Fraud Smarts - Fraud Prevention Handbook
Ebook, 296 pages, 6 hours


About this ebook

A practical how-to guide to help everyone stay safe, avoid the latest scams and prevent identity theft. With hundreds of easy-to-follow tips, this guide is designed as a go-to resource for consumers, teenagers, college students, families, senior citizens and small businesses. This book also provides a complete list of resources and support for victims of fraud. This book was written by Dan Szabo, the founder of eFraud Prevention™, LLC. eFraud Prevention™ is a 12-year-old company that helps banks, credit unions, colleges and other businesses create security-minded people. Established in 2004, eFraud Prevention™ was the first service of its kind and remains unsurpassed in fraud awareness education.

Language: English
Publisher: Dan Szabo
Release date: Mar 2, 2016
ISBN: 9781524203092
Author

Dan Szabo

    Book preview

    Fraud Smarts - Fraud Prevention Handbook - Dan Szabo

    ACH & Wire Fraud Prevention

    Both ACH (automated clearing house) transactions and wire transfers are forms of electronic fund transfers (EFTs). Wire transfers typically involve larger sums of money and are transferred between banks. ACH transfers are scheduled transactions, like online bill payments, that typically involve smaller amounts of money.

    ACH (automated clearing house)

    ACH fraud is the theft of funds through the Automated Clearing House financial transaction network. The ACH network acts as the central clearing facility for all Electronic Fund Transfer (EFT) transactions in the United States, representing a crucial link in the national banking system. Payments linger in the ACH network awaiting clearance for their final banking destination.

    Here are a few examples of ACH fraud:

    The criminal accesses a commercial customer's credentials, generates an ACH file in the originator's name, and quickly withdraws funds before the victim discovers the fraud.

    The criminal accesses a retail customer's credentials and sets himself up as an automatic bill pay recipient.

    In an insider threat scenario, an employee of the target company or a bank modifies ACH files to steal money.

    In a variation on check kiting—a scam in which funds are juggled back and forth between bank accounts at separate banks—a criminal takes advantage of the time lag in transactions.

    In a spear phishing scam, an employee with authorization for ACH transactions receives an email that leads him to an infected site, which installs a keylogger to access authentication information. The thief can then impersonate the company's authorized representative and withdraw funds.

    ACH fraud prevention tips:

    Reconcile all banking transactions on a daily basis.

    Initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer.

    If possible, and in particular for customers that do high value or large numbers of online transactions, carry out all online banking activities from a stand-alone, hardened and completely locked down computer system from which e-mail and Web browsing are not possible.

    Be suspicious of e-mails purporting to be from a financial institution, government department or other agency requesting account information, account verification or banking access credentials such as usernames, passwords, PIN codes and similar information. Opening file attachments or clicking on web links in suspicious emails could expose the system to malicious code that could hijack the computer.

    Install a dedicated, actively managed firewall, especially with a broadband or dedicated connection to the Internet, such as DSL or cable. A firewall limits the potential for unauthorized access to a network and computers.

    Create a strong password with at least 10 characters that includes a combination of mixed case letters, numbers and special characters.

    Prohibit the use of shared usernames and passwords for online banking systems.

    Use a different password for each website that is accessed.

    Change the password a few times each year.

    Never share username and password information for Online Services with third-party providers.

    Limit administrative rights on users' workstations to help prevent the inadvertent downloading of malware or other viruses.

    Install commercial anti-virus and desktop firewall software on all computer systems. Free software may not provide protection against the latest threats compared with an industry standard product.

    Ensure virus protection and security software are updated regularly.

    Ensure computers are patched regularly, particularly the operating system and key applications, with security patches. It may be possible to sign up for automatic updates for the operating system and many applications.

    Clear the browser cache before starting an Online Banking session in order to eliminate copies of web pages that have been stored on the hard drive. How the cache is cleared will depend on the browser and version. This function is generally found in the browser's preferences menu.

    Verify use of a secure session (https not http) in the browser for all online banking.

    Avoid using automatic login features that save usernames and passwords for online banking.

    Never leave a computer unattended while using any online banking or investing service.

    Never access bank, brokerage or other financial services information at Internet cafes, public libraries, etc. Unauthorized software may have been installed to trap account number and sign-on information, leaving the customer vulnerable to possible fraud.

    Stay in touch with other businesses to share information regarding suspected fraud activity.

    Immediately escalate any suspicious transactions to the financial institution, particularly ACH or wire transfers. There is a limited recovery window for these transactions and immediate escalation may prevent further loss by the customer.

    Here is an example of wire fraud:

    The organization’s legitimate email domain is @company.com.

    The attacker registers domain names deceptively similar to the organization’s (for instance, @conpany.com, @cornpany.com, @cmpany.com).

    The attacker learns the names of the Designated Executive and Designated Employee through social engineering or online research.

    The attacker sends an email purporting to be from the Designated Executive, using a deceptively similar email domain.

    The Designated Employee receives this email and sees that it is from the Designated Executive, directing the Designated Employee to have $1 million wired to account number 123456789.

    The Designated Employee, following procedure, checks to see that the email came from the Designated Executive.

    But the Designated Employee fails to notice the misspelling in the email domain @conpany.com, mistaking it for a legitimate company email address.

    The Designated Employee logs into the online banking portal account and requests an outbound wire transfer for $1 million to account number 123456789.

    The bank, following procedure, checks to confirm that the request for the wire transfer did come from the Designated Employee’s account on the online banking portal.

    The bank wires $1 million to account number 123456789.

    Meanwhile, the actual Designated Executive has no knowledge of this wire transfer.
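
    A mail filter or payment-approval workflow can flag the lookalike domains in the example above before a person has to spot the misspelling. The sketch below is an added example, not taken from the book; the confusable-sequence list, the distance threshold and the sample headers are constructed assumptions.

```python
"""Added example: flag sender domains that imitate a trusted domain."""
from email.utils import parseaddr

TRUSTED_DOMAIN = "company.com"  # legitimate domain from the example above

# Character sequences that read like another letter at a glance.
# Constructed, non-exhaustive list (an assumption, not from the book).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def skeleton(domain):
    """Collapse confusable sequences, so 'cornpany.com' -> 'company.com'."""
    s = domain.lower()
    for seq, looks_like in CONFUSABLES:
        s = s.replace(seq, looks_like)
    return s


def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap neighbours) turning a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def classify(from_header, trusted=TRUSTED_DOMAIN, max_distance=2):
    """Return 'trusted', 'lookalike' or 'external' for a From: header value."""
    address = parseaddr(from_header)[1]  # drops the display name
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == trusted:
        return "trusted"
    if skeleton(domain) == skeleton(trusted):
        return "lookalike"  # visually confusable spelling
    if edit_distance(domain, trusted) <= max_distance:
        return "lookalike"  # one or two keystrokes away
    return "external"


# Constructed sample headers using the domains from the example above.
SAMPLES = [
    "Designated Executive <exec@company.com>",
    "Designated Executive <exec@conpany.com>",
    "Designated Executive <exec@cornpany.com>",
    "Designated Executive <exec@cmpany.com>",
    "Billing <billing@example.org>",
]


def review(headers):
    """Pair each header with its verdict; hold 'lookalike' for verification."""
    return [(h, classify(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in review(SAMPLES):
        print(f"{verdict:9}  {header}")
```

    A "lookalike" verdict on a payment request is a reason to hold the transfer until the sender is confirmed through a separate channel.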

    Wire fraud prevention tips:

    Never wire money to people you don't know, regardless of how convincing or enticing their story may be. Scammers often win their victims' confidence with some bait, such as a work-at-home offer, a great deal on a product for sale, or news that you have won some kind of lottery. Be especially careful with transactions over the Internet, where the other person's true identity can remain anonymous. A stranger asking you to wire money is a huge red flag that it is a scam. Don't fall for it.

    But even if you get a request to send a wire transfer and it's supposedly from someone you do know, confirm that's the case some other way, such as through a separate phone call.

    If you're being pressed to make a decision or send money fast, it's probably a sign of a scam.

    Walk away from any offer from a stranger who asks you to deposit a check into your bank account and instructs you to wire any of that money to someone else, perhaps in another country. Let's say you receive a check, cashier's check or money order for an item you are selling or to cover so-called processing fees, shipping costs or other expenses. But then you notice that the check is for more money - perhaps far more - than what you were expecting. The other party instructs you to deposit the check and wire a portion back to an associate in another country. Later you find out that the check was fake and you are out all of the money you wired. In this type of scam, victims may end up owing thousands of dollars to the financial institution that wired the money.

    Likewise, if you are selling something online, be wary of a request by a buyer to wire you the money because that may be a ruse to get your bank account information. Or, this person may plan to send you the money illegally using someone else's bank account number, and ultimately you'd be without your merchandise as well as any payment. Always remember that wiring money is like sending cash, and because you voluntarily sent the money, you have fewer protections in terms of getting it back.

    Never give out your bank account or credit card numbers in response to an advertisement or an unsolicited call, text message or e-mail. That information could enable someone to steal money out of your account by a wire transfer, before you have time to realize that the interaction was fabricated by a swindler.

    ATM Machine Safety

    As always, be mindful of your surroundings. Don't select an ATM at the corner of a building - corners create a blind spot. Do your automated banking in a public, well-lighted, high traffic location that is free of shrubbery and decorative partitions or dividers.

    Maintain an awareness of your surroundings throughout the entire transaction. Be wary of people trying to help you with ATM transactions. Be aware of anyone sitting in a parked car nearby. When leaving an ATM make sure you are not being followed. If you are followed or think you are, drive immediately to a police or fire station, or to a crowded, well-lighted location or business. If lights around the ATM are not working, don't use that machine.

    Do not use an ATM that looks unusual or offers options with which you are not familiar or comfortable. Thieves stick devices called skimmers on top of ATMs to steal your banking information.

    When using a walk-up ATM, park as close as you can to the machine. Before leaving the safety of your car, check for suspicious persons or circumstances. Have your ATM card ready before you approach the machine.

    ATM Skimming

    ATMs and gas stations — especially in tourist areas — may have skimming devices. Scammers use cameras, keypad overlays, and skimming devices — like a realistic-looking card reader placed over the factory-installed card reader on an ATM or gas pump — to capture the information from your card’s magnetic strip without your knowledge and get your PIN.

    How to avoid being skimmed

    Inspect the ATM, gas pump, or credit card reader before using it. Be suspicious if you see anything loose, crooked, or damaged, or if you notice scratches or adhesive/tape residue.

    When entering your PIN, block the keypad with your other hand to prevent possible hidden cameras from recording your number.

    If possible, use an ATM at an inside location (less access for criminals to install skimmers).

    Be careful of ATMs in tourist areas. They are a popular target of skimmers.

    If your card isn’t returned after the transaction or after hitting cancel, immediately contact the financial institution that issued the card.


    Bitcoin

    If your wallet’s stolen, act fast - If your Bitcoin wallet has been stolen, the thief will need to move the Bitcoin currency out of it. You need to act fast in order to save your Bitcoin. When the Bitcoin wallet is stolen from the victim, the thief will have to spend the Bitcoins in it - by either adding them to his own wallet, purchasing something, etc. The only way to get away without losing your money is if you spend the Bitcoins (purchase something or import them to a new wallet) before the thief does.

    Keep your PC clean if you’re dabbling in Bitcoin - Cybercriminals love Bitcoin. There are numerous malware families today that either perform Bitcoin mining or directly steal the contents of victims’ Bitcoin wallets, or both. Keep your computer clean and uncompromised by thinking before you click and keeping your system, applications and anti-virus up-to-date.

    Encrypt your wallet - Despite Bitcoin’s own beautiful illustrations of glittery coins, what you’re dealing with are numbers - long encryption keys. To stay safe, you just have to ensure no one else ever has access to these. There are several important rules to keep Bitcoins safe. The key words here are: back up and encrypt. Bitcoin provides a way to encrypt wallets, and this would make it much more difficult for the attacker to get his hands on the Bitcoins.

    Don’t keep all your eggs in one basket - or your Bitcoin in one wallet - Bitcoin is a special case - if you’re worried a site breach or Trojan attack may have put your Bitcoin within reach, don’t just change passwords, even if your wallet is encrypted. Make a new one, and move your coins to it (with a new, strong password). If a wallet or an encrypted wallet’s password has been compromised, it is wise to create a new wallet and transfer the full balance of bitcoins to addresses contained only in the newly created wallet.

    Most finance experts advise - don’t put your life savings in Bitcoin - The soaring price of Bitcoin isn’t a signal to invest: If you’ve made a profit on Bitcoins you already own, well done. There’s simply no way to know whether their prices will keep rising, stabilize or collapse. And there are a lot of risks - everything from them being hacked, your e-wallet being hacked, someone successfully forging them or Bitcoins being made illegal.

    If you must store Bitcoins online, don’t store large amounts - Online Bitcoin wallets are not designed to work like bank accounts - they’re convenient, as you can access them from anywhere - but they’re a prime target for cybercriminals. Web wallets are like a regular wallet that you carry cash in and are not meant to hold large amounts.

    Mobiles and Bitcoins don’t mix - Various Android apps offer ways to carry Bitcoins with you - but again, these come with their own risks. Earlier this year, a flaw in Android rendered ALL Bitcoin wallets unsafe - although it was rapidly patched - and apps which allow transfer via NFC add additional risks, particularly if a device is lost. Mobile wallet applications are available for Android devices that allow you to send bitcoins by QR code or NFC, but this opens up the possibility of loss if the mobile device is compromised. It is not advisable to store a large amount of bitcoins there.

    Keep your fortune in cold storage - If you’re serious about Bitcoin, the security procedures are long and complex - even Bitcoin admits that setting up an offline wallet, stored on CDs and USB sticks, is tedious and not user friendly. Bitcoin says, “Because bitcoins are stored directly on your computer and because they are real money, the motivation for sophisticated and targeted attacks against your system is higher than in the pre-bitcoin era.” Bitcoin’s own procedure for creating an offline wallet, which never contacts the internet in plaintext form, is here. This procedure is also known as creating an air gap or cold storage. Followed correctly, it provides protection from malware and cyber attacks - although not, of course, from traditional crimes such as extortion.

    Still worried? Store them on paper - One safe - if extreme - way of ensuring Bitcoins don’t fall into the hands of hackers is to store them on paper. Bitcoin says, When generated securely and stored on paper, or other offline storage media, a paper wallet decreases the chances of your bitcoins being stolen by hackers, or computer viruses. With each entry on a paper wallet, you are securing a sequence of secret numbers that is used to prove your right to spend the bitcoins. This secret number, called a private key, is most commonly written as a sequence of fifty-one alphanumeric characters, beginning with a '5'. Be sure, though, your PC is clean before you print - the free software used to generate codes has been targeted by cybercriminals. Run a complete scan of your machine first, then keep AV software running as you print out.

    Business basics

    Data Security

    Safeguard Data Privacy: Employees must understand that your privacy policy is a pledge to your customers that you will protect their information. Data should only be used in ways that will keep customer identity and the confidentiality of information secure. Of course, your employees and organizations must conform to all applicable laws and regulations.

    Establish Password Management: A password policy should be established for all employees or temporary workers who will access corporate resources. In general, password complexity should be established according to the job functions and data security requirements. Passwords should never be shared.

    Govern Internet Usage: Most people use the internet without a thought to the harm that can ensue. Employee misuse of the internet can place your company in an awkward, or even illegal, position. Establishing limits on employee internet usage in the workplace may help avoid these situations. Every organization should decide how employees can and should access the web. You want employees to be productive, and this may be the main concern for limiting internet usage, but security concerns should also dictate how internet guidelines are formulated.

    Manage Email Usage: Many data breaches are a result of employee misuse of email that can result in the loss or theft of data and the accidental downloading of viruses or other malware. Clear standards should be established regarding use of emails, message content, encryption and file retention.

    Govern and Manage Company-Owned Mobile Devices: When organizations provide mobile devices for their employees to use, a formal process should be implemented to help ensure that mobile devices are secure and used appropriately. Requiring employees to be responsible for protecting their devices from theft and requiring password protection in accordance with your password policy should be minimum requirements.

    Establish an Approval Process for Employee-Owned Mobile Devices: With the increased capabilities of consumer devices, such as smart phones and tablets, it has become easy to interconnect these devices to company applications and infrastructure. Use of these devices to interconnect to company email, calendaring and other services can blur the lines between company controls and consumer controls. Employees who request and are approved to have access to company information via their personal devices should understand and accept the limitations and controls imposed by the company.

    Govern Social Media: All users of social media need to be aware of the risks associated with social media networking. A strong social media policy is crucial for any business that seeks to use social networking to promote its activities and communicate with its customers. Active governance can help ensure employees speak within the parameters set by their company and follow data privacy best practices.

    Oversee Software Copyright and Licensing: There are many good reasons for employees to comply with software copyright and licensing agreements. Organizations are obliged to adhere
