Fraud Protection Strategies - SunTrust...Fraud comes from many sources, some internal and some external to your company. Regardless of the source, when you have assets on the move

The fight against fraud can neither be ignored, nor won. Over half of North American companies experienced fraud and/or economic loss within the last 24 months, a 50 percent increase from incidents reported in 2016.1 While fraud can take many forms, from asset misappropriation to cybercrime, it continues to attack companies from a multitude of directions. When it comes to payments, paper-driven processes and checks are still the number one form of business payment fraud,2 but as technology advances, an upsurge in electronic fraud schemes are appearing in an increasingly digital financial environment. Criminals have adapted new ways to exploit system weaknesses with advanced phishing schemes, business email compromise, and other creative fraud plots. Fraud prevention should play a leading role in your organization’s payment strategy, meaning that understanding common types of fraud, the risks involved, and the best prevention measures has never been more important.

UNDERSTANDING AND ATTACKING THE SOURCES OF FRAUD

Attacking fraud includes deploying process and technological solutions while boosting the portion of payments sent electronically. It involves working with a team who understands your business, the threats and countermeasures to defend against those threats and how to guide you through recovery from a fraud event. The SunTrust OneTeam Approach® delivers end-to-end financial solutions that help simplify financial management and point to ways your business can grow and succeed, while making suggestions about systems and payment methods that can help reduce your fraud risk. Visit the Fraud Protection section of the SunTrust Resource Center for the latest strategies.

Employee morale

Business relations

Reputation/brand strength

Relations with regulators

Share price 16%

30%

36%

38%

48%

Share price

Relations with regulators

Reputation/brand strength

Business relations

Employee morale

Impact of fraud across the business1

% of organizations that rated level of impact as high to medium:

FRAUD PROTECTION STRATEGIES

loss up to .5% of total revenue

experience losses greater than $1,000,000

no fraud loss fraud loss greater than .5%

SunTrust Bank, Member FDIC. © 2019 SunTrust Banks, Inc. SUNTRUST, THE SUNTRUST ONETEAM APPROACH and the SunTrust logo are trademarks of SunTrust Banks, Inc. All rights reserved.

UNDERSTANDING FRAUD

Businesses of all sizes are at risk for fraudulent activity, especially when their cash flow relies on paper payments. In total, 82 percent of organizations have experienced actual or attempted fraud, with one-third of those companies reporting an increase in fraudulent activity and less than 10 percent reporting a reduction in fraud.2

FRAUD BY THE NUMBERS

Losses when fraud strikes2

% of organizations that experienced payments fraud:

ACH debit and credit fraud attempts on the rise2

% organizations experienced actual or attempted ACH fraud:

Sources of fraud by payment method2

% of organizations that experienced attempted and/or actual payments fraud:

Ass

et

Mis

app

rop

riat

ion*

Con

sum

er F

rau

d**

Cyb

ercr

ime

Consumer ★ ★ ★ ★ ★ ★

Financial services ★ ★ ★ ★ ★ ★ ★

Industrial products ★ ★ ★ n/a ★ ★

Professional services ★ ★ ★ n/a n/a

Technology ★ ★ ★ ★ ★ ★

8% 66% 26%

17%

45% 43%

70%

Prevalence of paper check fraud incidents2

% of organizations that experienced check fraud:

experienced actual or attempted check payment fraud

Wire transfer fraud attempts2

% of organizations that experienced actual or attempted wire fraud:

exposed through Business Email Compromise (BEC)

experienced wire payment fraud

2018 2017

1 Pulling Fraud out of the Shadows, Global Economic Crime and Fraud Survey 2018, PricewaterhouseCoopers (PwC)2 2019 AFP Payments Fraud and Control Survey Report, Association for Financial Professionals (AFP)

*Third parties or employees who steal funds or actual assets from company**Includes mortgage, credit card, claims and check fraud

1-5 incidents

6-10 incidents

21+ incidents

11 – 20 incidents

Most frequently reported fraud across industries1

% of organizations reporting this method of fraud in last 24 months

★ ★ ★ High risk ★ ★ Medium risk ★ Low risk

Check fraud

Wire fraud

ACH debits fraud

Corporate card fraud

ACH credit fraud

16%

20%

25%

38%

11 – 20 incidents

21+ incidents

6-10 incidents

1-5 inciden ts

28%

13%

33%

20%

ACH Debit

ACH Credit

20%

29%

33%

45%

70%

ACH credit fraud

Corporate card fraud

ACH debits fraud

Wire fraud

Check fraud

2

As technology advances, it is easier for companies to digitize their payments and financial tasks. Unfortunately, that means new opportunities for enterprising fraud criminals. External threats are still the primary fraud source; however, more than two-thirds of external fraud is conducted by “frenemies” – those vendors, suppliers and other businesses with whom you have a working relationship.1 These threats can materialize directly through a "frenemy's" illegal actions or as a result of a trusted vendor being manipulated by an outside fraudster. The threat from non-related cyber criminals is also on the rise, as fraud-as-a-service (underground fraud hosting services purchased as a subscription or for flat-rate fees) continues to proliferate with the rapid sharing and sale of information through underground channels.

The fraud threat doesn’t end with payments. Simple but lucrative social engineering attacks, such as phishing and ransomware along with more sophisticated data breaches and account takeovers, require vigilance. The good news is that technologies that protect against these increasingly frequent schemes are more common and more sophisticated. The bad news is that fraud criminals are innovating faster in the development and deployment of scams than countermeasures are being purchased and deployed by businesses.

Impact of business email compromise (BEC) fraud% of organizations that experienced BEC attacks:3

lost between Oct 2013 and May 20182

increased rate of incident4

$12.5B 200%

of that:

Experienced BEC

80%

Check fraud

20% Wire transfer

43%

FRAUD PROTECTION STRATEGIES

NEW AND RISING THREATS

BUSINESS EMAIL COMPROMISE (BEC)

Spoofed emails have become one of the most prevalent schemes used to hack into a business, accounting for a 136% increase in global dollar losses in less than two years.2 Criminals study a top executive’s email behavior, and with access to company directories, online calendars and email schedules, create an email that closely mimics the language and style of the executive. They send an

3

email instructing a subordinate to wire transfer money to a certain account – at a time when the “real” executive is in a meeting, traveling or simply unable to be contacted to confirm the instructions. For help combatting BEC, visit the Fraud Protection section of the SunTrust Resource Center.

BUSINESS IDENTITY THEFT

Consumer identity theft often takes center stage when breaches occur, but business identity theft is increasing at an astonishing rate – 46 percent year over year during 20174 – becoming an ongoing and growing concern for companies of all sizes. Fraud criminals steal company information, such as Employer Identification Number (EIN) and other identifying data, to commit a variety of financial, tax, website or trademark frauds. Most common are schemes to open card accounts, initiate wire transfers and commit tax fraud in the company’s name. Increased awareness, strong internal controls and vigilance in accounts review can help minimize identity theft. Conducting a risk assessment with your company's auditor, accounting or advisory firm can help identify weaknesses as well as point out the best ways to mitigate them.

SYNTHETIC FRAUD

Like business identity fraud, synthetic fraud combines real information, often stolen EIN or other business identifiers, and falsified information to create a completely new company identity. Harder to find and trace than business ID fraud, this new “synthetic” company can conduct many fraudulent activities, including becoming a guarantor for loans or lines of credit, before disappearing with its ill-gotten funds, leaving the unsuspecting company with the ensuing debt/liability. The SunTrust Resource Center Fraud Protection section provides additional strategies to fight fraud.

SunTrust Bank, Member FDIC. © 2019 SunTrust Banks, Inc. SUNTRUST and the SunTrust logo are trademarks of SunTrust Banks, Inc. All rights reserved.

1 Pulling Fraud out of the Shadows, Global Economic Crime and Fraud Survey 2018, PricewaterhouseCoopers (PwC)2 “Business E-mail Compromise, The 12 Billion Dollar Scam,” January 2018, Federal Bureau of Investigation3 2019 AFP Payments Fraud and Control Survey Report, Association for Financial Professionals (AFP)4 Business Identity Theft in the U.S., 2018 Report, The National Cybersecurity Society (NCSS)

increase in number of fraudulent business returns to IRS 2016 - 2017

250%

increase in losses 2015 to 2016

200%

RISE OF BUSINESS IDENTITY THEFT4

4

Fraud comes from many sources, some internal and some external to your company. Regardless of the source, when you have assets on the move in the form of payables and receivables, your company is more vulnerable to fraud. Awareness of the tactics and scams that fraudsters commonly use and a thoughtful control environment around your payments processes make the best fraud deterrents.

HOW PREPARED IS YOUR COMPANY?

The prevalence and increasing incidence of fraud puts your company at risk every day, yet nearly half of organizations have not performed a general fraud risk assessment, and more than half have not assessed their cyber-attack vulnerabilities in the last 2 years.1 “Helping our clients reduce the risk of a financial loss due to fraud is paramount,” explains Michael Maza, Head of SunTrust Treasury & Payment Solutions. “Our solutions incorporate preventive measures such as account monitoring, identification of suspicious items and alerts to the client to make decisions on questionable transactions. The best defense is always a great offense, so we strive to detect potential fraud before it occurs.”

SUCCESSFUL FRAUD PREVENTION

Payment fraud prevention measures2

% of organizations using these measures:

Positive pay

Payee positive pay

88% 68%

You can put in place many simple procedures to help protect your company from fraud. The SunTrust Resource Center Fraud Protection section provides additional helpful information in the fight against fraud.

From a payment perspective, increasing the penetration of electronic payments and collections can be an asset in combating check fraud. “Many CFOs realize that they can mitigate paper payment risks as well as electronic fraud with a series of basic controls, such as automatic reconciliation of accounts, blocks and filters on ACH payments or instituting UPIC (Universal Payment Identification Code),” emphasizes Katie Saez, Head of Sales for Treasury & Payment Solutions at SunTrust.

FRAUD PROTECTION STRATEGIES

FRAUD PROTECTION STRATEGIES

Segregation of accounts

72%

Daily reconciliations/other internal

processes

68%

5

USING TECHNOLOGY TO YOUR ADVANTAGE

More advanced technology brings an efficiency boost to payments and financial processes; however, those improvements come at the price of increased risk of attack by fraudsters. This is the double-edged sword of technology: no matter how many improvements are made, there will always be fraud criminals out there ready to try to beat your systems with newly-engineered attacks. As new technologies and systems are deployed, their weaknesses haven’t been mapped and defensive strategies have yet to be devised. It is precisely for this reason that it is vital that companies partner with their accounting, audit or advisory professional services firm to assess new technologies for their impact on fraud risks.

Fighting fraud needs a combination of process and technological solutions. The first step involves staff education about the importance of fraud detection and prevention. According to David Sawyer, a Certified Fraud Examiner and Managing Director at Sawyer & Co.,

“Many organizations don’t train managers or employees to understand why rules are put in place. Sometimes employees will override policies and procedures that were put in place for a reason that they don’t understand.” Workers often just want to get the job done and may see protective procedures as barriers. One-time “workarounds” to circumvent these barriers can, over time, become business as usual, providing weaknesses for fraud criminals to exploit.

Managers are responsible for addressing internal fraud by setting up the controls and designing fraud training. Responsibility extends equally to employees who must follow fraud prevention procedures and be on the lookout for signs of fraud. “Internal controls have to be embraced, not only from the board room, but they have to extend all the way down to the mail room,” says Sawyer.

The second step in thwarting fraud reduces opportunity by separating duties, reconciling accounts daily and using positive pay or reverse positive pay services for all paper checks. Don’t neglect the “frenemies” threat either. Pay close attention to vendor on-boarding and compliance to ensure fraud protection controls are in place within vendor organizations. Your strategic and operational partners

should have business practices that mirror yours; monitor technology connections and data access; and use strong security defenses.

Accept and make more payments electronically as one means to reduce vulnerabilities from human touches. Innovative solutions such as Virtual Cards, which remove the need for a physical card by providing the payee with a unique secure token to access payment, improve the likelihood of more secure payments. Adding restrictions and controls to electronic debits from your accounts also helps create a more secure environment for payments. The SunTrust Resource Center Fraud Protection section provides additional strategies to prevent and detect fraud.

SunTrust Bank, Member FDIC. © 2019 SunTrust Banks, Inc. SUNTRUST and the SunTrust logo are trademarks of SunTrust Banks, Inc. All rights reserved.

1 Pulling Fraud out of the Shadows, Global Economic Crime and Fraud Survey 2018, PricewaterhouseCoopers (PwC)2 2019 AFP Payments Fraud and Control Survey Report, Association for Financial Professionals (AFP)3 Report to the Nations on Occupational Fraud and Abuse Global Study, Association of Certified Fraud Examiners (ACFE), 2018

Red flags of occupational fraud3

1. Living beyond means

2. Financial difficulties

3. Unusually close association with vendor/customer

4. Control issues, unwillingness to share duties

5. Divorce/family problems

6. “Wheeler-Dealer” attitude

Identifying occupational fraud3 % of organizations experiencing fraud identified these employee behaviors:

*Acct. reconciliation, document examination, surveillance, confession, and others

Fraud detection methods3

% of U.S. organizations where this method initially detected fraud:

Tip

Other*

Management review

Internal audit

Accident

Multiple red flags

At least one red flag

No flags

50%35%

15%multiple red flags

at least one red flag

no flags

37%

27%

14%

13%9% Tip

other

Management Review

Internal auditAccident

DETECTING FRAUD SCHEMES

6

LIMITING THE FIVE PRIMARY FRAUD THREATS

Check fraud The threat:

• #1 in fraud attempts

• 70% of companies targeted noted check fraud #1

• # of check fraud incidents: 38% 1-5 incidents 25% 6-10 incidents

Solution Positive Pay

How it provides fraud protection

Flags discrepancies against company-supplied, check-issued files to verify the authenticity of checks presented

How it works• Validates against issued date, check number and amount; verifies payee name • Provides automatic pay/return defaults

What it solves

• Quickly identifies check fraud, reducing losses • Notifies of discrepancies through online banking • Provides for online banking pay or return decisions • Reduces staff workload

Wire fraud The threat:

• #2 in fraud attempts

• 45% of companies targeted noted wire fraud

Solution SunView Treasury Manager®

How it provides fraud protection

Execution through online banking provides for multiple levels of control: • Names of wire requestors must match the authorities designated in writing and stored

within the bank's wire facility • Requires user ID and password for login • Requires Trusteer Rapport with keystroke encryption and malware deactivation • All wires require dual approval

How it works

• Wire transfer authorities are approved by the company’s designee (account signer) and submitted to the wire facility

• Wire transfer capability is set up through SunView Treasury Manager giving access to approved initiators/approvers in accordance with the wire facility instructions

What it solves

• Reports are available in real time • Both incoming and outgoing wire information can be pushed to designated staff through

SunTrust Online Courier® at pre-defined thresholds • Allows for the building of wire templates for repetitive wires, decreasing errors and fraud

Account fraud The threat:

• 82% of organizations have experienced fraud

Solution SunTrust Online Courier®

How it provides fraud protection

Provides real-time notification of transaction and balance detail

How it works• Creation of online profiles allows selection of reports, alerts and desired format • Automatic “push” via FTP, PC download, dial-up or fax • Optional wireless alerts to smartphone

What it solves• View transaction detail for potential fraud detection • Monitor account balances for significant changes

ACH fraudThe threat:

• 33% of ACH fraud was due to ACH debits; 20% due to ACH credits

Solution ACH Fraud Control

How it provides fraud protection

Places blocks and filters on all or specifically-identified ACH transactions in designated accounts

How it works

• Ability to block all debits, credits, or both • Approve/decline ACH transactions on occurrence date with Online ACH Control • Reporting via SunTrust Online Courier each morning • Set up specific standing authorizations at the transaction level to allow for payments

like federal taxes, corporate healthcare and other self-insured payments managed by a third party

What it solves• Reduces losses • Improves control over ACH transactions and enhances ACH usage • Minimizes cost

Solution UPIC — Universal Payment Identification Code

How it provides fraud protection

Provides user with a universal routing transit number and a unique proxy account number that can be supplied to payers for incoming ACH payments

How it works• Bank issues a UPIC to relay to trading partners • Transactions using proxy account number automatically routed to correct account upon

receipt of incoming ACH payments; systematically blocks debits

What it solves

• Provides receivables alternative • Accommodates clients who want to remit payments electronically and provide payment

data through EDI (Electronic Data Interchange)• No change in payment routines for trading partners • Blocks sensitive proprietary account information

Source for fraud threat statistics: 2019 AFP Payments Fraud and Control Survey Report, Association for Financial Professionals (AFP)

7

SunTrust Bank, Member FDIC. © 2019 SunTrust Banks, Inc. SUNTRUST, ENTERPRISE SPEND PLATFORM, ESP EXPRESS, SUNTRUST ONLINE COURIER, SUNVIEW TREASURY MANAGER, and the SunTrust logo are trademarks of SunTrust Banks, Inc. All rights reserved.

Source for fraud threat statistics: 2019 AFP Payments Fraud and Control Survey Report, Association for Financial Professionals (AFP)

Corporate card fraud The threat:

• #4 in fraud attempts

• 29% of companies targeted noted corporate card fraud

Solution Enterprise Spend Platform®

How it provides fraud protection

Provides a comprehensive online card management application for managing Travel & Entertainment (T&E), procurement and payables processes for Corporate and Purchasing cards

How it works

• Enhanced reporting to: - Implement pre- and post-purchase controls - Audit spending - Manage program

• Allows for: - Customizable business rules and workflow - Transactional review and “decisioning” - Electronic attachment of receipts/expense reports

What it solves

• Improved spending controls with online account monitoring • Increased control with built-in alerts, email rules and audit features • Online access to automatically activate/deactivate cards and raise/lower individual

spending limits

Solution ESP Express®

How it provides fraud protection

Provides an easy-to-use online card management application for Commercial One Card

How it works• View and manage cardholder detail and accounts • View both transaction detail and statements at the card level

What it solves • Improved spending controls with online account monitoring • Online access to automatically activate/deactivate cards and raise/lower individual

spending limits

Solution Virtual Card

How it provides fraud protection

Provides protection of a client’s Real Card Number (RCN) by creating a unique 16-digit Virtual Card Number (VCN) for a single transaction payment

How it works

• Supplier submits invoice to Buyer• Buyer submits a payment request through Enterprise Spend Platform• An authorization and its associated VCN is created for the total amount of the invoice• Secure email notifications with payment data are automatically triggered and sent

to Supplier• Supplier processes approved amount through Point of Sale (POS) system• Transaction is matched using the VCN, and posted in Enterprise Spend Platform via RCN

What it solves

• Removes the need for a physical card• Eliminates loss or theft of card• Enhanced control over cards and spend with specific authorization limits• VCN expires after 60 days if unused• Reduces exceptions with one to one match of invoice(s) and payment

The SunTrust Resource Center Fraud Protection section provides additional strategies to fight fraud. (suntrust.com/resource-center/commercial-corporate/fraud-protection)

8

SunTrust Bank, Member FDIC. © 2019 SunTrust Banks, Inc. SUNTRUST, THE SUNTRUST ONETEAM APPROACH, ENTERPRISE SPEND PLATFORM, ESP EXPRESS, SUNVIEW TREASURY MANAGER, SUNTRUST ONLINE COURIER, and the SunTrust logo are trademarks of SunTrust Banks, Inc. All rights reserved.

Contact your SunTrust Relationship Manager or Treasury Sales Officer to discuss your business plans for smart growth and your payments needs. The SunTrust OneTeam Approach® delivers end-to-end financial solutions that help simplify financial management and point to ways your business can grow and succeed.

GETTING HELP TO KEEP FRAUD AT BAY

TO FIND OUT MORE , call your SunTrust Relationship Manager or visit the SunTrust Resource

Center for more information at suntrust.com/resource-center/commercial-corporate.

9