Is your firm guarding against fraud? Is your payments provider?
If you’ve never experienced the nightmare of fraud, you may not realize how prevalent it really is. According to the Association for Financial Professionals’ (AFP) 2019 Payments Fraud and Control Survey Report, 82 percent of financial professionals report attempted and/or actual payments fraud in 2018. And while check fraud is declining, the percentage of organizations falling prey to Business Email Compromise (BEC) scams has increased from 64 percent in 2014 to 80 percent in 2018 according to the report. Indeed, while technology is making electronic payments easier, it’s also helping bad actors attack those same payment methods.
BEC scams target small, medium and large businesses as well as personal transactions. Between December 2016 and May 2018, there was a 136 percent increase in identified global exposed dollar losses. The scams have been reported in all 50 states and in 150 countries. Victim complaints filed with the Internet Crime Compliance Center (IC3) and other financial institutions indicate fraudulent transfers have been sent to 115 countries.
The cost of fraud.
So, what does all this attempted and actual fraud cost the companies involved? The AFP report shows some respondents experiencing losses of $2 million or more from successful fraud attacks. But financial loss isn’t the only issue. Company leaders are well aware that fraud can expose confidential company information and adversely affect an organization’s reputation.
All of this begs the question: What is your organization doing to protect itself against the growing threat of fraud? Better yet, what are your critical financial partners (banks, insurance companies, investment firms) doing to protect your accounts with them?
Above all else, your critical financial partners should be well aware of fraud tactics and how to recognize them. Not only should they be keeping their employees up to date on the latest schemes, but they should be educating their clients on how to spot fraudulent attempts to gain access or information that could compromise your company.
Here are 10 strategies to help your firm mitigate fraud:
- Dual Controls: Dual control approvals completed from separate computers help protect against multiple users’ credentials being captured on a single infected device.
- Separation of Duties: A separation of duties between the individual verifying activity/reconciling accounts and the staff person(s) with authority to originate transactions protects a single bad actor initiating a fraudulent scheme alone.
- Secure Location: Position computers used to transact business in a secure location.
- Internet Security: Ensure your device has current anti-virus software and all operating system and application updates and patches. Firewalls should be enabled if possible.
- Dedicated PC: Devote dedicated computers for online financial transactions.
- Email Security: Train employees to recognize phishing email and how to identify potential threats in email and instant messages.
- Verify Transactions: Always carefully and thoroughly verify transactions for authenticity and promptly reconcile accounts.
- Utilize Controls: Any partner software should feature controls that help limit exposure and require secondary review and approval of funds transfer activity.
- Multi-factor Authentication: Access to a payment portal from an unknown IP address prompts for a second verification to ensure proper user authentication.
- Password Protection: Remind users to maintain strict confidentiality of login/authentication credentials, e.g., IDs, passwords, PINs, and (if applicable) fobs.
- Patch Management Policy: Ensure your company has an established Patch Management Policy and that it covers third-party client software such as Adobe, Flash and Java.
Most payment fraud thought leaders agree that almost all fraud is preventable. The challenge is helping employees recognize suspicious communications and inquiries and supporting them with technology that fills in the gaps.
Also See:
Payment Strategies: Virtual Card Best PracticesWhat you need to know about Ransomware