The Treasury Update Podcast by Strategic Treasurer

Episode 319

Learning from Financial Fraud Series Episode 13: Constant Fraud Attempts Across Multiple Payment Rails

Welcome to another episode of our Learning from Financial Fraud Series. In this thirteenth episode, Craig Jeffery, Managing Partner at Strategic Treasurer, shares insights into a major fraud case targeting a global non-profit. The organization faced multiple sophisticated attacks across multiple payment channels. Listen in as Craig walks us through the attack method, the loss, and the key takeaways.


Host:

Jonathan Jeffery, Strategic Treasurer


Speaker:

Craig Jeffery, Strategic Treasurer

Episode Transcription - Episode # 319: Learning from Financial Fraud Series Episode 13: Constant Fraud Attempts Across Multiple Payment Rails

Announcer  00:05

Welcome to the Treasury Update Podcast presented by Strategic Treasurer, your source for interesting treasury news, analysis, and insights in your car, at the gym or wherever you decide to tune in.

 

Jonathan Jeffery  00:20

Welcome back to the Learning from Financial Fraud Series on the Treasury Update Podcast. In this series, we explore multiple major financial fraud cases. We discuss how each one occurred and was kept hidden for a period of time, and we’ll dissect how it was eventually discovered and get insight and guidance on how to prevent this type of situation from happening to you and your organization. I’m Jonathan, media production specialist here at Strategic Treasurer, and I’m here with Craig Jeffery, managing partner. Welcome back to the podcast, Craig.

 

Craig Jeffery  00:47

It’s good to be here, particularly for this series. Thanks, Jon.

 

Jonathan Jeffery  00:49

Yeah, so in this podcast, we are looking at an anonymous firm that had constant fraud attempts. Do you want to walk us through what the situation was?

 

Craig Jeffery  00:57

They attacked them across three primary payment rails: electronic funds transfer (the ACH network), card activity, and checks. This was a series of frauds perpetrated against them, attempts perpetrated against them. Some had success, but they would present information that would either directly attack the payment rail, or even try to circumvent some of the controls that were put in place for electronic transfers by using codes. We believe that it was combined with the capture of specific internal information through capturing someone’s email information. So they were monitoring someone inside the organization, and they gathered quite a bit of information. There was a known breach. They eventually moved that off, but there was so much information that had been shared, the criminals were able to leverage that across several different ways, several different payment channels. They also did this in a very persistent manner. Over time, they altered the amounts, the frequency; they would pause certain activities and then restart them in an attempt to… I can go through some of the examples, or however you’d like to discuss it, yeah.

 

Jonathan Jeffery  02:12

Can you go through some of the attack methods?

 

Craig Jeffery  02:15

Yeah, so ACH, I mean, in the US, quite a few banks offer electronic pre-authorization, or some other name for this positive pay for ACH, where codes are set up, and amounts and limits may be established. And, you know, debit filtering, debit blocking can be done, but the criminals were able to get access to a bunch of the codes. They would submit some of these transactions using some of those codes, which is fairly sophisticated, because those are codes that are set up when you establish your ACH activity. They also did ones that were not using those codes. So they would submit them at different times with different amounts, largely targeting just a couple of accounts, not targeting all of the accounts. So this was fairly persistent; there were some losses from that. The company established a full block for every transaction with double review for a time, and then moved it to a single review, to ensure that only approved transactions made it through, not just ones that met the test of the data. That was something we haven’t seen before, where someone had captured the codes and was passing them, basically the authorization codes that were coming through. And so it was fairly involved for that.

 

Jonathan Jeffery  02:17

Is that something that was found through the compromise of the email, or brute force, or…?

 

Craig Jeffery  03:32

The codes? I think it had to have been by compromising a person’s computer and email; they were able to gather information, see codes, see account numbers, and then use that to, you know, try to get the fraud going. So very sophisticated cyber fraud: capturing information, and then enough sophistication to know how to use that on the ACH side. The check side, check fraud, is fairly, you know, innocuous, but they would continue to submit checks at different times. Eventually, it just led to having to close the account, because there were so many activities, so many fraudulent items presented. They closed the account. It was pervasive. It was, you know, constantly hitting the filter, and it’s just, let’s move it to another account. That’s how they handled the check items.

 

Jonathan Jeffery  03:33

Yeah. If the criminals are sophisticated enough to get to this point, is there a way that they would know that there’s a certain time period that the transactions are going under a double review, and that they would know when that loosens up and start their attacks again, make it seem like they’re gone, but…

 

Craig Jeffery  04:44

I don’t believe so, because the compromise of the systems, and, you know, a particular person in finance’s emails, once that was stopped, new accounts and new information were set up that were never compromised, so they weren’t able to monitor the current activity after that point, after that was stopped. Prior to that, they could see, they could read emails: hey, we got a fraud problem. I don’t know if that was the case, but once the access was stopped, defense was much easier. The other thing, Jon, that happened was card transactions and other debits, particularly returns. Most frequently they would put through fictitious returns for different amounts, nothing massively large, but they’d put those through and then get funds out of the organization. And then there would be this, you know, what is this applied to? So they used that on the card side, you know, to handle it. The other thing that happened on the ACH side is that when they didn’t have the codes, or when those codes were removed or blocked or changed, they would put transactions through that looked like a MasterCard charge, a bank fee charge. They would put codes through so that it looked like this is a transaction; it’s just, you know, MasterCard is charging this, Visa is charging this. And those would come through on the statement, which makes the person look at it and say, hey, maybe this is a real charge. We’ll figure it out. It’s not a huge sum. And there’s a number of these items, so those had to be rejected as well. But we saw those come through, you know, with this level of sophistication to make it look like, hey, this could be right. Let’s not just return it. But many of those were returned.

 

Jonathan Jeffery  04:44

Yeah, I could see how that would be hard; it looks like it’s coming from one place, but it’s really not, and being able to identify that with thousands and thousands of transactions you’re reviewing. So what did the company end up losing?

 

Craig Jeffery  06:36

The attempts were for more than $5 million, and there were many, many dozens of attempts. The loss was less than a million. They lost less than a million, less than half a million, in actual funds that went out the door. It was a significant loss, but compared to everything that came through, it was, you know, fairly small.

 

Jonathan Jeffery  06:57

It seems like we see that a lot, where the original attempt is much larger than what actually makes it out, like the Bangladesh case study that we covered. A lot of it was blocked. A lot of it was blocked here as well. So that’s one step that’s done pretty well.

 

Craig Jeffery  07:09

Yeah, and you can see, and we can only assume what their thinking was, but they would put certain charges through very small so that they wouldn’t raise a red flag in someone’s mind. Here’s a large amount, to see if it would get stopped. They would say, if we blocked, you know, three or four in a row, they would not use that for a while. They would wait and then try it again later. So they would recognize that, you know, these debits would get blocked. You know, after about three or four, they would just wait, and then maybe a month or two months later they would try it again.

 

Jonathan Jeffery  07:38

So looking back on this, what actions need to be taken, not only for this company, but for listeners’ companies?

 

Craig Jeffery  07:45

Well, one of the things they did, and something that certainly could be done, is for the inbound payments, they added a UPIC, which is a one-way account number: if the originator sends a donation in, it goes to that account. That account is not something that can be debited. It’s set up for the clearinghouse, and so you can share that information publicly. That account, you know, stuff comes in, and then if you have a problem with the underlying account because there’s fraud, you can redirect where the UPIC settles to a different account, or a different bank and account number, so that you’re not disrupting those that are making payments to you, whether they’re donors or customers. So they did that so that it was, here’s an account that can’t be debited. It can only receive funds. So that helped them protect it. They also opened up new accounts to isolate certain types of activity. And this is something that can be done for fraud purposes. It can also be done as part of the overall concentration structure design and strategy for an organization, to say we’re going to have these types of accounts for collection activity, receiving funds, these types of accounts for disbursement, these for concentration or mobilization of cash, and we don’t allow other types of activity on concentration accounts. We don’t allow this type of activity on collection, or this type of activity on disbursement accounts, and that makes it easier to spot those distinctions. So that’s a fairly common process, originally designed for good control, cash movement, visibility and reconciliation, but it has a significant benefit, and many companies use that for a control feature. So I would summarize that in that your banking structure must support good cash management, both in terms of cash concentration and controls. That’s a fundamental recommendation for everybody, wherever you are.
Second is employee training and testing on payment security is essential, because when fraud items come through, there’s that initial, this is just like so many other reconciling items. You have to find out who did it. It takes 5, 10 days, and then you’ve lost funds. But employee training will help to protect data, protect the activity and account. It’ll enforce things like treasury proof, to make sure you’re validating everything, every single day. People that are involved in payments, people in treasury and AP, and if you’re in an IT and a security group, you should understand the different pages or options in the criminal playbook: how they seek to get data, remove data, remove funds. They’re trying to get to value, they’re trying to remove funds, remove data that they can sell, and so understand the different options they have and their different techniques. And the last one is related to the banking structure: that we want to closely monitor accounts and reject any fraudulent items as quickly as possible, for any amount, not just say anything over a certain amount receives attention, but anything that’s anomalous, anything that’s fraudulent, needs to be captured immediately and blocked, and then you take whatever additional steps are necessary, usually contacting your banks too, for them to place an additional alert on the account. But those are some of the key areas: how you structure accounts, the security features you put in place from the bank, how your team is trained, how they monitor the accounts, and, you know, understanding the attack methods.

 

Jonathan Jeffery  11:12

These episodes are interesting, to hear some of the stuff that’s gone wrong with companies and how you can just be aware of what’s happening out there.

 

Craig Jeffery  11:21

Yeah, it is. And sometimes, you know, you see this increase in fraud attacks and attempts that surpasses what we’ve seen prior to that in different companies. I always find that a little bit surprising. It’s like, okay, they’ve gotten a little more sophisticated. They either try to remove security layers, you know, or they find, in this case, you know, finding codes to get around the security features that exist. That is becoming a larger part of the criminal playbook: how I get past the security features or remove security features.

 

Announcer  11:58

You’ve reached the end of another episode of the Treasury Update Podcast. Be sure to follow Strategic Treasurer on LinkedIn. Just search for Strategic Treasurer. This podcast is provided for informational purposes only, and statements made by Strategic Treasurer LLC on this podcast are not intended as legal, business, consulting, or tax advice. For more information, visit and bookmark StrategicTreasurer.com.
