Fraudsters Today Part One: 6 of the Most Common Fraud Types
It’s no surprise that fraudsters are actively trying to infiltrate networks at an alarming rate. It’s common for fraud and cybersecurity attacks to increase during times of change in an organization and attempt to prey on the people most impacted by those changes. The first part of this series focuses on some of the most common types of fraud we’re seeing affect our clients today, along with tips and tools to help stop fraudsters in their tracks.
1. Business Email Compromise (BEC)
A finance director clicked on a link in an email from an unknown travel website, unknowingly exposing the company’s network to an outside attack. The fraudster was then able to infiltrate the secure company network with malware and gain access to the victim’s email account. Using the victim’s account, the fraudster sent an email to treasury asking for an urgent wire transfer to the fraudster’s account. Since it came from a real email address, the employee who received the request had no way of knowing it was fraudulent and processed the wire transfer to help the finance director complete this “urgent request.”
Prevention Tips
- Training: Ensure your staff is properly trained to recognize the signs of an attack, most notably phishing schemes, and to understand what steps to take.
- Be cautious: Take precautions when posting information online or to social media about senior staff on vacation or away from the office, including the CEO or CFO.
- Verify: Implement a two-step verification process for wire transfer payments, and consider making the approver someone with authority, like a director or a vice president.
Prevention Tools
- Protect: Ensure all software, including antivirus programs, is up-to-date on all computers and servers.
- Flag external emails: Make sure that incoming emails received from external addresses are flagged as external. This adds an extra layer of security with a visible indicator to employees.
- Keep inboxes secure: Avoid using free web-based email platforms. They normally have fewer security features and are easier to hack. What’s more, block employee access to personal emails from work devices.
2. Coronavirus Phishing Scam
A company was in the process of applying for government relief assistance due to the closure of their store resulting from COVID-19 stay-at-home orders. While waiting to hear if the request had been approved, the COO who filed the paperwork received an email that appeared to be from the government office she filed with asking to verify the information she submitted, which included private information about the company and its owners.
This immediately raised a red flag: she knew that the government office communicates only by mail, not by email. She deleted the email and blocked the sender.
Prevention Tips
- Be aware: Watch out for communications attempting to collect detailed information via email, text or websites.
- Do not click: Avoid clicking on links from email senders you do not recognize.
- Red flags: Pay attention to typos and domain name errors.
Prevention Tools
- Use computer security software: Set the software to update automatically to protect against new security threats.
- Set mobile phone software to update automatically: These updates could give you critical protection against security threats.
- Back up your data: Make sure the backups aren’t connected to your network.
3. Electronic Payments Fraud
An accounts payable associate received an email from a customer asking for a reimbursement after overpaying for an item. The associate reviewed the order and verified that the customer did indeed overpay. To keep the customer satisfied, the associate set up a transaction to process a refund for the surplus but failed to wait for the client’s payment to clear in the company account before issuing the refund. Because the transaction was executed with fraudulent information, she processed a refund without ever receiving funds from the client in the first place.
Prevention Tips
- Verify requests for electronic payments: Use a phone number already on file or known to be genuine.
- Ask authentication questions: Ensure that your customer service team asks authentication questions to verify the identity of the caller to avoid service-assisted payment requests.
- Separate the duties of payment creation and approval: One person enters the payment details and another OKs the payment’s release.
- Ensure payments match invoice amounts: Do not accept payments above what you are charging.
Prevention Tools
- Monitor payments in real time: Tools such as ACH alerts could help detect suspicious activity.
- Implement 3D Secure: Verify the identity of the customer making the payment.
4. Invoice Fraud
An accounts payable manager received an urgent request from a supplier requesting payment on an overdue invoice. Because this was a known supplier, the manager quickly processed the invoice to keep them happy. The manager noticed there was a new account number but could not reach the supplier to verify it until the next day and decided to proceed with the transaction. The next day the AP manager received a call from the supplier stating that their email was compromised and that the invoice and request were fraudulent.
Prevention Tips
- Employ three-way matching: If you can match each invoice to a purchase order and receipt of goods, then you’re much less likely to pay a fraudulent invoice.
- Verbal approvals: For wire transfers that have new or updated banking information, request verbal approval or confirmation from a number and contact you are used to doing business with.
Prevention Tools
- Employ automation: Automation in the AP department gives you the tools you need to more effectively implement the tips above for preventing fraud. It’s probably the single most important step you can take to stop invoice fraud.
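The three-way match and the callback rule for changed banking details can be automated together. The sketch below is an added example, not code from the original article; the record layout, function name and sample values are hypothetical.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor_id: str
    unit_price: Decimal


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    vendor_id: str
    po_number: str
    quantity: int
    amount: Decimal
    bank_account: str


def review_invoice(invoice, purchase_orders, received_qty, bank_on_file):
    """Return the reasons to hold an invoice; an empty list means it may be paid.

    purchase_orders: po_number -> PurchaseOrder
    received_qty:    po_number -> units recorded as received
    bank_on_file:    vendor_id -> account number in the vendor master record
    """
    holds = []
    po = purchase_orders.get(invoice.po_number)
    if po is None:
        holds.append("no matching purchase order")
    else:
        if po.vendor_id != invoice.vendor_id:
            holds.append("vendor differs from purchase order")
        if invoice.quantity > received_qty.get(po.po_number, 0):
            holds.append("invoiced quantity exceeds goods received")
        if invoice.amount > po.unit_price * invoice.quantity:
            holds.append("invoiced amount exceeds purchase order price")
    # New or changed banking details are held no matter how urgent the request is.
    if bank_on_file.get(invoice.vendor_id) != invoice.bank_account:
        holds.append("bank account changed: confirm by phone using the number on file")
    return holds


# Constructed sample records (not real data).
PURCHASE_ORDERS = {"PO-100": PurchaseOrder("PO-100", "V-ACME", Decimal("25.00"))}
RECEIVED_QTY = {"PO-100": 40}
BANK_ON_FILE = {"V-ACME": "ACCT-0001"}

CLEAN = Invoice("INV-1", "V-ACME", "PO-100", 40, Decimal("1000.00"), "ACCT-0001")
NEW_ACCOUNT = Invoice("INV-2", "V-ACME", "PO-100", 40, Decimal("1000.00"), "ACCT-9999")
NO_ORDER = Invoice("INV-3", "V-ACME", "PO-777", 10, Decimal("250.00"), "ACCT-0001")
OVERBILLED = Invoice("INV-4", "V-ACME", "PO-100", 50, Decimal("1500.00"), "ACCT-0001")

if __name__ == "__main__":
    for inv in (CLEAN, NEW_ACCOUNT, NO_ORDER, OVERBILLED):
        result = review_invoice(inv, PURCHASE_ORDERS, RECEIVED_QTY, BANK_ON_FILE)
        print(inv.invoice_number, result or "pay")
```

An invoice like `NEW_ACCOUNT` passes the three-way match yet is still held, which is the case in the scenario above where a known supplier's request carried a new account number.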
5. Check Fraud
An accounts payable employee was in the process of replenishing the check stock when a fraudster, posing as a prospective customer, asked for assistance. She placed the stack of checks on her desk and invited the gentleman to sit down. As they were talking, he noticed the stack of blank check stock on the employee’s desk. When the employee stepped away to get what he’d requested as a distraction, he picked up the blank check stock from the employee’s desk and quickly put it in his bag.
After the fraudster left, the employee didn’t realize the stack of blank check stock was gone. The fraudster was able to write checks against the organization’s accounts.
Prevention Tips
- Training: Employees should be trained on how to look for check security features and identify fraudulent checks.
- Bank statement reconciliation: Be sure to reconcile bank statements and daily transactions to check for irregularities.
- Bank tools: Take advantage of the check services offered by banks to help reduce fraud, such as positive pay.
Prevention Tools
- Positive Pay: Allows the business and bank to work together to detect check fraud by identifying items presented for payment that the organization did not issue.
- Reverse Positive Pay: Similar to Positive Pay, except that the company, not the bank, maintains the list of checks issued.
- Payee Positive Pay: Protects your company from payee fraud losses by including the payee name with your check issue information.
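The matching behind Positive Pay and Payee Positive Pay comes down to comparing each presented item with the issue register. The sketch below is an added example, not code from the original article or from any bank's service; the field names, function names and sample checks are hypothetical.

```python
from decimal import Decimal


def normalize_payee(name):
    """Compare payee names without regard to case or spacing."""
    return " ".join(name.upper().split())


def positive_pay_exceptions(issued, presented, check_payee=False):
    """Return (check_number, reason) for every presented item that should not be paid.

    issued and presented are lists of dicts with check_number, amount and payee.
    check_payee=True adds the Payee Positive Pay comparison.
    """
    register = {c["check_number"]: c for c in issued}
    paid = set()
    exceptions = []
    for item in presented:
        number = item["check_number"]
        record = register.get(number)
        if record is None:
            # Typical of stolen blank stock: a serial the organization never issued.
            exceptions.append((number, "not issued"))
        elif number in paid:
            exceptions.append((number, "duplicate presentment"))
        elif item["amount"] != record["amount"]:
            exceptions.append((number, "amount mismatch"))
        elif check_payee and normalize_payee(item["payee"]) != normalize_payee(record["payee"]):
            exceptions.append((number, "payee mismatch"))
        else:
            paid.add(number)
    return exceptions


# Constructed sample data (not real checks).
ISSUED = [
    {"check_number": "1001", "amount": Decimal("120.00"), "payee": "Acme Supply"},
    {"check_number": "1002", "amount": Decimal("980.50"), "payee": "Northside Freight"},
    {"check_number": "1003", "amount": Decimal("45.00"), "payee": "City Water"},
]
PRESENTED = [
    {"check_number": "1001", "amount": Decimal("120.00"), "payee": "ACME  SUPPLY"},
    {"check_number": "1002", "amount": Decimal("980.50"), "payee": "J. Doe"},
    {"check_number": "1050", "amount": Decimal("5000.00"), "payee": "J. Doe"},
    {"check_number": "1003", "amount": Decimal("4500.00"), "payee": "City Water"},
    {"check_number": "1001", "amount": Decimal("120.00"), "payee": "Acme Supply"},
]

if __name__ == "__main__":
    for number, reason in positive_pay_exceptions(ISSUED, PRESENTED, check_payee=True):
        print(number, reason)
```

Check 1002 is caught only when `check_payee=True`, because its number and amount both match the register.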
6. Telephone Fraud
An individual had just placed an order with an online retailer. The next day, she received a phone call from an unknown number saying there was a problem with her order and to call them back at a certain number. Without hesitation, she dialed the number and inquired about the order. She was asked to verify her personal information including name, address, phone number and card number.
Prevention Tips
- Screen your calls: Don’t answer any calls from unknown numbers—let it go to voicemail.
- Protect your privacy: If you do answer the call, do not confirm your identity if asked; simply hang up or ask who is calling you. Otherwise, do not respond to any questions asked either by a live or recorded voice and do not provide any personal information.
- Don’t select any options to proceed: If you are prompted by a recording to press a button or taken through a list of options, don’t make a selection, simply hang up.
- Verify all numbers: Only dial numbers you are certain are valid, like a website customer contact area.
Prevention Tools
- Register: Make sure your phone number is on the “National Do Not Call” list to help reduce unwanted calls.
- Block numbers: Be sure to block suspicious numbers on your mobile phone.
8 Common Fraud Tips
- Educate yourself about common scams
- Monitor against insider threats
- Ensure employees are aware of security best practices
- Back up data off-site
- Restrict administrative rights
- Secure against business email compromise
- Install and update antivirus software
- Talk to your bank about the fraud mitigation services they offer