The inherent and evolving risks in the banking environment—especially concerning online transactions—command that account holders keep abreast of threats to their accounts, understand their rights and responsibilities as account holders, and take appropriate security measures to protect themselves from fraudulent bank account activity. Are you prepared to help your clients or employer confront these daunting tasks? Take this quiz to find out.
1. A fraudster used a keylogger to steal the logon credentials and challenge-question answers of Sitting Duck Co. He then used this information to initiate fraudulent wire transfers from the company’s bank account. In which of the following ways might the company’s computer have fallen victim to keylogging?
a. A user of the target computer unwittingly visited an infected website or clicked on an infected banner advertisement.
b. A user of the target computer unwittingly opened an infected email attachment.
c. The fraudster, or an accomplice, plugged a keylogging hardware device into the target computer.
d. All of the above.
2. The Universal Payment Identification Code (UPIC) recently obtained by Some Co. from its bank can be used in which of the following ways?
a. By Some Co. to receive payments via wire transfer from customers without divulging its bank account information.
b. By Some Co. to receive Automated Clearing House (ACH) payments from customers without divulging its bank account information.
c. By Some Co.’s authorized suppliers to initiate direct debits against its bank account without knowing its bank account information.
d. All of the above.
3. Buford, the controller of Bait Taker Co., received an unexpected yet seemingly legitimate email from the company’s bank prompting him to renew his security token. Following the renewal instructions in the email, he clicked on an embedded link to log in to the company’s online banking site and renew the token. Buford should enter his logon credentials only under which of the following conditions?
a. The web address in his browser matches that of the bank.
b. The term “https” precedes the web address, indicating a secure web session.
c. A secure lock icon appears in the status bar at the bottom of the browser window.
d. None of the above.
4. Prudence was fired from Fake Corp. for insubordination. Angry and concerned about making ends meet, she altered her final paycheck, changing the amount to $5,547.30 from $547.30, and cashed it for the inflated amount through a teller at the company’s bank. The company’s failure to use high-security check stock, along with the teller’s inattention to the obvious, visible evidence of alteration, made it easy for Prudence to execute her scheme. Which of the following outcomes regarding liability for the loss under the Uniform Commercial Code (UCC) is most likely given the failure of both Fake Corp. and its bank to exercise ordinary care?
a. The bank is strictly liable for the entire loss.
b. The bank’s liability for the loss is limited to $500.
c. The bank will share liability with Fake Corp. for the loss based on comparative fault.
d. Fake Corp.’s liability for the loss is limited to $500.
5. In setting up her online access to Pigeon Inc.’s bank accounts, Petunia, the company’s controller, is being asked to select several challenge questions as an added layer of security. Which of the following is likely to be an effective challenge question?
a. What is your mother’s maiden name?
b. From what high school did you graduate?
c. What is your father’s middle name?
d. None of the above.
6. On Monday, a thief stole Ishmael’s debit card, which was linked to Ishmael’s personal checking account. The thief used the card to purchase $400 worth of electronics and $200 worth of groceries over the next several days. On Wednesday, Ishmael realized that his card had been stolen, but he failed to report the theft to his bank until Tuesday of the following week. Under Regulation E of the Electronic Fund Transfer Act (EFTA), what is Ishmael’s maximum liability for the fraudulent transactions?
a. $0
b. $50
c. $500
d. $600
7. Safe Corp. wants to enjoy the benefits of ACH debit transactions while mitigating the risk of fraudulent debits. Which of the following measures would be the LEAST effective in minimizing Safe Corp.’s ACH debit fraud risk?
a. Placing an ACH filter on its account to eliminate the possibility of automatic transactions.
b. Creating an authorized-user list and rejecting ACH debit requests received from parties not on the list.
c. Performing monthly account reconciliations of ACH debits.
d. Using one-time authorizations so that every transaction must be authorized before it is processed.
8. Pretend Co.’s bank account was taken over after its controller was duped by a phishing email that appeared to be from the company’s bank. Through the phishing scheme, cybercriminals obtained the controller’s logon credentials for online banking and the random number from his security token and then used this information to initiate 40 wire transfers, totaling $1 million, to co-conspirators in six countries. Which of the following statements regarding these fraudulent wire transfers is true?
a. The wire transfers would likely be easier to recover than would fraudulent ACH transactions.
b. Pretend Co. can be held liable for any resulting loss even though it did not authorize the transfers.
c. Pretend Co. can escape liability for any resulting loss by reporting the fraudulent wire transfers to its bank within two banking days of their occurrence.
d. The wire transfers are processed through a clearinghouse.
9. To protect against check fraud, Any Co. uses Some Bank’s positive-pay service. Yet, a fraudulent check cleared Any Co.’s account. Possible explanations for this situation include all of the following EXCEPT:
a. Some Bank presented the check to Any Co. as an exception item but then was instructed by Any Co.’s authorized representative to clear it.
b. The positive-pay service used by Any Co. does not include payee validation, and the fraudulent check was an altered one on which only the payee had been changed.
c. Any Co. failed to enhance its positive-pay service with reverse positive pay.
d. The positive-pay service used by Any Co. does not include teller-line protection, and the check was cashed through a teller at Some Bank.
10. Skeptic Co. incurred a $10,000 loss after cyberthieves stole its logon credentials for online banking and used them to send a fraudulent wire transfer. The company blames the loss on its bank’s inadequate security measures and seeks to move its accounts to a more secure bank immediately. In evaluating different banks, Skeptic Co. should keep in mind that it will gain the MOST protection from online banking fraud through which of the following bank security measures?
a. Out-of-band verification.
b. Layered security programs.
c. Transaction-value thresholds.
d. Dual-customer authorization.
Answers
1. (d) Keylogging can be accomplished through a variety of means. One method involves plugging a keylogging hardware device directly into the target computer to capture data. Of course, this requires the fraudster, or an accomplice, to have physical access to the target computer. Other options involve installing keylogging malware on a target computer when its user unwittingly visits an infected website, clicks on an infected banner advertisement, opens an infected email attachment, or downloads an infected program. To help guard against keyloggers (and other malware), companies that use online banking services can implement several security measures, including providing antifraud training to employees, installing up-to-date anti-malware software, using multilayered security controls, and setting up a computer dedicated to online banking (e.g., never used for reading email or surfing anywhere else on the web).
2. (b) A UPIC is a unique identifier an organization can use to receive electronic ACH credits without divulging its bank account information. (Wire transfers cannot be received using a UPIC.) UPICs are convenient in that they can be used with any cash management or accounts payable systems. Additionally, they are portable and stay with an organization even if its banking relationship or account structure changes. More important, because a UPIC cannot be used to electronically debit an account (via ACH or wire transfer) or to create a check or demand draft, its use reduces the organization’s exposure to unauthorized payments.
3. (d) Buford should not have clicked on the embedded link in the first place, let alone enter his logon credentials into the purported bank website, lest he fall victim to a phishing attack. This is true regardless of how legitimate the email appears. In a phishing attack, a phisher sends out fraudulent emails, which usually contain embedded links or attachments, in an attempt to collect confidential information or to load malware onto end users’ computers. Some of the more sophisticated attacks don’t appear “phishy” at all; rather, the sender, content, and attachments—along with any embedded links and their corresponding websites—all appear bona fide and frequently claim to be from commercial financial institutions, the Federal Reserve Bank, the IRS, or another well-known organization. For this reason, Buford should access Bait Taker Co.’s online banking only by typing the bank’s web address directly into his browser. Also, because the email was unexpected, he might consider contacting the bank about it.
4. (c) Under the UCC, because both Fake Corp. and its bank failed to exercise ordinary care, the loss can be allocated based on the extent to which each party’s failure contributed to the loss. Section 406 of Article 3 of the UCC states, “A person whose failure to exercise ordinary care substantially contributes to an alteration of an instrument ... is precluded from asserting the alteration ... against a person who, in good faith, pays the instrument. ... ” However, under Section 406, “if the person asserting the preclusion fails to exercise ordinary care in paying ... the instrument and that failure substantially contributes to the loss, the loss is allocated between the person precluded and the person asserting the preclusion according to the extent to which the failure of each to exercise ordinary care contributed to the loss.” Account holders can reduce their chances of being held liable for check fraud losses for failing to exercise ordinary care by:
- Using positive pay (with payee validation and teller-line protection) or reverse positive pay, and ACH positive pay.
- Placing ACH filters or blocks on accounts as appropriate.
- Placing accounts for which no check activity is authorized into “no check activity” status.
- Using high-security check stock.
- Reconciling bank accounts promptly.
- Immediately notifying the bank in the event payment has been made using a counterfeit or forged check.
- Encouraging employees to sign up for direct deposit of their paychecks.
5. (d) Challenge questions can provide an added layer of protection against online banking fraud for both business and consumer accounts; however, to be effective, they should be sophisticated questions whose answers aren’t easily uncovered by a fraudster. Challenge questions such as “What is your mother’s maiden name?,” “From what high school did you graduate?,” and “What is your father’s middle name?” have answers that might readily be ascertained via an internet search engine or a visit to a few social networking websites. If Petunia has the option of writing her own challenge questions, she should do so, creating questions for which the answers are ones that she can easily remember yet would be difficult for others to uncover, such as “What is your favorite constellation?” If Petunia is not given the option of selecting her own challenge questions, she could provide nonsense or crafty answers to the questions provided to increase their security effectiveness. For example, for the answer to “What is your favorite color?,” Petunia could select “Dinosaur,” “green*green,” “forest green,” or “green0845.” However, Petunia should only use nonsense or crafty answers if she is confident in her ability to remember them.
6. (c) Under Regulation E, which governs electronic funds transfers (EFTs), Ishmael’s maximum liability for the fraudulent transactions is $500. Had he notified his bank of the theft of his debit card within two business days after learning of it, his liability would have been limited to $50. Regulation E, issued by the Board of Governors of the Federal Reserve System, aims to protect consumers (not businesses) who engage in EFTs such as point-of-sale and automated-teller-machine transfers, direct deposits or withdrawals, telephone transfers, and transfers initiated through debit card transactions. Section 205.6 of the regulation states that a consumer’s liability for unauthorized EFTs is determined as follows:
- If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device (e.g., a debit card), his or her liability is limited to the lesser of $50 or the amount of unauthorized transfers that occurred before he or she gave notice.
- If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, his or her liability is limited to the lesser of $500 or the sum of: (1) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less; and (2) the amount of unauthorized transfers that occur after the close of two business days and before notice to the institution (provided the institution establishes that these transfers would not have occurred had the consumer notified it within the two-day period).
- A consumer must report an unauthorized EFT that appears on a periodic statement within 60 days of the financial institution’s transmittal of the statement to avoid liability for subsequent transfers. If he or she fails to do so, he or she can be held liable for up to the amount of the transfers that occur after the close of the 60 days and before notice to the institution (and that the institution establishes would not have occurred had he notified it within the 60-day period). When an access device is involved in the unauthorized transfer, he or she may also be liable for other amounts, as mentioned in the previous two bullet points.
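The two access-device tiers above are a small decision procedure, and it is easy to misread which transfers fall into which bucket. The following calculator is an added example written for this article, not code from the authors or the ACFE. It implements the $50 and $500 tiers exactly as quoted, with three assumptions: business days are Monday through Friday with no holidays; the transfers counted in tier (2) are taken to be ones the institution could establish would not have occurred with timely notice; and the separate 60-day periodic-statement rule is not modelled. The dates and amounts are constructed to mirror Ishmael’s situation (theft learned of on a Wednesday, notice the following Tuesday).

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Transfer:
    """One unauthorized debit-card transfer (whole dollars, constructed data)."""
    when: date
    amount: int


def add_business_days(start: date, n: int) -> date:
    """Date that is n business days after start.
    Assumption: business days are Monday-Friday; bank holidays are ignored."""
    d = start
    counted = 0
    while counted < n:
        d += timedelta(days=1)
        if d.weekday() < 5:
            counted += 1
    return d


def reg_e_liability(learned_on: date, notified_on: date, transfers) -> int:
    """Consumer liability for unauthorized transfers made with a lost or stolen
    access device, following the two tiers of Section 205.6 quoted above.
    Tier 1: notice within two business days of learning of the theft.
    Tier 2: notice later than that. The 60-day statement rule is not modelled."""
    window_close = add_business_days(learned_on, 2)

    if notified_on <= window_close:
        # Tier 1: lesser of $50 or the transfers that occurred before notice.
        before_notice = sum(t.amount for t in transfers if t.when < notified_on)
        return min(50, before_notice)

    # Tier 2: lesser of $500 or (1) + (2), where
    #   (1) = lesser of $50 or the transfers within the two business days, and
    #   (2) = transfers after the window closed and before notice was given
    #         (assumed here to be transfers the bank shows timely notice would
    #         have prevented).
    within_window = sum(t.amount for t in transfers if t.when <= window_close)
    after_window = sum(
        t.amount for t in transfers if window_close < t.when < notified_on
    )
    return min(500, min(50, within_window) + after_window)


# Constructed scenario: Ishmael learns of the theft on Wednesday 2012-02-08,
# so the two-business-day window closes at the end of Friday 2012-02-10.
LEARNED = date(2012, 2, 8)


def prompt_notice() -> int:
    """$400 spent before Ishmael learns of the theft; he notifies the bank on Thursday."""
    transfers = [Transfer(date(2012, 2, 7), 400), Transfer(date(2012, 2, 10), 200)]
    return reg_e_liability(LEARNED, date(2012, 2, 9), transfers)


def late_notice_all_after_window() -> int:
    """Both purchases happen on Monday 2012-02-13; notice comes on Tuesday 2012-02-14."""
    transfers = [Transfer(date(2012, 2, 13), 400), Transfer(date(2012, 2, 13), 200)]
    return reg_e_liability(LEARNED, date(2012, 2, 14), transfers)


def late_notice_split() -> int:
    """$400 before the window closes, $200 after it; notice on 2012-02-14."""
    transfers = [Transfer(date(2012, 2, 7), 400), Transfer(date(2012, 2, 13), 200)]
    return reg_e_liability(LEARNED, date(2012, 2, 14), transfers)


if __name__ == "__main__":
    print("prompt notice:", prompt_notice())                                 # 50
    print("late notice, all after window:", late_notice_all_after_window())  # 500
    print("late notice, split:", late_notice_split())                        # 250
```

The three scenarios show why the timing of the thief’s purchases matters as much as the timing of the report: with prompt notice the consumer owes at most $50 no matter how much was spent, while late notice exposes the consumer to everything spent after the window closes, up to the $500 ceiling the answer refers to.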
7. (c) Of the choices provided, monthly account reconciliations of ACH debits would be the least effective in minimizing Safe Corp.’s ACH debit fraud risk. Under National Automated Clearing House Association (NACHA) Operating Rules, which govern the exchange of ACH payments, a corporate customer must notify its bank within two banking days of an unauthorized, or fraudulent, ACH transaction or risk being liable for the loss. Therefore, Safe Corp. could more effectively mitigate its risk by reconciling ACH debits daily, in addition to using an ACH filter and an authorized-user list or one-time authorizations. The following are further steps Safe Corp. could take to protect against ACH debit fraud:
- Use ACH positive pay.
- Maintain a separate account for ACH debit transactions, particularly a clearing account that is funded just before an ACH debit will occur.
- Place an ACH block—to automatically reject all ACH transactions—on any account for which ACH activity is unlikely to be used.
8. (b) Under the UCC, Pretend Co. can be held liable for the fraudulent wire transfers even though it did not authorize them. According to Section 202 of Article 4A of the UCC, a payment order accepted in good faith and in compliance with both a commercially reasonable security procedure and the customer’s instructions is “effective as the order of the customer, whether or not authorized.” And if the order is “effective,” the customer can bear the loss associated with the transfer. For the best chance of recovering its funds, Pretend Co. should report the fraudulent wire transfers to its bank immediately; however, doing so does not relieve the company of liability for any resulting loss. Unlike with fraudulent ACH transactions, businesses do not have a reporting window in which they can avoid liability for fraudulent wire transfers. Also, unlike ACH transactions—which are processed through a clearinghouse and usually have a two-day settlement period—wire transfers can move funds directly from one account to another within a few minutes, making their recovery more difficult. Finally, although banks are required, under the UCC, to attempt to recover stolen funds, they are not always successful—particularly when the funds have been transferred to a foreign country uncooperative with U.S. banks and the FDIC.
9. (c) Many U.S. banks offer positive pay, which is an electronic check-matching service designed to protect companies and banks against fraudulent checks. In a standard positive-pay service, as a company issues checks, it provides its bank with an issued-check file containing details about those checks, such as the account number, issue date, dollar amount, and serial number. Then, each day, the bank verifies this information as checks are presented for payment, marking any discrepancies as exceptions for the company to review and decide whether they should be paid or returned. Payee verification and teller-line protection are enhancements to positive pay offered by many—but not all—banks. Without these enhancements, Any Co. would not be adequately protected against altered payee schemes or fraudulent checks cashed through a teller at its bank. Reverse positive pay is similar to positive pay but designed for companies with a small check volume that are unwilling or unable to transmit issued-check files to their bank. In reverse positive pay, the bank provides details of checks presented to the company’s account. The company then reviews the checks presented for payment against its check-issuance data to determine whether they should be paid or returned. Because reverse positive pay is not an enhancement to positive pay, but rather a lower-cost alternative, Any Co. would not use both services for the same account.
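The matching logic behind positive pay is simple enough to write down, and doing so makes the two gaps in explanations (b) and (d) concrete. The code below is an added example for this article, not a bank’s or the authors’ implementation. It matches presented checks against an issued-check file on serial number and amount, adds payee validation as an optional check, and models teller-line protection as whether items cashed at the counter are screened at all. The issued-check file and the presented items are constructed sample data; the field names and the “clearing”/“teller” channel labels are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    serial: int
    amount: int   # whole dollars
    payee: str


@dataclass(frozen=True)
class Presented:
    """A check presented against the account, via the clearing process or a teller."""
    check: Check
    channel: str  # "clearing" or "teller" (assumed labels)


def positive_pay(issued, presented, payee_validation=False, teller_line=False):
    """Match presented checks against the issued-check file.
    Returns (presented_item, reason) pairs for every exception the bank would
    hand back to the company for a pay-or-return decision.
    payee_validation=False and teller_line=False model a basic service without
    the two enhancements the answer names."""
    issued_by_serial = {c.serial: c for c in issued}
    exceptions = []
    for item in presented:
        if item.channel == "teller" and not teller_line:
            # Without teller-line protection the match is never run for items
            # cashed at the counter, so nothing can be flagged here.
            continue
        original = issued_by_serial.get(item.check.serial)
        if original is None:
            exceptions.append((item, "serial not in issued-check file"))
        elif original.amount != item.check.amount:
            exceptions.append((item, "amount mismatch"))
        elif payee_validation and original.payee != item.check.payee:
            exceptions.append((item, "payee mismatch"))
    return exceptions


# Constructed issued-check file for Any Co.
ISSUED = [
    Check(1001, 500, "Acme Supply Co."),
    Check(1002, 1200, "Beta Services LLC"),
]

# Constructed items presented against the account:
#  - 1001 with only the payee line altered (serial and amount untouched)
#  - 1002 exactly as issued
#  - 1003 a counterfeit check cashed at the teller window
PRESENTED = [
    Presented(Check(1001, 500, "J. Smith"), "clearing"),
    Presented(Check(1002, 1200, "Beta Services LLC"), "clearing"),
    Presented(Check(1003, 999, "J. Smith"), "teller"),
]


def exception_reasons(payee_validation: bool, teller_line: bool):
    """Reasons flagged for PRESENTED under a given service configuration."""
    return [reason for _, reason in
            positive_pay(ISSUED, PRESENTED, payee_validation, teller_line)]


if __name__ == "__main__":
    print("basic positive pay:", exception_reasons(False, False))   # []
    print("with both enhancements:", exception_reasons(True, True))
    # ['payee mismatch', 'serial not in issued-check file']
```

With the basic service, both fraudulent items pay without an exception: the altered-payee check matches on serial and amount, and the counterfeit never reaches the match because it was cashed at a teller. Turning on payee validation catches the first; turning on teller-line protection catches the second. Reverse positive pay does not appear as a switch here because, as the answer explains, it is an alternative workflow in which the company does the matching, not an enhancement that stacks on top.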
10. (b) Because no one control is likely to provide absolute protection from online banking fraud, Skeptic Co. should keep in mind that it will gain the most protection through a layered security program. In a layered security program, different controls are used at different points in the transaction process to reinforce, enhance, or compensate for other controls. The Federal Financial Institutions Examination Council, in its Supplement to Authentication in an Internet Banking Environment, offers the following controls as part of a layered security program:
- Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;
- The use of dual-customer authorization through different access devices;
- The use of out-of-band verification for transactions;
- The use of positive pay, debit blocks, and other techniques to appropriately limit the transactional use of the account;
- Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows (e.g., days and times);
- Internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities;
- Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud;
- Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels; and
- Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.
Scoring
If you answered 10 questions correctly, congratulations. Your solid knowledge about fraudulent banking transactions will assist you in protecting the accounts of your clients or employer. Keep up the good work. If you answered eight or nine questions correctly, you’re on the right track. Continue to build on your antifraud knowledge. If you answered fewer than eight questions correctly, consider strengthening your understanding of fraudulent bank activity to help ensure that you have what it takes to battle criminals determined to drain the accounts of their targets.
Dawn Taylor (dawn@dawntaylorcpa.com) develops educational materials for the Association of Certified Fraud Examiners, where Andi McNeal (amcneal@acfe.com) is director of research.
To comment on this article or to suggest an idea for another article, contact Jeff Drew, senior editor, at jdrew@aicpa.org or 919-402-4056.
AICPA RESOURCES
JofA articles
- “What CPAs Need to Know About Organized Crime,” April 2012, page 38
- “What’s Your Fraud IQ?” Feb. 2012, page 36
- “What’s Your Fraud IQ?” Nov. 2011, page 42
- “Ferret Out Fraud,” Aug. 2011, page 20
- “What’s Your Fraud IQ?” Aug. 2011, page 32
Letter from the SEC
See “More on auditors’ reporting duties to the SEC,” in Letters, for comments from SEC officials regarding a question about the Foreign Corrupt Practices Act that appeared in the February 2012 version of “What’s Your Fraud IQ?” (page 36).