Pandemic Plans: How Is Your Fraud Mitigation Evolving?

We are living in unusual times. And when normal processes change, it opens the door for bad actors to get involved.

One simple example: Many offices are now empty, so we are seeing a rise in mail theft. Fraudsters are stealing unmonitored business mailboxes, going through the material, and using it to gather sensitive information that can be used to commit scams.

Or, as another example, imagine a parent trying to put in a full day of work, while his two children are in the room next door. While remote schooling is supposed to be orderly, in this instance, it frequently turns into loud arguments that require parental refereeing. A frazzled parent is ripe for a social engineering attack.

Fraudsters are well aware of this shift to a virtual office environment: for example, we’ve seen an explosion of ransomware attacks – they were up 25% in the first quarter of 2020.¹

COVID-19 and Evolving Fraud Mitigation

Another effect of the pandemic is a change in customer habits. As many more payments are made remotely, or online, spending habits are falling outside of typical patterns. More companies and individuals are buying in bulk or buying different products than they normally do. Or they are using new payment methods. When many atypical requests are legitimate, it becomes easier for a fraudster to slip an illegitimate request past a monitoring system.

And, as mentioned, the unexpected transition to remote work is no small matter. For many companies, their employees are now unable to confirm in-person with colleagues about a request for payment; they are also more likely to be distracted at home. Employees may be skipping steps in their company approval procedures to make their personal workload lighter. And, because remote employees are working in an unmanaged environment, they may not have the necessary IT safeguards on their devices and network.

This less regulated environment leaves you and your employees more susceptible to business email compromise (BEC). This is when a criminal gets access to a company’s network via email phishing and watches your company’s typical communication patterns for weeks or months, so that they can create invoices or other requests for payment that seem legitimate and match usual patterns, fonts, and logos – and come from what appears to be a known recipient.

The result of BEC is most often someone posing as a known vendor who is changing their payment instructions. That way, when a legitimate invoice is being paid, it goes to the fraudster’s account. Other times, we see BEC as someone posing as an internal supervisory colleague in an email, requesting an immediate payment somewhere – that payment, of course, actually ends up in a fraudster’s account.

In the U.S., there were $2.1 billion in actual losses from BEC scams between January 2014 and October 2019.¹ And 61% of those who reported actual or attempted fraud in 2019 cited BEC as the source.¹ Worse still, these attempts seem to be increasing during the pandemic. We recommend developing a fraud monitoring system tailored specifically for the challenges of doing business in this environment.  

With the pandemic in full force, you should also be aware of the rise of first-party fraud – in other words, formerly legitimate customers who are facing hard choices and are willing to bend the rules or create deception in their favor.

A Rise in Credit Card Fraud

Before we dive into credit cards, let’s be clear: the less paper and physical material you can use when making a payment, the better. Checks have historically been – and continue to be – the biggest fraud target, with 70% of businesses reporting attempted or actual payment fraud via check in 2018.²

By comparison, in 2018, only 29% of businesses reported attempted or actual payment fraud via credit or debit card.² And ACH Debits and Credits came in at 33% and 20%, respectively.² When it comes to payments, digital is by far the safest. However, you should be diligent about monitoring all forms of payment.

During the pandemic, we are seeing an overall increase in credit card fraud, particularly account takeover. Account takeover is when a criminal gains access to an individual’s login credentials, and changes key information, such as an email address or physical address, and begins using the account as their own while the victim is unaware of the change. In recent years, fraudsters have often been able to access the second step of a two-step verification process, meaning the victim does not receive the usual account change notifications.

As a business, you need to monitor all credit card transactions to make sure payments are as they should be. You should also reconcile your statements regularly – ideally daily. Businesses have only two business days to dispute and return an electronic transaction, including those via credit card. 

You read that right. While individual consumers have 60 days to report fraud and have losses protected, businesses, in contrast, only have two business days. When you are monitoring your transactions, typically you are reviewing those that happened as of the close of business the day before. Therefore, you have only that business day to seamlessly report. That is why regular reviewing of accounts is crucial to catching a first attempt at fraud, before it costs you substantial money.

Next Step: Review Your Fraud Mitigation Protocols and Plan

You need to have a disaster mitigation plan in place. This is a team effort. You will want to have your attorney, your accountant, your banker, and your insurer all at the table. Your executive leadership team needs to be there, as does your IT team.

A lack of a disaster recovery plan – and a lack of fraud mitigation protocol – can leave your business reeling. For example, even if you have a cybersecurity insurance, you only have 30 days from the event to report it. Yet, despite the growing importance of remote work, 56% of companies have no plan in place if they are a victim of a cyber breach.³ Does this describe your business? 

Do you have a system in place to identify attacks? Is your monitoring system effective? Fraudsters are constantly evolving – are you? The average loss from one fraudulent item is $23,100 – fraud is no small matter.³

If you suspect fraud, alert your bank immediately. We can help. In 2018, American banks prevented $22.4 billion in attempted fraud, or $9 out of every $10 of attempted fraud.⁴

If you are unsure of where to get started, reach out to your Treasury Management team at your local bank. They can help you review your current practices and suggest improvements, as well as products and services designed to keep your business safe. At Old National Bank, we are always happy to help.

 

Endnotes

1. “Combating Fraud in a Remote Working Environment.” Association for Financial Professionals (AFP) Payment Guide, accessed October 16, 2020.

2. AFP Payments Fraud & Control Survey, accessed October 16, 2020

3. AFP 2019 Risk Survey, accessed October 16, 2020

4. “2019 Deposit Account Fraud Survey.” American Bankers Association, accessed October 16, 2020.