
First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Apolone Gentles, JD, CPA, CGA, FCCA, BSc (Hons) | 3 minute read | October 5, 2015

Electronic funds transfer payments – Trends and scams

Businesses must maintain awareness of, and vigilance against, the constantly evolving and increasingly sophisticated threats in the electronic funds transfer (EFT) landscape. A recent survey and a Federal Bureau of Investigation (FBI) alert support this conclusion. (The Association for Financial Professionals (AFP) 2015 Payments Fraud and Control Survey can be found at www.chase.com/content/dam/chasecom/en/commercial-bank/executive-connect/common/document/afp-payments-fraud-results.pdf. The alert can be found at www.ic3.gov/media/2015/150122.aspx.)
A significant proportion of the businesses surveyed experienced losses from wire (27 percent), ACH debit (25 percent) and ACH credit (10 percent) fraud. (With an ACH credit, the payer initiates an online payment and pushes funds out of its own account; with an ACH debit, the payer authorizes the payee to pull funds from the payer's account electronically.)
Businesses surveyed cited the following as the most common reasons for ACH fraud losses: (i) failure to use ACH debit blocks, filters or positive pay (76 percent); (ii) untimely reconciliations (28 percent); and (iii) gaps in online security controls or criminal account takeover (24 percent). The methods they found most effective against ACH fraud were (i) ACH positive pay, (ii) daily reconciliations and other internal procedures, and (iii) segregation of duties. (With debit blocks and filters, the bank does not post ACH debits to the business's account unless they meet pre-determined criteria, such as an authorized originator and a maximum amount. With positive pay, the bank gives the business the details of presented items that did not match its expected payments, and the opportunity to make a "pay or no-pay" decision before they post.)
As a result, 70 percent of the businesses surveyed reconciled EFT transactions and investigated unusual items daily. Fifty percent added layers of security or stronger forms of authentication, and 40 percent were upgrading the authentication procedures or devices used to access their networks.
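The three controls above (a debit filter, positive pay and a same-day exception review) are easier to reason about as code. The block below is a worked example added to this article, not First Reference's or any bank's code; the originator IDs, amounts, trace numbers and the "expected debits" list are constructed so that the example runs offline. It shows the bank-side filter rejecting an unknown originator and an over-ceiling item, positive pay holding an unexpected item for a pay/no-pay decision, and the list of expected items the bank never presented, which the daily reconciliation should chase.

```python
"""ACH debit filter, positive pay and same-day exception review.

Worked example added to this article; it is not First Reference's or any
bank's code. The originator IDs, amounts, trace numbers and the expected
debits list are constructed to show how the three controls fit together.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Debit:
    """One ACH debit the bank has received against the business's account."""
    originator_id: str   # ACH company ID of the party pulling the funds
    amount: Decimal
    trace: str           # bank trace number, used when returning an item


# Debit filter: originators the business has authorised and the most each may
# pull per item. An empty filter is a full debit block.
DEBIT_FILTER = {
    "1234567890": Decimal("50000.00"),   # constructed: payroll provider
    "2345678901": Decimal("2500.00"),    # constructed: utility company
}

# Positive pay: the debits the business told the bank to expect today, taken
# from its own approved-payments record, never from an e-mail.
EXPECTED_TODAY = {
    ("1234567890", Decimal("41237.19")),
    ("2345678901", Decimal("812.40")),
}


def apply_filter(debits, debit_filter=DEBIT_FILTER):
    """Bank-side filter: return (accepted, rejected); rejected items carry a reason."""
    accepted, rejected = [], []
    for d in debits:
        ceiling = debit_filter.get(d.originator_id)
        if ceiling is None:
            rejected.append((d, "originator not authorised"))
        elif d.amount > ceiling:
            rejected.append((d, f"amount exceeds ceiling of {ceiling}"))
        else:
            accepted.append(d)
    return accepted, rejected


def positive_pay(debits, expected=EXPECTED_TODAY):
    """Match presented debits to the expected list.

    Returns (matched, decide, unpresented): `decide` holds items the business
    must explicitly pay or return; `unpresented` holds expected items the bank
    never saw, which the daily reconciliation should follow up.
    """
    pending = set(expected)
    matched, decide = [], []
    for d in debits:
        key = (d.originator_id, d.amount)
        if key in pending:
            pending.remove(key)
            matched.append(d)
        else:
            decide.append((d, "no matching expected item"))
    return matched, decide, pending


def review_day(presented):
    """Run both controls and summarise the day's items by trace number."""
    accepted, rejected = apply_filter(presented)
    matched, decide, unpresented = positive_pay(accepted)
    return {
        "posted": [d.trace for d in matched],
        "blocked": {d.trace: why for d, why in rejected},
        "decide": {d.trace: why for d, why in decide},
        "unpresented": sorted(unpresented),
    }


# Constructed sample of one day's presented debits.
PRESENTED = [
    Debit("1234567890", Decimal("41237.19"), "T001"),  # payroll, as expected
    Debit("2345678901", Decimal("812.40"), "T002"),    # utility, as expected
    Debit("9988776655", Decimal("19850.00"), "T003"),  # unknown originator
    Debit("2345678901", Decimal("2499.00"), "T004"),   # utility, unexpected amount
    Debit("1234567890", Decimal("52000.00"), "T005"),  # payroll, above ceiling
]

if __name__ == "__main__":
    for section, items in review_day(PRESENTED).items():
        print(section, items)
```

Note that the T004 item passes the filter (an authorised originator, under its ceiling) and is caught only by positive pay, which is why the survey respondents ranked positive pay ahead of blocks and filters: a compromised or dishonest authorised originator is invisible to a filter.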
The FBI alert focuses on one category of EFT payment fraud: business email compromise (BEC) scams. Victims have been identified in 45 countries, reported losses exceed $214,972,000, and the victims range from small to large businesses. The alert describes three main versions of the scam:

  1. The bogus invoice scheme (supplier swindle): Scammers pose as a vendor, by spoofing (i.e. closely mimicking) the vendor's email address or through other media, and make a bogus request to pay funds to an alternative bank account controlled by the scammer.
  2. The CEO fraud (business executive scam): Scammers hack or spoof a high-level executive's email account and request an urgent wire or transfer to the scammer's bank account.
  3. Compromised employee account: An employee's personal email account is hacked, and the scammer, posing as the employee, uses it to ask a vendor to make payments to the scammer's bank account. The scam is usually discovered only when the vendor follows up on the status of the payment.

Gone are poorly-worded emails, mass-mailed as a stab in the dark. BEC emails are well-worded, well-crafted and well-researched:

  • Emails are sent directly to the individuals responsible for initiating EFTs.
  • Spoofed emails very closely mimic legitimate addresses.
  • Emails appear legitimate because they are based on plausible information gleaned from social media, security breaches or other reliable means.
  • Emails are well-timed for efficacy, for example to coincide with the spoofed executive’s overseas travel.
  • Scams are often preceded by security intrusions or phishing emails seeking details the fraudster lacks.

To add insult to injury, an insurance company could refuse to pay claims related to certain BEC Scams, on the basis that the duped businesses made the transfers voluntarily.
The FBI and other security experts offer various suggestions to guard against BEC Scams, including:

  • Equip employees with the right strategies. Train them to:
      • Not divulge sensitive information on social media.
      • Pay attention to email addresses, as spoofed addresses can be hard to spot (e.g. [email protected] versus [email protected]).
      • Verify suspicious EFT instructions received by email out of band, for example by phoning the sender at a known, bona fide number (not one taken from the email itself).
      • Escalate and seek appropriate approvals for all requests to change banking information or add payees. Such requests should be investigated and verified before they take effect.
      • Delete suspicious emails and spam without opening them or clicking on "unsubscribe" or other links in them. They should never click on links purporting to lead to a bank's website; instead, they should type the bank's web address into the browser or select it from "favourites".
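Spotting a spoofed address by eye is unreliable, so the "pay attention to email addresses" advice above is best backed by a mechanical check on the accounts payable mailbox. The block below is an example added to this article, not First Reference's code: the trusted vendor domains and the sample From: headers are constructed (`.example` and `.test` are reserved names), and in practice the trusted list would come from the vendor master file. It flags the common lookalike tricks (confusable characters such as "rn" for "m" or "1" for "l", a one-character edit, and the vendor's name under a different suffix) so that a flagged message triggers the phone-back verification step.

```python
"""Lookalike sender-domain screening for e-mailed payment instructions.

Example added to this article; not First Reference's code. The trusted vendor
domains and sample From: headers are constructed. A flag here should trigger
the out-of-band verification step, not an automatic pay/no-pay decision.
"""
import re

TRUSTED = {"acme-supply.example", "northwind-bank.example"}

# Character sequences that look alike in a typical mail client's sender column.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("i", "l")]


def domain_of(from_header):
    """Return the lower-cased domain from 'Name <user@host>' or a bare address."""
    m = re.search(r"<([^>]+)>", from_header)
    address = m.group(1) if m else from_header
    return address.strip().rsplit("@", 1)[-1].lower()


def skeleton(domain):
    """Collapse confusable sequences so that look-alikes compare equal."""
    for confusable, plain in HOMOGLYPHS:
        domain = domain.replace(confusable, plain)
    return domain


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(from_header, trusted=TRUSTED):
    """Return 'trusted', 'lookalike:<trusted domain>:<reason>' or 'unknown'."""
    domain = domain_of(from_header)
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"   # the vendor's own domain, or a subdomain under its DNS control
    for t in trusted:
        base = t.split(".", 1)[0]   # e.g. "acme-supply"
        if skeleton(domain) == skeleton(t):
            return f"lookalike:{t}:confusable characters"
        if edit_distance(domain, t) <= 1:
            return f"lookalike:{t}:one edit away"
        if domain.startswith((t + ".", base + ".", base + "-")):
            return f"lookalike:{t}:vendor name with a different suffix"
    return "unknown"


SAMPLES = [  # constructed From: headers
    "Accounts Payable <ap@acme-supply.example>",
    "ap@acme-supp1y.example",
    "ap@acrne-supply.example",
    "ap@acme-suply.example",
    "ap@acme-supply.test",
    "ap@acme-supply.example.test",
    "ap@bob-books.example",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:45} -> {classify(s)}")
```

The check runs on the From: header, which is what the employee sees; it says nothing about whether the message really came from that domain, which is the job of the server-side SPF and DMARC controls discussed further down.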

If these suggestions seem simplistic, think about the results of a controlled test that a security expert recently performed for a client. He spoofed the client’s domain name and emailed employees asking them to click on a link and provide usernames and passwords. A shocking 62 percent of employees did!

  • Implement IT controls that may help to thwart scammers, including:
      • Not using free, web-based email accounts for business correspondence, since they are frequently compromised; use accounts on a company-owned domain instead.
      • Configuring email servers and DNS to reduce spoofing, for example by publishing sender authentication records such as SPF (see Microsoft's guide at https://technet.microsoft.com/en-us/library/jj723164).
      • Installing, and keeping up to date, antivirus, anti-spyware and anti-malware protection, firewalls, etc.
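What "configuring email servers to reduce spoofing" buys you, and what it does not, is easiest to see by running the checks. The block below is a simplified SPF evaluator and DMARC alignment check added to this article as an example; it is not Microsoft's, First Reference's or any mail server's code. The DNS records, IP addresses and message identities are constructed (a real receiving server looks the records up live), only the ip4, ip6, include and all mechanisms are modelled, DKIM is left out, and the DMARC lookup is done at the exact From: domain with no organizational-domain fallback. The last two scenarios are the ones that matter for BEC: a lookalike domain the attacker registered passes SPF on its own merits, and a message whose envelope sender passes SPF but whose From: header claims the vendor's domain is caught only by DMARC alignment.

```python
"""Simplified SPF evaluation and DMARC identifier alignment.

Example added to this article; not Microsoft's, First Reference's or any mail
server's code. DNS records, IPs and identities below are constructed. Only
ip4, ip6, include and all are handled and DKIM is omitted; that is enough to
show what SPF does and does not protect against.
"""
import ipaddress

# Constructed DNS: SPF records, keyed by domain.
DNS_TXT = {
    "acme-supply.example": "v=spf1 ip4:203.0.113.0/24 include:mailhost.example -all",
    "mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "acme-supp1y.example": "v=spf1 ip4:192.0.2.7 -all",  # lookalike domain, valid SPF
}
# Constructed DNS: DMARC policy, published only by the genuine vendor.
DNS_DMARC = {
    "_dmarc.acme-supply.example": "v=DMARC1; p=reject; aspf=s",
}

RESULT_FOR = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, dns=DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` for a message arriving from `ip`."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    address = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mechanism = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        name, _, argument = mechanism.partition(":")
        if name in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network and vice versa.
            matched = address in ipaddress.ip_network(argument, strict=False)
        elif name == "include":
            matched = spf_check(ip, argument, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, exists, ptr and macros are not modelled here
        if matched:
            return RESULT_FOR[qualifier]
    return "neutral"


def evaluate(header_from, envelope_from, ip, dns=DNS_TXT, dmarc=DNS_DMARC):
    """Return {'spf': ..., 'dmarc': ..., 'policy': ...} for one message.

    SPF is checked against the envelope sender (MAIL FROM) domain. DMARC then
    asks whether that domain is aligned with the From: header the recipient
    sees, and what the From: domain's owner wants done on failure.
    """
    hf = header_from.rsplit("@", 1)[-1].lower()
    ef = envelope_from.rsplit("@", 1)[-1].lower()
    spf = spf_check(ip, ef, dns)
    record = dmarc.get("_dmarc." + hf)   # assumption: exact-domain lookup only
    if record is None:
        return {"spf": spf, "dmarc": "none", "policy": "none"}
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("aspf", "r") == "s":
        aligned = hf == ef
    else:
        aligned = hf.split(".")[-2:] == ef.split(".")[-2:]  # crude organizational domain
    dmarc_result = "pass" if (spf == "pass" and aligned) else "fail"
    return {"spf": spf, "dmarc": dmarc_result, "policy": tags.get("p", "none")}


# Constructed scenarios: (label, From: header, envelope sender, source IP)
SCENARIOS = [
    ("genuine vendor mail", "ap@acme-supply.example", "bounce@acme-supply.example", "203.0.113.25"),
    ("genuine, via outsourced host", "ap@acme-supply.example", "bounce@acme-supply.example", "198.51.100.10"),
    ("spoofed exact domain", "ceo@acme-supply.example", "ceo@acme-supply.example", "192.0.2.7"),
    ("lookalike domain", "ceo@acme-supp1y.example", "ceo@acme-supp1y.example", "192.0.2.7"),
    ("SPF-passing envelope, spoofed From:", "ceo@acme-supply.example", "x@acme-supp1y.example", "192.0.2.7"),
]

if __name__ == "__main__":
    for label, hf, ef, ip in SCENARIOS:
        print(f"{label:38} {evaluate(hf, ef, ip)}")
```

Two caveats follow from the output. SPF and DMARC protect your own domain from being spoofed to others, and they let you honour a vendor's published policy; neither does anything against a lookalike domain the attacker owns, which is why the address check and the phone-back verification remain necessary. And a DMARC policy of reject only helps if the receiving server actually enforces it.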
About the author

Apolone Gentles, JD, CPA, CGA, FCCA, BSc (Hons)
Apolone Gentles is a CPA, CGA and Ontario lawyer and editor with over 20 years of business experience. She is leveraging 20 years of business and accounting experience to build a commercial litigation practice with an emphasis on construction law. She has held senior leadership roles in non-profit organizations, leading finance, human resources, information technology and facilities teams. She has also held senior roles in audit and assurance services at a "Big Four" audit firm, and has lectured in Auditing, Economics and Business at post-secondary schools.
About us

Established in 1995, First Reference is the leading publisher of up to date, practical and authoritative HR compliance and policy databases that are essential to ensure organizations meet their due diligence and duty of care requirements.


We welcome your comments on our blog articles. However, we do not respond to specific legal questions in this space.
We do not provide any form of legal advice or legal opinion. Please consult a lawyer in your jurisdiction or try one of our products.


Copyright © 2009 - 2023 · First Reference Inc. · All Rights Reserved