Shouldn’t check fraud be a thing of the past? As someone who follows all the latest trends in cybercrime and security protections, I’m left scratching my head whenever I hear about a company losing a large sum of money due to check fraud. But I’m just a journalist.
When perhaps the top check fraud expert in the world says that he’s surprised that it’s still a major problem, there has to be a disconnect somewhere.
Still a major threat
During a keynote speech at the MRC Vegas conference last spring, Frank Abagnale, the reformed check forger whose life story was the basis of the popular Leonardo DiCaprio film, “Catch Me if You Can”, said bluntly that he thought that check fraud would be “done” by now. Instead, it simply won’t go away. No one knows more about check fraud than Abagnale, who now works as a security consultant for the federal government and Fortune 100 companies. So if he says it’s still a problem, then it’s a problem.
Indeed, the 2017 AFP Payments Fraud and Control Survey revealed that 75 percent of organizations experienced actual or attempted check fraud in 2016, an increase from 71 percent in 2015. AFP had been observing a declining trend in check fraud since 2010—but that all changed last year.
This is a major concern, considering that the 2016 AFP Electronic Payments Survey revealed that check payments increased by 1 percentage point for business-to-business (B2B) transactions. Again, this was an important trend reversal. “While 1 percentage point might not sound like a lot, you have to understand that we’ve observed check use to be declining since 2004, back when it was at 81 percent,” noted Magnus Carlsson, AFP’s manager of treasury and payments.
All of that sheds a light on why AFP decided to focus on checks in our latest Payments Guide. Checks might be antiquated, expensive and easily susceptible to fraud, but they’re also commonly used by many companies for B2B transactions. Therefore, corporate treasury departments need to know how these schemes are occurring, and what to do about them.
Forging a check
According to Abagnale, a skilled fraudster can create a check that looks completely legitimate in just 15 minutes. However, the most important part of the process involves social engineering, i.e., human error.
Using an airline as an example, Abagnale said a forger would first call the main number and ask to speak to someone in accounts receivable. “Accounts receivable answers, the forger says, ‘We’re getting ready to pay this invoice you sent us, but we’d prefer to wire you the funds. We just need your wiring instructions,’” he said. So the AR employee gives the bank name and the account number. After that, the forger calls the airline’s corporate communications department and requests the company’s annual report. Page three of that report contains the signatures of the chairman of the board, the CEO, the CFO, the treasurer and the controller. From there, the forger has everything they need to create a fake check.
“What I did 50 years ago is 4,000 times easier today,” he said.
Fortunately, there are many ways to thwart check fraud. Positive pay is the most prevalent; according to the 2017 AFP Payments Fraud and Control Survey, 74 percent of organizations and 82 percent of organizations with annual revenues over $1 billion use the protection.
Positive pay matches a list of issued checks from an organization with those presented for payment. If the bank finds any discrepancies, it sends them back to the issuer. “Positive pay, in my opinion, is probably the best technology in the world to prevent forgery,” Abagnale said.
But standard positive pay only matches the amount and the check number. For corporate treasury departments that make a lot of payments by check, it is absolutely critical to use payee positive pay, also known as payee name authentication (PNA). This technique verifies the payee name, amount and check number.
While some changes to the payee information are obvious—such as a criminal using Wite-Out and changing the payee name to their own—others are much more subtle. These more complex schemes, which tend to go after larger sums of money, begin with a fraudster opening an account under a name that is a slight variation of the company’s actual name, such that it may not be noticed by less sophisticated, more manual detection protocols, explained Bill Booth, former executive vice president of treasury management for a major bank.
From there, they’ll steal or create a check—through the mail, via a corrupt employee, etc.—and they’ll use that similar name on the payee line and cash the check. “It can be very, very subtle—a word might just be spelled wrong. And to the naked eye, it might not look like anything and the check will be cashed, and off it goes,” Booth said.
But if the company has set up payee positive pay, the bank’s system should be unable to match it against acceptable payees listed in its database and the check will be kicked out as an exception to review. “Payee positive pay might be more expensive at some banks, but it’s a very important protection,” Booth said.
Not going away
Check fraud is here for the long run. While treasury professionals should continue to prompt vendors and clients to move to safer and cheaper payment methods, they must take checks seriously. That means investing in the proper protections to thwart would-be fraudsters.
For more tips on stopping check fraud before it starts, download Not Going Anywhere: Why Checks Still Matter here.