5 Tips to Reduce Banking Fraud

Payments Assoc. Offers Advice to Fight Corporate Account Takeover
5 Tips to Reduce Banking Fraud
The keys to overcoming corporate account takeover: a mix of "old school" procedures and layers of technology.

This is the advice from Alex Romeo, VP, Electronic Payments Network Product Manager, at the Clearing House, a payments association and processor that is owned by 20 of the largest banks in the U.S.

"Large or small businesses are targets," Romeo says. "What oftentimes it is called ACH fraud, or wire fraud, is actually corporate account takeover. Once the criminals have the corporate's banking credentials, they're off to the races."

Romeo sees several things that both institutions and the businesses can be doing to lower the potential for corporate account takeover:

1. Multi-Factor Authentication

The best approach is to start with a multi-factor authentication/multi-layered security structure. This is what Romeo is seeing from the institutions that are successfully thwarting fraud. "Remember, there is no one silver bullet that will solve this problem, so if you put all your hope in a single solution, you'll get compromised, and the intruder will have everything."

This multi-layered approach from a software perspective, combined with old-fashioned out-of-band phone calls to the customer to confirm a questionable transaction, can cut the institution's headaches and the business' fraud losses.

In the old days, Romeo says, calendars were put in place for all set transactions for all accounts, whether they were large corporates or small businesses. "If they had a weekly payroll, that only went out once a week, and then all of a sudden we saw something going out every day -- that would be a red flag; we would question it," he says.

2. Banks: Monitor Transactions

In his days in bank operations, Romeo says, the bank used to set up daily limits on each user. "We used to set these limits on our mainframe processor in the bank, along with file limits and batch limits, so if there were something added, or out of the ordinary, we would spot it." Another thing to watch for is a whole lot of activity right under $9,000. "Because the fraudsters know they won't draw suspicion of a bank if they fly under $10,000 mark."

3. Businesses: Reconcile Corporate Accounts Daily

For businesses, Romeo recommends reconcilement of banking accounts and transactions on a daily basis -- either at end of day or at least at the beginning. "This will help catch any transactions you didn't make, and the sooner you bring it to your bank's attention, the better chance to retrieve the money, with the bank doing a recall or reversal of the transaction. The longer you wait, the less likely it is that you'll see that money recovered."

4. Employ Dual, Triple Controls

Dual controls at the corporate side are, at the very least, tablestakes. Romeo suggests even triple controls, where one person creates the transaction, a second person approves it, and then a third person actually sends the transaction.

"If you don't have the people, then set up the ACH transactions with the institution, an out of band confirmation, whether it is a phone call to confirm that you've sent it, and confirmation of the correct information was received," he notes. This can be done live or through an automated voice response system. Usually, only one person would have the password and ID to call the bank, which would be totally separate from the person's computer.

5. Raise Fraud Awareness

Finally, Romeo says, continuous education of business customers is important. At the national level, this problem of corporate account takeover has gotten real attention. But real solutions won't come until financial institutions and their corporate accounts alike realize the real risks they face - and simple solutions they can implement to help mitigate those risks.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.