Most fraud against businesses from bad checks, not electronic payments

Association for Financial Professionals survey notes online payment fraud attacks are common too

When it comes to financial fraud against businesses, it's old-fashioned paper checks that wreak more monetary damage than fraud committed through electronic payments, such as debit/credit, corporate cards, or Automated Clearinghouse (ACH) payments.

US Cyber Chief: We are fighting a "tide of criminality"

Stolen encryption key the source of compromised certificate problem, Symantec says

That's according to the survey published by the Association for Financial Professionals (AFP) this week in which about 500 businesses were asked how monetary fraud hit them in 2011. Eighty-five percent of the respondents said their organizations were impacted by fraudulent checks, while only 23% mentioned ACH debit, 20% mentioned corporate and commercial cards, 12% cited consumer debit/credit and 5% cited wire transfers.

"With 60% of respondents citing checks as the greatest source of fraud losses, checks also remain the most lucrative payment method target for criminals," the report, entitled the "AFP Payments Fraud and Control Survey" states.

David Bellinger, director of payments at Bethesda, Md.-based AFP, said business can be seen in contrast to consumers, who have shifted much of their payments away from checks to electronic methods. But for business, old-fashioned paper checks still account for greater than half of business-originating payments, he said.

"Criminals can get hold of information on the actual check and create a counterfeit check," Bellinger said, adding there's considerable interest among financial professionals to move beyond paper checks but it's been hard to shake a sense of dependence on the remittance information on it. No popular electronic means has yet overcome the check's dominance for business.

According to the survey, 62% of all fraud loss is via checks, and the typical annual fraud loss is $19,200, with criminals attacking larger organizations far more frequently than smaller ones and with a greater success rate.

"Larger companies have greater numbers of checks distributed and available for interception, and their brand names can mean that tellers, check cashers and other individuals may be less suspicious when negotiating checks from better-known organizations," the report says.

However, the good news is that organizations of all sizes, which have access to much of the same anti-fraud controls, are often successful in stopping fraud attempts in their tracks through fraud controls known as "positive pay" and daily reconciliations, the report says. Fraud occurs mainly when they don't follow their own guidelines for timely reviews. Organizations are pushing for 100% electronic payroll to avoid a main source of check-fraud problems, the report notes.

For all fraud types, paper and electronic, outside individuals seem to be the culprits most of the time. But organized crime rings — and even third-party outsourcers who were trusted -- were blamed about 16% of the time. Eleven percent is attributed to rogue insiders.

Online fraud still happens, though

Last year, 12% of the organizations in the survey, which hail from diverse industries including manufacturing, retail, transportation, high-tech and the energy sector, were subject to at least one online payment fraud attack.

This involved attackers compromising access credentials for computer systems. In the wake of these attacks, organizations often made changes to strength internal controls, sometimes setting up a dedicated PC for payment origination. Sometimes these businesses replaced proprietary bank connections with secure access through the SWIFT network.

"Just under half of organizations have changed their employee's access to their internal network and to bank-provided electronic service as a result of rising concerns over corporate account takeover fraud," the report says.

In additional to upgrading authentication procedures, 15% also said they took steps to remove employee access to social networking sites and 12% said they restricted company network access to company-issued computers. The 17% that were subject to at least one ACH fraud attempt last year did suffer a financial loss as a result.

When it comes to the corporate/commercial cards that employees commonly use to pay other businesses for goods and services, 38% of the fraud committed with them is committed by the organization's own employees. But "16% of the fraud was committed by a known third-party, such as a vendor, professional services provider or business trading partner," the report concludes.

While financial liability typically doesn't occur when an organization's own checks are used to perpetrate fraud, the same is not usually true in cases involving corporate/commercial cards, the report notes. A third of the organizations subject to that type of fraud last year suffered financial losses, as did the bank or financial institution that issued the card and the merchant where the card was used. Most of this was "employee-caused loss" because of insider fraud.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2012 IDG Communications, Inc.

IT Salary Survey: The results are in