E-check fraud: Mitigating risks to protect your organization

How e-check fraud occurs, who is at risk and how to prevent it

Alongside an increase in data breaches and personal information falling into criminal hands, organizations are now seeing a significant rise in e-check fraud. Given electronic banking’s convenience and growing popularity—and the fact that electronic transactions have fewer protections in place than in-person purchases—it is imperative to implement controls to protect your finances.

How fraud occurs

Bank account and routing numbers can be accessed in a number of ways: through a data breach, on past invoices or on the checks themselves. In fact, many companies make account numbers available to vendors so they can directly and efficiently submit payments or transfers. That information can then be taken and used for fraudulent purposes.

Banking institutions have controls in place with paper checks: Banks are required to provide reasonable care, and thus have established policies for verifying a signature on a check over a certain amount to confirm that the transaction is legitimate. But with an e-check, there is no reasonable way to perform this verification with the same level of scrutiny.

Responsibility and verification

The key issue with e-checks is presentment. If someone fraudulently uses a credit card at a vendor, the vendor bears responsibility for the fraud because the vendor should check the signature. With a physical check, the bank takes responsibility because it is required to verify the signature if the transaction is over a certain amount. But with an electronic transaction, your company has the ultimate responsibility, because the options for verification are limited.

Banks are not responsible for money taken from accounts during e-check fraud, as there is no way they can know the transaction is fraudulent. A low-end verification process verifies only that a routing number is valid before processing the transaction. The next level verifies that the routing number, the account number and the name on the account are correct.

The highest level of verification requires actual confirmation of ownership for both accounts: the one that funds are withdrawn from and the one that is receiving the transfer. But that level of security is typically found only among transactions completed within a financial institution, such as paying a mortgage or auto loan.

The highest level of verification causes significant processing issues for most merchants. In fact, many merchants do not want to implement a high level of protection, because it could flag legitimate purchases. For example, individuals or organizations can process many transactions in a short amount of time, and recurring payments can use multiple accounts, such as a parent paying a child’s credit card bill.

A PIN may seem like a beneficial step for additional verification; however, adding that measure is not currently possible, as instantaneous verification cannot occur between banks. It would require a fundamental change to the entire banking system. Without a higher level of checks and balances to prevent fraudulent transactions, companies must implement protective measures on their end to safeguard accounts and save the time spent on recovering lost funds.

Who is at risk?

Large companies often have automatic reconciliation systems that can identify and flag unusual transactions, leading to more effective fraud controls. Small organizations simply process fewer transactions, so irregular transactions and missing funds are easily spotted. Therefore, in many cases, midsize companies have the most difficulty recognizing and addressing e-check fraud.

As companies begin to grow—and bank activity consequently accelerates—going line-by-line to ensure transactions are valid becomes more difficult. They may not have reached the level where it is financially feasible to implement automatic reconciliation processes, but manual practices may have become lax or overwhelming to current personnel.

Putting mitigation techniques to the test: Can we withdraw money from RSM’s accounts?

Let’s be honest. It wouldn’t be fair to offer mitigation strategies without proof that they actually work, which is why we put them to the test—against ourselves.

In a controlled test, we attempted to withdraw small amounts of money from several of RSM’s accounts. As part of the test, we initiated withdrawals of varying amounts from three RSM checking accounts and directed them to three of our own external accounts.

In each of the tests, the transactions appeared to go through because the banks had no initial way to verify their authenticity. The balances appeared in the external accounts in a “pending” status. But within 24 hours, each of the three transactions had been declined by our external banks, because we use Positive Pay and ACH blocking.

Mitigating e-check fraud: How did we do it?

Your organization can take advantage of several strategies to protect finances and discourage e-check fraud. You should start by talking to your financial institution to discuss appropriate controls and protective measures. Strengthening reconciliation practices is your major line of defense against e-check fraud; if you are not performing reconciliations in a timely and thorough manner, instances of fraud can go undetected.

You may need to strengthen reconciliation practices or leverage external resources to improve processes and observe transaction activity. Your organization also may want to consider making adjustments to reconciliation parameters to target suspicious transactions both large and small: Many companies have suffered significant financial losses from a series of small fraudulent transactions that went undetected because they fell below the reconciliation threshold.

You can also limit your susceptibility to e-check fraud by allowing deposits only into certain accounts and locking them so funds can only go in—even if account and routing numbers are compromised, a criminal cannot withdraw funds. For example, many organizations create separate accounts for payroll, accounts payable and operations in order to add additional controls and ensure that their primary cash accounts don’t allow e-transactions. Additionally, Positive Pay or similar solutions offered by your financial institution limit which transactions are allowed to clear.

Using the example of payroll, transferring only the payroll amount into that account in advance of payday limits your liability if someone tries to use the routing and account number from a payroll check in e-fraud. The risk is limited if only the outgoing funds, or a manageable balance, are deposited in the account.
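To make the reconciliation and account-lockdown controls described above concrete, here is an added example (not RSM’s tooling or any bank’s product) that models them in Python: a deposit-only lock, an ACH debit block, a Positive Pay issue-file match, and a reconciliation pass that flags large unmatched debits individually and a series of small ones by their total. Account names, the issue file, the thresholds and the sample bank activity are all constructed for the example.

```python
from collections import defaultdict
# Hypothetical control configuration; account names, thresholds and amounts are constructed.
DEPOSIT_ONLY = {"OPERATING"}  # locked: funds may only come in, never go out
ACH_BLOCKED = {"PAYROLL"}     # ACH / e-check debits are refused (the lock already covers OPERATING)
ISSUED_CHECKS = {("PAYROLL", "5001"): ("J. Doe", 2400.00),       # Positive Pay issue file:
                 ("PAYABLES", "1042"): ("Acme Supply", 1250.00)}  # (account, check_no) -> (payee, amount)
ITEM_THRESHOLD = 100.00        # one unmatched debit at or above this is flagged on its own
SMALL_ITEM_AGGREGATE = 250.00  # smaller unmatched debits to one payee are flagged by their total

def review_debit(txn):
    """Name the control that refuses this debit, or return None if it may clear."""
    acct, kind = txn["account"], txn["type"]
    if acct in DEPOSIT_ONLY:
        return "deposit-only account"
    if kind in ("ach_debit", "echeck") and acct in ACH_BLOCKED:
        return "ACH debit block"
    if kind == "check" and ISSUED_CHECKS.get((acct, txn.get("check_no"))) != (txn["payee"], txn["amount"]):
        return "Positive Pay: not in issue file or payee/amount mismatch"
    return None

def reconcile(activity):
    """Apply the controls, then reconcile what cleared; returns (rejected, flagged) lists of (id, reason)."""
    rejected, flagged, small_by_payee = [], [], defaultdict(float)
    for txn in activity:
        reason = review_debit(txn)
        if reason:
            rejected.append((txn["id"], reason))
        elif txn["type"] == "check":
            continue  # matched the issue file, so it reconciles
        elif txn["amount"] >= ITEM_THRESHOLD:
            flagged.append((txn["id"], "unmatched electronic debit over threshold"))
        else:  # below the per-item threshold: only visible in aggregate
            small_by_payee[txn["payee"]] += txn["amount"]
    for payee, total in small_by_payee.items():
        if total >= SMALL_ITEM_AGGREGATE:
            flagged.append((payee, f"series of small debits totalling {total:.2f}"))
    return rejected, flagged

# Constructed sample bank activity used to exercise the controls.
SAMPLE_ACTIVITY = [
    {"id": "t1", "account": "OPERATING", "type": "echeck", "payee": "Unknown LLC", "amount": 45.00},
    {"id": "t2", "account": "PAYROLL", "type": "ach_debit", "payee": "Unknown LLC", "amount": 90.00},
    {"id": "t3", "account": "PAYROLL", "type": "check", "check_no": "5001", "payee": "J. Doe", "amount": 2400.00},
    {"id": "t4", "account": "PAYABLES", "type": "check", "check_no": "1043", "payee": "Acme Supply", "amount": 9250.00},
    {"id": "t5", "account": "PAYABLES", "type": "echeck", "payee": "Unknown LLC", "amount": 95.00},
    {"id": "t6", "account": "PAYABLES", "type": "echeck", "payee": "Unknown LLC", "amount": 85.00},
    {"id": "t7", "account": "PAYABLES", "type": "echeck", "payee": "Unknown LLC", "amount": 80.00},
]
if __name__ == "__main__":  # prints ([rejected ...], [flagged ...])
    print(reconcile(SAMPLE_ACTIVITY))
```

Note that t5 through t7 each sit under the old per-item threshold and would have slipped through a reconciliation that only looked at single items; the aggregate rule is what surfaces them.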

The number of paper checks issued is dramatically declining due to the efficiency of electronic banking and ACH transfers—but with increased convenience comes increased risk to your organization. Banking information is under attack, and as more banks upgrade their systems, e-check fraud will become even more prevalent. Implementing additional security controls and strengthening reconciliations will help identify criminal activity and protect funds.

What to do if you are the victim of e-check fraud

If you notice suspicious activity in your bank accounts or believe that your organization has suffered e-check fraud, you must file a police report to begin the process of recovering funds. In addition, submit a claim to your insurance company, depending on the level of suspected damages. Some companies have also purchased cybersecurity insurance policies in the midst of several high-profile security breaches; those can be leveraged following e-check fraud.
