Wire & ACH Fraud: Where It Comes From & How to Stop It
To better manage wire and ACH fraud exposures, you must understand how these attacks typically occur.
Fraudsters continue to find weaknesses in authentication processes to obtain secure information and fraudulently transfer money to themselves via a wire or ACH transaction.
A wire is an electronic funds transfer used for sending cash to a disclosed business or recipient. An ACH transaction is a type of wire transfer performed through the Automated Clearing House. These transactions include scheduled fund transfers, like online bill payments, and typically involve smaller transaction amounts, while wire transfers take place directly between financial institutions and tend to involve much larger transaction amounts.
Simply defined, wire and ACH fraud involves any unauthorized funds transfer that occurs in a bank account. Oftentimes, these attacks originate from phishing attacks with malware or ransomware that result in fraudulent entry to a secure system with secure data.
With phishing attacks becoming more sophisticated and streamlined, ACH fraud attempts are almost certain to continue in the coming years, especially on the international spectrum.
To better manage wire and ACH fraud exposures, your credit union will need to understand how these attacks typically occur, so you know where to look and what to do should you suspect an attack.
Detecting Wire and ACH Fraud
According to the FBI, wire fraud scams involving a corporate account takeover, or “business email compromise,” target businesses that regularly make wire transfers to foreign companies. These crimes can result in millions of dollars in rerouted, stolen funds. Because many of the more serious and common wire fraud attacks involve international funds transfers, it is important to be especially diligent in monitoring and authenticating these types of wires.
HELOC transfers that occur on an account shortly before a wire request are another early warning sign for wire fraud. These are quite often the starting point for a wire fraud attack.
There is a substantially higher risk of ACH fraud for any financial institution that offers ACH loan payments on credit card accounts; this risk is even higher when granting immediate credit on loan payments. To stay one step ahead of the fraudsters, credit unions should not offer immediate credit on loans, but instead wait until the individual’s identity has been authenticated.
Your ACH processor is also a great resource for understanding and deterring the risks associated with ACH transactions. Regularly working with your processors to review the daily returns on settlement accounts and evaluate daily, weekly and monthly reports – i.e. credit card kiting reports, over credit card limit reports, excessive activity reports and cash advance reports – could help you find early warning signs for fraud.
Authentication Tools for Preventing Wire and ACH Fraud
To prevent wire or ACH fraud, it is important to implement multiple authentication requirements. These requirements should include a number of different elements to ensure you are doing everything in your power to protect your members’ accounts and keep the bad guys out.
First and foremost, it is important that you require your accountholders to establish a unique PIN and/or password for their accounts, along with unique security questions that the accountholder has set up. When establishing these security questions, it is best to offer options that do not involve attainable data, like Social Security numbers, home addresses or any other information, as a lot of this information was compromised during last year’s Equifax breach.
Contacting the accountholder on their home, work or cell phone is also a good way to validate the authenticity of a transaction; to be doubly safe, it is best to ask for more than one callback telephone number.
Encryption and biometric tools are also extremely valuable for keeping out cybercriminals, especially as their techniques continue to evolve in sophistication and frequency. Encryption tools use a codified passcode to safeguard your transactions and data from unauthorized access. This technology, which is offered by numerous software organizations, has been proven to reduce fraud significantly. Biometric technology uses physical human characteristics, like fingerprint and face recognition, to authenticate access to private data. This can be used within your organization to protect against internal fraud and used in partnership with smartphone producers to request biometric credentials for mobile account access. Though biometric technology isn’t as easy to universally apply to all accounts and transactions, it is becoming more and more commonplace, and is gaining popularity among consumers of all ages.
Internal Controls for Preventing Wire and ACH Fraud
It is important that at least one person inside your credit union understands the intricacies of ACH processing, terms and acronyms – i.e. ODFI, RDFI, etc. – so they can more easily and quickly help uncover the source of an attack. Resources for better understanding these transactions include the FFIEC’s Information Technology Handbook on third-party payment (ACH) processing, the NACHA Operation Guidelines and the NCUA’s guidance on third-party providers.
To help protect against phishing attacks, it is important that all wire and ACH transactions are processed on a secure, encrypted computer. It is also smart practice to keep your wire transfer policies and procedures off of your website. Giving fraudsters easy access to this information can help them to uncover a weak link in your defenses.
Limiting the dollar amount for daily transactions and singular transaction amounts is also a very effective way to reduce wire-related fraud losses, as this keeps the criminals from having access to an endless supply of funds.
Additionally, you should review the agreement with your third-party processors that offer online ACH payments to ensure their internal processes don’t open your credit union to additional liability risks associated with their payment process.
Make sure your employees are well-trained on what to look out for to detect wire and ACH fraud so they may notify specified individuals if anything looks out of the ordinary. You should also establish internal processes that double down efforts on protecting against these crimes, such as dual controls where one person authorizes a payment and another person verifies it. It may not be convenient, but this creates another layer of security and another method of protection.
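The warning signs and controls described in this article (a HELOC advance shortly before a wire, an international destination, single and daily dollar limits, and dual control) can be combined into one screening check that runs before a wire is released. This is an added example, not part of the original article; the lookback window, dollar limits, field names and sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values; the article gives no figures, so set these from your own policy.
HELOC_LOOKBACK = timedelta(days=3)   # how recent counts as "shortly before"
SINGLE_LIMIT = 25_000                # per-wire dollar limit
DAILY_LIMIT = 50_000                 # per-account daily wire total

@dataclass
class Txn:
    account: str
    kind: str                 # "heloc_advance" or "wire"
    amount: float
    when: datetime
    international: bool = False
    authorized_by: str = ""   # employee who authorized the payment
    verified_by: str = ""     # second employee who verified it

def screen_wire(wire, history):
    """Return the reasons to hold a wire for callback verification (empty list = release)."""
    prior = [t for t in history
             if t is not wire and t.account == wire.account and t.when <= wire.when]
    flags = []
    if any(t.kind == "heloc_advance" and wire.when - t.when <= HELOC_LOOKBACK for t in prior):
        flags.append("heloc_before_wire")
    if wire.international:
        flags.append("international")
    if wire.amount > SINGLE_LIMIT:
        flags.append("over_single_limit")
    same_day = sum(t.amount for t in prior
                   if t.kind == "wire" and t.when.date() == wire.when.date())
    if wire.amount + same_day > DAILY_LIMIT:
        flags.append("over_daily_limit")
    # Dual control: two different, named employees must authorize and verify.
    if not wire.authorized_by or not wire.verified_by or wire.authorized_by == wire.verified_by:
        flags.append("dual_control_missing")
    return flags

def demo():
    """Constructed sample data: one account-takeover pattern, one routine wire, one limit breach."""
    t0 = datetime(2024, 3, 4, 9, 0)
    history = [
        Txn("A-100", "heloc_advance", 40_000, t0),
        Txn("A-200", "wire", 30_000, t0 + timedelta(hours=1), False, "teller1", "officer1"),
    ]
    takeover = Txn("A-100", "wire", 38_000, t0 + timedelta(days=1), True, "teller1", "teller1")
    routine = Txn("A-200", "wire", 5_000, t0 + timedelta(hours=5), False, "teller1", "officer1")
    breach = Txn("A-200", "wire", 22_000, t0 + timedelta(hours=6), False, "teller1", "officer1")
    return {name: screen_wire(w, history)
            for name, w in (("takeover", takeover), ("routine", routine), ("breach", breach))}
```

Any non-empty result should route the wire to the callback and verification steps described earlier rather than reject it outright.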
It is equally important that you advise your members to set up strong security settings, like two-factor authentication (2FA) and complex passwords, to protect their accounts against these and other fraud crimes. It cannot be overstated how important it is to deploy multifactor, multilayer security for your personal and business accounts to help prevent these fraudulent transactions.
Both your members and staff should participate in protecting against these crimes, but it is up to your credit union to establish strong internal controls, and train your employees and members on how they can do their part in helping to protect against these risks.
Ann Davidson is Vice President of Risk Consulting for Allied Solutions LLC. She can be reached at ann.davidson@alliedsolutions.net.