Keeping Fraud Out of Your Business

BECU business members and employees in every organization play an important role in preventing fraud and protecting against scams. We’ve gathered information about business-related fraud and scams and how you can help safeguard the source of your livelihood.

Every business is susceptible to fraud, regardless of its size or industry. Business fraud can refer to a broad range of crimes like check or wire fraud, embezzlement, or social engineering scams. It almost always involves someone stealing from someone else under the guise of a business relationship.

Fraud doesn't just hurt a business's bottom line — it can seriously damage its reputation and erode trust with customers and other stakeholders. We sometimes hear from members who think their business is too small to be targeted, or that they don't have enough staff or time in the day to focus on preventing fraud. It seems like there is always something more important and fraudsters count on that. But if you don't take protective measures, you're leaving the business exposed. Addressing vulnerabilities and knowing what to watch for can help you mitigate the risks.

Recognizing Scams

Most often, criminals use social engineering scams, including business email compromise, to target businesses. In these scams, fraudsters send phishing emails, text messages. or phone calls posing as a known sender like BECU or another financial institution, a trusted business partner, or even one of the business's leaders. In the messages, the fraudster might mention the names of the company executives as a way to build trust, while asking or insisting that processes or controls be skipped. The messages are intended to create a sense of urgency, fear or intimidation to convince individuals within the business to act quickly and follow their instructions.

Some examples of how a scammer might target your business include:

• Prompting an employee to log in to a business account through a fake web page, which allows the scammer to capture the username and password.
• Impersonating payroll staff and providing fraudulent account information to misdirect employee direct deposits.
• Impersonating accounting staff and providing altered wire-transfer instructions to misdirect deposited funds to a fraudulent account. Learn more about wire transfer scams.
• Posing as existing partners and requesting changes to payment information that will route immediate or future disbursements to a fraudulent account. Learn more about payment scams.

Signs of Fraud

Business fraud can be committed by employees, customers, or anonymous scammers. It's important to investigate further if you discover any of the following:

• New or unrecognized accounts on your business credit report.
• Incorrect information on your business credit report.
• Altered checks, counterfeit checks or stolen check stock.
• Unrecognized transactions on your bank accounts.

Business Security Strategies

Our Business Services team shared the following recommended security measures, practices and controls that work together to help shield your business from potential threats.

Training employees to detect and prevent fraud is the most important and effective tool you have to protect the business.

• Discuss security topics with employees and provide regular trainings on risk mitigation best practices, the latest fraud schemes, etc. Check out this free cybersecurity course BECU offers members.
• Lead by example: Ensure that transparent and ethical behavior are modeled and rewarded at every level to promote a "do the right thing" business culture.
• Reinforce the importance of paying attention and question any suspicious behaviors, requests or payment activity. Reward employees if they notice and report concerns.
• Establish a whistleblower process for anonymous reporting. Make it easy for employees to report suspected fraud with no threat of retaliation.
• Encourage employees to communicate with each other about anything out of the ordinary or concerning. Criminals often target multiple people in an organization, so an alert from one person can help prevent others from being deceived.
• Require employees to change passwords regularly (e.g., every 60 or 90 days). Learn more about creating strong passwords.
• Conduct background checks at employee onboarding and at random to identify potential changes in behavior, financial stress, etc.
• Consider mandatory vacation policies (e.g., five consecutive days per calendar year) and surprise audits. Encouraging employees to use their vacation time is good for preventing burnout and fostering a healthy work-life balance. But requiring a period of paid time off can also help discourage employees from engaging in fraud activity. Knowing that co-workers will be covering their assigned duties and are likely to recognize any patterns of bad behavior is a good way to deter such activity.

Accounts and Records

Structuring: Setting up multiple accounts for separate purposes makes it easier to detect fraud, manage access and monitor activity. Follow these best practices for managing all your business accounts:

• Reconcile accounts daily to help you quickly identify suspicious activity.
• Regularly review and monitor all accounts. Learn how setting up alerts can help.
• Conduct frequent audits and independent reviews.
• Understand the laws and regulations related to business fraud.
• Maintain a close partnership with BECU and any other financial institutions where your business holds accounts.

Access Levels: Consider who should have access to your business accounts and how much access they need. For example, your bookkeeper or accountant may need access to all accounts, but a payroll clerk may only need the account used to draw employee paychecks. Here are a few steps to prioritize in managing account access levels:

• Annually review employee access to banking services and disable unused or unnecessary services for each employee.
• Make sure user entitlements and limits are still correct.
• Notify BECU when employees terminate or change roles so that banking services, signature cards, etc. can be updated.

Payments: Policies and Procedures

Establishing policies, procedures and controls for the business's payment processes is essential for protecting the company from fraud. Here are some best practices for keeping payments secure.

Payment methods: How is the business sending and receiving money? You may need to make some of the following changes:

• If you frequently use checks, consider using a credit card or electronic payment that doesn't unnecessarily expose your account number.
• Set up separate accounts to process payroll checks and other transactions that require you provide the account number.
• If you do incorporate other forms of payment, be sure to review your account structure to make sure all channels of payments are considered.

Verification process: Establish clear policies and procedures for verifying requests and changes to payment instructions that are out-of-band (e.g., via a different channel/medium). Employees authorized to process payments should understand and adhere to these verification procedures. This reduces the potential for a fraudster to intercept communications with false account information and payment instructions.

Separate duties: Use a segregation of duties (SoD) model for all banking and payment-related activities. This means that individuals have control of a single business process only, which makes it difficult to conceal deliberate fraud. For example, separating employees who transact on accounts from those who review periodic statements provides a control to help deter and identify embezzlement schemes.

Dual control: Implement procedures that require more than one person to process a payment (such as a wire transfer or ACH transaction) or to access Business Online Banking, check stock, systems and other financial accounts or sensitive information. Dual-control procedures minimize a fraudster's ability to gain full access to your system in a breach. To learn more about using the Dual Control feature in Business Online Banking to help mitigate the risks associated with online wires, watch this video or refer to the Business Online Banking Domestic Wire User Guide.

Systems, Equipment and Information

Money isn't the only thing you need to protect - intellectual, physical and digital property is also at risk and includes proprietary information and customer data. Cybersecurity is the practice of defending your computers, servers, mobile devices, online systems, networks and data from malicious attacks. Below are some tips for maintaining strong physical and cybersecurity protocols to help protect the business from potential threats.

Property:

• Store paper files, sensitive information and electronic devices securely.
• Limit access to sensitive information stored physically or digitally - and know who has access.
• Only keep files and data you need.

Systems:

• Install and maintain fraud detection tools, systems and software.
• Maintain current and up-to-date antivirus software.

Logins:

• Create and require unique, complex passwords for each banking service.
• Never share IDs, passwords, security codes or any confidential information.
• Change passwords frequently.
• Enable multifactor authentication (MFA) whenever possible.

Internet access: Implement policies for using company equipment (e.g., restrict social media platforms and non-essential websites).

Social media platforms: Scrutinize the information shared on social media or your website, and consider what a fraudster could do with that information.

Ongoing Fraud Mitigation

Fraudsters are always coming up with new schemes. In addition to staying up to date on fraud trends, be sure to:

• Monitor your business accounts and credit report.
• Develop a plan for responding to fraud and assign responsibilities as appropriate.
• Consider engaging professional fraud prevention services or security consulting.

Other Resources

• BECU Business Membership
• Business Email Compromise
• Wire Transfer Scams
• Social Engineering Scams