Fraud prevention strategies for government agencies Hello, and welcome today. Thank you, everyone, for joining us to discuss fraud prevention strategies for government agencies. I am your host, Jennifer Vucinovich, with U.S. Bank's government banking division. With me today, we have Patrick Graves, director of external fraud investigations at U.S. Bank, and Dawn Papadatos, treasury management regional sales manager also at U.S. Bank. First of all, we're going to talk about the current state of fraud. What are the latest trends? What's happening out there? What are some key takeaways that you can use in your organization? Next, we're going to look at some foundational prevention measures from a fraud prevention standpoint. What are some actionable items that you can do today to help protect your organization? And then we're going to look at some next level and future-state solutions. What is coming down the pike? What technology is coming there to help you through anything that may happen from a fraud perspective? And with that, I'm going to turn over to Patrick to talk about the current state of fraud. All right. Thank you, Jennifer. Hello, everyone. My name is Patrick Graves. And as Jennifer mentioned, I am the director of external fraud investigations here at U.S. Bank. I manage a team of fraud investigators who conduct investigations into large-dollar fraud that's committed against the bank and our customers. So today, what I'm going to do is provide an update on really what we're seeing recently in terms of fraud trends. So my goal over the next 15 minutes or so is really just to raise awareness, get everyone thinking about fraud, and what they can do within their organization to hopefully better prevent fraud. So as you might expect, the COVID-19 pandemic has had an enormous impact on the fraud landscape. So I will spend some time today discussing trends that we are seeing related to the pandemic. I also want to raise awareness on business email compromise fraud scheme. Fraudsters uniquely target governments with this type of fraud. So I feel it is definitely important to educate and raise awareness given the audience. And then lastly, I'll also share some numbers, which will clearly show that fraud is also on the rise for consumers. And so my hope is that, after you listen to the presentation today, fraud prevention will be even more of a priority than it was prior to this presentation. All right. So in the news-- so anyone staying current with the news over the last 12 months probably would notice that there have been many various stories of fraudsters getting arrested all over the country for committing fraud against one of the many different government relief programs which have been rolled out with the goal of helping individuals and companies impacted by the pandemic. Over the last 15 years, I partnered very closely with law enforcement on many different types of financial crime investigations. And I definitely am noticing an increase in attention, urgency, commitment, dedication by law enforcement to combat the fraud that is being perpetrated against these government relief programs. So sadly, I do expect more headlines like the ones you see on the slide here over the coming weeks, months, and years. All right, so let's dig a little bit deeper into the type of fraud that we are seeing related to COVID-19. The slide here outlines three primary programs. But this is definitely not an all-encompassing list. While it is possible that none of these programs are being administered by anyone in the audience here today, I do think it's important to highlight these trends because, in my professional opinion, any and all government relief support programs now or in the future, whether it's related to COVID-19 or other things unrelated, definitely have the potential to be a major target from fraudsters, which could result in major losses and therefore unhappy taxpayers. So the three government programs I want to highlight are PPP, which is the Payment Protection Program, EIDL, Economic Injury Disaster Loans, and unemployment insurance. So PPP and EIDL are programs which were specifically aimed to help small businesses maintain their payrolls and other expenses during the pandemic. Small businesses were able to apply for loans or grants in some cases upwards of $10 million, depending on the size of that company. And these didn't always require collateral. And additionally, if certain criteria was met, these loans may also be forgivable. And banks and governments worked together to get this money into the hands of the companies in short order to limit the economic hardships. So as you can imagine, large loans that are potentially forgivable not requiring collateral and speed was of the essence, these were major targets by fraudsters. Additionally, the state unemployment insurance programs were bolstered by the federal government to get more money into the hands of millions of individuals who lost their jobs as a result of COVID-19. And the goal here was just to ensure individuals, similar to the businesses and the companies, receive money timely so that they could keep up with their individual mortgages, their rents, and other bills. So sadly, these very well-intentioned programs were targeted by criminals. And these fraudsters weren't your typical low-level criminal but rather organized crime, cyber criminals who are very sophisticated, foreign and domestic, capable, and had lots of resources. So just one example that we've seen, in Southern California, there was a CPA who learned how to apply for PPP loans probably for legitimate purposes for legitimate clients. The CPA learned how easy it was to apply for these loans using legitimate documentation but sadly then went down the road of teaching and coaching individuals who were not small business owners on how to apply for PPP loans with forged documentation to obtain these loans illegally and not for a small business. So on the slide, you can see there's many different red flags that we see. Some of the tactics that the fraudster use as I just mentioned-- forging documentation, fake W-2s, fake payroll documentation. They create shell companies, so a company that didn't exist prior to the pandemic, now exists so they could apply for loans. Fraudsters would apply for loans to different banks. And unemployment insurance was being applied for in multiple different states simultaneously. So we're very much still in the middle of many of these programs. The fraud does continue. We're already starting to take a look to see what we can do to prevent the fraud from a banking standpoint. I anticipate that there will definitely be a lookback at some point of the lessons learned to ensure that fraud is better stemmed in the future. I think everyone knew that fraud was inevitable with these programs. But it was important to get the money into the hands of citizens who were suffering as quickly as possible and to help the overall economy. OK, so moving onto business email compromise, I'm sure many people have heard about the business email compromise fraud scheme. This slide outlines the four basic steps of how this fraud works. As you can imagine, just like any type of fraud, these stages can differ and evolve over time. But I'll kind of walk through sort of a high-level example. So the first phase is really the cyber criminal compromises, or spoofs, and employee email. So I'll talk from the perspective of small local government doing business with a vendor, let's say, a construction company who's building a new park for that local government. So the employee email would be the vendor. So the cyber criminal has compromised or spoofed that vendor email account. Next, that compromised or spoofed email is used to send a request for money or information. So the vendor could say, hey, can you please make a payment to this Bank of America account. Previously, it might have been a U.S. Bank account. Now it's Bank of America or any bank for that matter. And they're asking for a payment to be rerouted to a new account. The payment is then transferred to that cyber criminal's account, thereby enabling the theft. And then the cyber criminal receives that money, which obviously leads to financial gain. And usually, they're then sending the money from there usually to a foreign country to a bank account outside of the United States to make it more difficult for law enforcement or the banks to recoup those stolen proceeds. Some of the other things that the criminals are requesting-- and this slide does mention information. They might be setting up for potential other types of fraud. So they're not always reaching out for changing bank account information. They could ask for a change of address. Or they could ask for personally identifiable information such as W-2s. We even see a variation where the BEC scam is used to divert payroll. So in a typical example, HR or payroll representatives will receive emails appearing to be from legitimate employees requesting to update their direct deposit information from the current pay period. The new direct deposit information is then provided to HR, generally actually lead to a prepaid card account. So it's not actually a bank account. It's obviously controlled by the fraudster. And then the payroll is diverted to that prepaid card account. And once again, it's very difficult to recoup those once that money has left. So just how prevalent is a BEC scam? Very prevalent. I pulled up an FBI public service announcement from September of 2019. And on that PSA, they reported that between June of 2016 and July of 2019, there were a total of 166,349 domestic and international incidents of BEC fraud. And this led to a total exposed loss of $26.2 billion in that roughly three-year time period. So what can a local government, a government organization, a company do to protect itself from this BEC fraud? So the first thing-- a lot of this is basic controls that I'm sure most people have had training on in the past. But it's important to be very mindful of this because this is how the fraudsters exploit. So be mindful of what you click on in emails, just basic cyber guidance. Don't click on a link from an unsolicited email. Be careful what you download. If someone calls you and asking for information, be careful. That might be a criminal who's fishing for information. For example, they might want to know who has the ability to pay vendors within a certain department. I would even say that, if someone calls you and you are suspicious and you don't provide information, I would still maybe alert fellow co-workers that there may be somebody fishing for information so that, if somebody else gets a phone call, they're on guard. And people are alert that there may be a phishing attempt occurring. Carefully examine email addresses, URLs, and spelling in correspondence. Sometimes a misspelling might be a red flag that this is not legitimate. Obviously, that's not always the case. But you just want to be careful about who's sending you emails. And then verify payment and purchase requests in person or over the phone. Don't just rely on an email approval. Remember, earlier, we talked about red flags. And the criminal may actually have control of that legitimate vendor email account. So just simply emailing back and saying, hey, is this "change of bank" request legitimate-- if the criminal has control of that email account, they will obviously reply back that, yes, it's legitimate. So it would be more advantageous to call the vendor, the trusted vendor, and talk it over to make sure that they were, in fact, the one who made that request. And then lastly, the extra cost-- if you receive a request with a sense of urgency, criminals will use this technique so that you're less likely to question legitimacy because you're more concerned with making the timely payment. And then the last thing I'll leave you with as regards to BEC is what to do if you do fall victim to a BEC scam. It's very important to act quickly. So contact your financial institution immediately and let them know all the information you have, where the money was sent to. Next, contact your local FBI field office to report the crime. And if you don't have a contact at that FBI local field office, you can just call, look up at the local field office, and call in to report. And then the last thing is file a complaint with the FBI's Internet Crime Complaint Center, which is known as IC3. And the Internet Crime Complaint Center with the FBI has a process in place for BEC fraud where they will try to work with banks to recoup the money. So speed is of the essence because, as I said earlier, a lot of times, the money gets wired overseas. And that's when it becomes much more challenging to recoup the losses. All right. And then lastly, I'll talk a little bit about just fraud on the rise we're seeing in the consumer space. So the first graphic shows a recent poll taken of fraud experts. I believe this was through the Association of Certified Fraud Examiners where 79% of those polled have observed an increase in fraud over the last 12 months. 90% expect an increase over the next 12. And while I was not part of this poll, I definitely agree with the majority in both of those questions. The second graphic contains data from the Federal Trade Commission. So you can see 2.1 million consumers reported fraud totaling losses of $3.3 billion over the last year. So even though we've focused mainly on fraud impacting governments or businesses, individuals continue to be targeted at alarming rates. And we see this often when there are economic hardships. So lastly, you can see the bar graph on the right side of this slide showing a steep increase in the rise of ID theft being reported. And as you can imagine, ID theft can be commingled with other fraud types. We see that in the unemployment insurance space. And so I'll just leave you with I think it's important to highlight this. Local governments may be able to play a role in helping educate and raise awareness for their citizens as this, the fraud landscape, continues to evolve and we see an increase in fraud. And so with that, I will turn it over to Jennifer, who's going to discuss a little bit more about some of the fraud controls in depth. Thank you, Patrick, for that information. Now let's talk about some foundational fraud prevention measures which can help you better protect your organization. First and foremost is implementing dual control. This is looking at your banking security settings and to enforce dual control for ACH and wire transactions. This will really ensure that two separate individuals are required to approve the transaction, one to initiate the request and another to approve the request. Dual control also helps mitigate the risk of any fraudulent transactions happening due to a malware account takeover. If your computer is taken over, by having that dual control, you can really prevent movement of funds. Trust but verify. Patrick really talked about this. And I really want to hammer it home. Please do not use the email that was used to change the addresses. Find another third-party identification method in which to confirm that accounts payable needs to change or payroll needs to change. By applying this further scrutiny on these transactions, you can really help prevent fraud. Communicate quickly. I can't say this enough. We have had clients-- I have had clients with business email compromise scam. If you contact your bank immediately, sometimes we can get back some, if not all, of the money. Not all the time, but it does happen. But you must communicate quickly to your bank and law enforcement officials. Make sure to use strong authentification. This is such as utilizing tokens to log into your banking systems making sure that all of your people that you work with are utilizing tokens for anything related to your online banking platform. And create awareness-- to what Patrick had to say, creating awareness of not only if there's a phishing attempt happening right now but creating awareness around your organization. Make sure that everybody is aware of these so that you can all communicate and act quickly. Make sure to protect your workstations. I think a lot of us have heard, don't click on this link. Don't click on that link. I have some clients that use a secure separate computer just for banking transactions. This really ensures that no links are being clicked on from that computer because that computer is only used for banking transactions. We're going to talk a little bit more on the next slide about implementing blocks and filters on your accounts. Check fraud remains the number 1 fraud type. Anything we can do to protect check and ACH fraud is what we need to look at. And also, timely account reconciliation-- constantly looking at your account and your online banking platform, making sure that what's posting looks accurate and, when you get those month-end statements at the end of the month, timely reconciling everything to make sure that nothing posted that should not be there. Next, we want to look at ACH fraud risk. ACH block is exactly pretty self-explanatory. It just blocks all debits and credits hitting the account. Most clients use it just for debits. ACH filter and ACH positive pay are very similar. This is where you can designate and authorize which ACH transactions you would like black and then the ones that you want to post. You can authorize and say, hey, we would like these, this entity. This is our ACH company ID. They're always able to debit our account. And with that, you can also set up dollar parameters for those authorizations as well. And lastly, I want to talk about Universal Payment Identification Code, or known as UPIC. This is receiving ACH credit payments without revealing your bank information. So you are able to give this masked account number out. You can post it on your website. You can email it out to all of your vendors, anyone that's going to be sending you money. When the money comes in, the bank will decode that mapping and then send the money directly to your account. And lastly today, I want to talk about payee positive pay. Payee positive pay-- a lot of you are probably familiar with positive pay. But a quick refresher is this is where you as an entity sends the bank the payee name of the check, the check dollar amount, and the check number. The bank receives that information whenever those checks go to clear your account. We double-check that all three of those items match. If they match, then we send it through for payment. If they don't match, they will come back to you and ask you if this is a legitimate payment or not. This protects a lot of fraud from occurring. And I'm especially seeing the payee name-- I'm seeing that getting lost a lot and reinserted. So I know a lot of people have the check number and the dollar amount but don't quite have that payee portion yet. And that payee portion is really where we're seeing a lot of fraudsters utilizing to get checks through. So with that, I'm going to turn it over to Dawn to talk about the future state. Great! Thank you so much, Jennifer. I think those were great ideas that kind of get us back to the basics on preventing fraud. So in this next section, I wanted to go over some future solutions that we are seeing out in the market and seeing really accelerate over the past couple of years but really since the start of COVID. So first, I wanted to start with account validation. And this solution allows our clients to get status updates on certain aspects of the account. So think of things like account ownership or if an account is open or active. And these are real-time responses work for any type of transactions, so including things like ACH, wires, checks, and even real-time payments. So not only will it verify the information. But it also helps to lower risk by ensuring that the payment you are sending is associated with that individual. So as Patrick mentioned earlier, we are seeing this as a red flag with the unemployment payments as maybe the account ownership does not match the claimant. This account validation service will help put that into perspective and help you identify if those match or if they do not match. And the solution will also help you avoid any rejected transactions, which we all know is a ton of work on the back end. So it may actually help streamline the process if you can verify some of this information up front. So shifting gears a little bit and moving the conversation to digital payments, one new type that is gaining popularity is using Zelle for disbursements. The Zelle network allows clients to send money to almost any bank account within the US. And it is done by using a specific email or mobile phone number that is associated with that customer. Usually, we see these type of transactions being used to where a refund is needed and is needed quickly. So not only does that help streamline the payment process. But you also do not need to gather or store any account information as the payee's bank information is not needed prior to sending any payments. So not only will it help reduce disbursement costs. But it will also help reduce any risk associated with sending the wrong payment to the wrong recipient or storing bank information in your system when you think of what happens if your system is compromised. So right now, this is available to over 140 million consumers through their mobile banking. So it is definitely taking off at this point. And very similar to Zelle, we are also seeing real-time payments being used for disbursements. And this solution allows you to send refunds or settlement payments in real time. So by utilizing real-time payments, it does help reduce exceptions and maybe the payment uncertainty. And it also helps with any type of manual processing, which we know, any time you have a manual process in place, you're probably open to more internal fraud within the organization. So although this solution is not at ubiquity yet, we are definitely seeing the trend to more real-time payments, which means we need to start to think about how this is going to affect fraud in the future. And right now, there's around 100 banks participating in the program. And it definitely continues to grow. So I wanted to end the conversation today and talk about a couple of key takeaways. First, understanding your fraud risk-- as you saw at the beginning of a presentation, there are so many avenues where fraud is occurring. So it is important to understand how this is going to affect your organization. Implementing the right fraud prevention measures and acting quickly if you do uncover fraud is so important. And we can't stress that enough. I think you've heard it a few times throughout the presentation. Maybe it's reviewing your internal controls or implementing some of the bank's solutions that we spoke about today. All of these measures are going to help protect against fraud. And it's only going to help as we start to move into this future of digital payments. So not only will these help you mitigate risk. But it may also help create efficiencies throughout the whole payment flow. So with that being said, thank you for your time today. And this concludes our session. [MUSIC PLAYING]