PROTECT YOUR BUSINESS AGAINST PAYMENT FRAUD

Recognize It. Resist It. Report It.

Payment fraud is a growing problem that every organization needs to guard against.

Payment fraud can happen to your business at any time. You pay what you believe is a legitimate invoice from a legitimate vendor or contractor, but the payment actually goes to an impostor who may be anywhere in the world and virtually impossible to find. Beyond the financial loss, it can also result in the exposure of confidential company information and can spread malware and spyware to gain access to confidential personnel and customer information. If payment fraud happened to you, you wouldn’t be alone: In a recent Association of Financial Professionals^® (AFP) survey, 82% of financial professionals have reported that their organizations were targeted in 2018.^*

Continue reading to find out:

What payment fraud is
What payment control is
How payment fraud is becoming more complex
How payment fraud can be avoided
View the checklist

Business Email Compromise (BEC) is an increasingly common scam.

BEC, also known as Email Account Compromise (EAC), targets business officers who execute payments. The targeted individual receives an email from what appears to be a known vendor, contractor or other third party—often a senior executive. The email requests an urgent transfer, invoice payment, and/or a change in bank account or payment instructions (e.g., new routing and account information for ACH or wire payments, a change of payment method from check to ACH, or changes in business banking information for payroll). Impersonating HR departments and directing employees to sign in using what appears to be official links has become increasingly common.

Fraudsters have become stunningly skilled at impersonation.

Fraudsters are more sophisticated than ever and can stalk their victims with great efficiency. Using phishing emails and social engineering techniques via social media, they learn all they can about their targets’ patterns, habits and mindset. They poach contacts and other information. They learn what payment methods their potential victims use, in an effort to make their requests appear routine. Another tactic is to create a fake bank account and let it sit for months so that when it appears, noone is alerted by a new vendor or contractor. They can also hack into the officer’s account and use it at will, with no way for anyone to tell. They often use social media or “out of office” messages to time the attack for when the officer is away.

Best practices for fraud detection to safeguard your business and employees against payment fraud:

Isolate and safeguard your payment system

Use a dedicated computer to process payments
Choose hardware, software and service providers that meet security requirements
Always use antivirus software and keep it updated, to keep your IT systems protected from viruses and malware
Use a secure system for remote access or eliminate remote access if you don’t need it
Never provide nonpublic business information or any sensitive information on social media

Protect your email account and devices

Never, ever provide your login credentials to anyone
Do not use the “Reply” option when authenticating emails for payment requests; instead, use the “Forward” option and enter the correct email address by typing it or selecting it from your address book
Do not use free web-based email accounts; business emails should always use company domains

Verify all payment and change requests

Require that all payments and/or changes (e.g., account or routing transit numbers, payment type, amount, financial institution, mailing address, etc.) be verified separately and approved by different people
Use a different communication channel from the one the request came in on; for large payments, use multiple channels
Never use the contact information from the request; always use what you have on file
Make vendor payment forms available only to appropriate personnel, using secure means
Require that any changes to payment account information be made or confirmed by a system administrator, using methods such as verification codes for existing contacts
If a financial institution questions the legitimacy of a payment, respond quickly

Limit access, implement dual custody and segregate functions

Limit access to payment systems to employees who need it
Break down the payment process into separate steps and divide those steps between two people; the same person should not be able to both create and approve a payment
Segregate accounting duties, so there is dual custody

Teach your employees to recognize suspicious activity, resist potential fraud and provide tools to report it

Educate and train employees to question and independently authenticate changes in payment instructions; they should never fall prey to requests for secrecy or pressure to take action quickly
Urge them to be skeptical even when the outreach appears to legitimately be from the requesting organization
Make sure they are always aware of the telltale signs including typos, grammatical errors, missing words, payment amounts that differ from the invoice, use of a public email domain such as Gmail, subtle changes in the organization’s name in the email address requests to pay individuals, or anything that does not exactly match the information you have on file
Make sure they know not to open attachments, click links or give any personal information, as fraudsters use these to install malicious malware
Refer them to government agency websites that provide information and advice about recognizing and responding to suspected fraud, and links to report it; these include the FBI, FCC and FTC

Implement background checks and rigorous monitoring protocols

Review past payment history to detect any deviation from the typical pattern
Perform account reconciliations regularly
Review vendor address and banking information changes and request supporting documentation to confirm any changes
Review personnel changes

Teach your employees to be wary of fake check scams

Teach employees to be alert and check scams in which a scammer sends a (bad) check for more than has been billed to the targeted vendor or contractor asking you to wire the overage to a third party; this scam often includes a reason for the overpayment and an immediate need for the reimbursement
Guard your checks and check stock carefully; scammers may steal them and defraud you by “check washing”—deleting your information and changing the payee’s name and, possibly, the amount.

Use Positive Pay to protect against check fraud

Positive Pay continues to be the method most often used by organizations to guard against check fraud
It helps identify fraudulent checks by matching check issue information against checks presented for clearing, and sends electronic notification alerts of certain discrepancies so you can decide whether to pay or return it
Payee Positive Pay provides a second security layer to our standard Positive Pay with Payee name matching
If relevant discrepancy appears, you will receive electronic notification alerts, which require your decision to pay or return the item

Use ACH Positive Pay and ACH Block to combat wire transfer fraud

Business Online Banking provides advanced anti-fraud features and a wide range of self-service banking capabilities
ACH Positive Pay enables you to establish and control acceptable sender parameter profiles. You can view any ACH debit outside of your sender parameter profiles and either pay or return it. ACH antifraud services include features to help avoid inadvertently rejecting authorized ACH payments
ACH Block provides the ability to block all ACH debits, or those of specific originators, from being posted to your account; all blocked transactions will be automatically returned to the originator.

Help your employees guard against payroll fraud

Train your employees to watch for phishing attacks and suspicious malware links and to carefully examine the sender’s address of any emails they receive
They should know not to reply to any suspicious email or enter login credentials when clicking on a link or opening attachments
• Employer self-service platforms should authenticate requests to change payment information using previously known contact information. One method is to require “Out of Band Authentication”—a second password that is sent in an SMS text message or to an existing email address, or to use a hard token code. They should also re-authenticate users accessing the system from unrecognized devices, using previously known contact information
Set up administrator alerts on self-service platforms for unusual activity such as a change in banking information or when multiple changes that use the same new routing number or identical account numbers. Also, consider validating any new Direct Deposit information by sending ACH prenotification transactions.

HOW TO REPORT FRAUD

If you believe you are the victim of payment fraud, contact the FBI Internet Crime Complaint Center (IC3). If you suspect a payment fraud attempt but have not lost money, contact FTC Complaint Assistant. Please contact Banc of California if you believe you are the victim of payment fraud or suspect a payment fraud attempt.

CONNECT WITH A RELATIONSHIP MANAGER

COMPLETE THIS FORM OR CALL
877-770-BANC (2262)