4  Historical Fraud Activity
Client Reported Attempted Fraud in Industry
Payment method: All respondents / Revenues over $1B / Revenues under $1B
- Checks: 91% / 94% / 88%
- ACH Debit: 28%
- Consumer Credit: 18% / 15% / 19%
- Corporate Card: 14%
- ACH Credit: 7%, 6%
- Wire Transfer: 4%, 5%
Source: Association for Financial Professionals Payment Fraud Survey
Commercial Card Fraud
- Fraud attempts of $11.4 billion in 2008
- 91% of fraud mitigated by prevention efforts
External Data Compromises
- 35% increase in data breaches from 2008 to 2009
- A single 2009 event included 130 million credit and debit account numbers (Heartland)
- Best defense is to reissue account numbers for the highest fraud risk accounts
[Chart: historical fraud activity, industry estimates in $ millions, 1997-2008. Source: ABA Deposit Account Fraud Survey Report]
5  Predicted Top Fraud Trends for 2010
Top 10 Fraud Trends Predicted for 2010
1. ACH/wire transfer attacks on small and medium businesses: focus shifts to small- and medium-sized businesses as larger businesses increase security.
2. Attacks via vendor-managed servers: businesses that outsource their transactional network servers must ensure those vendors maintain acceptable security levels.
3. ATM skimming: skimming devices look identical to legitimate ATM/card reader devices.
4. First party fraud: criminals gradually establish good credit using an alias with a card issuer or business and then "bust out," running up enormous debt and abandoning the credit account.
5. Phishing: attacks that illegally solicit victims' personal information with official-looking requests are becoming more sophisticated, and increased 600% during 2009.
6. Check fraud: fraudsters have easy access to paper, printers and scanners to create phony checks. In addition, hackers can obtain detailed personal banking information from online check viewing services.
7. Internal fraud: employees are increasingly a source of corporate fraud, as are contractors, business partners and suppliers.
8. Mobile phones: web-enabled mobile phones are vulnerable to the same types of worms and viruses as PCs.
9. Online application fraud: similar to first party fraud, this involves criminals manipulating multiple online applications using multiple identities from multiple access points.
10. Prepaid cards: prepaid cards are a popular item for criminals to buy with stolen credit cards, or to steal and activate to obtain free spending power.
Source: The Fraud Practice, LLC - Predicted Top 10 fraud trends for 2010 in its biweekly newsletter.
Bank of America Merrill Lynch
7  Social Networking/Susceptibility
- MySpace, Facebook, and others have spawned new fraud tactics.
- 63 percent of administrators worry that employees share too much personal data on social networking sites.
- Of the companies in this research, Twitter, Facebook, LinkedIn and MySpace have accounted for one quarter of their malware attacks.
- Example: direct messages enticing Twitter members to a phishing website (which attempted to steal their username and password).
Source: Sophos, Security threat report: July 2009 update
Phishing
- Sends e-mail with the lure of a reward or something of value.
- Loads a virus on the PC and gains access to vital information.
- Uses the information to commit various types of fraud.
Spear Phishing
- Targets high value employees (CFO, Treasurer, Administrators).
- Obtains access to critical systems with payment capability.
8  The Man in the Browser Attack
The criminal community focuses attacks on corporate banking clients:
- Greater availability of funds
- Transaction limits are higher
- Access to Wire Transfer and ACH through online channels
How it works:
Infection path
- Infected download: phishing suggesting the user visit a site:
  - Breaking news report
  - Free software download
  - Phishing which looks as if it came from a financial institution
- Browser or OS vulnerability: the latest version of the OS and browser is not installed on the user's computer
Transaction takeover
- User launches their browser
- Trojan is silently activated
- Trojan stores or actively relays the user's activities without the user knowing
- Trojans are coded to watch for one or more online banks
9  Keyloggers
- Keylogger products have been available to purchase for years.
- Originally developed for legitimate uses, but also used for illicit purposes.
- Can be a piece of hardware or a thumb drive that attaches to a computer and records keystrokes.
- Can also be software that captures and relays similar information.
- All of these devices and software applications are readily available for purchase. Hardware keyloggers can be bought on eBay for around 80 dollars.
11  Online Banking Fraud
Online Banking – ACH & Wire Fraud
- Gains client login credentials for a user ID with dual access: Initiate and Release financial transactions.
- Perpetrator monitors the legitimate user's usage for one month prior to executing ACH transactions.
- Changes recipient information on an existing ACH batch or standing wire template.
- Times the transfer so that partners at recipient banks are ready to quickly withdraw the funds or further transfer them to another bank outside the US.
Online Banking – Check Fraud
- Gains access to the client's Online Banking service via a Trojan program.
- Looks at check issue patterns, captures check copies with signatures.
- Can sell the information on the open market or give it to their own fraud ring.
- Perpetrates fraud against the company with counterfeit checks in a coordinated manner: same amount, same serial number/range, at different check cashing points at the same time.
12  Securing Online Banking Interactions
The paradox of fraud
Today companies expect anytime, anywhere banking that integrates efficiently into workflow. The trend is toward real-time communication and Straight Through Processing. Considerations need to be made to balance convenience and security.
- Carry out all online banking activities from a stand-alone computer system.
- Dedicate one workstation for Payment Initiation and one workstation for Release functions.
- Install and maintain anti-virus, anti-malware and anti-spyware applications, and operating system patches.
- Never access online banking via Internet cafes, public libraries or open Wi-Fi hotspots.
- Avoid using automatic login features that save usernames and passwords for online banking. Clear the browser cache prior to initiating an online banking session.
- Implement Dual Administration: a single user should never have both Initiation and Release capabilities.
- Prohibit shared user names and passwords. Passwords: 10 characters minimum, alphanumeric.
- Report suspicious transaction activity to your bank immediately, particularly when Wire or ACH transactions are involved. Response time is critical to minimizing losses.
- If a Bank of America client, forward phishing e-mails to the bank's designated address.
- Contact authorities to report any fraud attempts or instances.
13  Check and Deposit Fraud
Stolen check ring
- Fraudster takes checks out of the mail (post office, lockbox, company).
- Washes the check and changes the payee information.
- "Mule" opens a bank account with fraudulent credentials and deposits/cashes the check.
Stolen check – business account
- Fraudster takes checks out of the mail (post office, lockbox, company).
- Goes to the State web site and obtains new business credentials that are the same as or similar to those on the check.
- A bank account is opened and the checks are deposited.
- Funds are withdrawn via various methods.
Business purchase/sale
- Fraudster poses as a representative of a company engaging in a business purchase.
- Loads a virus on the PC and gains access to vital information.
- Uses the information to commit various types of fraud.
Refund scam
- Customer writes the company a check as a deposit on a new service. This could include an overpayment, such as $550 for a $50 deposit fee.
- Customer calls up and cancels the service, or asks for the return of the "accidental" overpayment.
- Company gives the customer a $500 check for the overpayment.
- The initial deposit check gets returned days later as counterfeit.
14  Check Fraud Prevention and Best Practices
Check Fraud Best Practices
- Reconcile accounts on a daily basis.
- Segregate internal duties for financial activities (Audit/Control).
- Consider migration from check payments to electronic payment products.
- Become fraud focused on inquiries from other banks or institutions regarding the legitimacy of checks.
- Separate "Funding Only" accounts to No Check Activity status to prevent counterfeit items from clearing.
- Escalate suspicious activities to the client manager team.
- Safeguard check stock. Use check stock security features.
- Consider outsourcing check processing to a secured vendor.
Check Fraud Prevention Products
- Positive Pay: automates review of items before the decision to Pay or Return.
- Teller Positive Pay: integrates the check decision at the teller in banking centers.
- Payee Positive Pay: determines if payee names have been altered.
- Reverse Positive Pay: notifies the bank of exception items identified on file.
- Maximum Dollar Control: flags any check over a given dollar amount for decision.
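The Positive Pay, Payee Positive Pay, Maximum Dollar Control and "No Check Activity" controls listed above, together with the coordinated counterfeit pattern from the Online Banking Fraud slide (same amount and serial number presented at several cashing points at once), as an added Python example that is not part of the presentation. The issue file, presented items, account names and the $5,000 threshold are all constructed for illustration.

```python
from collections import Counter, namedtuple

MAX_DOLLAR_CONTROL = 5000.00        # assumed threshold; the slide names the control, not a value
NO_CHECK_ACCOUNTS = {"FUNDING-01"}  # constructed: funding-only account in "no check activity" status
Item = namedtuple("Item", "account serial amount payee location")  # location = presentment point

# Constructed issue file: (account, serial) -> (amount, payee) as reported by the company.
ISSUED = {
    ("OPER-01", 1001): (50.00, "Acme Supply"),
    ("OPER-01", 1002): (1250.00, "Jane Doe"),
    ("OPER-01", 1003): (7200.00, "Metro Leasing"),
}

# Constructed presented items, each illustrating one pattern from the slides.
PRESENTED = [
    Item("OPER-01", 1001, 5000.00, "Acme Supply", "branch A"),    # raised from $50 to $5000
    Item("OPER-01", 1002, 1250.00, "John Smith", "branch B"),     # washed check, payee changed
    Item("OPER-01", 1003, 7200.00, "Metro Leasing", "clearing"),  # matches, but over max-dollar
    Item("OPER-01", 1004, 900.00, "Cash", "branch C"),            # serial never issued
    Item("OPER-01", 1004, 900.00, "Cash", "branch D"),            # same serial, second location
    Item("FUNDING-01", 7, 300.00, "Cash", "branch E"),            # check on a no-check account
]

def positive_pay_exceptions(issued, presented, max_dollar=MAX_DOLLAR_CONTROL):
    """Return {(account, serial, location): [reasons]} for items needing a pay/return decision."""
    seen = Counter((i.account, i.serial) for i in presented)
    exceptions = {}
    for it in presented:
        reasons = []
        if it.account in NO_CHECK_ACCOUNTS:
            reasons.append("check activity on no-check account")
        rec = issued.get((it.account, it.serial))
        if rec is None:
            reasons.append("serial not on issue file")
        else:
            amount, payee = rec
            if abs(amount - it.amount) > 0.005:  # altered or raised amount
                reasons.append(f"amount mismatch: issued {amount:.2f}, presented {it.amount:.2f}")
            if payee.casefold() != it.payee.casefold():  # payee positive pay
                reasons.append(f"payee mismatch: issued {payee!r}, presented {it.payee!r}")
        if seen[(it.account, it.serial)] > 1:  # same serial at several presentment points
            reasons.append("duplicate serial presented at multiple points")
        if it.amount > max_dollar:  # maximum dollar control
            reasons.append("over maximum dollar control")
        if reasons:
            exceptions[(it.account, it.serial, it.location)] = reasons
    return exceptions
```

Items that return an empty reason list would be paid automatically; everything in the returned dictionary goes to the company for a Pay or Return decision.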
16  Fraud Prevention Best Practices
Employee Education: Best Practices in User Awareness Training
There is a direct relationship between the amount of user training and the decreased number of successful fraud attacks. The following list highlights some best practices:
- Don't assume employees understand e-mail and internet risks. The courts appreciate policies based on best practices and supported by mandatory enterprise-wide training and enforcement through disciplinary action.
- Don't rely only on your company's e-mail or intranet to inform employees of e-mail and internet policies and procedures. Distribute a hard copy of the policies to every employee. Require employees to sign and date each policy.
- Set rules for personal internet usage. Specify how much web surfing is allowed, when and with whom it is permitted, and under what circumstances.
- Ensure that employees understand policies toward monitoring their computer activity, and that violations of corporate e-mail and internet policies are enforceable through disciplinary action that may include termination.
17  Fraud Prevention Best Practices
Specificity in Employee Training
Specificity strengthens the impact of employee training. Simple, straightforward examples can be the most powerful for employee training. Here are some ways in which you can cite examples or case studies:
- Show employees how to recognize threats and convey the consequences of those threats.
- Be explicit about what to look for to identify a malicious e-mail.
- Discussion or frequent reports of new threats, and statistics on how many viruses have been caught within your organization, can help to raise security awareness.
- Create explicit instructions for employees, such as:
  - Never turn off security protection on your computer, and stay current with updates.
  - Keep passwords in a secure place. Do not share them with coworkers.
  - Do not use your personal computer for company business.
  - Do not connect to the internet through suspect wireless networks (e.g., WiFi from a café).
  - Forward suspicious e-mails to the company's designated account (include the address).
  - Never give your business e-mail address to a website.
  - Open only identifiable attachments from known sources. Financial institutions and government agencies never ask you to enter personal data, such as passwords, SSN, account numbers, etc.
18  Fraud Prevention Best Practices
Two Minute Self-Assessment on Best Practices
Front-Door Security
- Do you or your team use workarounds to streamline access to your bank's portal or online applications (e.g., group sign-on with shared passwords)? Or leave passwords lying around, like a set of keys to your office?
- Do you have an IT department, or outsource your security to a firm, that ensures all PCs engaged in your cash management activities have all the security basics deployed, and that those PCs are not operating in unprotected networks or used by other individuals?
Transactional Controls
- Does your company use dual administration and mandate dual approval and segregation of responsibilities for payment activities, including template creation?
- Does your organization use all authentication tools offered (e.g., tokens, digital certificates), and encourage your employees to register their computers?
Back-Door Security
- Is a review of audit logs and bank account activity part of your department's daily routine?
- Does your user administrator immediately respond to changes in an employee's job requirements by making the necessary changes to user entitlements?
Employee Education
- Do you have a formal employee education process — with user awareness training designed for specificity — for online security and fraud prevention?
- Do all employees receive hard copies of all internet policies and procedures? Are they required to sign and date each policy?
20  Fraud Liability
Regulation E: The Electronic Funds Transfer Act (EFT), also known as Regulation E, was implemented in the U.S. in 1978 to establish the rights and liabilities of consumers as well as the responsibilities of the financial institution in EFT activities.
- Regulation E covers a consumer under certain conditions, limiting loss to $50 if the institution is notified within two business days.
- Reg E purpose: consumer protection.
- There currently are no similar loss protections for commercial customers that limit the amount of fraud losses a business could bear from fraudulent ACH or wire transfers.
- Security is a shared responsibility between the business, consumer, and financial institution.
21  Fraud Liability
Regulation CC: Current UCC codes outline specific check fraud responsibilities for banks and corporations. Court decisions have already established guidelines for legal responsibilities, and failure to meet these guidelines can cause a bank or company to experience financial loss.
UCC revisions now define responsibilities for check issuers and paying banks under the term "ordinary care." Under Sections 3-403(a) and 4-401(a), a bank can charge items against a customer's account only if they are "properly payable" and the check is signed by an authorized individual. However, if a signature is forged, the corporate account may be liable if one of the following exceptions applies:
- Ordinary care requires account holders to follow "reasonable commercial standards" prevailing in the area for their industry or business. Failure to exercise ordinary care may restrict restitution from the payee bank if the account holder's own failures contributed to a forged check signature or an alteration (for example, raising a check amount from $50 to $5000).
- Customers are required to reconcile their bank statements within a reasonable time to detect unauthorized checks.
- Comparative fault can shift liability to the check issuer. If both the bank and the corporate account holder have failed to exercise ordinary care, a loss can be allocated based upon the extent to which each party's failure contributed to the loss. Since banks are not required to physically examine every check, companies may be held liable for all or a substantial portion of any given loss, even if the bank did not verify the signature on a fraudulent check.
- Liability for counterfeits that are virtually identical to originals will be examined on a case-by-case basis.
22  Questions?
This presentation is for informational purposes only. It does not constitute an offer or commitment to buy or sell or a solicitation of an offer to buy or sell a security or any financial instrument, or a commitment to enter into a transaction, of the type generally described herein.
The information contained herein, and any other communications or information provided by Bank of America, is not intended to be, and shall not be regarded or construed as, a recommendation for transactions or tax, business, legal, or investment advice, and Bank of America shall not be relied upon for the same without a specific, written agreement between us.
The information contained herein has been obtained or derived from sources believed to be reliable, but we do not represent that it is 100% accurate or complete and it should not be solely relied upon. The information contained in this presentation is not legal advice.
Thank you!