Automated Clearing House and wire transfers are increasing but so is fraud in these transactions. All a fraudster needs is an account number and a bank-routing number. Here are ways to prevent and fight these lucrative crimes.
Lori was a specialist in the Automated Clearing House (ACH) and wire transfer department at a mid-size bank. One day, she spotted a glitch in the web-based system the bank used to send and receive wire transfers, so she immediately logged off and notified her supervisor. However, it was too late; $3 million in aggregate wires had been sent from one of the bank's top-tier customer's accounts to an account at another financial institution.
In this actual case, the supervisor and Lori (not her real name) called the system provider together and verified that the funds had been sent. They quickly switched to their older wire system that wasn't web-based, notified the customer, credited the account and began to investigate.
The bank eventually determined that an employee's computer had been infected with malicious software, which allowed the fraudster to initiate the attack from an external site and send the wires.
ACH transfers increased nearly 11 percent per year from 2000 to 2010. (See the 2011 Report to the Congress on the Use of the Automated Clearinghouse System for Remittance Transfers to Foreign Countries, from the Board of Governors of the Federal Reserve System.) ACH and wire transfers were once considered low-risk, but fraud is increasing at an alarming rate because of greater accessibility, popularity, relative anonymity and poor economic conditions, according to Detecting and Deterring ACH and Wire Transfer Fraud, in the Industry Insights blog by Christine Meyers, Sept. 30, 2011, Bank Info Security.
Individuals, businesses and banks of all sizes in all geographical areas are at risk. However, the primary targets include small- to medium-size banks, businesses, schools and similar organizations. They often have less security infrastructure or rely on traditional security systems and legacy applications, which make them "soft targets," according to Meyers in her Bank Info Security blog.
Some of the most common ways to commit this fraud are through phishing, account hijacking, ACH kiting and social engineering. We'll examine all of these areas plus how to prevent this fraud through IT, bank customer best practices, and improved bank policies and procedures.
A simple wire transfer is one of the fastest ways to send money to a recipient bank account. Although sometimes a transfer might take days, it normally only takes minutes because the transfer is sent directly to a receiving bank rather than through a clearinghouse as with an ACH transfer.
Both sending and receiving banks will notify customers when transactions are complete. Customers can initiate wire transfers with cash through providers such as Western Union or MoneyGram. However, the transfers are more risky because the providers don't notify senders and recipients.
Wire transfers are more expensive than ACH transactions because more people at financial institutions are involved. (See Difference Between Wire Transfer and ACH, by Miranda Marquit, DepositAccounts.com.)
According to Marquit, ACH transactions are the sort you make when you pay bills online or when you use your debit card. During a bank ACH transaction, an employee inputs information into the system to begin a transfer. The bank sends the transfer with others in a large batch to a clearinghouse, which then forwards the information to a receiving bank to complete the transfer. The funds aren't available as quickly as with a wire transfer because of the extra clearinghouse intermediary stop.
According to the National Automated Clearing House Association (NACHA), 21 billion ACH transactions were initiated in 2013 totaling $38.7 trillion, which translates to about 665 transactions per second averaging $1,845 each.
These numbers represent a steady annual increase in the number of ACH transactions. In fact, Meyers, in her Bank Info Security blog, cites NACHA statistics of approximately 18.2 billion ACH transactions totaling $30 trillion in 2008, up from just 4 billion ACH transactions totaling $10 trillion in 1996. In 2012, the Clearing House Interbank Payments System reported settling approximately $1.5 trillion in wire transfers daily, both cross-border and domestic.
The growing number of organizations affected by ACH and wire transfer fraud attacks is just as drastic as the growing number of these initiated transfers. The 2014 Association for Financial Professionals (AFP) Payments Fraud and Control Survey reports that payment fraud from ACH debits in 2013 affected 22 percent of responding organizations (down from 27 percent in 2012), while payment fraud from ACH credits in 2013 affected 9 percent (up from 8 percent in 2012) and payment fraud from wire transfers in 2013 affected 14 percent (up from 11 percent in 2012).

Meyers writes that losses from successful ACH and wire transfer fraud attacks average $100,000 to $200,000 per victim. Further, 12 percent of organizations that were victims of ACH fraud during 2012 suffered a financial loss as a result of such fraud, according to the 2013 AFP Payments Fraud and Control Survey. The 2013 American Bankers Association Deposit Account Fraud Survey revealed that ACH and wire transfer fraud cost the industry approximately $157 million in losses in 2012.
With all of the fraud risks associated with ACH and wire transfers, it's no surprise that regulators, businesses, banks and consumers are seeking ways to prevent and detect such frauds.
This fraud has become much simpler for fraudsters to commit over the years because all they need is an account number and a bank-routing number, according to ACH fraud: Why criminals love this con, by Joan Goodchild, Aug. 16, 2010, CSO.
Fraudsters often use phishing emails to trick potential victims into opening attachments, which install keylogging software or Trojans on their computers that log keystrokes and steal bank account passwords. More complicated schemes use mules, or hired accomplices, through work-at-home schemes to move funds on behalf of fraudsters to their overseas accounts.
A classic example of account hijacking, described by the U.S. Federal Deposit Insurance Corporation (FDIC), occurs when a fraudster uses phishing techniques to commit fraud. The fraudster sends a deceptive email to a customer stating that he or she can correct a supposed problem with the customer's account by clicking on a hyperlink. Unfortunately, that click takes the customer to a bogus website that resembles the financial institution's website. The customer logs in with his or her user name and password, both of which the fraudster captures. The fraudster then accesses the customer's online banking account to steal the customer's funds via an initiation of a fraudulent ACH or wire transfer. (See the FDIC's Putting an End to Account-Hijacking Identity Theft.)
ACH kiting, which is similar to check kiting, is an unusual but devastating kind of fraud. It involves a pair of fraudulent accounts in which an ACH debit is originated from one account and drawn on the other, with the available balance taken out before settlement, according to Payments Fraud: How it Happens And What You Can Do To Protect Your Organization, a J.P. Morgan Treasury Services publication.
Another scenario, according to the J.P. Morgan publication, involves the bogus company originating debits from other business accounts, which then credit the bogus company's account. The bogus company now has what appears to be a large credit on its account, which it withdraws immediately. Once the victim company notices the debits on its accounts and questions the bank, it's too late to return the money. The bank suffers monetary losses from reimbursing the victim company.
Fraudsters also can use social engineering (psychological manipulation to make people perform actions or divulge confidential information) to gain access to victims' computers to install software. For example, a fraudster might call a business employee and claim to be an IT employee to gain access to his or her computer on which the fraudster could then install spyware or keystroke loggers. Fraudsters might also use social engineering to convince bank employees that the fraudsters are customers. (See the breakout session of SIFMA's January 2014 Anti-money Laundering & Financial Crimes Conference, Latest Trends in Cybercrime: the Impact on our Industry and AML.)
Banks should help mitigate ACH and wire transfer fraud by setting limits and reviews on ACH and wire transfers, utilizing verification techniques, educating customers and running employee awareness training programs.

Banks should utilize IT to create a safe, online banking environment. They can use the layered security of multiple controls in account administration, including requiring additional identification prior to implementing changes and notifying a customer via telephone or email immediately after implementing an administrative change, according to the Texas Bankers Electronic Crimes Task Force's Best Practices Reducing the Risks of Corporate Account Takeovers.
The online banking system also should have a screen display that shows a customer the number of failed login attempts since a prior successful attempt and the date and time of the last login. Other best practices, according to the Texas Bankers Electronic Crimes Task Force, include out-of-band verification of ACH and wire transfers initiated, policies to address potentially compromised customer equipment, dual customer authorization through different access devices, and enhanced challenge questions and security requirements.
Internally, banks also should implement effective IT controls to mitigate ACH and wire transfer fraud. They should ensure effective firewalls and processes to evaluate, monitor, and validate firewall settings. At least every month, they should ensure their patches are effective to stave off security vulnerabilities. And, according to the Texas bankers, they should update anti-virus and anti-malware programs frequently, utilize strong authentication tokens for extra security, and initiate and submit ACH and wire transfers via dedicated and isolated machines.
Even though Internet users should have a reasonable expectation of privacy prior to logging into a website, they must still take precautions. Bank customers, of course, should never respond to emails or popups by divulging personally identifiable information, open attachments in unsolicited emails or click on links in bulk emails.
Bank customers should designate a single computer in households for online banking and install separate browsers for online banking. They should close all other browser tabs when banking online. When they're done they should log off online banking and close the browser, according to ACH & Wire Transfer Fraud: Protect Your Business, at MySECURITY Awareness.com.
Customers also should monitor and reconcile their accounts daily and immediately report any unauthorized transactions to their banks. They should never use their online banking passwords for any other online accounts and avoid using automatic login features that save usernames and passwords, according to the MySECURITY Awareness.com article. Also, they should never share their usernames and passwords with anyone and should share account numbers only with legitimate vendors for online payments. Customers also never should access their online banking accounts on public computers or at Internet cafes, according to MySECURITY Awareness.com.
Obviously, financial institutions should train staff to spot fraud. They should have strict "know-your-customer" policies. ACH and wire transfer employees should be able to recognize abnormal conditions.
For example, at Lori's bank, in another case, a fraudster hijacked a commercial customer's in-process online banking session and initiated an ACH payroll file to pay himself from the business' funds. The first letters of the first names of most of the receiving employees in the file were capitalized and the rest of the letters in each name were lowercase — a standard procedure. Most of the paycheck amounts were reasonable (not extraordinarily high) and for odd-dollar sums because of withholding taxes and other deductions.
However, one of the payee names was entered in all capital letters, for an unusually high-dollar, rounded amount that didn't appear to include any deductions. Of course, the payee was a fraudster.
Also, banks should train employees to ask for full account numbers and authentication through challenge questions when supposed customers want to transfer funds over the phone, according to Four Steps for Fighting ACH Fraud, by Tracy Kitten, April 27, 2012, Bank Info Security.
At Lori's bank, only customers with wire agreements could initiate funds transfers over the phone. The bank periodically gave them specific, complex PINs that bank employees would verify.
ACH and wire transfer specialists should have a limit on how much they can transfer and require that all requests above those limits obtain approval. Banks should place wire transfers of funds to overseas accounts on hold to give institutions time to verify authenticity.
Banks also should consistently update their employee PCs with the latest versions of anti-malware and anti-virus software. They should remember that some low-tech methods can still be effective antifraud methods, according to Kitten. For example, banks might require that corporate customers send follow-up faxes to verify any funds transfer requests.
Banks, especially larger institutions, should offer options to customers to help prevent fraudulent transfers. ACH debit block stops debits from posting to customers' accounts based on the criteria they select. For example, they can block all ACH debits greater than a certain amount or debits from a certain company or organization. Once they select the criteria, ACH debit block works automatically.
ACH transaction review allows customers to review and confirm ACH debit and credit transactions that post to their accounts case by case. Customers can decide those transactions they want to review by filtering for any combination of debits and credits, company IDs, dollar amount and transaction types. Once filtered, a customer can determine if transactions are authorized and return any that aren't, according to Mitigate Payments Fraud information on Chase's site.
Banks should also require customers to set limits on ACH transactions by ACH file type (such as payroll, payments to vendors and monthly dues), full amount of the ACH file and amount of each entry within the ACH file. Lori's identification of the fraudulent payroll file actually required the bank to review the file because the amount of the individual fraudulent entry and the full amount of the file exceeded the limits set by the customer. This control required a cash management specialist at the bank to review the file before it was sent to the Federal Reserve to spot any inordinate entries and contact the customer to resolve the issue.
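The review described above (customer-set per-entry and full-file limits, plus the name-casing and rounded-amount anomalies from the payroll case) can be sketched as an automated pre-release check. This is an added example, not code from the article or from any bank's system; it works on already-parsed entries, and the function name, thresholds and sample batch are constructed assumptions.

```python
from statistics import median

# Constructed sample payroll batch: (payee name, amount in cents). Not real data.
SAMPLE_BATCH = [
    ("Alice Nguyen", 184523),
    ("Robert Hale", 201877),
    ("Maria Lopez", 176342),
    ("Dev Patel", 193408),
    ("JOHN SMITH", 950000),
]

def review_payroll_file(entries, entry_limit, file_limit, outlier_factor=3):
    """Return (hold_file, findings) for a batch of (name, cents) entries.

    findings is a list of (name, cents, reasons). The file is held for manual
    review when the customer-set per-entry or full-file limit is exceeded.
    """
    if not entries:
        return False, []
    amounts = [cents for _, cents in entries]
    typical = median(amounts)
    # Dominant naming style in this file: are most names NOT all capitals?
    mostly_mixed_case = sum(not n.isupper() for n, _ in entries) > len(entries) / 2
    findings = []
    over_entry_limit = False
    for name, cents in entries:
        reasons = []
        if mostly_mixed_case and name.isupper():
            reasons.append("name casing differs from the rest of the file")
        if cents % 100 == 0:
            reasons.append("whole-dollar amount, no visible deductions")
        if cents > outlier_factor * typical:
            reasons.append("amount far above the file median")
        if cents > entry_limit:
            reasons.append("exceeds per-entry limit")
            over_entry_limit = True
        if reasons:
            findings.append((name, cents, reasons))
    hold_file = over_entry_limit or sum(amounts) > file_limit
    return hold_file, findings

if __name__ == "__main__":
    hold, findings = review_payroll_file(SAMPLE_BATCH, 500_000, 1_500_000)
    print("hold for review:", hold)
    for name, cents, reasons in findings:
        print(f"{name} ${cents / 100:,.2f}: " + "; ".join(reasons))
```

The casing and whole-dollar signals are weak on their own and only annotate the entry for the reviewer; the hold decision rests on the limits the customer set.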
Banks should educate customers about other protective features such as funds transfer limitations and automated payment filters. They should recommend that customers daily reconcile all banking transactions.
Also, banks should recommend that customers initiate ACH and wire-transfer requests under dual control, which means that the customer establishes a transaction originator and a separate transaction authorizer — two different people, according to 24 Tips to Avoid ACH Fraud, by Linda McGlasson, May 10, 2010, Bank Info Security.
ACH and wire transfers are among the simplest and most convenient ways to transfer funds between bank accounts. These transfers can be extremely risky if banks don't take appropriate precautions. When financial institutions understand how ACH and wire transfer fraud is committed, they can understand how to prevent attacks through IT measures, identifying best practices, and implementing and monitoring those policies and procedures.
Stephanie Davis, CFE, is an audit associate at KPMG in Omaha, Nebraska.
Jack Armitage, Ph.D., CFE, CPA, is the Distinguished Alumni Accounting Professor in the Department of Accounting at the University of Nebraska at Omaha.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to FraudMagazine@ACFE.com.