Check Fraud: The Next GenerationSchemes Have Evolved, But Detection Methods Haven't
Many banks are complacent about check fraud, perhaps because it's been around for so long. And yet, according to the 2012 Faces of Fraud survey, it remains the second-most common form of fraud institutions face.
"When they look at fraud and how to contain it, they have a certain amount they're willing to tolerate," says George Tubin, financial fraud expert and senior security strategist at security firm Trusteer. "They look at percentages, not overall losses."
See Also: How to Defend Your Attack Surface
Another reason for the complacency? Check fraud seems minor, relative to escalating fraud threats posed by emerging e-commerce channels. "Banks perceive the risk to be much higher in the electronic-payment channels," Tubin says. "With check fraud, they've been dealing with it forever, and they're used to it."
But the lines between old-school schemes such as check fraud, and emerging e-commerce scams are blurring. The advent of check images has married the check to the online channel. And financial institutions that continue to rely on manual processes to detect check fraud find themselves challenged by new cross-channel schemes.
"In most instances, this fraud is coming from the online channel, whether they're hacking in to look at check images or they're getting in to move money," Tubin says. "If you stop it online, then you don't have to worry about trying to catch things downstream."
To adequately address check fraud in an era of convergence, experts advise banking institutions to set limits on check amounts, automate monitoring for anomalous check behavior and integrate check-fraud into know-your-customer and other anti-money-laundering controls and systems.
New Services, New Fraud Opportunities
A number of recent cross-channel schemes have resulted in check fraud.
In late April, Trusteer uncovered an elaborate - but relatively easy to pull off - check-hijacking scheme where hackers relied on phishing attacks and malware to access online accounts to retrieve check details.
Amit Klein, chief technology officer at Trusteer, who blogged about the scheme, says the hackers were able to gather business account names, addresses, account numbers, routing numbers and check numbers online, bypassing the need to get their hands on the paper checks themselves.
A similar scheme involving check images cropped up in August 2010, when federal investigators discovered hackers in Russia had breached an online check-image database managed by a third-party.
Andy Schmidt, a payments-channel fraud analyst at TowerGroup, says more questions about the online security of third-parties that house images were raised after news of the Global Payments breach broke in late March.
"Banks realize it's only a matter of time before there's another major breach at a third-party," Schmidt says, whether it's card numbers or check images. "But if you follow basic rules, like looking for duplicate checks and other fraud activities, like velocity and the amounts of the checks being cashed or deposited, you are on your way to protecting yourself."
Mobile RDC Threats
While most of the new check attacks have been linked to online attacks, experts warn the industry can soon expect similar hacks waged against mobile. As more banking institutions launch mobile remote deposit capture capabilities, those threats will grow.
If users save check images they capture with their mobile-phone cameras, that creates more risk. And mobile banking apps that transmit check images also can be compromised with malware, Schmidt says.
"That's why it's so critical that mobile banking apps be constantly tested," Schmidt says.
Banking institutions contacted by BankInfoSecurity declined to comment about specific measures they're taking to mitigate risk in the check arena.
But 76 percent of banks ranked check fraud second among the top fraud threats they faced in 2011, according to BankInfoSecurity's fraud survey. Check fraud trailed only credit and debit fraud when it came to the number of incidents banking institutions said they dealt with last year.
"The very nature of the paper item - that it can be deposited through multiple channels - mobile, ATM, lockbox, at the branch, etc. - makes it very hard to track," Schmidt says.
So what steps can banking institutions take to mitigate the known and unknown risks? Tubin and Schmidt offer the following advice:
Set limits. The best way to control check fraud, in the branch, online or via mobile RDC - is to set proper limits on check amounts. If a check comes in for an amount that exceeds those limits, reject it.
Automate. Transition from the manual process of counterfeit check monitoring to a more automated process that resembles what issuers use in the card space. "Monitor behavior," Schmidt says. "Look for patterns that fall outside the normal range." If a check comes in from an accountholder who does not typically write checks, raise a flag. Or if the amount of the check is much higher than what is normal, contact the accountholder before accepting the check.
Integrate KYC Controls. AML controls can flag checks based on velocity - the number of checks written in a given period of time - as well as the sequence of the check numbers. "If it's not sequential, then they should know something does not look right," Schmidt says. Vendors offer technology that can automate the tracking of check numbers and notify banking institutions when checks are out of range or appear to be coming from different checkbooks, as an example.
But banks and credit unions have to balance investments in automation against the potential cost of fraud losses.
"If they continue to rely on a straight item-by-item approach, they're going to miss fraud," Schmidt says. "But it's a tradeoff. Am I spending more on an automated solution than I'm losing? That's the question they have to answer."