Help protect your company and accounts from payment fraud – during heightened pandemic threats – and beyond
RISE IN PAYMENT FRAUD — ARE YOU AT RISK?
ACH and wire payment fraud is a global and industry-wide issue affecting a growing number of customers of financial institutions around the world. And now, with a rise in fraud being seen due to the COVID-19 crisis, it’s more important than ever for businesses to know what to look for. The fraud attackers are very sophisticated, understand the ACH and wire payment systems and are targeting customers with both small and large account balances. Currently, the most popular fraud tactic is Business Email Compromise (BEC). BEC targets both businesses and individuals who are responsible for making payments. Fraudsters gain access to legitimate business email accounts through social engineering or similar tactics and use them to make unauthorized transfers. The exploitation of valid internet banking credentials belonging to businesses still occurs, though on a much smaller scale.
HOW IT CAN HAPPEN
Fraudsters will use various email schemes to con their victims. By gaining access to legitimate email accounts, fraudsters will impersonate vendors in emails to direct payments (based on valid invoices) to fraudsters’ accounts. They will pretend to be other third parties in an email and request changes in bank account(s) or payment instructions. They will also gain access to employees’ email and will send an email requesting a change in payroll instructions.
BEC falls under the umbrella of a type of fraud scheme known as Executive Impersonation. Another ploy fraudsters use is to spoof email addresses, by changing the email header to disguise the true source and making it look like the email is from a known individual. Fraudsters will typically impersonate a senior level executive via an email to trick a member of a company into sending money via ACH or wire.
Ransomware is another tactic that is frequently being used. Malicious software is downloaded to a computer and then it either encrypts files so they can no longer be accessed or it locks down the operating system entirely so the user can no longer access anything. The software is usually delivered via email and the user unknowingly opens it, allowing it to download to a computer. Fraudsters then reach out to the affected user and ask for payment to release the system, usually requesting payment via Bitcoin.
Phishing is usually the fraudster’s entry point, where a fraudster sends an email which contains either an infected file or a link to an infectious website. The email recipient is generally a person within an organization who can initiate funds transfers or payments on behalf of an organization. Once the email recipient opens the email or clicks on the infectious link, malware is installed on the computer which harvests the user’s logon credentials.
Deepfake is a new impersonation strategy in which fraudsters use software to impersonate the voice of the person who can authorize a payment. While the use of this software is time consuming and far from perfect, one European company did fall for a deepfake scam and sent nearly $250,000.
Be aware that fraudsters may request Personally Identifiable Information, or PII, which is any data that could potentially be used to identify a particular person such as full name, Social Security number, driver’s license number, bank account number, passport number, and email address. For example, fraudsters have been known to use BEC and Executive Impersonation to socially engineer victims into providing employee W2 information, similar to payroll/direct deposit schemes. Another new trend to watch out for is the compromising of employee personal email accounts to change direct deposit information.
The following checklist offers some suggestions on how you can help protect your PC from virus attacks and minimize internet payment fraud. This checklist is general in nature and is not geared toward any client’s particular situation. Please consult with your security officer or other security advisor to ensure you have comprehensive procedures in place appropriate for your particular organization and needs. It is important that your organization perform periodic reviews of your risks and controls with respect to payment fraud.
BEST PRACTICES TO HELP MITIGATE PAYMENT FRAUD
✔ BE CAREFUL ABOUT ANY PAYMENT INSTRUCTIONS/ACCOUNT CHANGES RECEIVED VIA EMAIL
- Verify any account changes for an employee (payroll) or vendor (invoice) by reaching out directly to that employee or vendor using existing, previously known contact information
- If you can’t confirm all account changes, then set threshold dollar amounts. Be careful of account number changes where large dollar payments will be paid in the coming days or weeks
- Confirm any payment instructions received via email or fax with the requestor by connecting using another communication method (e.g., a separate email or a phone call)
- Avoid opening email attachments or clicking on internet links in suspicious emails
- Be suspicious of requests that stress urgency, secrecy or the need to act without further confirmation
- Be selective about what you install on your computer. Malicious programs can automatically be installed on a computer while installing other software
✔ TIGHTEN YOUR ACH AND WIRE CONTROLS
- Utilize ACH and check payment blocks or filters to place appropriate limits on payments
- ACH and wire payments should be utilized under dual control using two separate computers (i.e., one person creates the funds transfer and a second person approves the funds transfer)
- Implement dual approval of all ACH and wire profiles (i.e., one person authorizes the creation of the ACH/wire profile template that contains payment instructions and a second person approves the template)
- With dual approval of all profiles, every new or modified ACH and wire payment profile requires secondary approval before it is activated
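The dual-control rules in this checklist, modelled as an added example (not M&T's software): a profile template must be approved by a user other than its creator, a transfer can only reference an approved profile, the initiator of a transfer cannot approve it, and modifying a profile sends it back to pending. It assumes an in-memory store and user names from an already-authenticated session.

```python
"""Dual-control model for ACH/wire profiles and transfers: an added illustration,
not M&T's software. Assumes an in-memory store and an already-authenticated user."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Profile:            # payment template: payee account + routing
    account: str
    routing: str
    created_by: str
    approved_by: Optional[str] = None  # set only by a second, different user

@dataclass
class Transfer:
    profile: str
    amount_cents: int
    created_by: str
    approved_by: Optional[str] = None

class PaymentDesk:
    def __init__(self):
        self.profiles = {}
    def save_profile(self, user, name, account, routing):
        # A new or modified template returns to pending until re-approved.
        self.profiles[name] = Profile(account, routing, created_by=user)
    def approve_profile(self, user, name):
        prof = self.profiles[name]
        if user == prof.created_by:
            raise PermissionError("profile creator cannot also approve it")
        prof.approved_by = user
    def create_transfer(self, user, name, amount_cents):
        prof = self.profiles.get(name)
        if prof is None or prof.approved_by is None:
            raise ValueError("transfer must reference an approved profile")
        return Transfer(name, amount_cents, created_by=user)
    def approve_transfer(self, user, xfer):
        if user == xfer.created_by:
            raise PermissionError("initiator cannot approve own transfer")
        if self.profiles[xfer.profile].approved_by is None:
            raise ValueError("profile was modified and awaits re-approval")
        xfer.approved_by = user
        return xfer

def blocked(action, *args) -> bool:
    # True if a control rejected the action; lets a check show each rule fires.
    try:
        action(*args)
    except (PermissionError, ValueError):
        return True
    return False
```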
✔ BE ON ALERT FOR COMPUTER HOAXES AND PHISHING SCAMS
- Phishers have become very good at impersonating legitimate companies. The emails and websites they use are nearly impossible to distinguish from those of the companies they are impersonating
- Make sure the URL matches the name of the company
- Watch for poor grammar or spelling
- Understand that phishers don’t just use email. They have also been known to try to collect information using automated phone messages, faxes and cell phone text messages, often posing as institutions that you trust
✔ WHAT TO DO IF YOU SUFFER FRAUD OR SUSPECT FRAUD
In the event you become a victim of fraud, help protect your financial interests with the following recommendations:
- Immediately contact M&T Bank at 1-800-724-2240 to request that the following actions, and any others you consider appropriate, be taken to help contain the incident:
  - Change online banking passwords
  - Confirm any recent account transactions
  - Close existing account and open new account(s) as appropriate
  - Ensure that no one has requested an address change, title change, PIN change or ordered new cards, checks or other account documents be sent to another address
- Immediately cease all activity from computer systems that may be compromised
- Immediately contact your security officer or other security advisor to ensure you are following appropriate security guidelines and procedures to help contain the situation
✔ OTHER BEST PRACTICES
- Prohibit the use of “shared” usernames and passwords for online banking systems. Set a different password for each website that is accessed
- Be suspicious of emails, internet pages or telephone calls purporting to be from a financial institution requesting account information, account verification or banking access credentials such as usernames, passwords, PIN codes and similar information. M&T will never ask for this information
SOLUTIONS TO HELP KEEP YOUR PAYMENTS AND ACCOUNTS SAFE
Why be a victim of fraud and be exposed to potential financial losses? At M&T Bank, we offer several fraud services to help protect your organization from payment fraud and reduce your risk of exposure to attacks on your personal accounts.
ACH MONITOR FRAUD REVIEW helps protect business checking accounts from unauthorized ACH debits. For added security, M&T offers two levels of service: block all ACH debits from your account or authorize only specific debits from select vendors.
ACH ACCOUNT NUMBER MASKING (UPIC) allows you to receive ACH credits without revealing sensitive bank account information. A unique number and routing/transit number are assigned so that you do not need to reveal your confidential account number. The UPIC (Universal Payment Identification Code) cannot be used to debit your account via ACH transactions or used to access your account.
PAYEE POSITIVE PAY compares the payee name, dollar amounts, and serial numbers on checks presented for payment to similar information in a customer-provided check issue file. Variations in payee name, including spelling errors, as well as variations in dollar amounts or serial numbers, are reported so that you can then review the suspect check for a pay or return decision.
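The matching that payee positive pay performs, written out as an added example (not M&T's service): each presented check is looked up by serial number in the customer's issue file and reported as an exception when the serial is unknown or already paid, the amount differs, or the payee name differs beyond case and punctuation. The issue file, presented checks and the normalisation rule are constructed assumptions.

```python
"""Payee positive pay exception logic: an added illustration, not M&T's service.
The issue file, presented checks and name normalisation rule are constructed
assumptions for this example."""
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    serial: int
    amount: Decimal
    payee: str

def normalize(name: str) -> str:
    # Case and punctuation differences are tolerated; any other spelling
    # variation is reported, as the service description above requires.
    return "".join(ch for ch in name.lower() if ch.isalnum())

def review_presented(issue_file, presented):
    """Return (check, reason) exceptions for a pay/return decision."""
    issued = {c.serial: c for c in issue_file}
    seen = set()
    exceptions = []
    for chk in presented:
        ref = issued.get(chk.serial)
        if ref is None:
            exceptions.append((chk, "serial not in issue file"))
        elif chk.serial in seen:
            exceptions.append((chk, "serial already presented"))
        elif chk.amount != ref.amount:
            exceptions.append((chk, f"amount differs from issued {ref.amount}"))
        elif normalize(chk.payee) != normalize(ref.payee):
            exceptions.append((chk, f"payee differs from issued '{ref.payee}'"))
        seen.add(chk.serial)
    return exceptions

# Constructed sample data: what the customer told the bank it issued ...
ISSUE_FILE = [
    Check(1001, Decimal("250.00"), "Acme Supply Co."),
    Check(1002, Decimal("1200.00"), "Northwind Traders"),
    Check(1003, Decimal("75.50"), "J. Smith Consulting"),
]
# ... and what was presented for payment (last item is a duplicate presentment).
PRESENTED = [
    Check(1001, Decimal("250.00"), "ACME SUPPLY CO"),        # clean match
    Check(1002, Decimal("1200.00"), "Northwind Tradrs"),     # altered payee
    Check(1003, Decimal("7550.00"), "J. Smith Consulting"),  # altered amount
    Check(1004, Decimal("980.00"), "Cash"),                  # never issued
    Check(1001, Decimal("250.00"), "Acme Supply Co."),
]
```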
REVERSE POSITIVE PAY helps ease the burden of protecting against unauthorized checks, which represent a serious risk of financial loss to your business. This service provides the ability to detect unauthorized checks with a daily paid check review, the ability to review a list of the previous day’s checks and return any fraudulent or counterfeit items, along with access to daily check reports.
CHECK BLOCK can help protect your deposit account from fraudulent or unauthorized check writing activity. This service will automatically return all checks and drafts presented against your account, while allowing you to continue to send and receive electronic payments or deposits.
DUAL APPROVAL can help by requiring two users to initiate and authorize ACH and wire transfers or to confirm decisions to pay suspect checks identified through our positive pay service. Dual Approval can be set up using Treasury CenterSM or Web InfoPLU$, so that one user sends or accepts a payment and a second user approves the payment.
Benefits of dual approval include:
- Enhanced fraud protection to help protect against “account takeover” attacks
- Increased peace of mind that all wire and ACH payments will be reviewed and approved by a second user before they are processed
Learn how M&T can partner with you on fraud protection for your business.
IF YOU SUSPECT FRAUD, CONTACT YOUR RELATIONSHIP MANAGER OR TREASURY MANAGEMENT SERVICE AT 1-800-724-2240 IMMEDIATELY.
SEE SOMETHING. SUSPECT SOMETHING. SAY SOMETHING.
Cybersecurity and You
Protecting your information is one of our top priorities, which is why we at M&T Bank and Wilmington Trust (part of the M&T family), maintain an Enterprise Information Security Program.
But there are some things you can do to identify and manage cyber risks at home, in the office or on the go.
All M&T Treasury Management services are subject to M&T’s standard Treasury Management Services Agreement.
This article is for informational purposes only. It is not designed or intended to provide financial, tax, legal, investment, accounting, or other professional advice since such advice always requires consideration of individual circumstances. Please consult with the professionals of your choice to discuss your situation.