LAS VEGAS—There are numerous frauds today putting your institution and its customers at risk. It’s a long list, and participants at Smarter Faster Payments 2023 heard from someone who knows only too well: Detective Jefferson Grace of the Las Vegas Metropolitan Police Department, who is also on the FBI Cybercrime Task Force. 

At the session “Practical Tactics for Fighting Cybercrime Financial Fraud,” Grace made several points, including this blunt warning: “Email attacks are getting better and better all of the time.” Payroll and escrow redirects are among some of the most common email scams, he said, adding that some retro techniques are among the best ways to fight back.

“What did we do before email? It’s going to become ever increasingly important for us, because of security, to go back to what we did before. We need to verify these things. Whether it’s snail mail, whether it’s by the phone,” said Grace. “And if it did come from the real source, and it did come from the actual real email address, how do I know that account hasn’t been taken over?”

Grace believes there’s no such thing as too suspicious, noting, “There’s so much trust that we put into email that was never designed to be there.”

But for financial institutions there’s a fine line to walk, as Mark Dixon, AAP, APRP, NCP, Vice President of Education at NEACH noted.

“You need to balance out your security against your end-user experience. That’s always one of the biggest challenges—adding friction into the experience. And as you can tell, there are some legitimate reasons to add that friction to help protect you and also help protect your customers,” said Dixon. 

Dixon also recommended effective fraud monitoring controls “looking at things like anomalous behavior, what’s normal activity for your businesses and consumers.” For example, logging in overnight to initiate payments could be a sign that their account was compromised.

Still, things happen, and Grace said if you don’t know your local law enforcement, meet them now. “Be a resource for them, and allow them to be a resource for you,” said Grace.

If your financial institution spots something suspicious and needs to reach someone at another bank or credit union, the ACH Contact Registry is a great place to find the right contact. Jeanette A. Fox, AAP, Nacha Senior Director, Risk Investigation & ACH Network Risk Management, noted that the Nacha Rules require entering—and keeping up to date—contacts for ACH operations and risk and fraud. 

“You will need to get hold of another institution,” said Fox. “And this is the best way to do it.”

There’s also the ability to add optional contacts for several other categories including wires and checks. Filling those in, Fox said, “will help other institutions trying to get hold of you.”

Much more was discussed during “Practical Tactics for Fighting Cybercrime Financial Fraud,” including ransomware, social media concerns, elder fraud, and UCC 4A, Regulation E and Nacha Rules considerations for financial institutions. The complete session will be available during Remote Connect, May 8-10. Learn more at the Remote Connect website.

Nacha’s new Risk Management Framework is available on Nacha.org, where you can also find the Nacha booklet “Protecting Against Cyber Fraud.” Each is available as a PDF download.

The ACH Contact Registry is housed on Nacha’s secure Risk Management Portal.

For additional guidance, visit Nacha’s Risk Management Advisory Group (RMAG) page.