Fighting Fraud. Online Security Management and Fraud Prevention
Latest Developments, Best Practices, and Practical Solutions
This white paper makes a case for engaging employees at all levels to effectively combat fraud in its emerging context. It serves as a starting point for broadening and deepening discussion within your organization on the optimal ways to fight fraud.
A Call to Action
In the escalating war on fraud, the nature of the threat—and the necessary responses—are changing rapidly:
• Companies are operating in an open and highly networked online environment.
• Employees are changing how they communicate and are more open to, and trustful of, new communication models.
• The nature of fraud threats is changing to take advantage of this operating context.
• Fraudsters have shifted focus to end users, i.e., your employees and their computer desktops.
• Fraud prevention requires a new level of collaboration between banks and their clients.
• The best way to fight fraud is with a comprehensive, multi-layered approach.
• Security management is becoming more integrated into the online bank portal experience in a way that is less intrusive and that facilitates the ease of doing business.
• Leading banks should play an advisory role in fraud prevention—sharing best practices based on their experience and expertise.

Today’s economic downturn only heightens the risk of fraud and the need for institutionalized vigilance, best-practice prevention measures, and readiness for rapid response.
Fraud Landscape – A Rocky Terrain
U.S. organizations lose about seven percent of their revenues to fraud, according to the Association of Certified Fraud Examiners—or nearly $1 trillion based on the 2008 US GDP. Tough economic times warrant increased vigilance towards fraud prevention. Internal fraud is likely to increase due to the economic environment. According to the 2008 AFP Payments Fraud and Control Survey, payments fraud is a pervasive threat to organizations of all sizes.
► 71% of respondents experienced attempted or actual payments fraud in 2007.
► Larger organizations were hit more often: 80% of respondents with annual revenues greater than $1 billion reported attempted or actual payments fraud, compared with 58% of those with annual revenues under $1 billion.
► 94% of the victims of attempted or actual payments fraud experienced check fraud.
Many companies don’t act aggressively to protect against fraud until they’ve been compromised. But fraud prevention should be mission-critical for all companies. Beyond a direct financial loss, corporate victims of fraud experience the reverberating effect of reputational damage due to breaches in customer payment information and other exposures.
The Paradox of Fraud
Today companies expect anytime, anywhere banking that integrates efficiently into workflow. Converging trends—towards real-time communication and straight-through processing (i.e., end-to-end automation without human intervention)—imply fluidity, which requires flexibility. Historically, though, safeguards to thwart online fraud have been antithetical to speed, efficiency, and flow. Many businesses associate fraud prevention with added controls and administrative burden.
This presents a dilemma for corporate treasury departments that—despite taking center stage in the credit and liquidity crisis—remain thinly staffed. Lean staffing tends to weaken internal controls even while speed and efficiency become critical to doing more with fewer resources.
The New Operating Context: More Conducive to Fraud
The front line in fighting fraud has shifted to corporate end users—a company’s work force. Employees are increasingly the first point of attack for fraudsters, who recognize end users as the weakest link, and, therefore, the best penetration point.
A New Level of Collaboration, an Integrated Approach
Many companies place responsibility for fraud prevention strongly on their banks. Because of the nature of today’s fraud, though, corporations must form a front line of defense. At the same time, banks are experts in payment fraud prevention and continue to be at the forefront of emerging technology and new strategies for fighting fraud.
Today’s fraud environment, therefore, requires an integrated approach to security management that includes a new level of collaboration between corporate clients and their banks. An integrated approach involves multiple layers of defense, which may include:
• Front-door security
• Back-door security
• Bank solutions
• Transactional controls
• Employee education

When implemented together, these layers comprise a comprehensive and integrated approach to online security management and fraud prevention. The latest developments—such as PC prints and tiered controls—can better integrate security into a client’s workflow and calibrate controls to the level of risk, while enabling a more personalized and customized security experience.
A handful of global banks are developing such fraud-prevention measures to help make controls less intrusive to a client’s workflow yet, at the same time, more transparent. Emerging security tools and solutions aim to facilitate the ease and efficiency of doing business—rather than hinder it—and to enable greater visibility into irregularities.
The remainder of this paper highlights new developments and best practices in each of these areas.
Front-door security
In addition to dual administration and entitlements, front-door controls include technology-based authentication tools such as digital certificates and hardware tokens. Profiling a user’s PC print—the user’s online modus operandi—can strengthen authentication controls further. A PC print can include, for example, the type of computer, Internet provider, and operating system a user logs in from.
A bank portal can learn this pattern, together with how the user transacts online, and use it to build a risk profile. Because the print is collected from the client machine, it is a risk signal rather than a credential: malware running on the registered PC presents the same print as the machine’s legitimate owner. When the system identifies a change in a user’s pattern—such as accessing the bank portal from a different computer—it challenges the user by asking a security question. This additional passive layer of security intervenes only if it detects an
Workplace trends
A number of interrelated trends have precipitated this shift. Companies are operating in a more open environment, with the Web integrated into the workplace. In parallel, employees are open to the Internet as a communication channel—especially those from Generation Y, “millennials” aged 18 to 30, who are comfortable putting personal information on the Internet, participating in social networking sites, and transacting via mobile devices. Trusted communication channels have expanded from email to instant messaging, social networking and group-messaging applications. These are the new channels for fraud.
The way employees interact is shifting too—away from in-person communication and towards online collaborative networks. While employees conduct business in a highly networked Web environment—where they can connect, converse, and work faster than ever before—so do fraudsters, who can breach a system and steal a user’s identification and password too.
Fraud trends
The nature of fraud has transformed to take advantage of this open, trust-based online environment. Malware, malicious software concealed from the end user, includes viruses, worms, trojan horses, rootkits, and spyware, among others. Security breaches can occur while employees conduct normal business activities, such as performing research or downloading Web content. Keyloggers, for example, often arrive by drive-by download: the attacker compromises a legitimate Web site, and the malware is delivered to the end user’s desktop along with the content the browser fetches from it. Keylogging spyware monitors and records the end user’s keystrokes and searches for stored security information such as online banking credentials, user IDs and passwords, then transmits it to the perpetrators for use against the company’s online banking. New security threats reflect the professionalization of cybercrime into organized virtual crime networks. Businesses not using best practices in fraud prevention may have weak controls, which heighten the risk of a serious breach.
Transactional Controls
More and more banks are requiring stricter security measures (e.g., tokens) for transactional activities like wire payments. Layered authentication can help prevent fraudsters from taking over a user’s identity. The key is in building strong walls and making it harder and more time consuming to penetrate or climb over the barriers. Increasingly, sophisticated portal security will distinguish between activities by level of confidentiality and risk, with banks tailoring the level of security features to the application. For example:
• Tier one security might be required for clients researching non-confidential information
• Tier two for receiving confidential information reporting and check images
• Tier three for payment initiation—with tier three activities requiring the use of tokens.

In the future clients also will have more flexible security options. This means that beyond their bank’s minimum requirements, they will have the ability to opt in to stronger levels of portal security. For example, a client might choose to use tokens for all employees entering the portal or for receiving information reporting. A tiered approach provides a more personalized and customized security experience.
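The PC-print check described under Front-door security and the tiered controls above fit together naturally in one decision routine. The following is an added example written for this page, not code from the paper or from any bank’s portal; the print attributes, the activity-to-tier mapping, the one-attribute drift tolerance on tier one, and the client opt-in field (`token_required_from_tier`) are all assumptions made for the illustration.

```python
"""Risk-based step-up authentication that combines a registered PC print
with tiered activity controls. Added illustration, not code from the paper
or from any bank; the print attributes, activity names, tier assignments
and the drift tolerance are assumptions made for this example."""
from dataclasses import dataclass, field

# Attributes that make up a PC print here (constructed; a real portal
# collects more signals, such as installed plug-ins or a client certificate).
PRINT_FIELDS = ("os", "browser", "isp_asn", "screen", "timezone")

# Activity tiers as described in the paper: 1 = non-confidential research,
# 2 = confidential reporting and check images, 3 = payment initiation.
TIER_OF_ACTIVITY = {
    "view_rates": 1,
    "view_balances": 2,
    "check_images": 2,
    "initiate_wire": 3,
    "initiate_ach": 3,
}


@dataclass
class UserProfile:
    user_id: str
    registered_prints: list = field(default_factory=list)
    # Bank minimum is a token from tier 3; a client may opt in to 2 or 1.
    token_required_from_tier: int = 3


def print_distance(observed: dict, registered: dict) -> int:
    """Number of attributes on which the two prints differ."""
    return sum(1 for f in PRINT_FIELDS if observed.get(f) != registered.get(f))


def best_match(observed: dict, profile: UserProfile) -> int:
    """Smallest distance from the observed print to any registered print.
    A user with no registered prints is treated as logging in from a
    wholly unknown machine."""
    if not profile.registered_prints:
        return len(PRINT_FIELDS)
    return min(print_distance(observed, p) for p in profile.registered_prints)


def decide(activity: str, observed: dict, profile: UserProfile,
           token_presented: bool) -> str:
    """Return 'allow', 'challenge' or 'token_required' for one request.

    A presented one-time token satisfies every tier. Without one, any
    activity at or above the profile's token tier is refused until a
    token is supplied; below that tier the PC print decides, and a
    mismatch triggers a challenge (e.g. a security question). A drift of
    a single attribute, such as a browser update, is tolerated on tier 1
    only, so the passive check stays quiet for routine use."""
    tier = TIER_OF_ACTIVITY[activity]
    if token_presented:
        return "allow"
    if tier >= profile.token_required_from_tier:
        return "token_required"
    distance = best_match(observed, profile)
    if distance == 0 or (tier == 1 and distance == 1):
        return "allow"
    return "challenge"


def register_print(profile: UserProfile, observed: dict) -> None:
    """Record a print after a successful challenge so the next login from
    the same machine is not challenged again. Exact duplicates are skipped."""
    if all(print_distance(observed, p) != 0 for p in profile.registered_prints):
        profile.registered_prints.append({f: observed.get(f) for f in PRINT_FIELDS})


if __name__ == "__main__":
    # Constructed prints for a demonstration run (not real data).
    office_pc = {"os": "Windows XP", "browser": "IE7", "isp_asn": "AS7018",
                 "screen": "1280x1024", "timezone": "-5"}
    cafe_laptop = dict(office_pc, os="Mac OS X", isp_asn="AS20115", screen="1440x900")
    alice = UserProfile("alice", [office_pc])
    for activity, machine in (("view_balances", office_pc),
                              ("view_balances", cafe_laptop),
                              ("initiate_wire", office_pc)):
        print(activity, decide(activity, machine, alice, token_presented=False))
```

The ordering of the checks is the security-relevant design choice: the token is tested first because it is the strongest factor the page describes, and the print is consulted only where the bank has not mandated a token, so the print can lower friction for routine activity without ever replacing the token on a payment.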
Behind the scenes, many banks perform additional security measures at the transaction level as part of their early fraud warning systems. For example, a bank may monitor client transactions and alert the client to suspicious activity. Banks should increasingly work to build client awareness of these fraud-prevention activities. For instance, a bank may call its client to report that an ID has been deactivated following a suspicious-activity warning and that, for the client’s protection, access will remain shut down until the client confirms the activity. Banks also perform callbacks on suspicious wires; such a callback should go to a contact number already on file, never to a number supplied with the payment instruction.
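To make the transaction-level monitoring above concrete, here is an added example of the kind of rule set an early warning system might apply to outgoing wires. It is not the paper’s or any bank’s code; the three rules (first wire to a beneficiary, an amount spike against the prior peak, releases outside business hours), the daily velocity limit, and the sample history are assumptions constructed for the illustration.

```python
"""Transaction-level early warning for outgoing wires. Each wire is scored
against the client's own release history and held for a callback when it
looks unusual. Added illustration, not code from the paper or any bank;
the rules, thresholds and sample history are assumptions."""
from datetime import datetime

# Constructed release history for one client (not real data).
HISTORY = [
    {"id": "W-101", "beneficiary": "US-021000021-4455", "amount": 12500.00,
     "released_at": "2008-09-02T10:15"},
    {"id": "W-102", "beneficiary": "US-021000021-4455", "amount": 11800.00,
     "released_at": "2008-09-16T11:02"},
    {"id": "W-103", "beneficiary": "GB-BARCGB22-7781", "amount": 40000.00,
     "released_at": "2008-09-30T15:40"},
]

BUSINESS_HOURS = (8, 18)   # local hours in which releases are expected
SPIKE_FACTOR = 3.0         # more than 3x the prior peak to a payee is unusual
DAILY_VELOCITY = 3         # more wires than this in one day is unusual


def screen_wire(wire: dict, history: list) -> list:
    """Return the warning reasons for one wire; an empty list means clean."""
    reasons = []
    prior = [h for h in history if h["beneficiary"] == wire["beneficiary"]]
    if not prior:
        reasons.append("first wire to this beneficiary")
    else:
        peak = max(h["amount"] for h in prior)
        if wire["amount"] > SPIKE_FACTOR * peak:
            reasons.append(f"amount {wire['amount']:.2f} exceeds "
                           f"{SPIKE_FACTOR:g}x prior peak {peak:.2f}")
    when = datetime.fromisoformat(wire["released_at"])
    if when.weekday() >= 5 or not (BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]):
        reasons.append("released outside business hours")
    day = wire["released_at"][:10]
    same_day = sum(1 for h in history if h["released_at"][:10] == day) + 1
    if same_day > DAILY_VELOCITY:
        reasons.append(f"{same_day} wires on {day}")
    return reasons


def disposition(wire: dict, history: list) -> dict:
    """Apply the paper's response: release a clean wire; hold an unusual one
    and call the client back. The callback must go to a contact number
    already on file, never to a number supplied with the instruction."""
    reasons = screen_wire(wire, history)
    return {"id": wire["id"],
            "action": "hold_and_callback" if reasons else "release",
            "reasons": reasons}


def screen_batch(wires: list, history: list) -> list:
    """Screen wires in order. Only released wires join the working history,
    so a held wire neither establishes a payee relationship nor raises the
    peak, but a burst of releases in one day is still counted."""
    results, seen = [], list(history)
    for w in wires:
        r = disposition(w, seen)
        results.append(r)
        if r["action"] == "release":
            seen.append(w)
    return results


if __name__ == "__main__":
    # Constructed wires for a demonstration run (not real data).
    todays_wires = [
        {"id": "W-104", "beneficiary": "US-021000021-4455", "amount": 13000.00,
         "released_at": "2008-10-07T09:30"},
        {"id": "W-105", "beneficiary": "UA-300335-9912", "amount": 95000.00,
         "released_at": "2008-10-11T02:10"},
    ]
    for r in screen_batch(todays_wires, HISTORY):
        print(r["id"], r["action"], "; ".join(r["reasons"]))
```

Note that a held wire is deliberately kept out of the working history: if a fraudster’s first wire to a new account is held, a second attempt to the same account must not look like an established relationship.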
Back-door security
Back-door security provides a layer of controls targeted to work closely with front-door and transactional controls. Early detection of fraud is key to minimizing financial loss. If fraud cannot be prevented, it must be caught and reported as soon as possible after the event. It is best practice to integrate back-door controls into the daily work routine. For example:
Bank Fraud Prevention Solutions at a Glance
Used in conjunction with internal controls and initiatives to increase electronic payments, these bank solutions can provide added protection against fraud.
For electronic payments
► Direct deposit. Make payroll, expense reimbursement, dividend, interest, and pension payments directly to employee bank accounts.
► Payroll card. Pay unbanked employees by direct deposit. Employees gain access to payments using a debit card at point-of-sale terminals.
► ACH Debit Blocks and Authorizations. Block ACH direct debits from non-authorized entities.
► ACH Positive Pay. Accept or reject ACH transactions presented throughout the day.
► Corporate card program. Set individual employee spending guidelines and authorization parameters on card purchases such as for supplies, T&E and fleet expenses.
► Prepaid debit card. Replace one-time and recurring check payments to employees and customers.
For checks
► Account reconcilement. Reconcile paid checks to your bank account statement and receive a range of related reports.
► Positive Pay. Automate the matching of your record of issued checks to your bank’s record of presented checks. Choose to pay or return unmatched items. Some bank solutions include additional optional controls that raise a Positive Pay exception, such as a predetermined maximum dollar-value threshold or a stale-dated check.
► Teller Positive Pay. Provide information on issued checks to your bank’s branches to help tellers detect fraudulent checks before encashment.
► Payee Positive Pay. Determine if payee names have potentially been altered by comparing them to the payee names in your issued-check file.
► Reverse Positive Pay. The bank reports the checks presented each day and you decide which to pay or return, without submitting information on issued checks to your bank.
► Check Outsourcing. Integrate checks into the payments file you send to your bank. Outsourcing the printing and mailing of checks brings your paper payments into a production environment with best-practice controls.
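The Positive Pay family above is easiest to understand as one matching routine with optional rules layered on. The block below is an added example for this page, not any bank’s implementation; the 180-day stale-date rule, the optional dollar threshold, the payee normalization, and the sample issued and presented files are all assumptions constructed for the illustration.

```python
"""Positive Pay exception matching: the bank compares each presented check
with the client's issued-check file and the client pays or returns the
exceptions. Added illustration, not any bank's implementation; the stale
date rule, the optional threshold and the sample files are assumptions."""
from datetime import date, timedelta
import re

# Constructed issued-check file sent by the client (not real data).
ISSUED = [
    {"check_no": 1001, "amount": 250.00, "payee": "Acme Supply Co.", "issue_date": date(2008, 9, 1)},
    {"check_no": 1002, "amount": 4800.00, "payee": "Northwind Traders", "issue_date": date(2008, 9, 3)},
    {"check_no": 1003, "amount": 75.00, "payee": "City Water Dept", "issue_date": date(2008, 2, 10)},
    {"check_no": 1004, "amount": 30000.00, "payee": "Fabrikam Inc", "issue_date": date(2008, 9, 20)},
]

# Constructed checks presented for payment on one day (not real data).
PRESENTED = [
    {"check_no": 1001, "amount": 250.00, "payee": "ACME SUPPLY CO"},      # clean match
    {"check_no": 1002, "amount": 4800.00, "payee": "Northwind Traders"},  # clean match
    {"check_no": 1002, "amount": 4800.00, "payee": "Northwind Traders"},  # presented twice
    {"check_no": 1003, "amount": 75.00, "payee": "City Water Dept"},      # stale-dated
    {"check_no": 1004, "amount": 30000.00, "payee": "J. Smith"},          # payee altered
    {"check_no": 1005, "amount": 9999.00, "payee": "Cash"},               # never issued
]


def normalize_payee(name: str) -> str:
    """Compare payee names ignoring case, punctuation and spacing so that
    'Acme Supply Co.' and 'ACME SUPPLY CO' match (Payee Positive Pay)."""
    return " ".join(re.sub(r"[^A-Z0-9]+", " ", name.upper()).split())


def positive_pay(issued: list, presented: list, as_of: date, *,
                 stale_days: int = 180, max_amount: float = None,
                 check_payee: bool = True) -> dict:
    """Return {'pay': [check numbers], 'exceptions': [(check number, reason)]}.

    Rules are applied in order and a check stops at the first one it fails.
    max_amount reproduces the optional threshold control: a matched check
    above it still becomes an exception for the client to review."""
    by_no = {i["check_no"]: i for i in issued}
    paid, pay, exceptions = set(), [], []
    for p in presented:
        no, rec = p["check_no"], by_no.get(p["check_no"])
        if rec is None:
            exceptions.append((no, "no issue record"))
        elif no in paid:
            exceptions.append((no, "duplicate presentment"))
        elif abs(rec["amount"] - p["amount"]) >= 0.005:
            exceptions.append((no, f"amount mismatch: issued {rec['amount']:.2f}, "
                                   f"presented {p['amount']:.2f}"))
        elif check_payee and normalize_payee(rec["payee"]) != normalize_payee(p["payee"]):
            exceptions.append((no, f"payee mismatch: issued '{rec['payee']}', "
                                   f"presented '{p['payee']}'"))
        elif as_of - rec["issue_date"] > timedelta(days=stale_days):
            exceptions.append((no, "stale-dated"))
        elif max_amount is not None and p["amount"] > max_amount:
            exceptions.append((no, f"exceeds threshold {max_amount:.2f}"))
        else:
            pay.append(no)
            paid.add(no)
    return {"pay": pay, "exceptions": exceptions}


if __name__ == "__main__":
    result = positive_pay(ISSUED, PRESENTED, as_of=date(2008, 10, 7))
    print("pay:", result["pay"])
    for no, reason in result["exceptions"]:
        print("exception:", no, reason)
```

Passing `check_payee=False` gives plain Positive Pay (check number and amount only), which is exactly the gap Payee Positive Pay closes: an altered payee on an otherwise matching check would be paid. The default decision for any exception should be “return” unless the client affirmatively approves it before the bank’s cut-off time.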
• Daily review. Controls should include a review of audit logs for suspicious log-ins, monitoring of bank account balances and transaction activity, and daily bank account reconciliation. Frequently review bank account activity online. If you release payments early in the morning, schedule a review of payment activity in the afternoon.
• User administration. User ID and password administration must be responsive to staff changes. This includes revoking credentials immediately for transferred or terminated employees.

Employee education
Given the vulnerability of end users, employee education is mission-critical to fraud prevention. Too often it does not receive enough attention. Human greed and failed prevention measures are the common threads in most cases of fraud. Proper employee training is key to early detection.
Whenever employees gain access to the Internet or email, your organization’s assets and reputation may be at risk. User awareness training—in conjunction with Internet usage policies—is an important element of employee training. Training is less effective when it is too general or high level. It must be tailored to the audience—including citing specific examples and relevant case studies—and reinforced over time. Accountability should be enforced by measuring results as part of an employee’s annual performance review.
Examples of Using Specificity in Employee Training
Specificity strengthens the impact of employee training. Important doesn’t necessarily mean complex. Simple, straightforward examples can be the most powerful for employee training. Here are some ways in which you can cite examples or case studies:
► Show employees how to recognize threats and convey the consequences of those threats.
► Be explicit about what to look for to identify a malicious email.
► Regular reports of new threats, and statistics on how many viruses have been caught within your organization, can help raise security awareness.
► Teach tricks that help with memorizing passwords, as a deterrent to writing them down where they can be compromised. For instance, build a password from the first letter of every word of a phrase (e.g., “My son is 5 years old on June 4th” becomes Msi5yooJ4). Choose a phrase long enough that the result is well beyond eight characters, and treat any password as a single layer, to be combined with the tokens and other authentication tools your bank offers.
Explicit Instructions to Convey to Employees
► Never turn off security protection on your computer.
► Keep passwords in a secure place. Do not share them with co-workers.
► Do not use your personal computer for company business.
► Do not connect to the Internet through untrusted wireless networks (e.g., WiFi from a café).
► Forward suspicious emails to the company’s designated email account (include the email address).
► Stay current with security software updates.
► Never give your business email address to a Website.
► Open only identifiable attachments from known sources. Financial institutions and government agencies will never ask you by email to enter personal data such as passwords, SSN, or account numbers.
Bank Solutions
Best-practice organizations combine the use of strategic initiatives to increase electronic payments with tight internal controls and bank solutions to reduce exposure to payment fraud.
Paper-to-electronic (P2E) migration is a key fraud-fighting strategy. The growth in check fraud has far outpaced that of electronic payment fraud. According to the 2008 AFP survey, 90% of respondents reported increased check fraud compared to 16% reporting more ACH fraud.
Examples of internal controls that complement bank solutions include: daily reconciliation, segregation of duties, bank account segregation (e.g., by payment type), timely return of potentially fraudulent payments, and online security controls. A restriction on posting checks to depository accounts also can be useful, since depository accounts can be a target for check fraud.
Banks as Advisors on Best Practices
Banks already use best practices in their operating environments, including integrating the latest advances in online security. Banks should take a consultative role in sharing these best practices with clients—including education on improving fraud prevention, detection and resolution.
Bank of America is incubating a number of ideas related to client education and best practices. For example, just as banks engage in risk assessments, they could develop risk profiles for their clients based on conducting a security assessment, built on what the bank considers to be best practice in systems and operational controls.
Getting Started
At the end of this white paper we have included a few appendices: lists of best practices and a quick self-assessment. These tools are meant to spur further reflection and discussion within your organization. We look forward to continuing the dialogue with you on this important topic.
Appendix A. Checklist of Best Practices in Online Controls
The following basic controls are best practices often overlooked:
► Maintain high standards around password management—a basic line of defense.
► Deactivate user IDs of employees that are no longer working in the company.
► Don’t recycle IDs.
► Don’t ignore password reset notifications.
► Keep email accounts up-to-date and cancel email accounts that are attached to old IDs.
► If you suspect an ID has been compromised, deactivate it immediately; do not simply change the password and continue to use it.
► Use dual administration for entitlements and dual approval for payment release (e.g., for ACH, wires, Positive Pay).
► Segregate responsibilities of payment duties for initiation, approval and release.
► Use different machines to initiate and approve transactions.
► Review transactions before releasing them to your bank for processing.
► Review transactions initiated on a daily basis, using audit logs and reports.
► Use all multi-factor authentication tools offered (e.g., tokens, digital certificates, and registration of PC print).
► Evaluate job functions and remove unnecessary online applications.
► Establish different payment transaction limits for employees based on job levels and responsibilities.
Appendix B. Employee Education: Best Practices in User Awareness Training
There is an inverse relationship between the amount of user training and the number of successful fraud attacks: the more training employees receive, the fewer attacks succeed.
The following list highlights some best practices:
► Don’t assume employees understand email and Internet risks. The courts appreciate policies based on best practices and supported by mandatory enterprise-wide training and enforcement through disciplinary action.
► Don’t rely only on your company’s email or intranet to inform employees of email and Internet policies and procedures. Distribute a hard copy of the policies to every employee. Require employees to sign and date each policy.
► Set rules for personal Internet usage. Specify how much Web surfing is allowed, when and with whom it is permitted, and under what circumstances.
► Ensure that employees understand policies towards monitoring their computer activity and that violations of corporate email and Internet policies are enforceable through disciplinary action that may include termination.
Appendix C. Two-Minute Self-Assessment on Best Practices
Front-door security
► Do you or your team use workarounds to streamline access to your bank’s portal or online applications (e.g., group sign-on with shared passwords)? Or leave passwords lying around, like a set of keys to your office?
► Do you have an IT department, or a security firm you outsource to, that ensures all PCs used for your cash management activities have the security basics deployed, are not operating on unprotected networks, and are not used by other individuals?
Transactional controls
► Does your company use dual administration and mandate dual approval and segregation of responsibilities for payment activities, including template creation?
► Does your organization use all authentication tools offered (e.g., tokens and digital certificates), and encourage your employees to register their computers?

Back-door security
► Is a review of audit logs and bank account activity part of your department’s daily routine?
► Does your user administrator respond immediately to changes in an employee’s job requirements by making the necessary changes to user entitlements?
Employee education
► Do you have a formal employee education process—with user awareness training designed for specificity—for online security and fraud prevention?
► Do all employees receive hard copies of all Internet policies and procedures? Are they required to sign and date each policy?
Bank solutions
► Is increasing electronic payments one of your strategic initiatives?
► Are you using all of the available bank anti-fraud solutions?
This article contains suggestions only, and is not meant to substitute for your own internal procedures which are appropriate for your company. This information is not legal or tax advice. You may wish to consult your own legal and/or tax advisors to discuss your company’s needs.