Four Steps for Fighting ACH Fraud
Texas Bankers, Law Enforcers Collaborate and Offer Advice
In Texas, increasing incidents of corporate account takeover, often perpetrated by phishing schemes used to commit ACH and wire fraud, have raised concern.
"Crime is changing so rapidly, with technology advancements and globalization," says FBI Special Agent Steve Dillon, who works in the Houston division. "There's a blurring between the types of crime we see going on, and that's why collaboration is so important. We are very interested in further collaboration with other entities."
Now SWACHA, a non-profit payments association that serves financial institutions throughout the Southwest United States, has joined forces with local and regional law enforcement to more closely address payments fraud trends.
In March, SWACHA, the Federal Bureau of Investigation and the U.S. Secret Service hosted a seminar at the Houston Federal Reserve Bank to focus on corporate account takeover trends.
The seminar is just one in a series of annual events hosted by SWACHA, through a partnership with the FBI, the Financial Services Information Sharing and Analysis Center and the Secret Service. The seminar offered bankers face-to-face time with investigations experts who closely monitor emerging online fraud threats, especially those affecting the financial sector.
Four Anti-Fraud Tips
Among the recommendations offered during the seminar, SWACHA and the FBI highlight four steps every institution should make priorities:
- Train Staff to Spot Fraud. Many funds transfers are actually initiated over the phone, not online. The best authentication solutions aimed to curb ACH and wire losses won't make a difference when a person, not a system, is verifying and authenticating the transaction. Tellers and call center representatives should be trained to ask for full account numbers, authenticate transactions with challenge questions and always ask for more than one contact number before approving any funds transfer.
- Set Limits on Wires. When a wire transfer is requested for funds going to an overseas account, put a hold on the transfer for a specified period of time. That gives the institution time to verify the transaction's authenticity.
- Keep Fraud Detection Up to Date. Make sure employees and corporate customers and members are consistently updating their PCs with the latest versions of anti-malware and anti-virus software.
- Out of Band Verification Can be Low Tech. Some old-fashioned techniques, like a follow-up fax, can be just as effective at verifying and authenticating a funds transfer.
In addition to SWACHA, the Texas Department of Banking, the Texas Bankers Association and the Independent Bankers Association of Texas also have taken an interest in curbing ACH fraud-related losses. In fact, online security has become a priority for 2012. (See Texas Targets ACH Fraud.)
Through the creation of the Texas Bankers Electronic Crimes Task Force, those entities identified additional recommendations for improving online security and risk management programs.
Among those standards:
- Expanding risk assessments to specifically include account takeover;
- Rating each customer or type of customer that performs online transactions;
- Outlining to the boards of directors account takeover issues and concerns;
- Communicating basic online security practices for corporate online banking customers;
- Implementing and enhancing customer security awareness for retail and high-risk business accounts;
- Establishing bank controls to mitigate risks of corporate account takeovers;
- Educating bank employees about warning signs of account theft and takeover;
- Educating accountholders about the warning signs of potentially compromised computer systems;
- Implementing contingency plans to recover or suspend compromised systems;
- Contacting law enforcement and regulatory agencies when initial recovery efforts have concluded.
Texas: Target for ACH Fraud
In Texas, the highly publicized ACH fraud case between PlainsCapital Bank and former commercial customer Hillary Machinery was the springboard for a wave of legal wrangles between businesses and banks over losses linked to ACH and wire fraud. It also catapulted the FFIEC's issuance last summer of updated Authentication Guidance about how financial institutions should authenticate and verify online transactions.
In November 2009, Dallas-based PlainsCapital Bank ($4.4 billion in assets) sued former business customer Hillary Machinery after cyberthieves successfully pushed a series of fraudulent ACH and wire transfers from Hillary's bank account at PlainsCapital. In total, more than $801,000 worth of bad transactions was approved by the bank.
PlainsCapital and Hillary eventually settled their legal dispute, but other cases, such as those waged by Maine-based PATCO Construction Inc. and Michigan-based Experi-Metal Inc. against their respective former banks, soon followed, drawing national attention to ACH and wire fraud trends.
The crux of a successful risk management program, SWACHA and the FBI say, builds on education and communication.
"Many of those things are perceived by banks and credit unions as onerous and time consuming, but it's the only way we're going to curb losses. ... and we keep driving home that training the bank employee is critical."
Branch and call center staff are often the best lines of defense. "You never know what seemingly innocuous piece of information becomes crucial during a criminal investigation," Dillon says.