Businesses must balance the information needs of their customers, suppliers and employees against responsible security and privacy policies. In fact, they face variations of many of the same identity theft risks that plague individuals, and must protect themselves against these internal and external threats.
To help put external threats in perspective, 2006 information losses cost U.S. companies an average of $182 per compromised record, an increase of about 31 percent from 2005, according to a study by the Ponemon Institute. The average business loss for identity theft was measured at $49,254 in 2004, according to the Identity Theft Resource Center. Internally, a National Retail Federation (NRF) study found employee theft costs retailers much more than shoplifting. Employee theft is responsible for 30 percent of all business failures, according to U.S. Chamber of Commerce estimates.
“We’ve seen a fair amount of businesses that had fraudulent activity happen to them, when they had no idea that their accounts had been compromised,” says Michelle Mercer, a fraud prevention manager at MB Financial Bank.
Smart Business asked Mercer and Linda Ray, a loss prevention manager at MB Financial, about the types of fraud threats businesses face and what can be done to help prevent them and protect businesses.
What are some of the leading fraud risks in business today?
The leading sources are check scams, employee embezzlement, and wire or Internet fraud. Recently, the industry has been seeing an especially high number of counterfeit check frauds, such as lottery scams, Nigerian funds stories, secret-shopper offers and other Internet scams.
How do counterfeit check scams work and how can businesses protect themselves?
One of the most common tactics is to steal legitimate business checks from the mail. Criminals use a solution to wash out the payee, then type in a new one. Many times the criminals don’t change the amount of the check, to lessen the chances of detection. Businesses often don’t know this is happening to them until a vendor calls to check on a late payment.
Criminals can use account and bank numbers to create their own counterfeit checks. Sometimes they scan the logo and signature from a stolen check to create new ones. To help prevent these kinds of frauds, companies should review their statements and canceled check images promptly and carefully. Physical checks and blank check stock should be kept in a locked location with restricted access.
In addition, businesses should consider adopting other banking services, such as Internet banking, to monitor activity more frequently, or Positive Pay, an automated fraud detection tool, to reduce the possibility of counterfeit checks being presented and paid by the bank.
How else can businesses protect against wire fraud?
Again, it’s important to review transactions and statements promptly. Many times the wire fraud amounts are small, so the transfer doesn’t attract special attention and the money may not be missed. There often will be repeated, fairly small transfers, and the fraud can go undetected for a long time.
Companies should be very careful not to divulge their account numbers and ACH routing numbers to unauthorized parties, and should notify their financial institution any time they suspect information has been compromised. There need to be secure computer and communications systems in place, with firewalls and Internet security on all computers. Passwords are not enough. We recommend multifactor authentication, which adds another layer of security beyond passwords by requiring users to be identified and validated in a variety of ways.
Can you characterize risks posed by employees?
Employee fraud tends to happen to those business owners who don’t manage their own business finances and don’t have time to monitor them. They have a trusted employee whose job it is to pay bills and manage accounts. It often starts when a person needs money for an emergency and thinks it will be a one-time thing. When the person doesn’t get caught, it becomes a habit.
One of the warning signs is when a key employee never calls in sick or takes a vacation — he or she could be afraid of getting caught if absent and someone else may need to look at the work.
A good deterrent to this situation is to have a system of checks and balances in place. For example, have a policy so the person who issues checks is not the same person who balances the accounts. One of the ways embezzlers have found to get around this is to use bookkeeping software where accounts are reconciled to it rather than the bank statements, which reflect the true account activity. The embezzlers can claim that since the software does not match the bank statement, there is no need to check the bank statements. Businesses should carefully review their statements. A lot of people think they don’t have time but, when you consider the consequences, it is extra time well spent.
MICHELLE MERCER is the BSA/AML/Fraud manager at MB Financial Bank. Reach her at (847) 653-1009 or firstname.lastname@example.org.
LINDA RAY is a loss prevention manager at MB Financial Bank. Reach her at email@example.com or (847) 653-2781.