Businesses must balance the information needs of their customers, suppliers and employees against responsible security and privacy policies. In fact,
they are at risk for variations of many of
the same identity theft risks that plague
individuals and must protect themselves
against these internal and external threats.
To help put external threats in perspective, 2006 information losses cost U.S. companies an average of $182 per compromised record, an increase of about 31 percent from 2005, according to a study by the
Ponemon Institute. The average business
loss for identity theft was measured at
$49,254 in 2004, according to the Identity
Theft Resource Center. Internally, a
National Retail Federation (NRF) study
found employee theft costs retailers much
more than shoplifting. Employee theft is
responsible for 30 percent of all business
failures, according to U.S. Chamber of
Commerce estimates.
“We’ve seen a fair amount of businesses
that had fraudulent activity happen to
them, when they had no idea that their
accounts had been compromised,” says
Michelle Mercer, a fraud prevention manager at MB Financial Bank.
Smart Business asked Mercer and Linda
Ray, a loss prevention manager at MB
Financial, about the types of fraud threats
businesses face and what can be done to
help prevent them and protect businesses.
What are some of the leading fraud risks in
business today?
The leading sources are check scams,
employee embezzlement, and wire or
Internet fraud. Recently, the industry has
been seeing an especially high number of
counterfeit check frauds, such as lottery
scams, Nigerian funds stories, secret-shopper offers and other Internet scams.
How do counterfeit check scams work and
how can businesses protect themselves?
One of the most common tactics is to
steal legitimate business checks from the
mail. Criminals use a solution to wash out
the payee, then type in a new one. Many times the criminals don’t change the
amount of the check, to lessen the chances
of detection. Businesses often don’t know
this is happening to them until a vendor
calls to check on a late payment.
Criminals can use account and bank
numbers to create their own counterfeit
checks. Sometimes they scan the logo and
signature from a stolen check to create
new ones. To help prevent these kinds of
frauds, companies should review their
statements and canceled check images
promptly and carefully. Physical checks
and blank check stock should be kept in a
locked location with restricted access.
In addition, businesses should consider
adopting other banking services, such as
Internet banking, to monitor activity more
frequently, or Positive Pay, an automated
fraud detection tool, to reduce the possibility of counterfeit checks being presented
and paid by the bank.
How else can businesses protect against
wire fraud?
Again, it’s important to review transactions and statements promptly. Many times
the wire fraud amounts are small, so the
transfer doesn’t attract special attention
and the money may not be missed. There
often will be repeated, fairly small transfers, and the fraud can go undetected for a
long time.
Companies should be very careful not to
divulge their account numbers and ACH
routing numbers to unauthorized parties, and should notify their financial institution
any time they suspect information has
been compromised. There needs to be
secure computer and communications systems in place, with firewalls and Internet
security on all computers. Passwords are
not enough. We recommend multifactor
authentication, which adds another layer
of security beyond passwords by requiring
users to be identified and validated in a
variety of ways.
Can you characterize risks posed by employees?
Employee fraud tends to happen to those
business owners who don’t manage their
own business finances and don’t have time
to monitor them. They have a trusted
employee whose job it is to pay bills and
manage accounts. It often starts when a
person needs money for an emergency and
thinks it will be a one-time thing. When the
person doesn’t get caught, it becomes a
habit.
One of the warning signs is when a key
employee never calls in sick or takes a
vacation — he or she could be afraid of getting caught if absent and someone else
may need to look at the work.
A good deterrent to this situation is to
have a system of checks and balances in
place. For example, have a policy so the
person who issues checks is not the same
person who balances the accounts. One of
the ways embezzlers have found to get
around this is to use bookkeeping software
where accounts are reconciled to it rather
than the bank statements, which reflect the
true account activity. The embezzlers can
claim that since the software does not
match the bank statement, there is no need
to check the bank statements. Businesses
should carefully review their statements. A
lot of people think they don’t have time but,
when you consider the consequences, it is
extra time well-spent.
MICHELLE MERCER is the BSA/AML/Fraud manager at MB
Financial Bank. Reach her at (847) 653-1009 or [email protected].
LINDA RAY is a loss prevention manager at MB Financial Bank.
Reach her at [email protected] or (847) 653-2781.