Title: Association of Corporate Credit Unions ACH Fraud Mike Thomas
Association of Corporate Credit Unions: ACH Fraud
Mike Thomas
Agenda
- Unauthorized Transactions
- ACH Kiting
- E-Check Fraud
- Client Social Engineering/ACH Fraud
Unauthorized Transactions
Unauthorized Transactions - Debit
- A dishonest ACH business customer could instruct the financial institution to debit numerous individuals' accounts at various institutions, claiming the individuals had contracted for a good or service when in fact they had not contracted with the business.
- When the transactions start being returned, the business customer disappears.
Unauthorized Transactions - Credit
- A dishonest employee at a good ACH business customer (or a dishonest financial institution employee) could commit fraud by replacing the account numbers of a number of legitimate ACH credit recipients (e.g. monthly payroll) with fraudulent account numbers that the dishonest employee controls.
Unauthorized Transactions - Prevention
- Have strong upfront due diligence procedures before allowing a business customer to process ACH transactions (i.e. know-your-customer, or KYC, type procedures).
- Verify, through callbacks to the ACH business customer, the validity of tapes received for ACH processing.
- Ensure transmissions are scheduled in advance by the ACH customer before processing.
- Have segregation of duties in ACH processing (e.g. segregate preparing files, sending files, performing callbacks, performing reconcilements, etc.).
ACH Kiting
- ACH kiting is similar to an unauthorized transaction scheme, except that the dishonest ACH business customer does not cut and run.
- As ACH items are returned, the dishonest business customer replaces the returned items with new fraudulent items.
- The account balance created by bogus transactions continues to rise over time. The fraud can continue until the perpetrator decides to cash out and disappear, or until the financial institution becomes suspicious. In either case, the amount of fraud can be substantial.
ACH Kiting - Prevention
- Have strong upfront due diligence procedures before allowing a business customer to process ACH transactions (i.e. know-your-customer, or KYC, type procedures).
- Monitor the level of float caused by returned debits.
- Place holds on accounts with high debit reversal activity.
E-Check Fraud
- E-Check is ACH activity that closely resembles paper check transactions, but the transactions are processed electronically. Types of E-Check activity include:
  - Point of Purchase (POP)
  - Re-Presented Check (RCK)
  - Accounts Receivable Check (ARC)
  - Internet Purchases (WEB)
  - Telephone Purchases (TEL)
Point of Purchase (POP)
- A consumer hands a store's cashier a check for payment. The cashier uses a MICR reader to scan and capture data from the check's MICR line and keys in the check amount. The consumer signs an authorization for the check to be converted and receives the check back. The payment is processed electronically through ACH.
Re-Presented Check (RCK)
- A payment that was presented as an ordinary paper check is returned for some reason (e.g. insufficient or uncollected funds). Instead of being re-presented on paper, it is transmitted electronically through the ACH Network as a debit entry. RCK applies only to bounced checks, not to bounced ACH transactions.
Accounts Receivable Check (ARC)
- A consumer mails a check payment to a creditor who has a lockbox arrangement with a financial institution or intermediary. The lockbox provider captures information from the MICR line, enters the non-MICR information (e.g. the dollar amount of the check), and converts the check to an ACH debit entry. The entry flows through the ACH network and is posted to the customer's account.
Internet Purchases (WEB)
- A customer is purchasing an item through a website and the merchant offers a payment option of an electronic debit to a deposit account. The consumer provides authorization, including keying in the routing number and account number, usually from their check's MICR data. The merchant then sends a debit through the ACH network (possibly through a processor) to ultimately debit the consumer's account for the purchase.
Telephone Purchases (TEL)
- A customer calls a company or, in some cases, the company calls the customer. The company offers a debit to a checking account as a way to pay for the goods or services being ordered. If the customer agrees, the customer provides the MICR information from the check and the company sends payment through the ACH network and debits the customer's account for the purchase.
E-Check Fraud
- E-Checks carry many of the same fraud risks that paper checks have (see Deposit-Branch Fraud).
- E-Checks add the risks of speed and anonymity.
- The fraud is enabled by converting the paper payment to electronic form, or eliminating the paper altogether.
E-Check Fraud
- E-Check fraud differs from paper check fraud in the following ways:
  - Fraudulent or nonexistent authorization
  - Denial of otherwise valid authorization
  - No physical document to examine
Example 1: E-Check Fraud
- An individual:
  - Calls a retailer for a purchase
  - Authorizes a telephone transaction
  - Receives proper notice of the authorization
  - But denies the transaction upon receiving the checking account statement and completes a written statement under penalty of perjury.
Example 2: E-Check Fraud
- An individual:
  - Notices that a certain retailer converts checks at the point of sale and doesn't appear to otherwise have maker (check writer) information.
  - Passes a batch of bad checks at this retailer.
  - The retailer faces challenges tracking down the fraudster without the bounced check.
E-Check Fraud Prevention - ODFI
- Know your corporate/business clients.
- Perform due diligence on each potential and existing customer.
- Calculate risk exposure for each customer.
- Track debit return rates and take prompt action for customers with too-high rates.
- Prosecute originators found to be fraudulent.
E-Check Fraud Prevention - RDFI
- Extend check fraud prevention tools to ACH transactions.
- Encourage customers to be wary of sharing account information with unknown parties.
- Question ACH files with unusually high return rates.
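As an added example (not part of the presentation), the monitoring that the kiting prevention slide and the ODFI/RDFI prevention slides call for, in Python: per-originator debit return rates and the float created by returned debits, with originators flagged for account holds and file review when assumed thresholds are exceeded. The entries, originator names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class DebitEntry:
    originator: str   # business customer that originated the ACH debit
    trace: str        # trace number (constructed)
    amount: float
    returned: bool    # True if the receiving bank returned the debit

# Constructed sample: one originator with heavy returns, two normal ones.
SAMPLE_ENTRIES = (
    [DebitEntry("ACME-SUPPLY", f"T{i:04d}", 1500.00, i < 3) for i in range(6)]
    + [DebitEntry("GOOD-PAYROLL", f"P{i:04d}", 800.00, False) for i in range(5)]
    + [DebitEntry("WEB-STORE", f"W{i:04d}", 200.00, i == 0) for i in range(8)]
)

# Thresholds are assumptions for this example, not a network rule.
RATE_THRESHOLD = 0.15      # fraction of originated debits that came back
FLOAT_THRESHOLD = 4000.00  # dollars of returned debits already credited

def return_stats(entries):
    """Per originator: debits sent, debits returned, return rate, and the
    float (value of returned debits for which the bank gave credit)."""
    stats = defaultdict(lambda: {"sent": 0, "returned": 0, "float": 0.0})
    for e in entries:
        s = stats[e.originator]
        s["sent"] += 1
        if e.returned:
            s["returned"] += 1
            s["float"] += e.amount
    for s in stats.values():
        s["rate"] = s["returned"] / s["sent"]
    return dict(stats)

def flag_originators(entries, rate_threshold=RATE_THRESHOLD,
                     float_threshold=FLOAT_THRESHOLD):
    """Originators whose files should be questioned and whose accounts
    should be held, mapped to the reasons."""
    flagged = {}
    for name, s in return_stats(entries).items():
        reasons = []
        if s["rate"] > rate_threshold:
            reasons.append("high return rate")
        if s["float"] > float_threshold:
            reasons.append("high returned-debit float")
        if reasons:
            flagged[name] = reasons
    return flagged
```

Running `flag_originators(SAMPLE_ENTRIES)` flags only ACME-SUPPLY (3 of 6 debits returned, $4,500 of float); WEB-STORE's single return stays under both thresholds.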
Client Social Engineering/ACH Fraud
Social Engineering
- Social engineering is commonly used to gain sensitive information.
- It may start with gaining trivial information.
- It relies on human nature.
Social Engineering
- Most social engineering is performed via phone and/or by gaining access to a work area.
- Attackers typically pose as a trusted source (e.g. IT personnel).
- What's the risk? The information given could seem trivial but could help the attacker with their next inquiry for information (e.g. providing a high-level manager's name). This is also called nibbling.
An Example Scenario
- Using the IT administrator's name, an attacker poses as the IT administrator or someone working for the IT administrator.
- He then informs the employee that IT noticed a problem with the user's computer.
- He asks the user to perform several functions to gather information, like the computer's IP address.
- The attacker then tells the user that an application needs to be executed on their computer to fix the problem.
Trojan Horse
- Trojan Horse: a malicious program that is disguised as or embedded within legitimate software.
  - Greeting card
  - Picture
- Success depends on human interaction.
  - The attacker counts on the employee opening the email or executing a program.
- What's the risk? The attacker could gain access to the computer network.
Client Social Engineering/ACH Fraud
- Using various techniques (social engineering, Trojan horse, technical hacking, etc.), a con man gains access to a bank client's computer system.
- With this access, the con man uses the bank client's network application to enter the bank's on-line cash management services (e.g. ACH).
- Then, similar to the Unauthorized Transactions - Credit scenario, the con man sends bogus ACH transactions and cleans out the bank client's account/line of credit.
Client Social Engineering/ACH Fraud - Prevention
- With the level of automation at the client site, many banks don't follow the manual processes (e.g. callbacks, scheduled transactions, etc.) that used to be used for authentication.
- To reduce this type of fraud, finding solutions similar to the manual controls is critical.
- To be efficient, banks are looking to automated verification sources (like sending a facsimile) that work outside of the client's computer system.
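As an added example (not the presentation's or Crowe Horwath's code), a release check that applies the manual controls from the Unauthorized Transactions prevention slide to an ACH file, as an automated equivalent of the kind this slide asks for: the transmission must have been scheduled in advance, fall within its window and match the scheduled total, and be confirmed over a channel outside the client's system by someone other than the submitter. The channel names, the schedule record and the two sample files are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

OUT_OF_BAND = {"callback", "fax"}  # channels outside the client's system (assumed)

@dataclass
class Schedule:
    created_at: datetime      # when the customer registered the transmission
    window_start: datetime
    window_end: datetime
    expected_total: float

@dataclass
class Confirmation:
    channel: str              # "callback", "fax", or in-band "web"
    confirmed_by: str

@dataclass
class AchFile:
    file_id: str
    submitted_by: str         # user at the client that sent the file
    submitted_at: datetime
    total_amount: float
    confirmations: list = field(default_factory=list)

def release_failures(f, schedule, now, tolerance=0.0):
    """Control failures that block releasing the file; empty means release."""
    failures = []
    # Control 1: the customer scheduled the transmission before the file arrived.
    if schedule is None or schedule.created_at >= f.submitted_at:
        failures.append("transmission not scheduled in advance")
    else:
        if not (schedule.window_start <= now <= schedule.window_end):
            failures.append("outside scheduled transmission window")
        if abs(f.total_amount - schedule.expected_total) > tolerance:
            failures.append("total differs from scheduled amount")
    # Controls 2 and 3: callback or fax outside the client's system, made by
    # someone other than the submitter (segregation of duties).
    if not any(c.channel in OUT_OF_BAND and c.confirmed_by != f.submitted_by
               for c in f.confirmations):
        failures.append("no out-of-band confirmation by a second person")
    return failures

# Constructed scenario: a pre-scheduled payroll file confirmed by callback, and
# a large file sent through the client's own session and "confirmed" in-band.
T0 = datetime(2024, 5, 1, 9, 0)
PAYROLL_SCHED = Schedule(T0 - timedelta(days=2), T0, T0 + timedelta(hours=4), 52000.0)
PAYROLL = AchFile("F1", "alice", T0 + timedelta(minutes=5), 52000.0,
                  [Confirmation("callback", "bob")])
SUSPECT = AchFile("F2", "alice", T0 + timedelta(hours=16), 250000.0,
                  [Confirmation("web", "alice")])
```

`release_failures(PAYROLL, PAYROLL_SCHED, PAYROLL.submitted_at)` returns an empty list, while the suspect file fails the window, amount and out-of-band checks even though the same customer has a schedule on record.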
Questions?
- Mike Thomas
- Crowe Horwath LLP
- mike.thomas_at_crowehorwath.com
- 404-442-1607