Entrepreneurship & Family Business - Complementary Dynamics
1st Families in Business Day - November 8, 2013
Fraud Prevention Keys to Protecting Your Business Presented by: Amy Mailloux, CTP ACI Vice President, Senior Treasury Advisor KeyBank November 8, 2013
“Armed with just a checking account number and a bank routing number, criminals can create checks at whim, experts and law enforcement authorities say.” - Bob Sullivan, a Technology Correspondent for MSNBC May, 2005
Agenda
1. Welcome/Introduction
2. Payments industry fraud threats: Overview
3. Payments industry fraud: A closer look
4. Payments fraud: Knowledge is power
5. Types of fraud and how they originate
6. Types of fraud: Phishing
7. Protect against phishing
8. Types of fraud: Social engineering
9. Protect against social engineering
10. Additional cyber security concerns
11. Fraud prevention: Opportunities
12. How your bank can help
13. Additional bank resources and solutions
14. Positive Pay plan offerings: A closer look
15. Universal Payment Identification Code (UPIC)
16. Dual approvals, security alerts, and notifications
17. Debit Blocks/Filters
Today’s presenter: Amy Mailloux, CTP ACI Vice President, Senior Treasury Advisor KeyBank Amy has experience serving the small business, government, corporate and middle market customers over the past 28 years in banking. She earned the esteemed Certified Treasury Professional designation in 1997, and the Associates in Captive Insurance earlier this year. Her past experience includes relationship management, commercial lending, administration, cash management sales, administration and coaching. For the last couple of years, Amy has served as the Senior Cash Management Advisor for KeyBank working with Business Banking, Middle Markets and Private Banking clients. She is a frequent guest speaker at finance events and regular presenter at the New England conference of the Treasury Management Association on fraud and prevention. Amy and her husband, Ernie, are also the founders and owners of Amy’s Granola, a small specialty food company founded in They reside in Ferrisburgh, Vermont with their four children. Introduction
Norton’s 2011 Cybercrime report estimates that cybercrime costs us $388 billion annually. They claim that cybercrime is approximately $100 billion larger than the global black market in marijuana, cocaine and heroin combined.
Payments industry fraud: A closer look
According to the 2013 AFP Payments and Fraud Control Survey:
- 61% experienced attempted or actual payments fraud
- 27% reported an increase in the number of fraudulent incidents
- 87% of affected businesses reported that checks were targeted
- 29% reported that corporate/commercial purchasing cards were targeted
- Average loss was $20,300
- 64% of respondents discussed fraud prevention/security with their bank at least once in 2012
Payments industry fraud: A closer look
Today’s criminal:
- Oftentimes belongs to an organized group
- Stalks their victim and knows how to attack weak points
- Has access to very sophisticated physical and electronic tools
Fraud Origination:
- Outside individual: 80%
- Organized crime ring: 18%
- Internal party: 10%
- Third-party or outsourcer: 5%
- Account takeover: 5%
- Other: 5%
- Lost or stolen laptop: 1%
- Compromised mobile device: <1%
Source of Payments Fraud in 2012, as reported in the 2013 AFP Payments Fraud and Control Survey. (Percent of Organizations Subject to Attempted or Actual Payments Fraud)
Payments fraud: Knowledge is power
When it comes to preventing fraud, we all must take a proactive stance. In some instances, the ability to identify fraud attempts can help stop them, or mitigate the impact they have.
Steps you can take include:
- Learning about the types of fraud and how they originate
- Asking questions
- Investing to protect yourself
- Educating your employees to be aware of the risks
Your defensive toolkit relies on:
- Detection
- Identification
- Deterrence
- Prevention
Types of fraud and how they originate
- Corrupt employees
- Phishing
- Pharming
- Fake job listings
- Fake sweepstakes/lotteries
- File sharing or Peer-to-Peer software
- Hacking/Malware
Types of fraud and how they originate
- Fake job listings
- Shoulder surfing
- Janitorial services/Building maintenance
- Skimming
- Vishing
- Reading Radio Frequency Identification (RFID)
Please note: This list is not comprehensive. Criminals are coming up with new and more efficient methods all of the time.
Types of fraud: Phishing
What it is: Phishing is a type of Internet fraud that seeks to acquire a user’s credentials by deception. Oftentimes, it involves the theft of passwords, credit card numbers, bank account details, and other personal, confidential information.
How it works:
- Fake notices that appear to be coming from banks, auction sites, e-pay systems, etc. are sent via e-mail or SMS text messages (Smishing)
- Recipient is encouraged to urgently enter or update personal data via a false link
- Messages usually contain threats to block accounts or lose access if request is not completed.
Protect against phishing
- Don’t open e-mails from unknown individuals or organizations.
- Be suspicious of any e-mail with an urgent request for personal financial information.
- Never click on an embedded link or attachment in an unsolicited e-mail.
- Avoid filling out forms in e-mail messages that ask for personal financial information.
- Ensure that your browser is up-to-date and security patches are applied.
- Run anti-virus software and ensure it’s always updated.
- If you receive a suspicious e-mail that appears to come from your bank, do not respond to the message. Instead, forward it to your bank’s fraud prevention department, then delete the message from your mailbox.
“The key to social engineering is influencing a person to do something that allows the hacker to gain access to information or your network.” -Kevin Mitnick
Types of fraud: Social engineering
What it is: Social engineering is the practice of deceiving someone either in person or via phone or computer, with the express intent of breaching some level of security or obtaining information.
How it works: The fraudster, pretending to be a trusted party, may attempt via phone (SMS text message), online (e-mail), or in person to:
- Secretly install malicious software on your computer
- Trick you into divulging your passwords or other sensitive financial or personal information
- Direct you to a website to download something malicious
- Ask for remote access to your computer
Protect against social engineering
- Be suspicious of anyone requesting sensitive information.
- Never provide system credentials or any other personal information on an unsolicited inbound call.
- Always verify the identity of an unsolicited caller by insisting on calling him or her back at the phone number listed for that company.
- Remember that Caller ID is not a foolproof way to verify a caller's identity.
Additional cyber security concerns
Distributed Denial of Service (DDoS) attacks:
- Flooding a website with bad requests
- Attempts to make the site “unavailable” to customers
- Not hacking, but a way to hide fraud or gain attention for a cause
Malicious Websites:
- Visiting an infected website could expose your laptop, PC, or mobile device to malware
- Designed to hijack your computer
- According to McAfee, 2.7 million new malicious URLs are created per month
“There is no doubt that the Internet brims with spamming, scamming and identity fraud. Having someone wipe out your hard drive or bank account has never been easier, and the tools for committing electronic mischief on your enemies are cheap and widely accessible.” - Evgeny Morozov
Fraud prevention: Opportunities
The numerous ways to help protect your business from fraud include:
- Deposit accounts/Security features
- Dual controls
- Cross-training employees
- Encryption
- Document shredding/destruction
- Written and published policies and procedures
- Separation of duties
- Internal/External escalation process
How your bank can help
One key to preventing fraud is to work with your bank to make it difficult for criminals to make you a victim. Banks offer great products to help stop or reduce fraud loss, such as:
- Robust security controls for online and mobile banking
- Positive pay systems
- ACH and EFT filters and filtering
- Client educational materials on fraud prevention
Your banker can help you with ways to:
- Always be aware!
- Evaluate your policies
- Review your payment types and methods
- Educate your employees
- Implement fraud prevention and mitigation solutions
“I am thankful the most important key in history was invented. It’s not the key to your house, your car, your boat, your safety deposit box, your bike lock or your private community. It’s the key to order, sanity and peace of mind. The key is “Delete.” - Elayne Boosler
Additional bank resources and solutions Positive Pay plan offerings Universal Payment Identification Code (UPIC) Transaction blocks (ACH, wire only) features
Mr. Abagnale believes that punishment for fraud and recovery of stolen funds are so rare, prevention is the only viable course of action… -
Positive Pay
- Bank match
- Client Match, aka Reverse Positive Pay
Bank match Positive Pay
Bank match Positive Pay is where the bank matches the checks presented on the client’s account against the check issue information provided by the client upon check issuance:
- Compare & Verify: Check serial number, Amount, Payee name
- Same Day Review and make a payment decision prior to check posting
- Prevent over-funding; for stop payment decisions, the CDA funding requirement may be reduced by the amount of the payment
Bank Match
How it works:
- Suspicious payments are reported to the client, usually via an on-line website, requiring a client decision to Pay or Return.
- At setup, you determine the default decision (Pay All or Return All).
- If no decision is made by the 6:00 p.m. ET deadline, the default decision is submitted.
- If your default decision is Pay All, and you are unable to make a decision by the 6:00 p.m. ET deadline, those items will be available to decision with Next Day Positive Pay.
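The bank-match flow described in the two slides above, as an added Python sketch (not part of the presentation and not KeyBank's implementation). The `Check` record, the function names, the payee normalization and the sample checks are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    serial: str
    amount_cents: int
    payee: str

# Constructed sample data: the check issue file the client sent at issuance.
ISSUED = [Check("1001", 125000, "Acme Supply Co"),
          Check("1002", 48050, "Vermont Paper LLC"),
          Check("1003", 9900, "Green Mountain Freight")]
# Constructed sample data: items presented against the account today.
PRESENTED = [Check("1001", 125000, "ACME SUPPLY CO"),    # clean match
             Check("1002", 480500, "Vermont Paper LLC"),  # amount altered
             Check("1003", 9900, "J. Doe"),               # payee altered
             Check("2077", 30000, "Cash")]                # serial never issued

def _norm(payee):
    """Compare payees ignoring case and spacing (an assumption of this sketch)."""
    return " ".join(payee.upper().split())

def find_exceptions(issue_file, presented):
    """Compare serial number, amount and payee; return (check, reason) mismatches."""
    issued = {c.serial: c for c in issue_file}
    exceptions = []
    for chk in presented:
        rec = issued.get(chk.serial)
        if rec is None:
            exceptions.append((chk, "serial not issued"))
        elif chk.amount_cents != rec.amount_cents:
            exceptions.append((chk, "amount mismatch"))
        elif _norm(chk.payee) != _norm(rec.payee):
            exceptions.append((chk, "payee mismatch"))
    return exceptions

def final_decisions(exceptions, client_decisions, default):
    """At the deadline, undecided exceptions take the default chosen at setup."""
    if default not in ("PAY", "RETURN"):
        raise ValueError("default must be PAY or RETURN")
    return {chk.serial: client_decisions.get(chk.serial, default)
            for chk, _ in exceptions}

if __name__ == "__main__":
    ex = find_exceptions(ISSUED, PRESENTED)
    for chk, reason in ex:
        print(chk.serial, reason)
    print(final_decisions(ex, {"1002": "RETURN"}, default="PAY"))
```

With a Pay All default, the two exceptions the client did not decision are paid at the deadline, which is why the default chosen at setup matters.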
Positive Pay plan offerings: A closer look
With Client Match Positive Pay, aka Reverse Positive Pay, the client matches the information from the checks presented against their Accounts Payable system:
- No check issue information is presented to the bank prior to encashment
- Used by companies with lower check volume (less than 1,000 items or $100,000 per month)
- Access on-line platform to review images of your daily paid items
- Contact bank to initiate a return of a suspicious or fraudulent check
- Client must access account daily (preferably early in the day)
- Daily reconciliation is strongly encouraged
Reverse Positive Pay – extended Bank services
How it works: You can designate pre-selected features including dollar amount thresholds. Checks presented over the set dollar amount threshold will be automatically flagged for return.
Check fraud is on the increase….
- Use your bank’s Positive Pay or Reverse Positive Pay
- Maintain tight check security
- Examine new checks when they arrive and keep check boxes sealed until needed
- Destroy unused checks from closed accounts
- Use highly secure check stock
- Avoid multiple colors and sizes of checks
- When laser-printing checks, issue passwords
- Use check paper with toner anchorage
- When typing checks, use a type font of 12 points or larger
- Use a fabric, single-strike security ribbon
- Reconcile your checking account statement as soon as you receive it
- Report losses or suspicious checks to your bank immediately
- Separate responsibilities for handling checks
- Contact your bank to review your check processes
Universal Payment Identification Code (UPIC)
UPICs are secure bank account identifiers that allow companies to receive electronic credit payments without divulging their routing and bank account numbers.
Receive more payments electronically while protecting accounts:
- Since a UPIC is used in place of the client’s actual bank account information, it can be openly shared to promote the receipt of electronic payments (e.g. print on invoices, websites)
- UPICs keep bank account information private
- UPICs are used for electronic credit payments only and cannot be used to initiate ACH debits
Universal Payment Identification Code (UPIC)
UPICs deliver additional features that:
- Reduce the risk of unauthorized debits, demand drafts, and fraudulent checks
- Look and act like bank account numbers, allowing the UPIC to be used with any cash management or accounts payable system
- Apply to a single company bank account; however, one account can have several UPICs
- Stay with an organization even if they change banking relationships
Dual approvals, security alerts and notifications
Clients are strongly encouraged to set up dual authorization for ACH and wire payments as they:
- Allow for separation of duties within your department
- Provide an additional layer of protection from potential external fraud by making it more difficult for fraudsters to send an unauthorized payment
- Enable entitlements to be customized by user, including settings for dollar thresholds, specific accounts and types of payment (i.e. international, domestic, repetitive, one time, etc.)
Dual approvals, security alerts and notifications
Security alerts and notifications are also important to set up as they:
- Alert you when certain activity occurs, such as new users being set up, password resets, updating of security questions and changing an address.
In addition, clients can sign up for security-related notifications for outgoing wire or ACH payments, wires pending approvals or ACH transactions pending release, or Positive Pay items available for decisioning.
On-line management of ACH Debit blocks & filters
On-line management gives you the ability to:
- Decision items online
- Pay or reject items
- Add pay authorizations for any future transactions
- Block all transactions against your checking accounts with a “Block-All”
- Allow certain transactions within tolerances to be paid (originator, amounts, date range)
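How a debit filter with those tolerances can be evaluated, as an added Python sketch (not part of the presentation and not any bank's actual rule engine). The record layouts, the `screen_debit` name, the reason strings and the originator IDs are constructed assumptions; a real filter may route non-matching items to online decisioning rather than rejecting them outright.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class PayAuthorization:
    originator_id: str       # company ID allowed to debit the account
    max_amount_cents: int    # amount tolerance
    valid_from: date         # start of allowed date range
    valid_to: date           # end of allowed date range

@dataclass(frozen=True)
class AchDebit:
    originator_id: str
    amount_cents: int
    settle_date: date

# Constructed sample authorization: one vendor, up to $5,000, during 2013.
AUTHS = [PayAuthorization("9000000001", 500000, date(2013, 1, 1), date(2013, 12, 31))]

def screen_debit(debit, authorizations, block_all=False):
    """Return (decision, reason) for one incoming ACH debit."""
    if block_all:
        return ("REJECT", "block-all in effect")
    reason = "originator not authorized"
    for auth in authorizations:
        if auth.originator_id != debit.originator_id:
            continue
        if debit.amount_cents > auth.max_amount_cents:
            reason = "amount over tolerance"
        elif not (auth.valid_from <= debit.settle_date <= auth.valid_to):
            reason = "outside date range"
        else:
            return ("PAY", "within authorization")
    return ("REJECT", reason)

if __name__ == "__main__":
    samples = [AchDebit("9000000001", 120000, date(2013, 11, 8)),
               AchDebit("9000000001", 600000, date(2013, 11, 8)),
               AchDebit("9000000099", 1000, date(2013, 11, 8))]
    for d in samples:
        print(d.originator_id, d.amount_cents, screen_debit(d, AUTHS))
```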
“There’s a way of transferring funds that is even faster than electronic banking. It’s called marriage.” - author unknown