LAS VEGAS -- If anyone knows a thing or two about payments fraud, it’s Frank Abagnale, the reformed check forger whose life story was the basis for the popular Leonardo DiCaprio film, “Catch Me if You Can”. While Abagnale’s criminal specialty was check fraud, in recent years he has become quite the expert in more advanced fraud methods.
Abagnale works as a security consultant for the federal government and Fortune 100 companies, training people on how to identify fraud schemes. The federal government is a particularly easy target, he explained. For example, at the end of last year, Medicare and Medicaid had paid out more than $100 billion in fraudulent claims. He noted that the losses he used to work on totaled millions of dollars. “I only work in the billions now,” said Abagnale, who was speaking at the MRC Vegas conference. “The dollar amounts that are stolen just from the federal government alone are absolutely amazing, and those losses continue to rise. Who’s the easiest person to rob? The federal government.”
The majority of that money, he said, is stolen by criminals in Russia, India, China and other regions where U.S. authorities have no jurisdiction. That money then ends up “coming back” to the U.S. in the form of drug and human trafficking, child pornography and other insidious crimes. Abagnale is adamant, however, that it doesn’t have to be this way. “It’s amazing that we allow billions of dollars to leave the country when we have the technology to prevent it,” he said.
Abagnale noted that today’s cyber breaches are typically much worse than initially reported. He brought up the 2015 breach of the Office of Personnel Management (OPM), in which it was originally believed that more than 1 million federal employees’ identities had been stolen. In reality, it was 21.5 million. Furthermore, the OPM initially said that 1.1 million fingerprints had been compromised; it turned out to be 10.2 million.
Abagnale also touched on a 2012 incident in which 3.8 million tax returns were stolen after criminals broke into the South Carolina Department of Revenue by sending phishing emails to department employees. They stole the entire return, so they obtained not only the Social Security numbers of the taxpayers, but also those of spouses and dependents. The hackers also obtained payment information such as credit card numbers and check images. When that incident occurred, the Department of Revenue said that it had done “absolutely” nothing wrong. Abagnale stressed that was impossible. “Every breach occurs because someone did something they weren’t supposed to do,” he said. “Hackers don’t cause breaches. People do.”
Fans of the current TV series “Mr. Robot” may recall an episode in which hackers break into a police precinct’s computer systems by simply walking through the parking lot and dropping flash drives all over the place. Eventually a police officer picks up one of the drives and plugs it into his work computer, enabling the hack. Abagnale has actually run this exercise to test security practices at a number of businesses, and it has worked every time. “I have yet to be at a company—and they’re all Fortune 100 companies—where someone didn’t look at it,” he said.
This of course relates to business email compromise (BEC) scams, in which an employee receives an email that appears to come from an executive requesting a payment or transfer, and which have become the bane of treasury and finance professionals’ existence. These scams, Abagnale stressed, can be thwarted if the employee visits the executive’s office, or calls, and asks whether the request is legitimate. Often, however, employees do not. It’s especially important to train employees to recognize phishing emails, because these scams typically begin with a phishing email. “Ninety percent of all attacks start with phishing,” he said. “[Criminals] are not looking for a challenge; they’re looking for an opportunity.”
Despite the proliferation of much more advanced fraud methods, check fraud is still a big problem for businesses. Abagnale said he thought he’d be done with this by now, but it won’t go away. In fact, many companies are going back to paying by check, which is something AFP saw in its latest Electronic Payments Survey.
The best way to thwart check fraud, Abagnale emphasized, is to use positive pay, in which the company sends its bank a file of the checks it has issued and the bank refuses to pay any check presented to it that does not match that file. “Positive pay, in my opinion, is probably the best technology in the world to prevent forgery,” he said. “There’s no excuse today not to have a secure check.”
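To make the positive pay control concrete, here is an added example of the matching a bank performs; it is not code from the article, from Abagnale, or from any bank’s actual system, and the record layout, field names and sample checks are all constructed assumptions. It goes slightly beyond the paragraph above by also comparing the payee name (so-called payee positive pay) and by flagging a check number that is presented twice, since those are the two forms of the control a practitioner will actually be offered.

```python
"""Positive pay matching (added illustration; constructed data).

The company sends its bank an issue file listing every check it has
written. When a check is presented for payment, the bank compares it to
that file and treats anything that does not match as an exception to be
returned unless the company explicitly approves it.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: str          # check serial number printed on the item
    amount: Decimal      # use Decimal, never float, for money
    payee: str           # name on the "pay to the order of" line


# Exception codes (assumed names for this example).
NOT_ISSUED = "NOT_ISSUED"            # number not in the issue file: counterfeit
AMOUNT_MISMATCH = "AMOUNT_MISMATCH"  # amount altered after issue
PAYEE_MISMATCH = "PAYEE_MISMATCH"    # payee altered after issue
DUPLICATE = "DUPLICATE"              # same number presented or paid before


def normalize_payee(name: str) -> str:
    """Case-fold and drop punctuation/extra whitespace so that
    'Acme Office Supply, Inc.' matches 'ACME OFFICE SUPPLY INC'
    without generating a false exception (assumed normalisation)."""
    kept = "".join(ch for ch in name.upper() if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())


def positive_pay(issued, presented, already_paid=frozenset()):
    """Return (items_to_pay, exceptions).

    issued:       checks in the company's issue file
    presented:    items the bank received for payment today
    already_paid: check numbers paid on earlier days
    """
    issue_file = {c.number: c for c in issued}
    seen_today = set()
    to_pay, exceptions = [], []

    for item in presented:
        code = None
        if item.number in already_paid or item.number in seen_today:
            code = DUPLICATE
        elif item.number not in issue_file:
            code = NOT_ISSUED
        else:
            expected = issue_file[item.number]
            if item.amount != expected.amount:
                code = AMOUNT_MISMATCH
            elif normalize_payee(item.payee) != normalize_payee(expected.payee):
                code = PAYEE_MISMATCH
        seen_today.add(item.number)
        (exceptions.append((item, code)) if code else to_pay.append(item))

    return to_pay, exceptions


def run_sample():
    """Constructed sample: three issued checks, six presented items."""
    issued = [
        Check("1001", Decimal("450.00"), "Acme Office Supply Inc"),
        Check("1002", Decimal("1250.00"), "Skyline Air Freight"),
        Check("1003", Decimal("9800.00"), "Northwind Consulting LLC"),
    ]
    presented = [
        Check("1001", Decimal("450.00"), "ACME OFFICE SUPPLY, INC."),  # genuine
        Check("1002", Decimal("12500.00"), "Skyline Air Freight"),      # amount altered
        Check("1003", Decimal("9800.00"), "Ron Winslow"),               # payee altered
        Check("1004", Decimal("7300.00"), "Cash"),                      # counterfeit
        Check("1001", Decimal("450.00"), "Acme Office Supply Inc"),     # presented twice
        Check("0999", Decimal("100.00"), "Old Vendor"),                 # paid last week
    ]
    return positive_pay(issued, presented, already_paid=frozenset({"0999"}))


if __name__ == "__main__":
    pay, exc = run_sample()
    print("pay:", [c.number for c in pay])
    for item, code in exc:
        print(f"exception {code}: #{item.number} {item.amount} to {item.payee!r}")
```

The counterfeit in Abagnale’s airline scenario, drawn on the real account number with a serial the company never issued, lands in the NOT_ISSUED bucket no matter how convincing the paper and signatures are. Two caveats a practitioner should keep in mind: the control only works if the issue file reaches the bank before the checks clear, and every exception still needs a human pay-or-return decision within the bank’s cutoff, so the exception report must actually be read each day.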
Abagnale showed attendees how a forger can create a check that looks completely legitimate in just 15 minutes. The most important part of the process, however, is not the printing but the social engineering that exploits human error.
Using an airline as an example, Abagnale said a forger would first call the main number and ask to speak to someone in accounts receivable. “Accounts receivable answers, the forger says, ‘We’re getting ready to pay this invoice you sent us but we’d prefer to wire you the funds. We just need your wiring instructions,’” he said. So the AR employee gives out the bank name and the account number. After that, the forger calls the airline’s corporate communications department and requests the company’s annual report. Page three of that report contains the signatures of the chairman of the board, the CEO, the CFO, the treasurer and the controller. With the account number and the signatures, the forger has everything needed to create a fake check.
Added Abagnale: “What I did 50 years ago is 4,000 times easier today.”