Payments fraud: Is your business protected?
Despite the shift to more secure electronic payments in the past few years, fraudsters continue attacking business accounts, filching account numbers, hacking databases, capturing keystrokes and even shadowing people as they log into their bank portals.
Unfortunately, no payment method including ACH, wire transfers and especially checks is immune to the threat of fraud.
The good news? As the threat of fraud continues and evolves, so do the defenses that can help identify and mitigate companies' exposure to risk.
Where Is the Risk?
The incidence of fraud has not measurably declined in recent years according to the 2011 AFP Payments Fraud and Control Survey. Blame it on the economy, opportunity or lack of companies' internal controls, but 71 percent of organizations reported being targets of fraud in 2011, down just two percent from 2010-and commensurate with results in 2007 and 2008.
Checks continue to take the brunt of fraud's attacks: 93 percent of organizations reporting attacks said their checks were involved. Fraudsters alter payee names, create fraudulent checks by pinching MICR data (bank account and routing number listed on the bottom of checks) or use stolen checks.
Although they are more secure, electronic payments are also susceptible to fraud. In 2011, ACH debit claimed 25 percent of fraud's targets; commercial cards, 15 percent; and ACH credits and wire transfers, each four percent.
Within the ACH network, unauthorized debits are the largest source of fraud because ACH debit can post to accounts without a company's authorization. It is worthwhile to note ACH fraud attempts typically begin with MICR data taken from paper checks.
How Can Companies Reduce their Exposure to Fraud?
Stop writing checks? While this may be a first assumption as the numbers point to checks as the most prevalent weak link in companies' defenses, there are more business-friendly ways to protect against fraud.
Step up internal controls.
Once upon a time, fraud was thought to be the sole purview of the financial institution that processed checks and electronic payments. However, recent legal findings have underscored that this is a shared responsibility and companies are also responsible for safeguarding their own accounts.
Under the Uniform Commercial Code, the laws governing checks, companies are responsible for safeguarding checks from forgery or alteration by "reasonable commercial standards" and must exercise "reasonable promptness" in notifying their bank when an unauthorized payment is discovered.
The advice here: companies should review their account statements regularly - daily, weekly and at the very least monthly - and improve internal controls.
One way companies can do that is by instituting dual control over their banking transactions, a trend that more and more banks are demanding of their corporate clients. The idea of dual control is simple and logical: whoever is running payables should not be the same person who is reconciling accounts at month's end.
Fortify online banking security.
To access online accounts, banks require authentication, often with established tokens or temporary passwords. Most of online banking's vulnerability actually comes from the business' exposure to hackers and malware.
To mitigate that risk, companies should consider fortifying their firewalls to prevent outsiders from tracking or shadowing their online transactions. Restricting banking transactions to one computer that is not used for other functions and does not surf the web further limits the opportunity for malware to be downloaded and installed.
Subscribe to antifraud services.
Every time a company writes a check, there is exposure to fraud simply because account information is printed on the check. Most banks offer anti-fraud options to control that risk.
Positive Pay and Payee Positive Pay are two such services offered by many commercial banks. They protect companies against altered checks and counterfeit check fraud.
Here is how they work: when a company issues checks, a file is sent to its bank with the check number, date and dollar amount. When the checks are presented to the bank, the bank matches them against the company's list. If an item doesn't match, the bank flags it for the company's review.
The Payee Positive Pay service also adds another layer of protection by matching checks by payee names, in addition to the check number, date and dollar amount.
ACH debit block/filter is yet another tool designed to protect company accounts against unauthorized electronic transactions. Companies can structure this tool to block all ACH entries and only allow credit or debit entries, or only transactions with preapproved company identification numbers.
Fraud is adapting and advancing. However, with a combination of internal controls, protection services and a reliable banking partnership, companies can evolve with the changing landscape to minimize fraud risks and protect their business.