Preventing Electronic Funds Transfer (EFT) Fraud

As the treasurer of the association, I often get emails regarding approval to transfer funds to pay the invoices, etc. We have a system that ensures that the requests are vetted before it is sent and approved and only a few staff handle the transactions. In November 2017, I was at a conference in India, when I received an email request to transfer funds from none other than our president at the time, Melissa Martin. Initially, I was surprised since it is unusual to get such a request, hence I tried to contact our president for more clarification, the reply to which was further disturbing. Meanwhile, since we both were at the same conference, I called her to verify the request which was untrue (read the email conversation here). So, I wanted to discuss this new type of email phishing fraud and share with you what AAPM is doing to avoid such frauds. I would also like to warn many of you who are involved with various committee tasks not to get tempted by such requests which appear very realistic.

When AAPM was first founded in 1958, one of the greatest banking threats was that a member or staff might be robbed when making a bank deposit. Through the years, as time has evolved and more of the Association's banking has become electronic, the risk has changed.

In the late 1980s, online banking started to gain traction throughout the country. Online banking has opened a new world of ease and comfort. The ability to receive funds, pay bills, review transactions, transfer funds and perform many other banking duties has all but eliminated the need to visit the local branch. However, these enhancements have also come at a price. The potential for cyber-crimes, chief among them fraudulent electronic funds transfers (EFT), has increased. On a personal basis, this is often done by attaching a skimming device to an ATM machine or gas station pump and stealing one's debit or credit card information. The thief will subsequently sell or use this information to execute fraudulent transactions. Often, the risk associated with fraudulent EFT is much greater. If a hacker can access one's account, they can easily divert funds to their own personal accounts.

Another potential area of risk is from fraudulent ACH debits. Often a thief will submit a fraudulent ACH debit for a relatively small amount to see if it is processed. If the transaction is approved, the thief will continue to submit transactions in ever increasing amounts. There are two sources of these threats. The first is a dishonest company employee. The dishonest company employee can divert funds by making payments to fictitious vendors that the employee sets up. The second source of threat is external hackers around the world.

Earlier I mentioned the threat imposed from fraudulent ACH debits. In addition, there are threats from malicious programs designed to take over one's computer. Thieves and hackers will also emulate valid email addresses of an organization's leadership in an attempt to request a fraudulent bank transfer or payment. In many cases these payments are for services never rendered but lately thieves are using valid events and activities to request payments. This is similar to what is shown in the box, especially since the email mentions existing events/activities of AAPM.

Many businesses believe they are afforded the same coverage by their bank that individuals receive when it comes to absorbing losses from fraudulent EFTs. However, while in many cases a bank will absorb a loss if the transaction is reported timely, corporations are not afforded that same coverage and bear the burden for absorbing the loss from fraudulent EFTs.

Prevention is the Key

The key to avoid becoming a victim to cyber-crime whether internal or external is to develop a strong, robust system of internal control such as what we have at AAPM. The system is reviewed for three weaknesses by our external auditors and audit committee. There are three types of key controls within the AAPM system of internal control: preventative, detective and corrective controls.

Preventative Controls

Preventative controls are designed to prevent fraudulent activities. Examples of preventative controls include segregation of duties, dual signatures on checks and restricting access to online accounts to name a few. These controls are designed to prevent fraud from happening by denying one access to the organization's assets.

Detective Controls

Detective controls do not prevent fraudulent activities from taking place but bring it to the attention of management when they have taken place. In the case of fraudulent EFTs, an example of a detective control would be performing routine bank reconciliations. The bank reconciliation would detect the fraudulent activity. Since detective controls do not prevent the fraud from happening but merely report when it does occur, detective controls are not as robust as a preventative control in terms of preventing losses. They can however help mitigate any losses which do occur by bringing them to the attention of management in a timely fashion.

Corrective Controls

When detective controls identify an irregularity, corrective controls kick in to see what could or should be done to fix the problem. Frequently many of the corrective controls involve IT, such as performing back-ups so in the event of a crash or disaster—the back-up can then be used to get the systems up and running again. However, in our example here of fraudulent EFTs a good example of a corrective control would be insurance. An organization can take out insurance to help mitigate the risk of the theft of some of its assets.

Without divulging the steps that AAPM has taken and potentially exposing its blueprint to potential thieves, I want to assure that we are taking all necessary steps to prevent any type of frauds. The main purpose of my column is to warn fellow colleagues to watch out for such fraudulent emails and like in any other situation, when in doubt please do verify.

I would like to thank Robert McKoy, AAPM Finance Director, for his subject matter contribution to this report. Please feel free to reach out to me by mmahesh@jhmi.edu, @mmahesh1, or call me at 410-955-5115, if you have any questions concerning this report.