Fraud: Don’t Be a Victim
In its 2018 Global Fraud Study, the Association of Certified Fraud Examiners (ACFE) found that organizations lose 5 percent of revenue each year as a result of fraud. Extrapolated globally, based on 2017 estimated Gross World Product (GWP), this would amount to a staggering $4 trillion of loss relating to fraud.
The financial cost of the loss isn’t the only concern for organizations dealing with fraud. Other costs include morale, productivity and organizational reputation. Additionally, based on the 2018 AFP Payments Fraud and Control Survey, 78 percent of U.S. organizations surveyed report being exposed to actual or attempted fraud in 2017, the largest percentage on record. In addition, 65 percent of organizations reported that cheques were the primary target for fraud attacks and 54 percent of organizations reported being exposed to wire payments fraud via business email compromise (BEC) scams.
The following are common types of cybercrime, although the list is not exhaustive.
Malware
Malware infiltrates computer systems and performs unauthorized activities and transactions, such as email takeover, corporate account takeover/identity theft, data breaches and theft, and denial of service.
Some ways to protect information are:
- Regularly update anti-virus and anti-malware software.
- Always verify the source of fund transfer requests.
- Ensure the website is legitimate. If in doubt, type the URL into a browser to verify.
- Be aware of any changes to regularly accessed financial services websites and unusual experiences, including unusual URLs appearing in the browser window.
- Verify and validate any request to validate credentials.
- Note unusual slowness of a banking session.
- Beware of requests for sign-in credentials on any page other than the sign-in page.
- Beware of emails requesting account information, account verification or banking credentials (such as usernames and passwords).
Phishing and spear phishing
Phishing is one of the most common ways to infect computer systems with malware. Typically, phishing comes as unsolicited emails that appear legitimate, with real company names and logos, such as those of banks and insurance companies. The email may request personal or financial information, request that a link be clicked, or redirect to another website. When information is divulged, malware can infect email accounts, company email addresses and corporate networks, which can lead to identity theft and corporate email takeover, and can facilitate hacking into databases.
Other kinds of phishing
- Spear phishing is where criminals search social media sites, such as Facebook, Twitter and LinkedIn, to identify individuals who can authorize payments. These individuals are then targeted with emails containing malware.
- Vishing is the same process but uses telephone calls.
- Smishing is also the same process but uses text messaging.
Beware of any communication requesting confidential financial information. Also:
- Be suspicious of requests by email, phone or text for confidential information, regardless of real company logos or letterheads.
- Never divulge or share personal identity credentials or any financial information such as account information, usernames, passwords and PINs.
- Never divulge or share security tokens and token passwords.
- Never click on a link in a suspicious email: it may redirect to a fraudulent site, or clicking may enable malware, such as spyware, to monitor keystrokes and gain access to financial information.
- Be social media savvy. Be wary of making too many professional details public on a social media site; it sets you and the organization up as targets for spear phishing.
With potential fraud becoming an increasing concern for all businesses across the globe, smaller organizations have a greater probability of being targeted as well, because they are generally under-protected when it comes to anti-fraud controls and technology security. Actions can be taken to protect smaller organizations from fraud relating to financial transactions. Where possible, seek to automate processes; where automation is not possible, consider implementing Dual Control Review and Approval processes and segregation of duties. Having those able to initiate transactions separate from those able to approve transactions, in our view, lessens the probability of being the victim of fraud. Also, consider reviewing and reconciling transactions daily. Taking these steps will help identify normal patterns and allow for unusual activity to be identified more quickly.
Fraud protection starts with you and your employees. Here are a few final tips:
- Do not respond to an email requesting personal identification or financial information.
- Do not open any attachments or click on any links with which you are not familiar. The same applies to communications via telephone or text.
- Be cautious in handling websites, and verify that the site is secure by checking for the https:// designation in the browser. Look for the lock icon on the screen.
- Have tools in place for managing pop-ups and educate staff to stay away from scareware tactics or diversion to other websites requesting your information.
- Never download a program from an “unofficial” site, no matter how good the deal appears. Free programs can sometimes infect computer systems with malware.
- Do not store credit card information on websites.
- Do not use software to memorize passwords.
- Exit websites securely and clear the computer’s cache.
- Keep user identifications, PINs and passwords safe at the workplace.
- Never leave the computer while sensitive information could easily be obtained.
- Be wary of making too many professional details public on social media sites; it sets you and the organization up as targets for spear phishing.
Report to the Nations on Occupational Fraud and Abuse, 2018 Global Fraud Study. Association of Certified Fraud Examiners, 2018.
Payments Fraud and Control Survey, Report of Survey Results. Association for Financial Professionals Inc., 2018. URL: afponline.org
Managing Risk: A Practical Guide to Payment Fraud. BMO Financial Group, March 2017.