Corporate Strategies for
Preventing Payments Fraud
MAAFP Annual Financial Forum
March 16, 2016
Karen Nash-Goetz, Vice President & Senior Legal Counsel
T. Rowe Price Associates, Inc.
Discussion Topics
Payments Fraud Landscape
Understanding Your Risk
Fraud by Payment Type
Check Fraud
Card Fraud
ACH & Wire Fraud
Payment Security Practices
Disclaimer
The opinions expressed are those of the presenter and are not those of
T. Rowe Price
Payments Fraud
Landscape
Corporate Fraud Attacks & Losses
62% of organizations reported payments fraud attacks in 2014; of
those, 30% suffered losses
[Chart: % of Organizations Subject to Fraud Attacks & Losses, 2004 through 2014; series: Subject to Fraud, Subject to Fraud w/ Losses]
Source: 2015 AFP Payments Fraud & Control Survey, Association for Financial Professionals
Corporate Experiences with
Attempted Fraud &/or Losses
Fraud Experience by Payment Type

Payment Type                               Check   ACH                      Cards                    Wire
Subject to fraud attacks                   77%     25%                      Debit 10%, Credit 34%    27%
Financial loss from fraud                  15%     11%                      15%                      Not available
Responsible for greatest financial loss    45%     Debits 7%, Credits 1%    Debit 2%, Credit 25%     20%
to company

Source: 2015 AFP Payments Fraud & Control Survey, Association for Financial Professionals
Understanding Your
Risk
Assess Your Risk
Know your customers, vendors & suppliers
– Who do you conduct payment transactions with?
Probability of fraud attempts by payment type
Probability & size of financial loss from successful fraud
Who’s on the Hook for Fraud Liability
Understanding fraud liability
Liability for payments fraud is governed by laws, regulations, &/or private contracts
Liability varies by payment type
It is complicated by market dynamics & innovation
Divergent case law makes it hard to know with certainty who is liable for payments fraud: check images, account takeover
“Remote” payments may change the nature of liability: card not present (CNP) fraud
Practical matter of recovering lost funds & timing of recovery
Prevention Costs versus Actual Fraud Losses
For every payment type, a higher percentage of businesses respond
that prevention costs exceed actual losses
[Chart: Fraud Prevention Costs versus Actual Fraud Losses by % of Businesses (N=186 to 239); payment types: ACH, Wire, Checks, Credit cards, Cash, Debit PIN, Debit signature, Mobile, Prepaid cards; series: Prevention Costs, Actual Fraud Loss, Don’t Offer/Use Payment; y-axis 0% to 100%]
Source: 2014 Federal Reserve Payments Fraud Survey – Summary of Consolidated Results
Account Takeovers
How Account Takeovers Work (Example)
1. Target victim (business): fraudster targets business by way of phishing, spear phishing, social engineering, or computer hacking
2. Malware installed: if successful, malware is installed on computer—e.g., key logging or screen shot capabilities
3. Online banking: victim visits online banking; logs in using normal processes
4. Collect & transmit data: malware collects & transmits data (including online banking credentials) back to fraudster
5. Transfers funds to mule accounts via ACH or wire: using compromised online banking credentials, fraudster initiates funds transfers (via ACH credits or wires) to mule accounts
6. Mule accounts emptied & abandoned: mule accounts are emptied shortly after money is received & abandoned; once the money is sent, it is hard to get it back
Business Email Compromise (BEC)
Version 1 — A business, which often has a long-standing relationship with a supplier, is asked to wire funds for invoice payment to an alternate, fraudulent account. Request is made via fax, telephone or email & appears legitimate.
Version 2 — The email account of a c-suite executive is compromised. A request for a wire transfer from the compromised email account is made to a second employee within the company who is normally responsible for processing these requests.
Version 3 — An employee of a business has his/her personal email hacked. Requests for invoice payments to bank accounts controlled by the fraudster are sent from this employee’s personal email to multiple vendors identified from this employee’s contact list.
Source: FBI Public Service Announcement, Business E-Mail Compromise Alert, January 2015
Industry Sectors Targeted by Phishing Attacks
— Retail/Service, 29.4%
— Payment Services, 25.1%
— Financial, 20.8%
— Email, 12.4%
— Social Networking, 6.4%
— ISP, 2.8%
— Other, 3.1%
Source: APWG Phishing Activity Trends Report 4th Quarter 2014, April 2015
Retail/Service was the most-targeted industry sector in Q4 2014, with Payment Services close behind
Fraud by Payment Type
Check Fraud
Low barriers & costs to entry
Account & other information needed is accessible
Attributes of paper facilitate fraud
Common types of fraud: Counterfeits, Alterations, Forgeries
Remote deposit capture creates different fraud risks
Checks had highest average value of unauthorized transactions

Average value of unauthorized transactions, non-cash retail payments 2012
  Debit*   $104
  Credit   $136
  ATM      $199
  ACH      $736
  Check    $1,272
Source: 2013 Federal Reserve Payments Study (study excluded wires)
*Debit card includes prepaid cards
Methods to Mitigate Check Fraud Risk
Implement strong internal controls & procedures around key
payment functions
— Reconcile accounts daily
— Address exceptions & make timely returns
— Secure checks – stock, deposit slips, canceled checks
— Securely store & systematically destroy original paper checks of RDC items
— Separate employee’s duties to lessen possibility of internal fraud
— Use secure financial document destruction processes
Methods to Mitigate Check Fraud Risk
Use proven tools & services from your bank & other providers—e.g., positive pay, reverse positive pay, RDC duplicate deposit detection, etc.
Educate & train employees on check fraud prevention
Limit/reduce the number of checks issued
How do you detect altered checks?
Card Fraud
Common Types of Card Fraud
On purchasing cards (p-cards) or commercial cards
— Employee misuse
— Use of lost or stolen cards
• Fraudsters may “ping” an account with a small purchase to see if the transaction goes through before escalating the attack
— Counterfeit cards used online or at point of sale
When accepting card payments
— Counterfeit, lost, or stolen cards
• Used at point of sale (card present)
• Used online (card-not-present)
Methods to Mitigate P-Card Fraud
Establish policies & processes for P-card program
Monitor transaction activity
Use P-card program tools & controls offered by the card issuer
— Set dollar limits
— Apply merchant category code (MCC) restrictions
Educate & train employees
Methods to Mitigate Fraud on Cards Accepted
Educate & train employees
— Establish a card acceptance policy & make sure employees are familiar with it & follow it
Be cautious about accepting international orders
Know your customers
Use automated tools such as security code verification or real-time decision support
Get an authorization for the full amount of the sale
Inspect the card, verify data matches—e.g., account number to what’s on terminal, card name that prints on the receipt to name embossed on the card
Consider upgrading POS card readers to accept EMV cards
What Is EMV?
EMV (Europay, MasterCard & Visa) is a set of global proprietary specifications for credit & debit payment cards, point-of-sale terminals & card transaction processing networks based on “smart chip” card technology
EMV chip cards use an embedded microprocessor for payment transactions
Main Benefits of Chip Cards
Improved usability of U.S. cards in worldwide EMV markets
Reduced POS counterfeit fraud
Harder to skim data from EMV transactions
— Chips authenticate card readers & EMV cards to one another at POS, and can detect tampering
Reduced fraud from foreign EMV cards used as mag stripe cards in U.S.
But, based on what has happened for countries that have already adopted, fraud rates for “card-not-present” transactions are expected to rise in the U.S.
ACH Fraud that Affects Businesses
Unauthorized debits to accounts
— Your business’s account information is obtained & used to create unauthorized ACH debits against your business bank account
Check positive pay rejects represented as ACH debits
Email scams—e.g., reverse phishing
— A fraudster impersonates one of your vendors
— Business receives email instructing a change to the payment account information for your outgoing payments to that vendor
— Your accounts payable sends ACH credits to the updated account without realizing it is a fraud scheme
— Business email compromise schemes involving wire & ACH
Fraudulent claims of unauthorized debits
— Your customer claims they did not authorize payment via an ACH debit
Origination of fraudulent ACH items by an insider
Account takeovers that issue fraudulent ACH & wire payments
Combating ACH Debit Fraud Losses
Establish & follow internal procedures & controls
— Reconcile accounts daily
— Notify your bank of any suspicious transactions
— Address exceptions & make timely returns
— Separate duties
— Use dual controls
— Secure your bank account information
— Limit access to sensitive online data & restrict access to computers used for the payment process
— Use strong passwords & change them often
Limit ACH debit activity to one or two accounts
Use fraud prevention services offered by your bank
— ACH blocks on all accounts where ACH debit activity will not be used
— ACH filters
— ACH positive pay or payee positive pay
— ACH debit alerts that notify you when ACH debits arrive
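A toy model of the three debit-side services just listed (ACH block, ACH filter, debit alerts), added here as an illustration; it is not from the presentation or from any bank's product, and the account IDs, originator company IDs and amounts are constructed.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class DebitPolicy:
    """What the bank's ACH debit services let an account holder configure."""
    block_all: bool = False                                 # ACH block: return every debit
    allowed_originators: set = field(default_factory=set)   # ACH filter: company IDs allowed
    max_amount: Decimal = Decimal("0")                      # ACH filter: per-item ceiling


@dataclass
class AchDebit:
    account: str           # our account being debited
    originator_id: str     # company ID presented by the originator
    originator_name: str
    amount: Decimal


def evaluate_debit(debit: AchDebit, policies: dict) -> tuple:
    """Return (disposition, reason). Accounts with no policy are treated as blocked."""
    policy = policies.get(debit.account)
    if policy is None or policy.block_all:
        return ("RETURN", "account has an ACH debit block")
    if debit.originator_id not in policy.allowed_originators:
        return ("RETURN", "originator not on the debit filter")
    if debit.amount > policy.max_amount:
        return ("HOLD", "exceeds filter ceiling; review before posting")
    return ("PAY", "matches filter")


def process_debits(debits: list, policies: dict) -> list:
    """Debit alerts: one line per arriving debit, carrying its disposition."""
    alerts = []
    for d in debits:
        disposition, reason = evaluate_debit(d, policies)
        alerts.append(f"{d.account} {d.originator_name} {d.amount}: {disposition} ({reason})")
    return alerts


# Constructed policies: the operating account accepts debits from two known
# originators up to $25,000 per item; the payroll account is fully blocked.
POLICIES = {
    "OPER-001": DebitPolicy(allowed_originators={"1234567890", "2345678901"},
                            max_amount=Decimal("25000.00")),
    "PAYROLL-001": DebitPolicy(block_all=True),
}

# Constructed incoming entries: a routine debit, one from an unknown originator
# (the unauthorized-debit case), one over the ceiling, one at the blocked account.
SAMPLE_DEBITS = [
    AchDebit("OPER-001", "1234567890", "UTILITY CO", Decimal("1840.22")),
    AchDebit("OPER-001", "9999999999", "ACME LEASING", Decimal("4200.00")),
    AchDebit("OPER-001", "2345678901", "TAX AUTHORITY", Decimal("31000.00")),
    AchDebit("PAYROLL-001", "1234567890", "UTILITY CO", Decimal("15.00")),
]

if __name__ == "__main__":
    for line in process_debits(SAMPLE_DEBITS, POLICIES):
        print(line)
```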
Combating ACH Credit & Wire Fraud
Implement best practices for online & IT data security, such as
— Adopt a stronger form of authentication or added layers of security
— Dedicate a PC for ACH & wire origination
— Use logical & physical controls over payment processing
Use dual controls for payment origination & account set-up
— Verify against whitelists or directories
— Use out-of-band communication to verify significant transactions
— Be aware of sudden changes in business practices
— Implement proactive detection & monitoring
— Check with your bank on services—e.g., single item authorization, notice of new payee added, transaction limits
Use files of known fraudulent recipients—e.g., blacklists
Require due diligence of 3rd party processors; do background checks before hiring employees that will have access to sensitive data & payment processes
Update business continuity plans to include events such as DDoS attacks & account takeovers
Start thinking about changes needed for same-day ACH payments
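An illustration of the origination-side controls above (payee directory, dual control, out-of-band verification of significant transactions and of recently changed payee bank details, the change that the vendor-impersonation scheme depends on), added here and not taken from the presentation; the payee names, dates, the 30-day review window and the $10,000 threshold are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import Optional


@dataclass
class PayeeRecord:
    """Entry in the verified payee directory (the whitelist)."""
    name: str
    account: str
    bank_details_changed_on: date      # last change to account or routing number
    change_verified_oob: bool = False  # confirmed by callback to the contact on file


@dataclass
class PaymentRequest:
    payee_id: str
    amount: Decimal
    initiated_by: str
    approved_by: Optional[str] = None  # second person under dual control
    oob_confirmed: bool = False        # callback done for a significant amount?


REVIEW_WINDOW = timedelta(days=30)     # constructed: a change this recent needs verification
OOB_THRESHOLD = Decimal("10000.00")    # constructed "significant transaction" threshold


def release_check(req: PaymentRequest, directory: dict, today: date) -> list:
    """Return the control failures for a request; an empty list means release."""
    issues = []
    payee = directory.get(req.payee_id)
    if payee is None:
        issues.append("payee not in verified directory")
    elif (today - payee.bank_details_changed_on <= REVIEW_WINDOW
          and not payee.change_verified_oob):
        issues.append("bank details changed recently and not verified out-of-band")
    if req.approved_by is None or req.approved_by == req.initiated_by:
        issues.append("dual control: a second person must approve")
    if req.amount >= OOB_THRESHOLD and not req.oob_confirmed:
        issues.append("amount at or above threshold without out-of-band confirmation")
    return issues


# Constructed directory: a long-standing payee, and one whose account number
# was "updated" last week from an e-mailed request that nobody called back on.
DIRECTORY = {
    "V-100": PayeeRecord("Steady Supplies", "111222333", date(2014, 3, 1), True),
    "V-200": PayeeRecord("Parts Vendor", "444555666", date(2016, 3, 9)),
}


def run_demo() -> tuple:
    """One clean request and one that trips every control, as of a fixed date."""
    today = date(2016, 3, 16)
    ok = PaymentRequest("V-100", Decimal("2500.00"), "ap_clerk", approved_by="ap_manager")
    bad = PaymentRequest("V-200", Decimal("48000.00"), "ap_clerk", approved_by="ap_clerk")
    return release_check(ok, DIRECTORY, today), release_check(bad, DIRECTORY, today)


if __name__ == "__main__":
    for issues in run_demo():
        print(issues or "release")
```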
Payments Security Practices
Ensure fraud prevention & detection is an organizational objective
— Complete a risk assessment, set policies, establish procedures, monitor compliance, & take action on exceptions
Leverage cost-effective tools & processes to address vulnerabilities
— Talk to your banker about fraud monitoring services & tools they offer
Educate & train employees on fraud prevention
Payments Security Practices
Check accounts daily
Secure your bank account information, lock up paper documents, limit access to sensitive online data
Use strong passwords & change them often
Monitor & measure fraud attempts & losses
Update defenses; best practices today may not be best practices tomorrow
Payments Security Practices: Online
Educate employees about security practices
Use dual control for origination of ACH files & wire transfers—so that one person alone cannot complete a transaction
Use multifactor authentication to access your online banking—factors are something you have, something you know & something you are
Dedicate a PC for online banking; don’t use it for other purposes
Keep anti-virus & malware detection software up-to-date; install security apps on mobile devices
Payments Security Practices: Online
Shut down your work PCs at night
Follow recommendations for strong passwords & change passwords frequently
Don’t open email attachments or click on links in emails from someone you don’t know or if the email seems suspicious
Be cautious about sharing personally identifiable information, especially on your website & social media—What information are you sharing with fraudsters?
Questions
Resources
Association for Financial Professionals www.afponline.org
The Remittance Coalition https://fedpaymentsimprovement.org/get-involved/remittance-coalition/
— Small Business Payments Toolkit https://fedpaymentsimprovement.org/wp-content/uploads/small-business-toolkit.pdf
— B2B Directory Concept Paper https://fedpaymentsimprovement.org/wp-content/uploads/remittance_coalition_b2b_directory_paper.pdf
Federal Reserve Bank of Minneapolis www.minneapolisfed.org & our Payments Information Resources https://www.minneapolisfed.org/about/what-we-do/payments-information
— 2014 Federal Reserve Payments Fraud Survey – Regional & Consolidated Results
— Industry & Government Information-Sharing Resources Related to Payments Fraud
— Payments Fraud Liability Matrix
Strategies for Improving the U.S. Payment System https://fedpaymentsimprovement.org/
Resources
Federal Reserve System 2013 Federal Reserve Payments Study http://www.frbservices.org/communications/payment_system_research.html
EMV Migration Forum public educational website http://www.emv-connection.com
Multi-State Information Sharing & Analysis Center www.msisac.org
Financial Services Information Sharing and Analysis Center (FS ISAC) http://www.fsisac.com/
— Securing Merchant Card Payment Systems from the Risks of Remote Access, 7/7/2015 https://www.fsisac.com/sites/default/files/news/Alert%20--%20Securing%20Merchant%20Terminals%20Remote%20Access%20FINAL%207%20July%202015.pdf
— Business E-mail Compromise Continues to Swindle and Defraud U.S. Businesses, 6/19/2015 http://www.fsisac.com/sites/default/files/news/BEC_Joint_Product_Final.pdf
Resources
Internet Crime Complaint Center (IC3) www.ic3.gov
— IC3 Alert, 1/22/2015 Business E-mail Compromise http://www.ic3.gov/media/2015/150122.aspx
Talk to your banker
— Discuss tools, services & best practices for preventing payments fraud
Anti-Phishing Work Group (APWG) http://apwg.org/
— Phishing Activity Trends Reports http://apwg.org/resources/apwg-reports/
National Association of Credit Management www.nacm.org
Association for Certified Fraud Examiners www.acfe.com
Federal Financial Institutions Examination Council www.ffiec.gov
International Association of Financial Crimes Investigators www.iafci.org
National Automated Clearing House Association www.nacha.org
Appendix
Unauthorized Transactions in the U.S. by Payment Method
[Chart: Loss per $10,000 Spent (axis $0 to $12); categories: All Transactions; All ACH Transactions (Debit, Credit); All Check Transactions; All Debit Card Transactions (Signature card-present, Signature card-not-present, PIN, ATM withdrawal); All Credit Card Transactions (Card-not-present, Card-present)]
Source: 2013 Federal Reserve Payments Study
Card Total Volume Is High & So Is Fraud Volume

Transaction Volume in U.S.: 119.7 Billion
  ACH Credits                     8.8
  ACH Debits                     12.9
  Check                          18.3
  General Purpose Credit Cards   23.8
  General Purpose Debit Cards    55.9

Unauthorized Volume in U.S.: 32.3 Million
  ACH Credits                     0.5
  ACH Debits                      1.2
  Check                           0.9
  General Purpose Credit Cards   13.7
  General Purpose Debit Cards    16.1

Source: 2013 Federal Reserve Payments Study
Card Is Small in Total Value But Highest in Terms of Fraud Value

Transaction Value in U.S.: $174.7 Trillion
  General Purpose Credit Cards    2.2
  General Purpose Debit Cards     2.6
  Check                          25.9
  ACH Debits                     66.7
  ACH Credits                    77.4

Unauthorized Value in U.S.: $6.4 Billion
  General Purpose Credit Cards    2.3
  General Purpose Debit Cards     1.8
  Check                           1.1
  ACH Debits                      0.8
  ACH Credits                     0.4
Source: 2013 Federal Reserve Payments Study
U.S. EMV Migration Key Dates
Milestone dates shown: October 2012, April 2013, October 2013, April 2015, October 2015, October 2016, October 2017
Visa
— PCI audit relief
— Acquirers & processors required to support merchant acceptance of EMV transactions
— 3rd party ATM acquirer processors & sub-processors required to support EMV data
— Card-present counterfeit liability takes effect excluding automated fuel dispensers (AFD)
— ATM liability shift
— Card-present counterfeit liability takes effect for automated fuel dispensers
MasterCard
— Account Data Compromise (ADC) relief (50%)
— ADC relief (95% -100%)
— ATM liability shift
— Lost or stolen liability shift for AFD
— Lost or stolen liability shift
Discover
— PCI audit relief
American Express
— PCI reporting relief
U.S. Card-Not-Present Fraud Expected to Rise after EMV
CNP fraud in other countries increased after EMV adoption
[Chart: card-not-present fraud in local currency, 2004 through 2013, y-axis 0 to 400; series: UK, France, Canada (credit only), Australia]
Sources: Financial Fraud Action UK, The Observatory for Payment Card Security, Canadian Bankers Association, Australian Payments Clearing Association. 2013 data cited in Digital Transactions, September 2014, page 34.
Fighting Card-Not-Present Fraud
One-Time Password (valid for only one transaction or online session)
Randomized PIN Pad (scrambles the key pad & captures XY coordinates)
Device Authentication (authenticates the device not the cardholder)
Biometrics (iris, retina, hand, voice, fingerprint, etc.)
3D Secure (enables real-time cardholder authentication during an online transaction)
Tokenization (replaces personal account number with surrogate values)
Proprietary Data/Transactional Data (collecting, analyzing & scoring data to determine out of pattern activity against the customer’s history)
Validation Services (card security code, address verification)
Source: EMV Migration Forum, Card-Not-Present Fraud Working Committee, Near-Term Solutions to Address the Growing Threat of Card-Not-Present Fraud, April 2015
Points of Interaction Are Potential Points of Compromise
Online
— Phishing
— Spear Phishing
— Spoofing
— Hacking
— Social Engineering
Telephone
— Smishing
— Vishing
— Impersonator Fraud
— Social Engineering
— Eavesdropping
Physical Hardware, Documents, & Mail
— Device Tampering
— Dumpster Diving
— Theft
— Employee Misuse
Payment Security Practices: Telephones
Educate employees
Don’t disclose your online password or banking credentials over the phone; your bank will not ask you for this information
Establish procedures to verify identity of caller, including call back procedures using contact information you maintain
Don’t respond to automated voice messages from unknown or blocked numbers
Be aware of your surroundings—can employees, customers, vendors, or strangers overhear your conversation when sensitive information might be discussed?
Payment Security Practices: Telephones
For mobile devices:
— Don’t respond to text messages from unknown or blocked numbers
— Treat your mobile phone like you would your computer; install anti-virus & malware detection software apps & keep them up-to-date; install a phone locator/remote erase app; use passwords to access device; don’t download anything unless you trust the source
— Don’t respond to unsolicited e-mails, texts, or phone calls requesting personal information
— Don’t click on links or attachments contained in unsolicited e-mails
— Prohibit use of personal devices for company business purposes
— Limit payment functions that can be performed via a mobile phone
— Don’t log into accounts & conduct any sensitive transactions, such as banking, while using public Wi-Fi; disable the “automatically connect to Wi-Fi” setting on your device
Payment Security Practices: Devices, Documents, & Mail
Take steps to protect sensitive information that could be used to perpetrate payments fraud
Know where sensitive information is stored, lock it up, & limit access to those that need it
Only collect information that you need
Establish procedures to dispose of sensitive information after it is no longer needed, such as subscribing to a records destruction service or shredding documents
Don’t leave incoming or outgoing mail with sensitive information, financial information, or checks in a location where anyone can steal it
Take security measures to protect & detect physical tampering of devices such as a card reader