J.P. Morgan Stepping Up Fight Against Corporate Payments Fraud

Corporate payments fraud is becoming a pressing issue for banks as the recession progresses and the sophistication of attacks increases. In light of all this, J.P. Morgan Chase (New York) has issued a new white paper designed to raise corporates' fraud awareness and suggest best practices.

"Payments Fraud: How it Happens and What You Can Do to Protect Your Organization" examines check, ACH and credit card fraud, sharing tips on protecting treasury operations from advanced phishing techniques. It explores key areas of fraud vulnerability and proliferation, and reviews available products and services.

According to Iqbal Khan, executive director, J.P. Morgan Treasury Services, the white paper was meant to be neutral and nonbiased in order to best convey the importance of this issue to corporates.

"We wanted to raise general awareness of corporate payments fraud and help people get a better understanding from a corporate perspective," Khan told BS&T. "We're also using [the white paper] internally as collateral for our bankers and sales team to help them educate clients on their responsibilities and how to prevent fraud."

Although corporate payments fraud had been on the rise, Khan doesn't doubt the recession has helped it along. "The economy is softening so people are looking for an easy way to make a buck," he says, adding, "Corporates and banks can't afford to cover these losses like they used to."

A study issued by the Association for Financial Professionals earlier this year showed more than 70 percent of organizations polled experienced attempted or actual payments fraud in 2008. Thirty percent of respondents also showed an increase in payments fraud over the previous year, and the majority of respondents expect these illegal activities to grow.

Khan says that as banks push more responsibility onto clients by offering self-service functions, they are also having to build more powerful security around these service platforms. However, he points out that in the end, the security comes down to the person using the platform—all the more reason to increase education at corporates.

J.P. Morgan clears a significant amount of the world's payments transactions, and Khan says the bank has definitely seen a pickup in phishing. It's also trickling down to smaller and smaller businesses. These clients lack much of the resources and sophistication in terms of the tools they have to fight payments fraud. One thing banks can do to help commercial clients of this size is to simplify their fraud offerings. Something like Positive Pay works fine for large corporates, but small businesses often don't have the capability to support this. As a result, Khan suggests banks simplify their anti-fraud offerings.

J.P. Morgan did just that when it introduced Reverse Positive Pay. "We worked with the Chase Commercial Online team and Chase Business Banking (which caters to very small businesses) and put self-service fraud solutions on those applications to leverage the Reverse Positive Pay used for our large clients," he explains. "We gave them the ability to onboard themselves and we changed the price point."

J.P. Morgan's Reverse Positive Pay solution is Web-based and presents images of the checks to the clients on a daily basis before they pay them. It was integrated with a check return capability so that if a client sees a check is fraudulent, they can tell the bank right away and return the check.

"Traditionally, when a client finds a fraudulent check, they'd call their bank service officer, but by then, the check is out of the return window and not as easy to recover," says Khan. "It was also an expensive service for banks to maintain."

Apparently the word is getting out about fraud protection, at least among J.P. Morgan's business customers. Khan says the bank had 75,000 new accounts signed up for Reverse Positive Pay in the last four to five months. The bank expects over 1 million accounts to be signed up for the service next year.

Another way businesses can protect themselves is by segregating their accounts. Khan says 80 percent of the bank's accounts are not used for checking. Rather, there is more activity around ACH, wire, lockbox and similar payment mechanisms.

"You're leaving those accounts exposed to fraud," he relates. "So we rolled out fraud protection to these accounts to prevent checks from being posted to them."

Khan believes automation will help to at least curtail fraud in the future. "Things like EBAM [electronic bank account management] are being developed as we move more toward automation—it will be harder to commit fraud."

Some of the best practices highlighted in J.P. Morgan's report are:

  • Check Fraud. To prevent check fraud, take practical defensive measures such as securing check stock and implementing dual control around key treasury functions such as check issuance and account reconciliation. Using high-quality check stock with built-in security features will reduce the likelihood of check manipulation. Industry tools such as Positive Pay reduce the possibility of fraudulent check payment.
  • ACH Fraud. To minimize ACH or electronic payments fraud, sensitive information needs to be protected. Masking account numbers and Tax ID numbers in your written correspondence, and utilizing encrypted email for confidential, nonpublic information are both critical steps to reducing fraud. ACH debit blocks or ACH debit filters guard against unauthorized ACH debit transactions.
  • Corporate Credit Card Fraud. Misuse of corporate payment cards by employees is not typically considered fraud by card issuers. The company is usually responsible for any loss, so organizations must have prevention programs in place. Protective controls, such as setting transaction limits and monthly limits for all cardholders, as well as blocking unauthorized vendors will greatly reduce misappropriation. Companies should also use Web-based payments tools that provide enhanced reporting and real-time visibility into spending.
  • Phishing Fraud. Phishing spammers establish fake emails and Web sites in an attempt to steal security information, such as login names, passwords and other personal data. Organizations should ensure that browser and security software information is continually updated, and that spam blocking filters and surfing block controls are maintained companywide. Privacy locks should be utilized to restrict access to sensitive data.
