April 24, 2023

The Fraudsters are Hard at Work. How Hard are You Fighting Back?


Michael W. Kahn




(L-R) Jordan Bennett, Pamela T. Rodriguez and Tim Thorson

LAS VEGAS—Underestimate the fraudsters at your own risk.

“These guys are really, really smart,” said Tim Thorson, AAP, CTP, Senior Vice President, Payments Risk, at Regions Bank. That’s why the rest of us—from bankers and businesses to consumers and governments—need to be at the top of our game to thwart them. That was the focus of the April 19 session “Nacha’s Vision for the Future of Risk Management” at Smarter Faster Payments 2023.

Nacha unveiled its new “Risk Management Framework for the Era of Credit Push Fraud” last year. Jordan Bennett, AAP, APRP, Nacha Senior Director, ACH Network Risk Management, said it reflects the “profound change” in risk management from the original 2005 version, which focused on debit fraud. 

One increasingly common scam the session focused on was business email compromise (BEC).

“They look so real,” Pamela T. Rodriguez, AAP, CIA, CISA, President and CEO of Southern Financial Exchange, said of the emails bad guys send out. Fighting it is “all about education,” said Rodriguez. “I don’t want to get the email that says you’ve just been phished.” When she asked how many in the room do simulated phishing attempts at their institutions, the overwhelming majority of hands went up. 

While the FBI reports that BEC losses increased to $2.7 billion, Bennett said there’s reason to believe BEC is “way, way underreported,” as victims try to avoid reputational damage. “That is still a staggering number, and we want to try and get that down significantly.”

Vendor impersonation fraud is another common scourge today. Governments are particularly vulnerable, because their contracts are typically made public, giving fraudsters all the information they need to spoof the victim and try to get the money redirected to their own accounts. 

“It is pretty amazing the value of the losses when you’re looking at vendor impersonation,” said Bennett, noting that contracts can often run to the “hundreds of thousands or millions of dollars.” 

Thorson said payors must be suspicious of any changes to payment instructions by default. 

“Any attempt to change where you’re paying people that’s been the status quo needs to be looked at as an absolute attempt at fraud. And until you prove otherwise, don’t pay it again. Just don’t,” said Thorson. He urged calling contacts and verifying any changes to not just payments, but to contact and other information. Otherwise, he cautioned, “After it’s done, that’s when it gets messy.”

Rodriguez urged financial institutions to keep their information updated in the ACH Contact Registry—something that also happens to be a Nacha Rules requirement. 

“There’s another homework assignment. When’s the last time you looked at it? Are there people in there that don’t work there anymore?” asked Rodriguez. 

Bennett noted that fraud is not exclusive to any one payment rail—and education shouldn’t be, either.

“The fraudsters don’t care how they get paid—if they take it over credit card, if they take it over ACH, any other rail,” said Bennett. “The education that you can give to your Originators can apply much more broadly than to just ACH.”

“None of these schemes are new,” said Bennett. “But it’s going to take all of us working together to fight them.”

Nacha’s new Risk Management Framework is available on Nacha.org, where you can also find the Nacha booklet “Protecting Against Cyber Fraud.” Each is available as a PDF download.

The ACH Contact Registry is housed on Nacha’s secure Risk Management Portal.

For additional guidance, visit Nacha’s Risk Management Advisory Group (RMAG) page.