December 14, 2015Steve Hazan

Small BusinessFraud

Who is SECU?

• Maryland’s largest Credit Union

• 22 Branches

• Over 225,000 members

• $2.8 billion in assets

• …and yes, we bank MD businesses!

Overview

1. Who Pays For Fraud?

2. The Fraud “Triangle”

3. How Do I Protect My Business?

3

“If you make it easy for people to steal from you they will”

-Frank Abagnale

4

Catch Me If You Can

5

Who Pays for Fraud?• We All Do

– Higher prices for goods & services– Higher interest rates– Lost time & Resources– Reputational Risk

• Target, Home Depot breaches

6

Sobering Statistics• 5% of All Revenues are lost to fraud*

• World wide $3.7 trillion lost in revenues*

• Companies with<100 Employees are particularly vulnerable*

• Small businesses make up 31.8% of fraud, highest percentage of any business category*

• Median small business loss of $155K vs. $120K loss for larger businesses*

– *Source: Association of Certified Fraud Examiners (ACFE)– **Bureau of Justice Statistics

7

The Fraud “Triangle”

Motive Opportunity

Rationalization8

Motive• Greed

• Financial Pressure

• Employee Disenfranchisement

• Entitlement to more compensation

9

Opportunity • Employees may yield to temptation when

faced with personal financial stress• Ex. Drug, Divorce, Gambling

• 87% of perpetrators have never been charged with or convicted of a fraud related offense

10

Rationalization

• Many people rationalize fraud by telling themselves that they will only “temporarily” borrow the money and eventually return it

• Attitude created by management or owners can create rationalization.

11

Why are small businesses a target?

• Lack of security

• Longer shelf life

• Lack of preparation

• Unaware of the risks

13

Check Fraud• 82% business owners indicated that checks were

targeted at their companies*

• Checks were the payment instrument with the highest average value of unauthorized transactions in 2012**

• The average unauthorized check transaction was $1,221 in 2012**

*2014 AFP Payments Fraud and Control Survey by JP Morgan**Federal Reserve Payments Study

14

Check Fraud Schemes

• Altering Checks

• Counterfeit Checks

• Forged Signatures

• Checks drawn on closed accounts

15

How do I Protect My Business from Check Fraud?

• Destroy unused checks from closed accounts

• Separate responsibilities for employees handling checks

• Verify and reconcile bank statements and transactions frequently

• Store check stock in secured and locked area

16

Small Business Credit Card Fraud

• 43% of financial business owners were exposed to debit / credit card fraud attacks in 2013*

• Credit / Debit cards were the payment instrument with the second highest average value of unauthorized transactions in 2012*

*2014 AFP Payments Fraud and Control Survey by JP Morgan

17

How do I Protect My Business from Credit Card Fraud?

• Starting October 2015, merchants must upgrade their systems to “chip and signature” aka EVM

• Companies who fail to adopt EVM will be held liable

• Laws transfer the risk to the business owner from the banks

18

How is the Chip Card Method More Secure?

A unique one-time code is generated behind the scenes that is needed for the transaction to be approved, a feature that is very difficult to replicate in a counterfeit card.

19

Cyber Crime • 83% of Small Businesses have no formal measures

against cyber threats*

• About 50% of all attacks are aimed at Small Businesses*

• 44% of fraud incidents involved cybercrime in 2013 and 2014**

• Courts seldom hold banks liable for cyber attacks, burden of responsibility is on business owner to protect themselves

• *Forbes Entrepreneurs• **Price Waterhouse Cooper 20

Types of Cyber Crime

• Phishing• Spoofing• Corporate Account Take Over• Theft of sensitive information or client

information• Theft of intellectual property

21

Phishing Emails

• Emails that appears to come from a legitimate business requesting “verification” of information and warning of some adverse consequence if it is not provided

• The email usually contains a link to a fraudulent web page

22

Phishing Email Examples

23

Phishing Email Examples

24

Spoofing

• A malicious party impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware or bypass access controls

• Most commonly done by hacking an account and making it appear as though an email came from a legitimate source

25

Target Hacking Incident• Target HVAC sub-contractor was hacked

• Hackers installed malware onto the contractor’s computer, who had access to Target computer system

• Hacking software was actively collecting data from live customer transactions at Target

• Hackers stole the credit card numbers and other personal information of up to 70 million customers.

• Target agreed to a $39 million settlement with several U.S. banks*

*Money.cnn.com

26

How Do I Protect My Business from Cyber Crime?

1. Identify and shape up weak points2. Designate a banking only computer3. Back Up Information4. Educate Employees5. Get Insured

27

How Do I Protect My Business from internal fraud?

• Institute Policies to segregate accounting duties or outsource functions to 3rd parties

• Conduct background checks/review credit history before hiring employees with access to cash or accounting duties

• Dual Signatures for payments over a certain threshold

28

How Do I Protect My Business from internal fraud?

• Vacation Policy• Positive Pay• ACH Blocks/Filters• Migrate payments to Purchasing Card Platform• Code of Conduct/Policies in place• Employee Assistance Program for those

struggling with emotional, health or financial issues

29

Combating Business Fraud1. Be Proactive

2. Establish Hiring Procedures

3. Train Employees to identify fraud

4. Conduct Regular Audits

5. Call in an expert

30

Strike Back!• The IRS considers embezzled funds as

income. Failure to report it constitutes tax evasion.

• Issue 1099 to perpetrators

31

Resources• Your Financial Institution• Your CPA• www.abagnale.com• www.irs.gov• www.sba.gov• www.aicpa.org• www.forbes.com• www.bankofamerica.com• Association of Certified Fraud Examiners (AFCE) www.acfe.com• www.visa.com• www.pwc.com• www.jpmorgan.com

32

Questions?

33

Certificate of CompletionThis Certifies That

___________Attended the 2 Hour Seminar

Small Business Fraud

_________________

DatePresenter

*Note: It is the primary responsibility of each licensee to fulfill the requirements of the law (CPE) and to be able to document, to the Board’s satisfaction, such fulfillment. All active licensees must maintain, for 4 years, records sustaining (proof of attendance, course outline & expertise of instructor) the continuing education credits claimed by them as a prerequisite for renewal of their license. For more information PLEASE refer to Continuing Education Policies from the State Boards (410) 333- 6322

34