Two-thirds of businesses face payments-related fraud

No business is immune from fraud. Usually only the most egregious fraud stories make the newspapers, such as Koss Corp.’s $30 million loss due to embezzlement by then-CFO Sue Sachdeva. While damages are rarely this high, most businesses experience actual or attempted fraud each year. Data released by the Association for Financial Professionals Payments Fraud and Control Survey shows the following:

• In 2011, two-thirds of surveyed businesses reported actual or attempted fraud related to receiving payments.
• The average loss from payment fraud in 2011 was $19,200.

While financial institutions invest heavily in consumer fraud-prevention policies, including high-tech, real-time monitoring of credit accounts, you should be equally aware of the danger of fraud to your business. Dealing with fraud after the fact is often fruitless; even if the perpetrator is caught, you may never get your money back. Therefore, as Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.”

From our vantage point as bankers, we see businesses struggling to combat the constant threat of fraudulent transactions. Below are three key areas to help protect your business against fraud.

1. Preventing check fraud. Eighty-five percent of businesses reporting fraud in 2011 experienced check-related payments fraud or received fraudulent checks. Often, check-writing occurs without any electronic safeguards at the point of purchase. Follow these fraud-prevention best practices to help avoid unauthorized checks written against your business accounts:

• Purchase check stock from known vendors.
• Use high-quality check stock with built-in security features, including watermarks, chemical resistant paper and ink, thermo-chromatic ink, and micro printing.
• Store checks, deposit slips, and statements securely.
• Establish a policy for employee check orders and reorders.
• Reconcile accounts daily using online banking.
• Move to ACH for payroll, billing, and vendor payments.
• Use Positive Pay – an electronic system for comparing cleared items with a file of known issues.

2. Preventing electronic payments fraud – “the technology side.” ACH, which stands for Automated Clearing House, is a large network for clearing credit and debit financial transactions, including direct deposit payroll and vendor payments. ACH is the second most common context of payments-related fraud. Criminals use various methods to gain access to a company’s ACH payment origination system – and then initiate unauthorized payments. One common method used to hijack accounts is malicious software, or “malware,” which are spread through Internet visits to infected Web pages. To help avoid malware and its effects, follow these best practices:

• Monitor and reconcile your accounts daily online.
• Contact someone immediately in the event of suspicious transactions.
• Use “strong” passwords that are unique to each individual, and change passwords frequently.
• Have a procedure for updating employee access.
• Do not transmit sensitive banking information over unencrypted communication lines.
• Do not store sensitive information on portable storage devices.
• Have dedicated workstations if possible.
• Dedicate separate computers for internet browsing and online banking access.
• Implement “dual control” for all payment methods – release payments only after authorization from two employees.
• Segregate employee duties.
• Use ACH Debit Filters and Blocks to block all transactions except those you want.
• Maintain up-to-date virus protection and security software.
• Install security patches via automatic vendor updates.

3. Preventing electronic payments fraud – “the people side.” Even with robust technological safeguards, your business is still vulnerable to insider fraud and employee-enabled fraud. In the case of deliberate insider fraud, an employee may manipulate ACH files or wire transfers to redirect funds to fraudulent accounts. Or an unscrupulous employee may provide fraudsters with company login credentials for a fee.

   But criminals often obtain sensitive information from employees who are well-meaning, too. Mechanisms include “phishing” (spam or pop-up messages used to gain access to sensitive information), “spear phishing” (targeting of high-profile company employees with malware), and “vishing” (automated recordings that encourage recipients to “contact their bank immediately”). Sometimes, these attempts are blatant; other attempts are much more subtle. Protect your business by following these practices:

• Block pop-ups and plug-ins on computers used to conduct business.
• Use separate email addresses for personal/company business.
• Do not use the same computer for Internet surfing and banking.
• Log out of online sessions when not in use.
• Always contact your bank using information you know to be valid.
• Always type the bank’s Web address into your Internet browser rather than cutting and pasting from a link.
• Never provide sensitive information over the phone unless you placed the call or are sure you are talking to the correct party.
• Maintain skepticism – if it seems too good to be true, it almost always is!

The bottom line is to take fraud seriously. Payments-related fraud is extremely common. Take practical steps to protect your business. Work with your bank’s treasury management department to ensure sophisticated fraud-prevention methods are in place. You can’t prevent fraud attempts, but together with your bank’s experts, you can reduce the risk and protect your business’s assets.

Kevin Tenpas is president of Wisconsin Bank & Trust, a community bank with assets of $500 million serving customers statewide. Greg Normington, AAP, is treasury management risk manager for Heartland Financial USA, Inc., the parent company of Wisconsin Bank & Trust.

Sign up for the free IB Update – your weekly resource for local business news, analysis, voices, and the names you need to know. Click here. If you are not already a subscriber to In Business magazine, be sure to sign up for our monthly print edition here.