Ways To Get Out Of Debt

6 Steps to Reduce Online Fraud

April 12th, 2010

What can – and should – a banking institution do to help protect its business customers?

Mike Urban, senior director of Fraud Solutions at FICO, has studied this question and offers his observations on how institutions and customers can fight back against the risks of online fraud.

“Really, the problem is that ACH fraud can be as lucrative or even more than physically breaking into a retail establishment and stealing card data,” Urban says. “It can really be lucrative for a one-time hit on a business.” This puts institutions and their business customers in a “Catch-22″ position, because small and medium businesses want easy access to their accounts, and institutions look at fraud detection on these accounts as an added expense. “But somehow institutions and businesses have to get closer to the middle and strike the right balance,” Urban says.

Current Fraud Trends

There are three variations of fraud that Urban sees as particularly prevalent now:

First Party – where criminals open accounts and use them as pass-through accounts to move money. Additionally, Urban says there also may be legitimate business owners who are kiting — they create additional float so they have additional line of credit. “They’re not meaning to defraud the bank, but creating float type of credit,” he says.

Internal – where employees sell information about a business’ accounts to outside organizations. Another scenario is where the small business employee who is accessing the business accounts moves out money and then leaves town. One twist to detecting internal fraud is the possibility that employees who perform the transactions will muddy the trail by saying their account credentials were taken in a phishing email. “They can almost use that as an excuse, and it can’t be proven unless the business has internet web logs,” Urban says. “So it is hard to prove if the employee was colluding with outsiders, or their account actually was phished.”

Third party – where most of the warnings are coming in via phishing, social engineering or spear-phishing. There are even infected webpages that can compromise a user’s PC. “Criminals attack the business, compromise the online credentials and move money out of the accounts,” he says.

//

The increasing number of fraud events being reported by institutions and their business customers isn’t a mystery to Urban, who sees a number of factors that increase the chances that a small business would fall prey to criminals attacking their online banking accounts.

“The fact is that businesses want easy access to their accounts, and typically small and medium businesses are understaffed and overworked,” he says. Along with this is the level of trust built in those organizations, where employees are even getting access to the business’s records from outside locations, even on vacation, so the financials are exposed. “This reduces the ability to enact dual controls, as the amount of trust given to employees is high,” he says.

One potential solution: Businesses should designate a single computer for only online banking transactions. “Having a separate computer is costly and often unworkable for a small business,” Urban says. “What if the owner needs to access or employees need to access from home or from laptop outside of the company?”

Urban says ACH fraud is only one of the indicators of how big the problem of fraud is becoming. “Cybercrime is such a pervasive problem, I don’t think we even have a good picture of how big it is, and we’ve not gotten our arms around the size of the problem.” He says the industry has seen glimpses into some of these attacks, including the Google hack, but that awareness is still an issue. “Many businesses have the mindset that ‘it’s not going to happen to me,’ but it is growing rapidly.”