Three Practices to Protect Yourself from EFT Payment Fraud

July 21, 2016

Using EFT to make payments eliminates the hassles and costs of using paper checks, but it introduces new avenues for fraud. While consumers have up to 60 days to identify fraudulent activity on an account and recover the funds, the rules for businesses are different, and you can have as little as one or two business days. That short time for identifying fraud, and the reality that wire fraud is on the rise, means it’s especially important for companies to implement practices that will protect them.

Some of the practices that you use to protect your paper-based payment process, such as Positive Pay and separation of duties, can be applied to electronic payments with a few tweaks. In addition to those standard steps, you’ll want to take additional measures to minimize your risk. Here’s a look at three practices that will help protect you from EFT fraud.

Secure Your Payment Hardware and Software

You keep checks locked up; the computer hardware used to run your EFT payments process needs to be equally secure. If possible, restrict access to EFT applications to a single machine used only for that purpose. Use standard measures such as firewalls and antivirus software to block inbound connections and prevent malware from being installed.

To prevent unauthorized access, implement multifactor authentication rather than relying on a password alone. Limit the number of authorized users, particularly those with admin privileges.

Keep account information and data needed for EFT encrypted.

Define a Secure Payments Process

Implement a funds management and payment process that reduces your risk. Authorize EFT from only one account, and limit the balance in that account to the amount needed to cover the authorized transactions.

Separate the authority for transferring funds to the EFT-enabled account from the authority to execute EFT transactions. When possible, require dual authorization for adding or deleting users and for transferring EFT files.

Work with your bank to implement protections on your account. ACH Blocks and ACH Filters provide controls over whether payments are allowed from an account. Some banks may allow you to set restrictions using criteria such as the dollar amount or number of payments. Positive Pay lets you review and approve each ACH item before it is paid.

Log all activity and review it daily. Go beyond reconciling payments to reviewing all admin changes in the payments software, such as adding users or modifying privileges. The reconciliation and activity review should be conducted by someone who isn’t involved with executing the EFT transfers; make sure they know how to report any unusual activity.
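The daily review described above can be partly automated. The following is an added example, not code from the original article or from WEX: it scans a constructed audit log for admin changes and EFT file transfers that lack a second approver, for a user who both funded the EFT account and executed a transfer, and for a reviewer who took part in a transfer. The event fields (`ts`, `actor`, `action`, `target`, `approver`) and the action names are assumptions about what a payments application exports.

```python
import json

# Constructed sample audit log (one JSON event per line). The field names and
# action names are assumptions, not the export format of any real product.
SAMPLE_LOG = """\
{"ts": "2016-07-20T09:02:11", "actor": "alice", "action": "eft_file_transfer", "target": "batch-0712", "approver": "bob"}
{"ts": "2016-07-20T09:40:03", "actor": "carol", "action": "user_add", "target": "temp01", "approver": null}
{"ts": "2016-07-20T10:15:47", "actor": "bob", "action": "privilege_modify", "target": "temp01", "approver": "bob"}
{"ts": "2016-07-20T11:30:00", "actor": "dave", "action": "fund_account", "target": "eft-account", "approver": "erin"}
{"ts": "2016-07-20T13:05:29", "actor": "dave", "action": "eft_file_transfer", "target": "batch-0713", "approver": "alice"}
"""

# Actions the article says should need a second person's authorization.
DUAL_AUTH = {"user_add", "user_delete", "privilege_modify", "eft_file_transfer"}

def review(log_text, reviewer):
    """Return findings (strings) for one day's events, reviewed by `reviewer`."""
    findings, funders, executors, involved = [], set(), set(), set()
    for line in filter(str.strip, log_text.splitlines()):
        e = json.loads(line)
        actor, action, approver = e["actor"], e["action"], e.get("approver")
        # Dual authorization: an approver must exist and differ from the actor.
        if action in DUAL_AUTH and approver in (None, "", actor):
            findings.append(
                f"{e['ts']} {action} on {e['target']} by {actor}: no second approver")
        if action == "fund_account":
            funders.add(actor)
        elif action == "eft_file_transfer":
            executors.add(actor)
            involved.update(p for p in (actor, approver) if p)
    # Separation of duties: funding the EFT account vs. executing transfers.
    for user in sorted(funders & executors):
        findings.append(f"{user} both funded the EFT account and executed a transfer")
    # The reviewer should not be involved in executing the transfers.
    if reviewer in involved:
        findings.append(f"reviewer {reviewer} took part in an EFT transfer")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, reviewer="erin"):
        print(finding)
```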

Train Your Payments Staff

Not all insider threats come from deliberate malicious actions by employees. While the dual controls and reconciliation process may make employee fraud easier to detect, you also need to train your staff on safe computing practices to avoid accidental compromise of payments.

Emphasize that employees should not share passwords. Even if the intent is to “help out,” and even if releasing payments would be delayed because someone is locked out of their account, shared passwords eliminate the separation of responsibilities and add vulnerability. Don’t allow your staff to write down passwords; if there are too many to reasonably remember, provide a password manager.

Make sure employees are trained to recognize phishing. While all employees should be aware of phishing attacks in general, employees with payment responsibilities should be made aware of the targeted phishing attacks known as business email compromise scams. These emails appear to be legitimate requests from a senior executive or vendor authorizing a transfer of funds; ironically, your most diligent, reliable employees are likely to fall victim to these requests. The FBI reports a 270 percent increase in these attacks since 2015, with losses over a three-year period totaling more than $2 billion.
