
A CHASE THOUGHT LEADERSHIP INITIATIVE

DETERRING PAYMENTS FRAUD IN THE WORKPLACE

EXECUTIVE SUMMARY:

• Payments Fraud Grows More Sophisticated

• Common Cyber Fraud Threats

• Strategic Solutions for Taking the Offensive

• Best Practices for Risk Mitigation

Assess the Threats. Manage the Risks.


PAYMENTS FRAUD GROWS MORE SOPHISTICATED

Payments fraud, whether initiated externally by cyber criminals or internally by dishonest employees, continues to rise, according to the 2019 AFP Payments Fraud and Control Survey Report published by the Association for Financial Professionals (AFP).

The survey showed that a record 82% of companies were targets of payments fraud last year, demonstrating the crucial need for cybersecurity protocols and strict control governance. Survey results were sobering and indicated that in 2018:

• 80% of organizations experienced Business Email Compromise (BEC)
  – 54% of organizations reported financial losses as a result of BEC
  – 70% of BEC scams targeted checks, followed by wires at 43%

• 70% of organizations experienced check fraud, a slight decrease from 2017

• 64% of attempted or actual payments fraud resulted from actions of an individual outside the organization

• One-fourth of organizations reported receiving no guidance from their banks on mitigating the additional risk now that same-day ACH is available for both credit and debit transactions

This white paper will provide strategies and best practices to help organizations of all sizes protect against the risks and potential financial loss resulting from payments fraud. These steps include educating employees on current payments fraud practices, and implementing the products and processes necessary to safeguard their assets and data.

It is equally important to consider the non-financial implications of payments fraud. Should a breach expose personal or confidential information, businesses stand to suffer reputational risk, which can be severe, costly, and require significant effort to restore brand credibility.

BEST PRACTICE:

Raise security awareness among employees through training and timed communications so they are conditioned to recognize potential threats, scams, and data breaches. Vigilance is key, so if you see something, say something.

PAYMENT METHODS SUBJECT TO ATTEMPTED OR ACTUAL PAYMENTS FRAUD (percent of organizations)

  Checks                              74%
  Wire transfers                      48%
  Corporate/commercial credit cards   30%
  ACH debits                          28%
  ACH credits                         13%

Source: 2018 AFP Payments Fraud and Control Survey Report, Association for Financial Professionals®, 2018.


Targeting Checks and Wire Transfers

Checks are still the most commonly used payment method, and consequently remain the target of choice for fraudsters as “70% of finance professionals report their organizations’ check payments were subject to fraud attempts or attacks in 2018 – down from 74% in 2017.”1 Technology advances, including imaging, have actually fed the growth of payments fraud. Despite current check fraud deterrence efforts, criminals have been able to outsmart the prevailing security measures, forge checks rather easily, and make them appear authentic.

Wire transfers ranked as the second most common target: “Nearly half (48%) of financial professionals whose organizations were exposed to payments fraud in 2018 report that such attacks were via wire transfers.”2

Recently released AFP data on ACH fraud show that “33% of organizations experience ACH debit fraud (up from 28% in 2017) while 20% were subject to ACH credit fraud – up from 13% in 2017.”3 To reduce these occurrences, companies are adopting countermeasures such as:

• Daily account reconciliations to identify and return unauthorized ACH debits

• Blocking all ACH debits except on a single account set up with ACH debit filter/ACH positive pay

• Blocking ACH debits on all accounts

Despite the increase in 2018, ACH fraud is still relatively in check according to NACHA, the ACH network’s governing body. “ACH fraud remains low on an absolute basis, and low in relation to other payment methods,”4 says Victoria Day, NACHA’s senior director and group manager.

Corporate/commercial credit/debit card fraud “Affected 30% of organizations in 2017, and represents a decline from 39% in 2015.”5 The decrease is attributed to proactive retailers who implemented controls to minimize point-of-sale fraud following the large-scale breaches of major retailers a few years earlier. Those incidents caused financial losses and loss of confidential information, with the impact extending to customer confidence and brand loyalty. Banks have also stepped up their efforts to minimize card fraud with preventive measures such as behind-the-scenes algorithms that track spending patterns.

COMMON CYBER FRAUD THREATS

Statistics gathered by the FBI’s Internet Crime Complaint Center for 2018 show that “Internet-enabled theft, fraud, and exploitation remain pervasive and were responsible for a staggering $2.7 billion in financial losses in 2018.”6 Some of the leading threats include:

Business Email Compromise (BEC): A sophisticated scam targeting organizations that regularly make wire transfer payments. Criminals compromise individual email accounts, spoof or mask email headers, or create fictitious email accounts to direct you to send money to fraudulent beneficiaries. These emails appear to be authentic payment instructions and may include a fraudulent invoice from staff, vendors, or third parties with whom you do business. Be suspicious of payment instructions from personal email accounts (e.g. Gmail), and know that character substitution in look-alike domains (a digit 1 in place of the letter l, or “rn” in place of “m”) is a common trick.
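The tells described above can be checked mechanically before anyone acts on an emailed payment instruction. The following is an added example in Python, not code from the Chase paper: it parses an inbound message and flags a free webmail sender, a Reply-To that points somewhere other than the From domain, a sender domain that imitates a known vendor through character substitution or a one- or two-character typo, and wording that asks to change bank details. The vendor list, free-mail list, confusable table, trigger phrases and both sample messages are constructed for illustration.

```python
# Added example (not from the Chase paper): screen an inbound e-mail carrying
# payment instructions for common BEC indicators. All lists, tables and the
# sample messages below are constructed for illustration.
import email
from email import policy
from email.utils import parseaddr

# Constructed allowlist: vendor domains we accept payment instructions from.
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northwind-logistics.com"}

# Free webmail providers; a vendor's receivables team should not be sending
# bank-change requests from one of these.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Single characters that pass for a Latin letter at a glance (ASCII digits and
# a few Cyrillic letters), folded to the letter they imitate.
SINGLE_CHAR_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})
# Character pairs that pass for one letter: "rn" for "m", "vv" for "w".
MULTI_CHAR_CONFUSABLES = (("rn", "m"), ("vv", "w"))


def fold_confusables(domain: str) -> str:
    """Reduce a domain to what the eye reads, so look-alikes collide with the real name."""
    folded = domain.lower().translate(SINGLE_CHAR_CONFUSABLES)
    for pair, letter in MULTI_CHAR_CONFUSABLES:
        folded = folded.replace(pair, letter)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squatted domains one or two edits away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def header_domain(header_value) -> str:
    """Domain part of the address in a From/Reply-To header ('' if the header is absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def screen_payment_instruction(raw_message: str) -> list:
    """Return the BEC indicators found in a raw RFC 5322 message (empty list = none found)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = header_domain(msg["From"])
    reply_domain = header_domain(msg["Reply-To"])
    findings = []

    if from_domain in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses free webmail domain {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    for vendor in sorted(KNOWN_VENDOR_DOMAINS):
        if from_domain == vendor:
            continue  # exact match with a known vendor is not a look-alike
        if (fold_confusables(from_domain) == fold_confusables(vendor)
                or edit_distance(from_domain, vendor) <= 2):
            findings.append(f"sender domain {from_domain} imitates vendor domain {vendor}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in ("new bank account", "updated remittance", "changed our bank")):
        findings.append("message asks to change the bank details on file")

    return findings


# Constructed sample: a spoofed vendor writing from a look-alike domain
# ("rn" for "m", "1" for "l") with a Reply-To on free webmail.
SAMPLE_SPOOFED = """\
From: "Acme Supply AP" <ar@acrne-supp1y.com>
Reply-To: acme.accounts.receivable@gmail.com
To: payables@example.org
Subject: Updated remittance details for invoice 4471
Content-Type: text/plain; charset="utf-8"

Please note our new bank account for all future payments.
"""

# Constructed sample: the same vendor writing from its real domain.
SAMPLE_CLEAN = """\
From: "Acme Supply AP" <ar@acme-supply.com>
To: payables@example.org
Subject: Invoice 4471
Content-Type: text/plain; charset="utf-8"

Invoice 4471 is attached; terms are net 30 as usual.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(label, screen_payment_instruction(raw) or ["no indicators"])
```

A screener like this is a triage aid, not a substitute for the control the paper recommends next: confirming any change of beneficiary details by a call to a number already on file, never to one supplied in the message.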

BEST PRACTICE:

Increase scrutiny of third-party providers. Specify your security requirements and standards you expect from them and clearly establish that understanding up front. Then ratchet up the oversight to ensure that they’re performing in compliance.

1. 2019 AFP Payments Fraud and Control Survey Report Summary, Association for Financial Professionals.
2. 2018 AFP Payments Fraud and Control Survey Report, Association for Financial Professionals.
3. Ibid. 2.
4. Stewart, John, “The Latest AFP Fraud Study Unveils a Surprising Jump in the ACH,” digitaltransactions.net, April 10, 2019.
5. Ibid. 2.
6. 2018 Internet Crime Report, Federal Bureau of Investigation Internet Crime Complaint Center, 2018.


Eighty percent of companies reported BEC fraud in 2018, with more than half (54%) experiencing financial loss as a result. To secure your operation, adopt stronger internal controls that prohibit payment initiation based on emails or other, less secure messaging systems.

PERCENT OF ORGANIZATIONS THAT EXPERIENCED BUSINESS EMAIL COMPROMISE

  2015: 64%
  2016: 74%
  2017: 77%
  2018: 80%

Source: 2018 AFP Payments Fraud and Control Survey Report, Association for Financial Professionals, 2018.

Phishing: An email technique used to harvest an organization’s proprietary financial information for a bigger payday. Messages may direct you to a website that appears legitimate, or to a phone number purporting to be real. These sites and numbers are phony and exist to trick you into providing proprietary information so the operators can breach your financial accounts and steal your data.

Protect the confidentiality of your financial information and other sensitive files: never reveal passwords or usernames, and do not be swayed by clever or compelling language that urgently asks you to update account data.

Social Engineering: Fraudsters will often pose as an impatient client or colleague to extract proprietary information. According to former hacking legend and current computer security consultant Kevin Mitnick, social engineering “Uses manipulation, influence and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits that attacker.”

Be aware of emails that try to rush you through security verification or questioning in order to acquire passwords, bank balances, and other details. Through impersonation or social network squatting, the hacker tweets you, friends you, or otherwise contacts you online using the name of someone you know, then asks you for a favor, such as sharing data or business files. Finally, stay alert for deceptive tactics on social networking sites that attempt to con users into clicking on malicious links or filling out scam surveys.

Malware: Short for malicious software, it is often installed without the target ever knowing it. Because users will not knowingly install software that disrupts their work or compromises their privacy, malware (ransomware, viruses, worms, Trojan horses, spyware, and other unwanted software) deceives them, either by piggybacking on a piece of desirable software or by tricking them into installing it.

Criminals create appealing websites, desirable downloads, and compelling stories to lure you to links that download malware, especially onto computers or devices without adequate security software. Invest in anti-malware software and online tools, and keep systems patched, to reduce your exposure.

BEST PRACTICE:

Engage senior management for support and oversight of data security. Their taking ownership sets the tone and ensures that the threats of payments fraud are dealt with swiftly, and that protective measures are in place and fully operational.


STRATEGIC SOLUTIONS FOR GOING ON THE OFFENSIVE

Organizations are best served when they combine the features and functionality of best-in-class products with the expertise of a strong financial partner with success working across all business sectors. That relationship is the gateway to a suite of fraud protection solutions that can help secure the integrity of proprietary financial data and improve cash flow management and oversight:

Positive Pay: The number one solution for combating check fraud, Positive Pay is designed for businesses that want Chase to help monitor their commercial transactions against suspicious check activity. Available in both no-cost and low-cost options based on need, Positive Pay electronically matches all checks presented for settlement with all checks issued by the user, including account number, serial number and dollar amount.

When bundled with Payee Name Verification, Positive Pay becomes more robust, enabling verification of the payee name on the check against the payee name provided in the user’s issue file. Best suited for businesses with a volume of >200 checks per month, Positive Pay lets you enter the details of the checks you have written on Chase.com. All checks presented for payment are compared against the details provided, and any check that does not match is displayed as an exception for your pay or return decision.

Reverse Positive Pay: Enables organizations that want to monitor check activity on their own to engage Chase to provide the necessary tools, functionality, and support. Recommended for organizations with a volume of >50 but <200 checks per month, it delivers check images to users who control the matching of checks presented to checks issued so that only authorized items are paid. Along with flexible viewing options, users can set a dollar amount threshold so all checks below the set amount are paid without the need to review.
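The matching step behind Positive Pay with Payee Name Verification, and the dollar threshold of Reverse Positive Pay, as an added example in Python (not Chase’s code): an issue file lists the checks the company wrote; each check presented for settlement is matched on account, serial number and amount, then on payee name, and anything that does not match, or is presented twice, becomes an exception for a pay or return decision. Account and serial numbers, amounts and payee names are constructed.

```python
# Added example (not Chase's code): issue-file matching as a Positive Pay
# service performs it, plus the Reverse Positive Pay review threshold.
# All checks below are constructed sample data.
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    account: str     # account the check is drawn on
    serial: str      # check (serial) number
    amount: Decimal
    payee: str


def normalize_payee(name: str) -> str:
    """Case-, punctuation- and whitespace-insensitive form used for payee name comparison."""
    letters = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in name.upper())
    return " ".join(letters.split())


def positive_pay(issue_file, presented):
    """
    Match every presented check against the issue file.
    Returns (paid, exceptions); each exception is (check, reason).
    """
    issued = {(c.account, c.serial): c for c in issue_file}
    seen = set()
    paid, exceptions = [], []
    for item in presented:
        key = (item.account, item.serial)
        if key in seen:
            exceptions.append((item, "duplicate presentment"))
            continue
        seen.add(key)
        issue = issued.get(key)
        if issue is None:
            exceptions.append((item, "serial not in issue file"))          # counterfeit or unrecorded check
        elif issue.amount != item.amount:
            exceptions.append((item, f"amount altered: issued {issue.amount}, presented {item.amount}"))
        elif normalize_payee(issue.payee) != normalize_payee(item.payee):
            exceptions.append((item, f"payee altered: issued '{issue.payee}', presented '{item.payee}'"))
        else:
            paid.append(item)
    return paid, exceptions


def reverse_positive_pay(presented, review_above):
    """No issue file: the customer reviews presented items; those below the threshold pay automatically."""
    auto_paid = [c for c in presented if c.amount < review_above]
    to_review = [c for c in presented if c.amount >= review_above]
    return auto_paid, to_review


# Constructed sample data.
ISSUE_FILE = [
    Check("1001", "5001", Decimal("1250.00"), "Acme Supply Co."),
    Check("1001", "5002", Decimal("480.00"), "Northwind Logistics, Inc."),
    Check("1001", "5003", Decimal("99.95"), "City Water Utility"),
]
PRESENTED = [
    Check("1001", "5001", Decimal("1250.00"), "ACME SUPPLY CO"),           # legitimate
    Check("1001", "5002", Decimal("4800.00"), "Northwind Logistics, Inc."),  # amount altered
    Check("1001", "5003", Decimal("99.95"), "J. Doe"),                     # payee washed
    Check("1001", "5004", Decimal("2200.00"), "Cash"),                     # serial never issued
    Check("1001", "5001", Decimal("1250.00"), "ACME SUPPLY CO"),           # presented a second time
]

if __name__ == "__main__":
    paid, exceptions = positive_pay(ISSUE_FILE, PRESENTED)
    print("paid:", [c.serial for c in paid])
    for check, reason in exceptions:
        print(f"exception {check.serial} ({check.amount}): {reason}")
    auto_paid, to_review = reverse_positive_pay(PRESENTED, Decimal("500"))
    print("reverse positive pay: auto-paid", [c.serial for c in auto_paid], "review", len(to_review))
```

Note that the duplicate check is caught even though it matches the issue file exactly; a check deposited twice (for example through remote deposit and again in a branch) is an exception the matching step must raise, not something the issue file alone can reveal.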

Paperless Statements: Electronic statements improve security by reducing the risk of paper statements getting lost or stolen, allow you to review and print up to seven years of statements, and accelerate data access. You’ll receive an email when your statement is ready.

ACH Debit Block: Specify which companies are and are not authorized to post ACH debits to your accounts, automatically blocking those that are not approved. ACH Debit Block immediately compares incoming ACH debits against a range of user-defined criteria, including account number, transaction code, debit amount (dollar amount ceilings can be applied), effective date, and the identity of the company originating the debit.
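The decision logic of such a filter, as an added example in Python (not Chase’s code), covering both countermeasures listed earlier: accounts with no authorization rules block every debit, and the single operating account carries an allowlist of originators, each with a dollar ceiling and an effective-date window. The NACHA transaction codes used (27/37 for live debits to checking and savings, 22/32 for credits, 28/38 for prenotes) are standard; the account numbers, originator company IDs, amounts and dates are constructed.

```python
# Added example (not Chase's code): ACH debit filter decisions. Rules and
# entries are constructed sample data.
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# NACHA transaction codes: 27 and 37 are live debits to checking and savings.
# 22/32 are credits and 28/38 are zero-dollar prenotes; a debit filter lets them through.
LIVE_DEBIT_CODES = {"27", "37"}


@dataclass(frozen=True)
class AchEntry:
    account: str
    transaction_code: str
    company_id: str          # originator's company identification from the batch header
    company_name: str
    amount: Decimal
    effective_date: date


@dataclass(frozen=True)
class DebitAuthorization:
    company_id: str
    max_amount: Decimal
    valid_from: date
    valid_to: date


def decide(entry: AchEntry, authorizations: dict) -> tuple:
    """
    Return ("pay" | "block", reason) for one incoming entry.
    authorizations maps account number -> list of DebitAuthorization;
    an account absent from the map blocks all debits.
    """
    if entry.transaction_code not in LIVE_DEBIT_CODES:
        return "pay", "credit or prenote, not subject to the debit filter"
    rules = authorizations.get(entry.account, [])
    if not rules:
        return "block", "account blocks all ACH debits"
    for rule in rules:
        if rule.company_id != entry.company_id:
            continue
        if not rule.valid_from <= entry.effective_date <= rule.valid_to:
            return "block", f"originator {entry.company_id} authorized only {rule.valid_from} to {rule.valid_to}"
        if entry.amount > rule.max_amount:
            return "block", f"amount {entry.amount} exceeds ceiling {rule.max_amount} for {entry.company_id}"
        return "pay", f"authorized originator {entry.company_name}"
    return "block", f"originator {entry.company_id} ({entry.company_name}) not authorized"


def run_filter(entries, authorizations) -> list:
    """Apply decide() to each entry; returns (entry, decision, reason) triples."""
    return [(e, *decide(e, authorizations)) for e in entries]


# Constructed authorizations: operating account 1001 allows only the payroll
# provider and the water utility; account 1002 is absent and blocks all debits.
AUTHORIZATIONS = {
    "1001": [
        DebitAuthorization("1223456789", Decimal("150000.00"), date(2019, 1, 1), date(2019, 12, 31)),
        DebitAuthorization("1987654321", Decimal("5000.00"), date(2019, 1, 1), date(2019, 12, 31)),
    ],
}

# Constructed incoming entries for one settlement day plus one dated after the window.
ENTRIES = [
    AchEntry("1001", "27", "1223456789", "PAYROLL SVC", Decimal("98210.55"), date(2019, 6, 14)),
    AchEntry("1001", "27", "1987654321", "CITY WATER", Decimal("7420.00"), date(2019, 6, 14)),
    AchEntry("1001", "27", "1555555555", "QUICK LOAN", Decimal("1250.00"), date(2019, 6, 14)),
    AchEntry("1002", "27", "1987654321", "CITY WATER", Decimal("120.00"), date(2019, 6, 14)),
    AchEntry("1002", "22", "1444444444", "CUSTOMER INC", Decimal("3300.00"), date(2019, 6, 14)),
    AchEntry("1001", "27", "1223456789", "PAYROLL SVC", Decimal("1000.00"), date(2020, 1, 3)),
]

if __name__ == "__main__":
    for entry, decision, reason in run_filter(ENTRIES, AUTHORIZATIONS):
        print(f"{entry.account} {entry.transaction_code} {entry.amount:>10} {decision:5} {reason}")
```

The default is deny: an originator is paid only when a rule names it, the debit falls inside that rule’s date window, and the amount is at or below the ceiling. Expiring authorizations keep a one-off vendor from debiting the account indefinitely once the engagement ends.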

ACH Transaction Review: Users can review, confirm, and decide on a case-by-case basis whether transactions that posted to their account the prior day are authorized. Transactions requiring review can be filtered by any combination of debits and credits, company IDs, dollar amount or range, and transaction type. The service lets users return unauthorized ACH transactions on a timely basis, increases visibility into ACH activity, and expedites pay/return decisions for each item matching their filter criteria. Because an unauthorized debit to a business account generally must be returned within two banking days of settlement under the ACH rules, this review needs to be part of the daily routine rather than a periodic clean-up.

BEST PRACTICE:

Be vigilant and crisis ready. Have a response plan in place that roadmaps the immediate action steps to take in the event of a payments fraud incident or other data breach.


DIGITAL DETERRENCE FOR SECURE ONLINE CASH MANAGEMENT

• Electronic Alerts: Immediate updates help manage finances and keep accounts safe.

• Access ManagerSM: Delivers total control of online cash management without compromising on security.

• Dual Control: Requires a second authorized user’s approval before finalizing certain transactions.

• IP Security: Prohibits users from logging into Chase OnlineSM for Business from non-authorized IP addresses.

• RSA Token/SecurID: Requires Token code entry when logging on, and when completing high-risk activities.

• Telephone Banking Shared Secrets: Increases security for high-risk transactions using customized passwords with shared secrets.

Electronic Alerts: These immediate updates help manage your finances while keeping your accounts safe. Three types of alerts are offered based on specific needs:

• Security Alerts: Set dollar limits for different transactions, including ATM withdrawals, debit card activity, money transfers, and online bill payments. You’ll be contacted when transactions exceed your specified amounts.

• Daily Alerts: Choose the Alerts you want, set your dollar or other activity thresholds, and we’ll notify you by the method you select, including email or text, when your account alerts thresholds are met.

• Chase Instant Action AlertsSM: Receive a text if you overdraw your business account, or your balance dips below your preset limit. Quickly send back a text to transfer funds.

Access and Security ManagerSM: Helps you delegate online cash management, saves you time, and maintains total control without compromising security. Set up multiple business account users, such as your accountant or bookkeeper, with unique user IDs and passwords. Employees can be set up as authorized users instead of being designated as signers on accounts; because signers can enroll in online services and access accounts directly, limiting employees to authorized-user access helps reduce the risk of fraud. You can also require that payments submitted by an authorized user be approved, either for all payments or for those above a certain dollar amount.

Dual Control: Improves your Internet controls, reduces errors, and may help protect your organization from cyber fraud. When Chase Dual Control is activated, certain transactions such as wire transfers, bill payment, ACH collections and payments, and basic payroll and tax payments will require a second authorized user’s approval before they’re finalized.

IP Security: Prohibits users from logging into Chase OnlineSM for Business from any IP address other than those designated. IP Security is a requirement for wire limits greater than $500,000, and cannot be turned off until your wire limit is reduced below $500,000.

RSA Token/SecurID: Ratchet up online transaction security. Customers who sign up for Tokens will be required to enter their Token code when logging on, and when completing other high-risk activities such as adding payees and authorized users. For organizations who need a wire limit greater than $500,000, Tokens are required.
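How the entitlement, Dual Control, IP Security and token rules described above fit together when a payment is submitted, approved and released, as an added example in Python (not Chase’s code and not a description of how Chase Online is implemented). User names, the network allowlist and the dollar figures are constructed; treating the paper’s $500,000 figure as a per-payment token step-up is this example’s assumption. Every accepted and refused action is written to the payment’s audit log, because a refused self-approval is exactly the event an investigator later wants to see.

```python
# Added example (not Chase's code): separation of duties, IP allowlisting and
# token step-up on a payment's path from draft to release. Users, networks
# and thresholds are constructed.
from dataclasses import dataclass, field
from decimal import Decimal
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    """What one online-banking user may do (Access Manager style)."""
    can_initiate: bool
    can_approve: bool
    approval_required_above: Decimal   # Decimal("0"): every payment this user submits needs approval


@dataclass
class Payment:
    payment_id: str
    kind: str                          # "wire", "ach", "bill_pay", "payroll" or "tax"
    amount: Decimal
    initiator: str
    state: str = "draft"               # draft -> pending_approval -> approved -> released
    approver: Optional[str] = None
    log: list = field(default_factory=list)   # audit trail of accepted and refused actions

    def __post_init__(self):
        self.amount = Decimal(self.amount)


class PaymentDesk:
    # Transaction types the paper lists as subject to Dual Control.
    DUAL_CONTROL_KINDS = {"wire", "ach", "bill_pay", "payroll", "tax"}

    def __init__(self, users, allowed_networks, token_required_above, dual_control=True):
        self.users = users                                        # user_id -> Entitlement
        self.allowed_networks = [ip_network(n) for n in allowed_networks]
        self.token_required_above = Decimal(token_required_above)  # assumed step-up threshold
        self.dual_control = dual_control

    def _refuse(self, payment, why):
        payment.log.append("refused: " + why)
        return False

    def _session_ok(self, payment, user, source_ip, token_ok):
        """Checks every action must pass: known user, allowed IP, token when the amount demands it."""
        if user not in self.users:
            return self._refuse(payment, f"{user} is not an authorized user")
        if not any(ip_address(source_ip) in net for net in self.allowed_networks):
            return self._refuse(payment, f"{user} connected from {source_ip}, not an allowed IP")
        if payment.amount > self.token_required_above and not token_ok:
            return self._refuse(payment, f"{user} must enter a token code above {self.token_required_above}")
        return True

    def submit(self, payment, source_ip, token_ok=False):
        user = payment.initiator
        if payment.state != "draft":
            return self._refuse(payment, f"cannot submit a payment in state {payment.state}")
        if not self._session_ok(payment, user, source_ip, token_ok):
            return False
        if not self.users[user].can_initiate:
            return self._refuse(payment, f"{user} may not initiate payments")
        needs_second = ((self.dual_control and payment.kind in self.DUAL_CONTROL_KINDS)
                        or payment.amount > self.users[user].approval_required_above)
        payment.state = "pending_approval" if needs_second else "approved"
        payment.log.append(f"{user} submitted {payment.kind} {payment.amount}; state {payment.state}")
        return True

    def approve(self, payment, approver, source_ip, token_ok=False):
        if payment.state != "pending_approval":
            return self._refuse(payment, f"nothing to approve in state {payment.state}")
        if approver == payment.initiator:
            return self._refuse(payment, f"{approver} cannot approve their own payment")
        if not self._session_ok(payment, approver, source_ip, token_ok):
            return False
        if not self.users[approver].can_approve:
            return self._refuse(payment, f"{approver} has no approval entitlement")
        payment.approver, payment.state = approver, "approved"
        payment.log.append(f"{approver} approved")
        return True

    def release(self, payment):
        if payment.state != "approved":
            return self._refuse(payment, f"cannot release in state {payment.state}")
        payment.state = "released"
        payment.log.append("released to the bank")
        return True


# Constructed users and policy: alice needs approval on everything she submits,
# bob can approve and self-clears only below $10,000 when Dual Control is off.
USERS = {
    "alice": Entitlement(can_initiate=True, can_approve=False, approval_required_above=Decimal("0")),
    "bob": Entitlement(can_initiate=True, can_approve=True, approval_required_above=Decimal("10000")),
}
DESK = PaymentDesk(USERS, allowed_networks=["203.0.113.0/24"], token_required_above="500000")

if __name__ == "__main__":
    wire = Payment("P-1", "wire", "250000", "alice")
    DESK.submit(wire, "203.0.113.10")
    DESK.approve(wire, "alice", "203.0.113.10")   # refused: own payment
    DESK.approve(wire, "bob", "198.51.100.7")     # refused: IP not allowed
    DESK.approve(wire, "bob", "203.0.113.20")
    DESK.release(wire)
    print("\n".join(wire.log))
```

The separation-of-duties check compares user identities, not roles: a user who holds both the initiate and approve entitlements still cannot approve a payment they submitted themselves.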

BEST PRACTICE:

Communication is essential for a successful security strategy, so eliminate departmental silos and develop cross-organizational teams that meet regularly to review, assess, and coordinate protective measures against potential threats and vulnerabilities.

BEST PRACTICES FOR RISK MITIGATION

The following strategies and tactics can be implemented without significant business disruption to help protect against the threat of cyberattack:

Use email and the Internet safely. Ignore unsolicited email and delete spam immediately; be wary of attachments, links, and forms in suspicious messages; avoid untrustworthy (often free) downloads from freeware or shareware sites; and don’t click links in email messages unless you are sure where they lead. Never use your work email for personal purposes or your personal email for work.

Never share your user ID or password with others. Create strong passwords that combine mixed-case letters, numbers, and symbols, or use a long passphrase; avoid using personal information in a username or password; always log out of accounts and browser sessions when you are done; and change passwords at least every 90 days. (Current NIST guidance, SP 800-63B, favors length, screening against known-breached passwords, and multi-factor authentication over scheduled rotation, but a password must be changed immediately whenever compromise is suspected.) Conduct frequent checks of financial and other proprietary accounts for suspicious or unknown transactions, and report them immediately.

Monitor account log-in alerts. Cybersecurity relies on observing basic rules. Take advantage of – and regularly view – system alerts, such as ACH Alerts, Wire Alerts, and Password Change Alerts.

Follow basic browser safety. Cyber criminals are adept at compromising computers and other devices through vulnerable browsers; spyware can be installed without your knowledge if your browser is not secure. Once a device is compromised, attackers can take control of it, steal your information, or use it to attack others. Keep your browser up to date, set it not to store passwords, and use ad/pop-up blockers to prevent malicious pop-ups or ads from appearing.

HOW CHASE CAN HELP

The growing threat of payments fraud and other crimes in the workplace has more organizations re-examining their crime prevention and deterrence policies. Fraudsters, in particular, have displayed sophistication in designing their plans of attack, and determination in executing them. To meet this threat, the banking industry has worked diligently to adopt and deploy tough anti-fraud solutions to defeat them.

For insight and perspective on how to create an effective fraud protection strategy, speak with your Chase Banker. Learn how Positive Pay, Reverse Positive Pay, Paperless Statements, Account Alerts, Access ManagerSM, and other Chase anti-fraud countermeasures can be seamlessly integrated with your operating accounts. These tools can help your organization mitigate the risk and potential financial loss associated with payments fraud.

We offer a wide range of credit and cash management services, merchant services, business checking products, and other financial tools and resources that can help your business access working capital, improve cash flow, and compete for business more effectively.

For more information, please contact a Chase Cash Management Solutions Specialist today.


BEST PRACTICE:

The single best way to reduce check fraud risk is to replace paper checks with electronic funds transfers.

The information presented herein is for informational purposes only and is not intended to be, nor should be construed to be legal, business or tax advice. Consult a qualified advisor regarding your particular situation. Accounts subject to credit approval. Restrictions and limitations apply.

JPMorgan Chase Bank, N.A. Member FDIC. Equal Opportunity Lender. ©2019 JPMorgan Chase & Co. 6/1/19 | CRM1223