Don’t let this happen to you!

Unfortunately, we hear about the fraud that our clients and others experience. We thought we’d share some stories about what’s happened and how it might have been prevented to help you plan. We’re here to look at your situation and help determine measures to help prevent losses.

You balance the account! No, you do it!

Two sister companies that are clients of ours shared a health care reimbursement account. Each thought the other entity was reconciling the account when, in fact, for more than six months neither was. When the companies reconciled the account, they discovered that an employee had used the bank information on a reimbursement check to pay personal bills via ACH out of the company account. Not only that, the employee shared the information with friends who did the same. We were able to recover some of the lost dollars, but because of the long time frame, the client incurred a loss on many of the transactions that had occurred.

What should I do?

Best practices call for accounts to be reconciled at least monthly. With sharing an account, the companies should determine who is responsible for reconciling, and how contacts from each entity will communicate with one another. Adding ACH Positive Pay provides an extra layer of protection. ACH Positive Pay permits only authorized vendors from debiting your bank accounts with an ACH. When a non-authorized vendor attempts an ACH debit from your account, we send an alert (email and/or text message) to you and your authorized users so you can authorize the transaction. With ACH Positive Pay, you can also set dollar limits per vendor for future transactions.

The check is in the mail—sort of

One of our clients mailed 66 checks to pay vendors. Two weeks later, one of the vendors contacted the company looking for a missing payment. Our client investigated and found that someone had changed the payee names on six of the checks and cashed them. In a single day, those altered checks resulted in nearly $10,000 in losses.

What should I do?

With Positive Pay, you use Business Online to send us a file of checks for disbursement. As checks come in, we match them to your list and notify you if any information doesn’t match, so you can make a pay or return decision for each check that contains an exception. We match on check number and dollar amount. In addition, we can also match by payee name, which would have caught this fraud before the losses happened.

Wire the money—stat!

A client’s controller received an email from someone impersonating the CEO of her company, requesting that she wire $9,000 to a vendor so that equipment could be shipped. The wire was properly authorized and approved. Four hours later, the controller found out that the request was fraudulent and contacted us. Luckily our persistent Client Protection Services team was able to recover the funds within two business days, but that’s not always the case.

What should I do?

This example of Business Email Compromise—or BEC—is typical of this type of fraud and illustrates that email isn’t secure. We encourage verifying that any email request to wire money is legitimate before money is released. While we try, we can’t guarantee that we can recover the money after a wire is sent.

I’m calling from the bank and I want to help. Not.

While signing on to Business Online, a client received multiple error messages, with instructions to try back later. After several attempts, a fraudster called our client, claiming to be Bank Tech Support. The fraudster convinced the client, and a second client, to share their login information, including PIN/password and token code. Armed with credentials from the two clients (fulfilling dual control requirements) the fraudster was able to initiate a wire transfer.

What should I do?

This type of fraud is called account takeover, because the fraudster is able to gather enough information to take over an account and access money and more personal information. Fraudsters are clever and good at creating a sense of urgency that can convince you to reveal information that provides access to your account. Anyone at your company with responsibility for account access needs to know that the bank will NEVER ask for user IDs, passwords, PINs or other credentials via phone, email or text. When this happens, disconnect and call us.