Presented to: Mitigating Payment Fraud July 23, 2014 A perspective on recent fraud experience and...
Mitigating Payment Fraud
July 23, 2014
A perspective on recent fraud experience and best practice approaches for reducing the risk of payment fraud
Presented to: North Carolina Local Government Investment Association
Avoiding the Headlines …
Source: Fraud Advisory for Business: Corporate Account Takeover
Where Are We Now?
A look at current state metrics

Are Things Improving?
% of Organizations with Attempted/Actual Payment Fraud
2014 AFP Payments Fraud and Control Survey
2004: 55%
2005: 68%
2006: 72%
2007: 71%
2008: 71%
2009: 73%
2010: 71%
2011: 66%
2012: 61%
2013: 60%
Continuing Increase in the Number of Attempts
Becoming More Concentrated?
Net Increase in Attempts
2009: +13%
2010: +10%
2011: +8%
2012: +11%
2013: +11%
2013: 27% of organizations reported an increase in attempted fraud, 16% reported a decrease, 57% reported similar activity
2014 AFP Payments Fraud and Control Survey
Continued Prevalence of Check-based Fraud
Aren’t Check Volumes Declining?
Sources: (1) 2013 Federal Reserve Payment Survey; (2) 2014 AFP Payments Fraud and Control Survey (actual and attempted)
% of Organizations (2)
ACH Credit: 9%
Wire: 14%
ACH Debit: 22%
Card: 43%
Check: 82%
Total Checks Written (1)
2003: 37.3B
2012: 18.3B
Increasing Impact
Average Fraud Losses Continue to Grow
2014 AFP Payments Fraud and Control Survey
2009: $17,100
2010: $18,400
2011: $19,200
2012: $20,300
2013: $23,100
Fraud Impact by Payment Type
Payment Method Responsible for Largest Dollar Loss
2014 AFP Payments Fraud and Control Survey
Check: 57%
Card: 23%
ACH Debit: 10%
Wire: 9%
ACH Credit: 1%
Fraud Impact by Payment Type
Average Value of Unauthorized Transaction ($)
2013 Federal Reserve Payment Survey
Check: 1221
ACH: 730
ATM: 207
Credit Card: 138
Debit Card: 105
Source of Fraud
Who and Why?

Sources of Attempted Payment Fraud
Who is initiating?
Sources: (1) 2014 AFP Payments Fraud and Control Survey; (2) 2013/14 Kroll Global Fraud Report
% of Organizations (1)
Compromised Mobile: 1%
Lost Laptop: 3%
Account Takeover: 7%
3rd Party Processor: 8%
Internal: 11%
External Ring: 20%
External Individual: 80%
A difference of opinion? (2)
“72% of those surveyed have been hit by a fraud involving at least one insider in a lead role” within … 32% involved a senior or middle manager
Check-based Fraud Losses
Organizations Suffering Loss from Fraud Attempt
2014 AFP Payments Fraud and Control Survey
Suffered Loss?
Yes: 17%
No: 83%
Identified Reasons For Loss
Processed by Check Cashing Agency (38%)
Lack of Timely Recon or Positive Pay Review (28%)
Internal Fraud (21%)
Lack of Positive Pay Utilization (17%)
Lack of Timely Check Return (10%)
Lack of Post No Check Services on EFT Acct (10%)
ACH Fraud Losses
Organizations Suffering Loss from Fraud Attempt
2014 AFP Payments Fraud and Control Survey
Suffered Loss?
Yes: 19%
No: 81%
Identified Reasons For Loss
Lack of Debit Block or Filter (50%)
Lack of Timely Reconciliation (38%)
Lack of Timely Return (38%)
Lack of ACH Positive Pay Utilization (38%)
Internal Fraud (13%)
Card Fraud Losses
Organizations Suffering Loss from Fraud Attempt
2014 AFP Payments Fraud and Control Survey
Suffered Loss?
Yes: 31%
No: 69%
Source of Fraud
Employee: 57%
Unknown External: 43%
Card Fraud Losses
Purchasing and Travel Cards
Sources: (1) 2012 RPMG Purchasing Card Benchmark Survey; (2) 2013 RPMG Corporate Travel Card Benchmark Survey
PURCHASING CARD (1) | Employee Misrepresentation | Internal Fraud | External Fraud
Median $ per Incident | $200 | $350 | $100
Loss as a % of spend | .004% | .001% | .002%
TRAVEL CARD (2) | Employee Misrepresentation | Internal Fraud | External Fraud
Median $ per Incident | $100 | $67 | $100
Loss as a % of spend | .003% | .002% | .004%
Internal Processes
Best Practice Activities for Creating a Strong Control Environment

Organizational (Internal) Fraud
Primary Fraudulent Disbursement Activities
Association of Certified Fraud Examiners (ACFE): 2012 Global Fraud Study - Report to the Nations on Occupational Fraud & Abuse
Category | Examples | % of All Cases | Median Loss | Ave. Duration
Billing | Employee creates a shell company and bills employer for services not actually rendered. | 24.9% | $100,000 | 24 Months
Expense Reimbursement | Employee files fraudulent expense report, claiming personal travel, nonexistent meals, etc. | 14.5% | $26,000 | 24 Months
Check Tampering | Employee steals an outgoing check to a vendor and deposits it into his/her own bank account. | 11.9% | $143,000 | 30 Months
Payroll Schemes | Employee adds ghost employees to the payroll. | 9.3% | $48,000 | 36 Months
Internal Control Foundation
A/P Masterfile Control
Sourcing and Invoice Processing
Segregation of Duties
Confirmation of Beneficiary Changes
Approval and Execution
Timely Reconciliation
External Support
Services and Solutions to Mitigate Payment Fraud Risk

Primary Methods of Check Fraud
% of Organizations that Suffered Attempted Check Fraud
2014 AFP Payments Fraud and Control Survey
Check Stock Theft (5%)
Payroll Check Theft (16%)
Dollar Amount Alteration (37%)
Payer Name Alteration (52%)
Counterfeit Check with MICR (62%)
Services labelled on the slide: Positive Pay (three times), Payee Positive Pay
Primary Procedures to Guard Against Check Fraud
% of Organizations Deploying (1)
(1) 2014 AFP Payments Fraud and Control Survey
Non-bank Fraud Control: 7%
Reverse Positive Pay: 20%
Post No Checks: 46%
Payee Positive Pay: 56%
Segregate Accounts: 68%
Daily Reconciliation: 78%
Positive Pay: 81%
Primary Procedures to Guard Against ACH Fraud
2014 AFP Payments Fraud and Control Survey
Reconcile Accounts Daily, Identify and Return Unauthorized Debits (78%)
Block ACH Debits Except on a Single Account With ACH Debit Filter/ACH Positive Pay (64%)
Block ACH Debits on All Accounts (31%)
Consumer Debit Block and Commercial Debit Filter (24%)
Separate Account for all 3rd Party Debits (18%)
Powerful Bank Services to Mitigate Payment Fraud
Positive Pay
ACH Positive Pay
ACH Debit Block
Post No Checks
Are Physical Check Security Features Still Needed?
Thermochromatic Ink
Chemical Reactive Paper
Copy Void Pantograph
Dual Image Numbering
Image Survivable Barcode
Warning Bands
Fourdrinier Watermark
Secure Name Font
F. Abagnale Fraud Bulletin – Vol 12

Online Banking
Best Practice Activities for Securing Information and Controlling Payment Execution

Account Take-over
Dissecting an Attack
1. Target Victims
2. Install Malware
3. Operator Logon
4. Capture Login Data
5. Initiate Funds Transfer
Fraud Advisory for Businesses: Corporate Account Take Over - United States Secret Service, FBI, IC3, and FS-ISAC.
How Would You React to This Email?
PNC Bank USA
Pittsburgh, PA Member FDIC 2014
Dear Valued Customer:
We noted that your account transferred $10,000 to Nigerian financial institution on June 15, 2014. Given the suspicious nature of this transaction, we have frozen all transaction activity on your account. Please access the link below to verify your credentials, review this transaction and restore your account to an active state:
http://pncbankUSA.com/suspendedaccount/secureverification
Once you have completed this, PNC’s Fraud team will work to promptly restore these funds.
Thank you for doing business with PNC!
Gone Phishin …
Phishing - attempt to acquire information such as user name, passwords, and other financial details by masquerading as a trustworthy entity … in electronic form
Spear Phishing
Waterholing
Whaling
Clone Phishing
Social Engineering
Account Transfer
Pay Close Attention to Wire Transfer Activity
Fraud Advisory for Businesses: Corporate Account Take Over - United States Secret Service, FBI, IC3, and FS-ISAC.
2.11 per 1000 commercial customers have experienced an account take-over
9% of all account take-overs resulted in funds being transferred
82% of fraudulent transfers involved wires
Controlling the Risk of Cyber Fraud
Education and Awareness
Insulate Workstation
Separate Approval Station
Malware and Virus Protection
FFIEC Authentication
Mobile Threat Vectors
Card Usage
Best Practice Activities for Managing Commercial Card Programs

What are Other Organizations Doing?
Primary Controls Utilized
% of Organizations
2012 RPMG Purchasing Card Benchmark Survey
Preferred Provider Blocks: 22%
MCC Blocking: 57%
Dedicated Administrator: 62%
Compliance Audits: 66%
Cardholder Agreements: 71%
Receipt Requirements: 81%
Defined Spending Limits: 88%
Controlling Commercial Card Activity
Point of Sale Controls
Online Submission and Approval
Receipt/Proof of Purchase
Card Security
Audit and Inspection
Other
Who has Borne Card Losses?
Parties that Suffered Loss on Commercial/Corporate Card Fraud
Sponsoring Organization (31%)
Merchant (14%)
Issuing Bank (44%)
2014 AFP Payments Fraud and Control Survey
Expected Improvement from Migration to EMV Standard
Expected Effectiveness (1)
Some Reduction: 72%
Major Reduction: 20%
No Reduction: 8%
(1) 2014 AFP Payments Fraud and Control Survey
• EMV (Europay, Mastercard, Visa) – global standard for integrated chip-based card design
‒ Unlike other countries, the US continues to be dominated by magnetic stripe POS terminals
‒ Estimated cost of upgrades > $12B
• Merchant Processing
‒ When mag-stripe cards are swiped at POS terminal, data, such as primary account number and expiration date, are transmitted to the card issuer
‒ The data, known as static data, remains the same for each transaction
‒ EMV relies on dynamic authentication - use of changing variables unique to each individual card transaction
‒ PIN vs. Signature authentication
• Liability Shift
‒ Effective October, 2015 liability will shift for domestic and cross-border counterfeit card-present POS transactions
‒ Fuel selling merchants have until 2017
‒ Shift from issuing bank to accepting merchant
‒ Will not immediately extend to web and phone-based purchases
‒ Expected to positively impact POS card fraud
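An added illustration of the static-versus-dynamic point above (not part of the original presentation): a toy issuer accepts a byte-for-byte copy of mag-stripe data but rejects a reused or edited chip message. HMAC-SHA256, the shared CARD_KEY, the counter and nonce fields and all sample values are assumptions standing in for the real EMV cryptogram.

```python
import hashlib
import hmac

# Constructed sample values (assumptions for this example, not real card data).
PAN, EXPIRY = "4000000000000002", "1812"
CARD_KEY = b"constructed-per-card-secret"  # known to the chip and the issuer only

def cryptogram(amount, nonce, counter):
    # HMAC-SHA256 is a stand-in for the card's real cryptogram algorithm.
    data = f"{PAN}|{amount}|{nonce}|{counter}".encode()
    return hmac.new(CARD_KEY, data, hashlib.sha256).hexdigest()

def chip_transaction(amount, nonce, counter):
    # Dynamic data: the chip signs variables that change on every purchase.
    return {"amount": amount, "nonce": nonce, "counter": counter,
            "mac": cryptogram(amount, nonce, counter)}

class Issuer:
    def __init__(self):
        self.last_counter = 0  # highest chip transaction counter accepted

    def authorize_magstripe(self, track):
        # Static data: the issuer can only compare fields that never change.
        return track == {"pan": PAN, "expiry": EXPIRY}

    def authorize_chip(self, msg):
        expected = cryptogram(msg["amount"], msg["nonce"], msg["counter"])
        valid = hmac.compare_digest(expected, msg["mac"])
        fresh = msg["counter"] > self.last_counter  # rejects reused messages
        if valid and fresh:
            self.last_counter = msg["counter"]
        return valid and fresh

def demo():
    issuer = Issuer()
    swipe = {"pan": PAN, "expiry": EXPIRY}
    first = chip_transaction(2500, "a1b2c3", 1)
    # A chip message whose amount was edited after the MAC was computed.
    altered = dict(chip_transaction(900, "0a0b0c", 3), amount=90000)
    return {
        "magstripe_original": issuer.authorize_magstripe(swipe),
        "magstripe_copy": issuer.authorize_magstripe(dict(swipe)),
        "chip_original": issuer.authorize_chip(first),
        "chip_replayed": issuer.authorize_chip(dict(first)),
        "chip_next": issuer.authorize_chip(chip_transaction(900, "d4e5f6", 2)),
        "chip_altered": issuer.authorize_chip(altered),
    }

if __name__ == "__main__":
    print(demo())
```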
Disclaimer
This presentation was prepared for general information purposes only and is not intended as legal, tax or accounting advice or as a recommendation to engage in any specific transaction, including with respect to any securities of PNC, and does not purport to be comprehensive. Under no circumstances should any information contained in this presentation be used or considered as an offer or commitment, or a solicitation of an offer or commitment, to participate in any particular transaction or strategy.
Any reliance upon the presentation is solely and exclusively at your own risk. Please consult your own counsel, accountant or other professional advisor regarding your specific situation. Any opinions expressed in this presentation are subject to change without notice.