Fraud prevention checklist

Key takeaways

  • The most recent AFP research reveals that 8 out of 10 U.S. companies have experienced attempted or actual payments fraud.

  • You can lessen your chance of being defrauded through established controls, periodic reviews and fraud-mitigation solutions.

  • Our checklist highlights critical steps companies need to take to maintain a strong fraud prevention program.

One constant in the struggle against payments fraud is that criminals keep getting more innovative every day. And the best way to protect your business against losses? Nothing new there, either — it’s still using appropriate fraud-prevention tools and partnering with your bank.

In the 2024 Association for Financial Professionals (AFP) Payments Fraud and Control Survey, 80% of companies reported experiencing actual or attempted payments fraud. With that finding, it’s clear that a fraud prevention plan, featuring increased diligence and preventative measures, is essential if treasury and finance professionals want to stay ahead of fraudsters to mitigate business interruptions and financial losses.

Your efforts in preventing fraud need to begin by establishing controls and scheduling periodic reviews. Use the checklist below to help maintain a strong company fraud prevention program.

Internal procedures and controls

Establish fraud prevention best practices and responsibilities

  • Educate personnel regularly on the importance of safeguarding sensitive information, following established procedures and preventing fraud losses
  • Ensure your staff understand they have the most important role in preventing fraud losses
  • Refresh company fraud prevention training regularly

Establish clear division of duties and access

  • Separate accounts receivable and accounts payable functions and processes
  • Allow financial data access to employees only when there's a business need; follow the need-to-know principle

Ensure procedures are being followed

  • Conduct surprise audits
  • Review transactions before they leave the company
  • Verify out-of-pattern payment instructions from internal employees
  • Review downstream processes for cyber security and fraud mitigation

Use a second communication channel to validate payment-related requests, including:

  • Payment requests from customers and company personnel, including senior officials
  • Requests from vendors to change payment instructions

Update signing authority

  • Review and update bank signature cards routinely
  • Remove executive signatures from your annual report to prevent illegal scanning and use

Limit the number of users for each type of transaction, but train everyone

Even if some of your employees are multifaceted in their skill sets, it’s best practice to allow as few hands as possible on a transaction. Just from a security standpoint, a large user base increases the chance of human error and adds more touch points for scammers to target.

This doesn’t mean that the rest of your team should be kept in the dark. Effective fraud protection rests largely on an educated and informed workforce. Here are a few lessons that you’ll need to solidify with your payments management team:

  • Segregate duties between payment types (check, wire, ACH, etc.)
  • Reinforce business email compromise (BEC) risk best practices, which can include how employees open emails, click on links and reply to emails

While no single control or set of controls will prevent your organization from being a target, we suggest these five tips to prevent your organization from falling victim to BEC:

  1. Confirm and verify email requests for funds transfers
  2. Use dual control for money movement activities
  3. Use multi-factor authentication for web-based email accounts
  4. Communicate quickly when fraud or security events occur
  5. Evaluate staff compliance with internal controls by using real-world security awareness testing

Online fraud protection and controls

Protect your workstations

  • Update operating system, software, anti-virus and malware protection
  • Limit personal email and internet use on computers used for online banking activities
  • Back up data on separate servers regularly as this helps mitigate ransomware attacks

Prevent malware infection

  • Use caution when downloading applications and documents, installing software and opening email attachments
  • Beware of download requests from pop-ups or advertisements
  • Consider using an anti-malware application, as well as a firewall
  • If you believe that your cyber environment was compromised, engage an outside cyber forensics firm to complete a comprehensive review

Safeguard your communications and confidential data

  • Avoid using email to send confidential information, but if you must, consider using encryption software
  • Truncate all but the last four digits of account numbers in communications

Establish separate controls for your business online banking application

  • Require approvals to authorize ACH, wires, remote deposits and adding users or changing user profiles
  • Ensure initiators and approvers use different workstations and require dual approvals
  • Require use of security tokens, with strong authentication, for payment applications
  • Review employee access privileges and limit system administrative rights
  • Remove privileges for terminated employees
  • Ensure user access and entitlements are up to date and accurate
  • Ensure users know their system webpages and functionality, so suspicious content is easier to spot and is reported quickly to the bank
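The controls in this list can be checked after the fact against an export of payment approval records. The following is an added example, not part of the original checklist or any U.S. Bank product: the record layout, user names, workstation IDs and limits are constructed, "dual approvals" is read as two approvers other than the initiator, and the per-user limit check reflects the transaction limits the checklist recommends for initiators and approvers.

```python
from dataclasses import dataclass

# Constructed entitlement table: names, workstation IDs and limits are
# illustrative assumptions, not values from any banking platform.
USERS = {
    "alice": {"active": True, "limit": 50_000},
    "bob": {"active": True, "limit": 250_000},
    "carol": {"active": True, "limit": 250_000},
    "dave": {"active": False, "limit": 250_000},  # terminated, not yet removed
}

@dataclass
class Payment:
    pay_id: str
    kind: str         # "ACH" or "WIRE"
    amount: int       # whole dollars
    initiator: tuple  # (user, workstation)
    approvers: list   # [(user, workstation), ...]

def violations(p, required_approvals=2):
    """Return the control violations found in one payment record."""
    init_user, init_ws = p.initiator
    found = []
    if any(u == init_user for u, _ in p.approvers):
        found.append("self-approval")
    # Only approvers other than the initiator count toward dual approval.
    distinct = {u for u, _ in p.approvers if u != init_user}
    if len(distinct) < required_approvals:
        found.append("missing-approval")
    if any(ws == init_ws for u, ws in p.approvers if u != init_user):
        found.append("shared-workstation")
    for user in sorted({init_user} | distinct):
        entry = USERS.get(user)
        if entry is None or not entry["active"]:
            found.append(f"inactive-user:{user}")
        elif p.amount > entry["limit"]:
            found.append(f"over-limit:{user}")
    return found

# Constructed sample records.
SAMPLE = [
    Payment("P1", "ACH", 20_000, ("alice", "ws-01"), [("bob", "ws-02"), ("carol", "ws-03")]),
    Payment("P2", "WIRE", 90_000, ("alice", "ws-01"), [("alice", "ws-01"), ("bob", "ws-01")]),
    Payment("P3", "ACH", 10_000, ("bob", "ws-02"), [("carol", "ws-03"), ("dave", "ws-04")]),
]

def audit(payments):
    """Map payment id -> violations, for payments that break a control."""
    report = {p.pay_id: violations(p) for p in payments}
    return {pid: v for pid, v in report.items() if v}
```

Calling audit(SAMPLE) returns only the records that break a control; an unknown user is treated the same as a terminated one.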

Monitor account balances and activity daily

  • Report any suspicious activity immediately to your bank and alert your users
  • Activate notification features in online banking applications

Review your tech infrastructure and security patches

Even the best-laid fraud prevention plans won’t succeed if your IT infrastructure falls behind on security updates. As new real-time payment options arise, those back-end systems must adjust to handle new venues for malware and spyware to infiltrate.

Consider the following short-term steps to shore up your back-end security:

  • Ensure all systems are current with security updates and anti-virus software
  • Review password policies for best practices in security
  • Expand multi-factor authentication processes, including the use of security tokens and biometric authentication
  • Validate any request to add or update customer information

Combating these risks may require your organization to refresh more traditional fraud prevention infrastructure and practices.

Paper check controls

Check approval practices

  • Preauthorize high-dollar-value checks before the checks are written
  • Do not sign checks without the recipient and amount information completed

Review your check stock controls

  • Select a highly qualified, established check vendor
  • Use a different style of checks for each account for easy recognition
  • Incorporate security features into check design
  • Store blank checks and check printing equipment securely
  • Limit the working supply of checks removed from the secure area

Check processing controls

  • Monitor check orders to ensure receipt of exact quantity

U.S. Bank fraud prevention solutions

Ensure dual approval verification practices

No matter which solutions you choose, you must be confident that the people on the other end of your transactions are the rightful recipients. Fraud — both external and internal — can occur in any transaction, but the increased speed of modern payment solutions often means less time to catch fraudulent requests.

Fraud risk affects both payers and payees, in financial and non-financial terms. Even if payments are revocable (with some modern payment options), fraudsters might empty the recipient accounts before a revocation attempt. Reputational risks can also arise in these cases.

Banking partners and modern payment providers have measures in place to prevent and mitigate losses, but the burden to build verification best practices falls to organizations that choose to use the payment method. And most of the platform-specific fraud risks trace back to the goal of ensuring payer/payee account authenticity. Below are U.S. Bank fraud prevention solutions.

For SinglePoint® online access

  • Install IBM® Trusteer Rapport® to detect and eliminate malware (free to SinglePoint users)
  • Receive payment service alerts by email, text or fax: SinglePoint Alerts & Notifications

For paper check disbursements

  • Review exceptions daily and make payment decisions: SinglePoint Positive Pay
  • Review payee exceptions daily, make payment decisions: SinglePoint Positive Pay – Payee Option
  • View check images online, eliminate storing cancelled paper checks: SinglePoint Image Access and SinglePoint Image File Delivery
  • Reconcile accounts daily or monthly: U.S. Bank Account Reconciliation (ARP)
  • Outsource check processing to eliminate the storage of check supplies: SinglePoint Check Payables

For deposit-only

  • Place blocks on accounts to prevent unauthorized debits: U.S. Bank Check Filter Service
  • Reconcile deposits weekly or monthly: U.S. Bank Deposit Reconciliation Service

For ACH transactions

  • Use Account Validation to ensure the account you are being asked to send a payment to is open and owned by the intended payee.
  • Ensure dual authorization is required: SinglePoint ACH Origination
  • Ensure approvers are vigilant in their final review and approval of all outbound monetary transfers
  • Set appropriate transaction limits for each initiator and approver of monetary transfers
  • Review exceptions online for incoming ACH (debits): SinglePoint ACH Positive Pay
  • Track ACH Positive Pay authorization status: ACH Filter Rejected Item report, ACH Filter Authorizations report, SinglePoint Information Reporting
  • Prevent ACH originators from debiting your account: ACH Block, Business Check Block
  • Control access to your account by customer ID and dollar amounts: ACH Filter

For wire transfers

  • Ensure dual authorization is required, especially for non-repetitive transfers: SinglePoint Wire Transfer

For regular review of your account information

  • Review your accounts online, at any time: SinglePoint Information Reporting.

U.S. Bank is committed to helping you meet your treasury management needs including fraud prevention. To learn more, contact your U.S. Bank Relationship Manager or Treasury Management Consultant.

Disclosures

Deposit products offered by U.S. Bank National Association. Products and services may be subject to credit approval. Eligibility requirements, restrictions and fees may apply. Member FDIC.

U.S. Bank and SinglePoint are registered trademarks of U.S. Bank National Association.