Check fraud hits home

A week before I left for the Association of Certified Fraud Examiners’ (ACFE) 35th Annual Global Fraud Conference in Las Vegas, I received an innocuous text, purportedly from my bank, asking if I’d written a particular check. The text included a link to the check in question. I couldn’t remember the last time I’d written a check, and I wasn’t about to click on that link. My Certified Fraud Examiner (CFE) safety sense was tingling, and I went to the source — my banking app — to check for any suspicious activity or any messages related to the suspect check. No checks were pending, no alert messages were in my inbox, and I felt assured that I performed my due diligence. That night, as I lay in bed checking my phone one last time, I saw an email from my bank asking the same question as the text message.

Again, I wasn’t clicking on any provided link. So, back to my banking app I went. And there it was in my activity, the purloined check (see Figure 1 below) — made out to a real business from a fake business for more than $500. I contacted the fraud department through the phone number provided by my app, and although it was late, a wonderful woman who easily spotted the fake check helped me. The name on the check wasn’t mine, and I had a personal account, not a business account. She restricted my account and told me the next steps I needed to take to open a new account.

Figure 1

Not long ago, I explored the extensive history of check fraud. As I reported previously, check fraud has surged significantly in recent years, with nearly 680,000 cases reported to the Financial Crimes Enforcement Network in 2022, up from 350,000 in 2021. (See “Checks continue to be an attractive vehicle for fraud,” by Laura Harris, CFE, Fraud Magazine, March/April 2024.) Authorities attribute the increase to organized crime targeting checks, particularly through the mail. The U.S. Postal Inspection Service reported more than 300,000 mail theft complaints in 2021, more than double the previous year. (See “Cases of check fraud escalate dramatically, with Americans warned not to mail checks if possible,” by Ken Sweet, AP, June 12, 2023.) Check fraud and check washing are more often associated with mail theft. The U.S. Postal Service reported in late 2023 that its postal inspectors “recover more than $1 billion in counterfeit checks and money orders every year.” (See “Check Washing,” U.S. Postal Inspection Service.) At the same time, fewer Americans are writing checks.

Given the dwindling use of checks in the burgeoning digital age, why does check fraud continue to plague us? I’ll explore this quandary here and provide steps that businesses can take to help prevent fraud and limit exposure of personally identifiable information (PII).

Fake checks in the family

I was relaying my check fraud woes to my family, glad the bank spotted the phony check and relieved to have it processed as fraudulent, when my sister shared that she experienced a similar situation at her local bank. She found a fake check on her account, reported it and had to open a new account (see Figure 2 below). I laughed in frustrated empathy. However, when I mentioned that the check was written to a real business in her state, where I once lived, my sister and I decided to compare the checks. Although they were written to different real businesses by different fake businesses for three-figure amounts, they were signed by the same name in different handwriting styles.

Figure 2

The cost-to-benefit ratio didn’t favor pursuing the perpetrator for either bank, but the connection was undeniable. I hadn’t lived in this location in more than three years, and I hadn’t written a check in more than a year. My sister and I realized we’d both written checks to the business of a friend whose trash had recently been stolen. The story unfolded in my mind: A small business conducts spring cleaning and purges outdated records and documents that contain important personal information.

I wish I could say the story ended there, but life often enjoys one last laugh. Vigilant as ever, my sister found a second bogus check attempting to clear her fresh, new bank account for several times more than the first fraudulent check. She promptly informed her bank that it was trying to pass the fake check on the closed account. In the end, no money left anyone’s account, but it remains clear that fraudsters are going to push the limit of what they can get away with. Unfortunately, that means we bear the burden of remaining vigilant in our personal and professional lives.

Businesses contend with check fraud

The problem of check fraud lingers in the digital world. Is the answer to stop writing checks? Some businesses are making the decision for all. In July, retail giant Target ceased accepting personal checks due to their declining usage. Target will continue to accept other payment methods, including digital options, cash and cards. This change follows a broader trend among retailers, with Aldi and Whole Foods also rejecting checks. (See “Target will stop accepting this old-school form of payment,” by Erika Tulfo, CNN, July 10, 2024.)

Payment policy changes among retailers, grocery store chains and other  businesses come at a time when check fraud is a significant concern. The number of checks processed by the Federal Reserve has dropped significantly over the years — from 18.1 billion in 2015 to 11.2 billion by 2021. As noted earlier, check fraud cases have surged. (See “Federal Reserve Payments Study,” Board of Governors of the Federal Reserve System, 2022.) A recent survey of more than 500 treasury professionals indicates that checks are indeed a vulnerable payment method, with 65% reporting that their organizations were victims of check fraud last year. Despite the high rate at which checks are a frequent target of payments fraud, 70% of organizations currently using checks don’t plan to discontinue using them within the next two years. (See “2024 AFP Payments Fraud and Control Survey Report,” Association for Financial Professionals.)

In addition to checks, payment cards and money apps, lauded for their speedy transactions and convenience, aren’t immune from fraud. With just one click, your mobile app payment is gone into the ether. Maybe you sent money to a scammer or the wrong person, but the chances of getting your money back aren’t favorable. In fact, after losing funds to fraud last year, 30% of treasury professionals reported that they were unable to recover any funds. On the other end of the spectrum, 29% managed to recover up to 75% of the lost funds, and 41% were able to recoup more than 75% of the funds lost, primarily through check fraud. (See “2024 AFP Payments Fraud and Control Survey Report,” Association for Financial Professionals.)

Preventing check fraud

The type of PII found on checks is catnip for fraudsters. Small businesses should take precautions when disposing of any sensitive information, whether their own or that of their customers and vendors. Shredding or burning documents has been a reliable way to destroy information. Pulping, another option, involves soaking the paper for 24 hours in water (and bleach if desired) and muddling the paper by hand or with a tool to ensure the complete breakdown of the material.

Any paper that contains bank information is sensitive, but other types of information should be closely guarded, including:

• Purchase orders, including errors and duplicates.
• Packing lists, customer invoices, order confirmation and any copies thereof.
• Human resources records, such as payroll and personnel files.
• Financial statements and reports.
• Business development, marketing, strategic planning and budgeting documents.
• Contracts and printed emails.

Disposing of sensitive digital data might pose a bigger inconvenience. Deletion sounds straightforward enough, but simply deleting electronic recordings isn’t the same as destroying them. Deleted information can be recovered by those who know how and where to look. In addition, digital shredding, or wiping, overwrites the data. Degaussing uses a strong magnetic field to rearrange the structure and data of magnetic storage devices, such as hard disk drives. It might take a few attempts to destroy all records. Degaussing won’t work on nonmagnetic devices, such as solid state drives or USB flash drives. Physical destruction can offer a cathartic cleanse and render a device unreadable.

It may seem counterintuitive to add one more page to the record book, but keeping a disposition log may help keep track of what’s been archived, moved or destroyed. Knowing when particular records were properly disposed of and having supportive evidence of the secure destruction may prove valuable. Providing an organized and logical system for archiving and destruction can help ease the burden of handling PII.

Many laws govern larger companies and industries that handle PII. In 2005, the Federal Trade Commission’s (FTC) Fair and Accurate Credit Transactions Act (FACTA) went into effect and stated that any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule. The rule protects against “unauthorized access to or use of” information in consumer reports and records. (See “FACTA Disposal Rule Goes into Effect June 1,” FTC, June 1, 2005.) Additionally, many financial institutions are subject to the Disposal Rule and the FTC Safeguards Rule, which requires institutions to take steps to protect sensitive customer information. (See “FTC Safeguards Rule: What Your Business Needs to Know,” FTC, May 2022.)

Fraudsters will take advantage of any opportunity to obtain PII. When it comes to any type of fraud, take nothing for granted. Although you might not be able to control what happens to your payment after it has left your account, you can monitor your account regularly. You can choose with whom you do business. You can ensure your business, employees and clients correctly and securely dispose of PII. You can advocate constant financial vigilance, know-your-customer and know-your-business processes, and conduct ongoing fraud risk assessments. Train employees on what fraud is, how to spot it and why it matters. Educate them on the proper process to report concerns. Keep those resources active and available to continue detecting fraud.

Laura Harris, CFE, is a senior research specialist for the ACFE. Contact her at LHarris@ACFE.com.