Fraudsters continue to find weaknesses in authentication processes to obtain secure information and fraudulently transfer money to themselves via a wire or ACH transaction. These attacks often originate from phishing that gives the fraudster entry to a secure system holding secure data.
With phishing attacks becoming more sophisticated and streamlined, ACH and wire fraud attempts are almost certain to continue in the coming years.
To better manage these fraud exposures, you will need to understand how these attacks typically occur, so you know where to look and what to do should you suspect an attack.
Detection Methods
- Be especially diligent in monitoring and authenticating international wire requests. Many of the more serious and more common wire fraud attacks involve international funds transfers. These crimes can result in millions of dollars in rerouted, stolen funds.
- Be cautious of HELOC transfers requested shortly before a wire request. This is another early warning sign for wire fraud. These back-to-back requests are quite often the starting point for a wire fraud attack.
- Wait until an individual’s identity has been authenticated before offering credit on loans, if at all. There is a substantially higher risk of ACH fraud for any financial institution that offers ACH loan payments on credit card accounts; this risk is even higher when granting immediate credit on loan payments.
- Regularly work with ACH processors to review the daily returns on settlement accounts and evaluate daily, weekly and monthly reports – i.e. credit card kiting reports, over credit card limit reports, excessive activity reports, and cash advance reports. Working closely with your processors could help you to better understand these transactions and find early warning signs for fraud.
Authentication Tools
- Implement multiple authentication requirements. These requirements should include a number of different elements to ensure you are doing everything in your power to protect your consumers’ accounts and keep the bad guys out.
- Require your accountholders to establish a unique PIN and/or password and unique security questions for account access. When establishing these security questions, it is best to offer options that do not involve attainable data, like social security numbers, home addresses, or any other such information, as a lot of this information was compromised during last year’s Equifax breach.
- Request a contact number from accountholders for validating the authenticity of wire requests. To be doubly safe, it is best to ask for more than one callback telephone number.
- Adopt encryption and/or biometric authentication tools. These security methods have been proven to reduce fraud significantly, even as these crimes grow more sophisticated and frequent.
Internal Controls
- Designate at least one person inside your organization as the go-to expert on ACH processing, so they are equipped to help uncover the source of an attack. Resources for better understanding these transactions include the FFIEC’s Information Technology Handbook on ACH processing, the NACHA Operation Guidelines, and the NCUA’s guidance on third-party providers.
- Use a dedicated, secure computer for all incoming and outgoing wire and ACH transfers. This will help you protect your secure systems from malware and phishing attacks.
- Keep your wire transfer policies and procedures off of your website. Giving fraudsters easy access to this information can help them to uncover a weak link in your defenses.
- Limit the dollar amount for daily transactions and for single transactions. This reduces wire-related fraud losses by preventing criminal access to an endless supply of funds.
- Review agreements with your third-party processors that offer online ACH payments. Look at their internal processes to ensure they don’t open your organization to additional liability risks associated with their payment process.
- Make sure your employees are well trained on what to look out for to detect wire and ACH fraud. Make sure they know to notify specified individuals if anything looks out of the ordinary.
- Establish dual controls where one person authorizes a payment and another person verifies it. It may not be convenient, but this creates another layer of security and another method of protection.
- Deploy multi-factor, multi-layer security requirements for your personal and business accounts. Advise your accountholders to also take part in establishing strong security settings, like turning on two-factor authentication (2FA) and setting up complex passwords.
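The warning signs under Detection Methods and the limits and dual control under Internal Controls can be expressed as a screening rule set applied to each wire request. The following is an added example, not code from this article: the field names, the three-day HELOC window, the dollar limits and the sample records are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values; the article gives no figures, so set these from your own policy.
HELOC_WINDOW = timedelta(days=3)
SINGLE_LIMIT = 50_000
DAILY_LIMIT = 100_000
HOME_COUNTRY = "US"

@dataclass
class Wire:
    account: str
    amount: float
    dest_country: str
    requested: datetime
    authorized_by: str
    verified_by: str = ""

def screen_wire(wire, heloc_transfers, prior_wires):
    """Return the names of the rules this wire request trips (empty list = clean)."""
    flags = []
    if wire.dest_country != HOME_COUNTRY:
        flags.append("international")
    # HELOC transfer followed shortly by a wire request on the same account.
    if any(timedelta(0) <= wire.requested - t <= HELOC_WINDOW
           for t in heloc_transfers.get(wire.account, [])):
        flags.append("heloc_before_wire")
    if wire.amount > SINGLE_LIMIT:
        flags.append("over_single_limit")
    same_day = sum(w.amount for w in prior_wires if w.account == wire.account
                   and w.requested.date() == wire.requested.date())
    if same_day + wire.amount > DAILY_LIMIT:
        flags.append("over_daily_limit")
    if not wire.verified_by or wire.verified_by == wire.authorized_by:  # dual control
        flags.append("dual_control_missing")
    return flags

# Constructed sample data (not real accounts or transactions).
HELOC_TRANSFERS = {"A-100": [datetime(2024, 3, 4, 9, 30)]}
PRIOR = [Wire("A-200", 70_000, "US", datetime(2024, 3, 5, 10, 0), "teller1", "officer2")]
SAMPLES = [
    Wire("A-100", 60_000, "HK", datetime(2024, 3, 5, 14, 0), "teller1", "teller1"),
    Wire("A-200", 40_000, "US", datetime(2024, 3, 5, 15, 0), "teller1", "officer2"),
    Wire("A-300", 5_000, "US", datetime(2024, 3, 5, 16, 0), "teller1", "officer2"),
]

if __name__ == "__main__":
    for w in SAMPLES:
        print(w.account, screen_wire(w, HELOC_TRANSFERS, PRIOR))
```

A flagged request is a prompt for the callback and manual review steps described above, not an automatic rejection.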
Both your accountholders and staff should participate in protecting against these crimes, but it is up to your financial institution to establish strong internal controls and train your employees and consumers on how they can help to protect against these risks.