authorize a payment. While the use of this software is time consuming and far from perfect, one European company did fall for a deepfake scam and sent nearly $250,000.
Be aware that fraudsters may request Personally Identifiable Information, or PII, which is any data that could potentially be used to identify a particular person such as full name, Social Security number, driver’s license number, bank account number, passport number, and email address. For example, fraudsters have been known to use BEC and Executive Impersonation to socially engineer victims into providing employee W2 information, similar to payroll/direct deposit schemes. Another new trend to watch out for is the compromising of employee personal email accounts to change direct deposit information.
The following checklist offers some suggestions on how you can help protect your PC from virus attacks and minimize internet payment fraud. This checklist is general in nature and is not geared toward any client’s particular situation. Please consult with your security officer or other security advisor to ensure you have comprehensive procedures in place appropriate for your particular organization and needs. It is important that your organization perform periodic reviews of your risks and controls with respect to payment fraud.
✔ BE CAREFUL ABOUT ANY PAYMENT INSTRUCTIONS/ACCOUNT CHANGES RECEIVED VIA EMAIL
✔ TIGHTEN YOUR ACH AND WIRE CONTROLS
✔ BE ON ALERT FOR COMPUTER HOAXES AND PHISHING SCAMS
✔ WHAT TO DO IF YOU SUFFER FRAUD OR SUSPECT FRAUD
In the event you become a victim of fraud, help protect your financial interests with the following recommendations:
✔ OTHER BEST PRACTICES:
Why be a victim of fraud and be exposed to potential financial losses? At M&T Bank, we offer several fraud services to help protect your organization from payment fraud and reduce your risk of exposure to attacks on your personal accounts.
ACH MONITOR FRAUD REVIEW helps protect business checking accounts from unauthorized ACH debits. For added security, M&T offers two levels of service: block all ACH debits from your account or authorize only specific debits from select vendors.
ACH ACCOUNT NUMBER MASKING (UPIC) allows you to receive ACH credits without revealing sensitive bank account information. A unique number and routing/transit number are assigned so that you do not need to reveal your confidential account number. The UPIC (Universal Payment Identification Code) cannot be used to debit your account via ACH transactions or used to access your account.
PAYEE POSITIVE PAY compares the payee name, dollar amount, and serial number on each check presented for payment against the corresponding information in a customer-provided check issue file. Variations in payee name, including spelling differences, as well as variations in dollar amount or serial number, are reported so that you can review the suspect check and make a pay or return decision.
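To illustrate the matching logic Payee Positive Pay relies on, here is a small added example (not M&T’s own code; the issue file, presented items and exception codes are all constructed): each presented check is matched on serial number, then payee name and amount are compared with the issue file, and every variation is reported for a pay or return decision.

```python
# Added example, not M&T's code. Constructed data throughout.
from decimal import Decimal

# Constructed check issue file: serial -> (payee, amount) as the customer wrote them.
ISSUE_FILE = {
    "1001": ("Acme Office Supply", Decimal("1250.00")),
    "1002": ("Northwind Logistics", Decimal("8400.50")),
    "1003": ("J. Smith Consulting", Decimal("300.00")),
}

# Constructed list of checks presented for payment: (serial, payee, amount).
PRESENTED = [
    ("1001", "ACME OFFICE SUPPLY", "1250.00"),   # case differs only: matches
    ("1002", "Northwind Logistic", "8400.50"),   # payee name altered
    ("1003", "J. Smith Consulting", "3000.00"),  # amount altered
    ("1004", "Unknown Payee", "50.00"),          # serial never issued
    ("1001", "ACME OFFICE SUPPLY", "1250.00"),   # same serial presented twice
]

def normalize(name):
    """Compare payee names ignoring case, spaces and punctuation only;
    any change to the letters themselves is still reported."""
    return "".join(ch for ch in name.lower() if ch.isalnum())

def review_presented(issue_file, presented):
    """Return (serial, reason) exceptions for presented checks that do not
    match the issue file. A check may produce more than one exception."""
    exceptions = []
    seen = set()
    for serial, payee, amount in presented:
        if serial in seen:
            exceptions.append((serial, "DUPLICATE_SERIAL"))
            continue
        seen.add(serial)
        issued = issue_file.get(serial)
        if issued is None:
            exceptions.append((serial, "NOT_ISSUED"))
            continue
        issued_payee, issued_amount = issued
        if normalize(payee) != normalize(issued_payee):
            exceptions.append((serial, "PAYEE_MISMATCH"))
        if Decimal(amount) != issued_amount:
            exceptions.append((serial, "AMOUNT_MISMATCH"))
    return exceptions

if __name__ == "__main__":
    for serial, reason in review_presented(ISSUE_FILE, PRESENTED):
        print(f"check {serial}: {reason} - review for pay/return decision")
```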
REVERSE POSITIVE PAY helps ease the burden of protecting against unauthorized checks, which represent a serious risk of financial loss to your business. This service lets you detect unauthorized checks through a daily paid check review: you review a list of the previous day’s checks, return any fraudulent or counterfeit items, and have access to daily check reports.
CHECK BLOCK can help protect your deposit account from fraudulent or unauthorized check writing activity. This service will automatically return all checks and drafts presented against your account, while allowing you to continue to send and receive electronic payments or deposits.
DUAL APPROVAL can help by requiring two users to initiate and authorize ACH and wire transfers or to confirm decisions to pay suspect checks identified through our positive pay service. Dual Approval can be set up using Treasury CenterSM or Web InfoPLU$, so that one user sends or accepts a payment and a second user approves the payment.
Benefits of dual approval include:
Learn how M&T can partner with you on fraud protection for your business.
IF YOU SUSPECT FRAUD, CONTACT YOUR RELATIONSHIP MANAGER OR TREASURY MANAGEMENT SERVICE AT 1-800-724-2240 IMMEDIATELY.
SEE SOMETHING. SUSPECT SOMETHING. SAY SOMETHING.
Protecting your information is one of our top priorities, which is why we at M&T Bank and Wilmington Trust (part of the M&T family), maintain an Enterprise Information Security Program.
But there are some things you can do to identify and manage cyber risks at home, in the office or on the go.
Disclosures:
All M&T Treasury Management services are subject to M&T’s standard Treasury Management Services Agreement.
This article is for informational purposes only. It is not designed or intended to provide financial, tax, legal, investment, accounting, or other professional advice since such advice always requires consideration of individual circumstances. Please consult with the professionals of your choice to discuss your situation.