According to the 2011 Report to Congress on the Use of the Automated Clearinghouse System for Remittance Transfers to Foreign Countries, ACH transfers increased nearly 11 percent per year from 2000 to 2010. In 2012 alone, there were approximately 31 billion ACH transactions completed, moving approximately $37 trillion. There appeared to be fewer wire transfers, but larger amounts being moved.
Along with the increase in use of these automated transactions comes an increase in fraudulent transactions. The FBI saw a 38 percent increase in wire transfer fraud in 2011 alone. The 2014 Association for Financial Professionals Payments Fraud and Control Survey reported that payment fraud from ACH debits in 2013 affected 22 percent of responding organizations, while payment fraud from ACH credits in 2013 affected 9 percent. Payment fraud from wire transfers in 2013 affected 14 percent of respondents, up from 11 percent in 2012.
While ACH and wire transfers appear very similar, there are a few differences. Wire transfers move money between financial institutions. The financial institutions do most of the moving, and charge fees to the customer to send and receive money through the wire transfer. In an ACH transfer, information is sent in a batch to an automated clearinghouse, which clears the payments and sends them to a bank. The clearinghouse acts as a middleman. The downside to ACH transfers is that they take more time, sometimes up to three business days, to clear.
These transactions were once considered to be low-risk, but fraudulent transactions appear to be increasing significantly because information is more accessible and these types of transactions are more widely used. The primary targets are small- to medium-sized banks, businesses, schools and other organizations. These targets often rely on traditional security systems and applications, which increases their risk.
How is it done?
Fraud through ACH and wire transfers is fairly simple considering all perpetrators need is an account number and bank routing number. ACI Worldwide, a Universal Payments Company, recently published an article discussing the following methods perpetrators use to commit ACH and wire transfer fraud:
• Account takeover: The fraudster opens a fake business account with Bank A. The perpetrator then targets account holders at Bank B through phishing attacks, which could include an email with a link that takes them to a bogus site where they enter their login information, which the fraudster captures. Now that they have the account holder’s information, the fraudster accesses the Bank B customer’s bank account online and initiates an ACH transfer to the fake account at Bank A. Once the funds have been transferred to Bank A, the fraudster initiates a wire transfer from the fake account to another account that they control and sweeps the money away.
• Man-in-the-middle attack: This attack involves malicious code, hidden in an email scam, a link to a greeting card, or a news story, which infects the account holder’s computer with a virus that collects data typed into Web forms. Once the banking information is collected, the fraudster utilizes a scam to target the specific bank account, sending the account holder to a page to reset their security code, which installs another virus. The next time the account holder logs into their online banking account, the fraudster’s virus inserts itself between them and their online banking system, where it executes commands to initiate wire transfers or ACH transactions without the knowledge of the account holder.
• Social engineering attack: Fraudsters use psychological manipulation to trick people into divulging account information. This can be done by someone calling a business employee, claiming to be an IT employee, to gain access to his or her computer on which the fraudster could install spyware or keystroke loggers.
How to protect your money
Although banks and other organizations continue to increase security measures for customers, fraudsters continue to refine their approach. Banks must recognize that there is a huge client communication and education element to fraud prevention.
According to Mysecurityawareness.com, banks should follow these steps to help mitigate the risks of ACH/wire transfer fraud:
• Set limits and reviews on ACH/wire transfer transactions;
• Utilize verification techniques;
• Educate customers on risks;
• Conduct employee awareness programs;
• Ensure effective firewalls and processes are in place to evaluate, monitor, and validate firewall settings; and
• Frequently update anti-virus and anti-malware programs.
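One way a bank could apply "limits and reviews" to the account takeover flow described earlier (an ACH credit into a recently opened account, followed by a wire out), shown as an added example that is not from the article or its sources. The thresholds, field names and sample transactions are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed policy values for illustration; each institution sets its own.
WIRE_REVIEW_LIMIT = 10_000            # outbound wires at or above this are reviewed
SWEEP_WINDOW = timedelta(hours=72)    # look-back for ACH credits before a wire
SWEEP_RATIO = 0.8                     # wire moves at least this share of those credits
NEW_ACCOUNT_AGE = timedelta(days=30)  # account opened this recently counts as new

def flag_for_review(txns, opened):
    """Return {txn_id: [reasons]} for outbound wires that need manual review.

    txns: dicts with id, account, kind ('ach_credit' or 'wire_out'), amount, time.
    opened: dict mapping account -> datetime the account was opened.
    """
    flags, credits = {}, {}  # credits: account -> [(time, amount)] seen so far
    for t in sorted(txns, key=lambda t: t["time"]):
        if t["kind"] == "ach_credit":
            credits.setdefault(t["account"], []).append((t["time"], t["amount"]))
            continue
        if t["kind"] != "wire_out":
            continue
        reasons = []
        if t["amount"] >= WIRE_REVIEW_LIMIT:
            reasons.append("over_limit")
        # Total ACH credited to this account shortly before the wire.
        recent = sum(a for when, a in credits.get(t["account"], [])
                     if t["time"] - when <= SWEEP_WINDOW)
        if recent and t["amount"] >= SWEEP_RATIO * recent:
            reasons.append("ach_in_wire_out")
            if t["time"] - opened[t["account"]] <= NEW_ACCOUNT_AGE:
                reasons.append("new_account")
        if reasons:
            flags[t["id"]] = reasons
    return flags

# Constructed sample data (not real transactions).
T0 = datetime(2014, 6, 2, 9, 0)
OPENED = {"biz-001": T0 - timedelta(days=5), "biz-002": T0 - timedelta(days=900)}
TXNS = [
    {"id": "t1", "account": "biz-001", "kind": "ach_credit", "amount": 8_500, "time": T0},
    {"id": "t2", "account": "biz-001", "kind": "wire_out", "amount": 8_400, "time": T0 + timedelta(hours=6)},
    {"id": "t3", "account": "biz-002", "kind": "ach_credit", "amount": 4_000, "time": T0},
    {"id": "t4", "account": "biz-002", "kind": "wire_out", "amount": 1_200, "time": T0 + timedelta(days=1)},
    {"id": "t5", "account": "biz-002", "kind": "wire_out", "amount": 25_000, "time": T0 + timedelta(days=10)},
]

if __name__ == "__main__":
    for txn_id, reasons in flag_for_review(TXNS, OPENED).items():
        print(txn_id, reasons)
```

The small wire from the long-standing account (t4) passes, while the near-total sweep from the five-day-old account (t2) is held even though it is under the dollar limit.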
In addition to the banks, Mysecurityawareness.com recommends that bank customers should also take the following precautions:
• Never respond to emails or pop-ups by divulging personally identifiable information;
• Do not open attachments or unsolicited emails or click on links in bulk emails;
• Designate a single computer in the household for online banking;
• Install separate browsers for online banking;
• Close all other browser tabs when banking online;
• When finished with online banking, log off online and close the browser;
• Monitor and reconcile accounts daily and immediately report any unauthorized transactions to your bank;
• Never use any online banking passwords for other online accounts and avoid using automatic login features that save usernames and passwords; and
• Never access online banking accounts on public computers.
Regardless of the tools and tactics banks and organizations implement, criminals will make every attempt to overcome these obstacles. Do not rely 100 percent on banks to protect you from these crimes – be just as involved in the protection of your personal information as your bank.
Stephanie Wood, CPA, CIA, CFE, is a supervisor with EFP Rotenberg LLP, Certified Public Accountants and Business Consultants