when you aren’t you: corporate identity theft corporate identity … greg... · 2015. 4. 22. ·...
TRANSCRIPT
1
1
When You Aren’t You:
Corporate Identity Theft –
A New Snake in the Grass....
(and Check Fraud – Still #1….)
Presented at
2015
Greg Litster, President
SAFEChecks
Corporate Identity Theft Corporate Identity Theft
is one of the newest financial threats
facing businesses and organizations.
There are two major types of
Corporate Identity Theft.
In one major type,
fraudsters target and imitate
a legitimate business.
Targeting businesses can be much
more profitable for fraudsters than
personal identity theft.
Dun & Bradstreet has reported cases
of corporate identity theft in at least
22 states, and predicts this crime will
spread across the country.
Corporate identity theft
is the unauthorized use of a
company’s name and information
by criminals in order to illegally
obtain money, goods, or services.
The Internet has made it easy to
create a non-existent business that
looks legitimate – no organization is
immune from the threat of corporate
identity theft.
Some losses have reached a
half-million dollars before the
crime was discovered.
2
2
When banks or other commercial
lenders evaluate a business, they
look for evidence that the company
is what its officers say it is, and that
it has the legal and financial capacity
to conduct its business.
Evidence = “Proof of Right”“Proof of Right” can include…
● financial statements
● business addresses
● telephone numbers
● government licenses
● credit history
● etc.
Each Proof of Right that can be
verified increases the appearance
of a company’s legitimacy.
Thieves can create fraudulent
Proofs of Right by gaining access
to state government records of
legitimate businesses, and then
altering company information,
such as the registered agents’
names and addresses.
Criminals open new bank accounts
and obtain loans and credit cards
in the name of the business, often
using the compromised identity of
business owners or officers.
They use falsified financial
statements to even lease offices,
furniture and equipment, creating
the illusion of a successful business.
They use bank loans and retailer
lines of credit to purchases items
that can readily be sold for cash.
Often, this leaves the unwitting
victimized business awash in debt
and legal fees defending itself
against creditors….
3
3
Criminals tend to target smaller
and midsize businesses with strong
credit ratings that are easily
identified through credit rating
agencies.
Business credit reports are intended
to promote “buying and selling,” and
help managers make risk assessment
decisions, so business credit reports
are readily available to virtually
anyone.
Family businesses, churches, and
inactive companies have been targeted.
Smaller businesses with strong
credit ratings are tempting targets
for criminals because they often
have fewer legal and financial
defenses than large corporations. Real Life Examples….
In California: A seafood company received
an order for $500,000 worth of goods.
After completing a credit check, the
company shipped the order and billed the
customer.
The customer responded that it had never
placed nor received the order.
It was discovered that the customer's
credit information and a different address
had been given by a fraudster.
By that time, both the goods and the thief
had already vanished.
In California, identity thieves moved
into the same building as a law firm
—under the firm's own name! — and
billed the firm for $70,000 worth of
computers and furniture.
When the products arrived, they hired
a moving truck and disappeared….
4
4
In Oregon, identity thieves reinstated old mining companies to steal their corporate identity.
(Oregon recently established limits on how long a company can be dormant before it is reinstated.)
In Colorado: Criminals updated or
altered the registration information on
file with the state.
After the registration information was
changed, the criminals used the altered
corporate identity to make online
applications for credit from various
retailers, including Home Depot, Office
Depot, Apple and Dell.
Colorado authorities became aware of
the scam after one of the targeted
companies was contacted by a major
retailer regarding nearly $250,000 in
purchases made in its name.
In Colorado: A small business owner
learned of his company’s identity theft
when he contacted Dun & Bradstreet to
ensure an address change was recorded
properly.
That's when he learned of a new
registered agent and address - an Aurora
mail drop that was set up to forward
everything to California.
The thieves also had changed key
information about his company on
Dun & Bradstreet's database, such as
increasing the number of his employees
from 15 to 150 and his company's
annual revenues by a factor of 10!
In Florida: An aviation company had been
dissolved by the owners. It was then
reinstated by corporate identity thieves.
Soon after, they applied for a $140,000
federal fuel tax credit, which was delivered
as a check.
The scammers and the money disappeared
and the previous owners only learned
about it when “the IRS came knocking on
their door."
Solutions to this type of Corporate Identity Theft….
Many state governments
are actively working to
help better protect
government controlled
and regulated business
data.
5
5
The biggest challenge is alerting and
educating organizations about this
new type of crime, and motivating
them actively self-monitor.
Defensive strategies include using
better passwords, dual-authentication
controls, and checking business legal
filings regularly.
Organizations should protect their
business EIN / TIN as they would
a Social Security number.
Businesses should verify atypical large
purchases and change of shipping
address from current clients.
Businesses should verify unusual
large purchases from new clients.
Keep all documents containing
business information or business
identifiers in a secure place that is
not accessible by
unauthorized persons.
Shred them when
discarded.
Use caution when completing a credit
application.
Criminals post fake credit applications,
and after a legitimate company has
filled it out, the criminals have all the
information they need to defraud the
business, or obtain loans or lines of
credit in the business' name.
Review your commercial and business
banking agreements – understand the
time frames for reporting fraud,
anomalies, etc.
Monitor your business accounts daily.
Many banks provide email and text alerts
regarding your account activity, which
can help alert you to suspicious
transactions.
6
6
If your business provides or maintains a
list of trade or credit references, request
each reference to notify you if they are
contacted by a third party.
If you are not applying or planning to
apply for new credit, you can place a
security freeze on your personal credit to
prevent businesses with whom you do not
already have an existing relationship from
accessing your credit file.
Training!!
Protecting your business, and the
sensitive information of your business,
your customers, and employees is the
responsibility of everyone in your
organization.
In the second major category of Corporate Identity Theft,
criminals target an organization’s clients or vendors through
Corporate Hacking.
� Hackers target Accounts Receivable List� Hackers target Accounts Receivable List
� Send bogus change-of-bank notifications
to customers
� Hackers target Accounts Receivable List
� Send bogus change-of-bank
notifications to customers
� New PO Box controlled by hackers
� Hackers target Accounts Receivable List
� Send bogus change-of-bank notifications
to customers
� New PO Box controlled by hackers
� New Bank R/T and account controlled by
hackers
Solutions to this type of Corporate Identity Theft….
7
7
� Banks: Monitor bank changes on
outgoing repetitive wires� Banks: Monitor bank changes on
outgoing repetitive wires
� Companies: Confirm ALL bank change
notifications from vendors
� Banks: Monitor bank changes on
outgoing repetitive wires
� Companies: Confirm ALL bank change
notifications from vendors
� Buy cyber crime and check fraud
insurance
� Banks: Monitor bank changes on
outgoing repetitive wires
� Companies: Confirm ALL bank change
notifications from vendors
� Buy cyber crime and check fraud
insurance
� Use payee positive pay and high
security checks
RESOURCES:
businessidtheft.org
Dun & Bradstreet
Bloomberg BusinessWeek,
The Council of State Governments
Also, review information and resources offered
by your state and local government.
Check Fraud
Why talk about Check Fraud?
Check Fraud
Produces more $ Losses
than all other types of payment fraud!
50% of organizations
still issue checks.
Check fraud is not going away!
AFP 2015
Payments Fraud Survey “Checks remain the most-often targeted
payment method by those committing
fraud attacks. Check fraud also
accounts for the largest dollar
amount of financial loss due to
fraud.”
AFP 2015 Payments Fraud Survey
8
8
Fraudulent Payments by Method(Respondents were hit multiple ways; total > 100%)
0
20
40
60
80
100
Percentage
CHECKS 77%
Corporate
Cards 34%
Wire Tranfers
27%
ACH Debits
25%
ACH Credits
10%
Fraud Losses by Method
How Dollars were actually lost
0
20
40
60
80
100
Percentage
CHECKS 45%
Corporate
Credit Cards
25%
Wire
Transfers 20%
ACH Debits 7%
Corporate
Debit Cards 2%
ACH Credits
1%
The newest twists on Check Fraud….
Mobile Banking and Deposit Fraud:
Double Debits
Mobile Banking Deposit Fraud
Scenario: A check is mailed to Dishonest Don
• Don deposits the check using smart phone app
Digitized check is paid at drawer’s bank
• 10 days later, Don cashes the same check at a
check cashing store
2nd check hits the drawer’s bank account
(check is presented for payment twice)
Who Takes The Loss?
The answer is found in the Rules
governing Check 21
Liability for the loss falls to the bank that allowed
its customer to use its smart phone app.
Bank can charge the loss against its customer
(assuming $$ is still there)
Under the § 229.56 Warranty… Mobile Banking and Deposit Fraud:
Holder in Due Course
Scenario: A title insurance company gives
John Doe a check at closing. John Doe
deposits the check via a mobile app,
then comes back to office and returns the
check, asking that it be made payable to
John Doe or Jane Doe.
9
9
The company doesn’t think to place a
Stop Payment on the first check
because they have the check in hand.
1. If a physical check is returned for a replacement,
place a stop payment on the returned check. It
may have been deposited remotely.
2. Recipient MUST sign an affidavit stating the
check was not “deposited.”
3. An Affidavit does not provide protection, only a
right to sue and collect legal fees.
Strategies to Prevent
Check Fraud
Don’t Write Checks!
• Use Commercial Purchase Cards
• Pay electronically (ACH)
But, if you are going to
write checks…
#1. Positive Pay
Positive Pay...
...a powerful tool!
PositivePay.net#2. H
igh Security Checks
Effective check fraud
prevention strategies begin
with a high security check.
10
10
High Security Checks
1. Deter the forger (psychological warfare)
2. Thwart forgers’ attempts to replicate or
alter the check
3. Provide legal protection from some Holder
in Due Course claims (UCC § 3-302)
What makes a check
secure?
10+ safety features
Important Security Features
� Controlled Check Stock
� Dual-tone True Watermark
� Thermochromatic Ink (reacts to heat)
� Warning Bands worded correctly
� Toner Anchorage
� Copy Void Pantograph
� Chemical-reactive Ink + Paper
� Inventory Control Number on Back (laser)
� UV Ink + UV Fibers
� Microprinting
� Laid Lines www.safechecks.com
� Is a critical security feature
� Checks should be unique in some way to every other
organization’s check stock
� No two organizations should have the exact, identical
check stock
www.safechecks.com
Controlled Check Stock
• Checks ARE NOT uniquely designed or
customized for every end-user
• It is sold entirely blank to countless entities,
organizations, and fraudsters, by print brokers
all over the USA
Uncontrolled Check Stock
www.safechecks.com
How is
Uncontrolled Check Stock
a problem?
Counterfeit Cashiers Checks Counterfeit Cashiers Checks Counterfeit Cashiers Checks
11
11
Counterfeit Cashiers Checks Counterfeit Cashiers Checks
Holder in Due Course
and
Uncontrolled Check Stock
Web: FraudTips.net
Robert Triffin v.
Somerset Valley Bank and
Hauser Contracting Company
HIDC & Uncontrolled Check Stock
1. Custom-manufacture checks using an
ORIGINAL design, true-watermarked paper,
and at least 10 security features, OR
2. Buy from a supplier that only sells controlled
check stock that has never been replicated
or used in a check fraud scam.
SAFEChecks.com
Obtaining Controlled Check Stock Other Important Security Features
� Dual-tone True Watermark
� Thermochromatic Ink (reacts to heat)
� Warning Bands worded correctly
� Toner Anchorage
� Copy Void Pantograph
� Chemical-reactive Ink + Paper
� Inventory Control Number on Back (laser)
� UV Ink + UV Fibers
� Microprinting
� Laid Lines www.safechecks.com
Robert Triffin v.
Pomerantz Staffing Services
HIDC & High Security Checks AFP 2014 Payments Fraud Survey
Check Fraud Methods – Alterations:
1. Payee Name Alterations = 52%
2. Dollar Amount Alterations = 37%
This is up from 49% and 22% respectively, in the 2013 Survey….
AFP 2014 Payments Fraud Survey
1. Payee Name Alterations = 52%
2. Dollar Amount Alterations = 37%
Most of these alterations could have been prevented with check security features!
12
12
� High-security checks
� 14 point font for Payee Name
� High-quality toner
� Hot laser printer
� Payee Positive Pay
Frank Abagnale’s Fraud Bulletin on Laser Check Printing
Preventing Altered PayeesPositive Pay Provides
NO PROTECTION
Against
Added Payee Names!#3. S
ecure Check W
riting
Software
To Prevent Added Payees
Open Areas Where Forgers Add A New Payee Name
Typical Check Layout
Secure Name Font
Secure Name Font printed above original payee name
helps eliminate Added Payee Name Risk
Fix it: Use a Secure Name Font
No room for an Added Payee
Secure Name Font printed above original payee name
helps eliminate Added Payee Name Risk
Leaves No Room for Adding Bogus Payee
Identical data is printed on both checks.Which check would forgers prefer to attack?
Greg Litster, President
SAFEChecks
(800) 949-BANK
(818) 383-5996 cell
# # # #