Safeguarding Your Dealership from Fraud Fraud continues to be a problem at dealerships and the risks are only getting greater. Today s fraud schemes are more elaborate than ever and often employ an astonishingly high level of technical sophistication. However, while no amount of planning and oversight will ever completely eliminate fraud, you can take important steps to protect your dealership. Key takeaways The numbers are in: Fraud attempts are on the rise According to the 2017 AFP Payments Fraud and Control Survey, 74% of organizations report that they were victims of payment fraud attempts in 2016. This is the largest share on record, and significantly higher than the percentages reported between 2011 and 2014. The message is clear: Fraudsters are continuing their relentless attack on businesses like your dealership. Percentage of organizations that experienced attempted and/or actual payment fraud, 2006-2016 Payment fraud is on the rise in the U.S. as thieves continue to attack businesses. Fraud attempts arise from both external and internal sources, with fraudsters using increasingly sophisticated physical and electronic tools. 80% 70% 60% 50% 40% 30% 20% 10% Dealerships can safeguard their businesses from fraud by employing the right blend of process and technology. 0% 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 Source: 2017 AFP Payments Fraud and Control Survey 1 of 5
Of those companies that experienced attempted or actual payment fraud, the survey found that: 75% of organizations reported check fraud in 2016, an increase from 71% in 2015 and a reversal of the declining trend in check fraud since 2010. Wire transfers were the second most-often payment method used in attacks by fraudsters, with 46% of organizations reporting this method, a dramatic increase from only 5% in 2009. Fraud via corporate/commercial credit cards accounted for the third largest share of fraud, with 32% of organizations having been affected, followed closely by ACH debits (30%) and ACH credits (11%). 74% reported that their organizations were exposed to business email compromise, up 10% from the prior year. Percentage of organizations attacked by fraudsters by method: 11% ACH credits 30% ACH debits 32% Corporate/ commercial credit cards 75% Checks 46% Wire transfers The fact that overall payments fraud is currently at its highest level is troubling. All organizations can certainly be targets of fraud, and it is important for them to take the necessary steps to make it as difficult as possible for criminals to succeed in their attacks. 2017 AFP Payments Fraud and Control Survey Sources of payment fraud Today s fraudsters: Often belong to an organized group Stalk their victims and know how to attack their weak points Have access to very sophisticated physical and electronic tools Fraud can originate from both external and internal sources. External fraud against a company covers a broad range of schemes, including billing for goods and services not provided, bad check writing, and falsified account information for payment and security breaches. Internal fraud also known as occupational fraud continues to be a major concern for businesses. The Report to the Nations on Occupational Fraud and Abuse a 2016 Global Fraud Study by the Association of Certified Fraud Examiners reported that: A little more than three-fourths of occupational fraud cases came from seven key departments: accounting, operations, sales, executive/upper management, customer service, purchasing, and finance. Nearly half of the cases in the study involved multiple perpetrators colluding with one another to commit fraud. The greater the number of fraudsters involved, the higher the losses tended to be. The vast majority of internal fraudsters (95%) have no history of fraud convictions, although almost 40% had been involved in some form of non-fraud workplace violation. The median duration of the frauds in the study was 18 months, and losses rose as the duration increased. 2 of 5
In addition to the losses incurred by fraud, there are hidden costs that include: Insurance claims Police reports Internal investigations and audits Affidavits Negative impact on public image Combating dealership fraud examples While you can t eliminate fraud threats, there are tools you can use to safeguard your dealership. Consider these examples of checking fraud attempts: A dealer writes a check to an individual for a refund of a portion of estimated fees for an auto purchase. The customer takes a photo of the check and tries to cash it multiple times in various locations. A fraudster washes a dealership check by chemically erasing the printed details of a check and rewriting the check to himself/herself. A bank service called Positive Pay can help dealerships avoid these and other fraudulent check-writing schemes, said Brian Bateman, senior vice president of KeyBank Dealer Finances. With Positive Pay, as you issue checks, you provide the bank with the check number, issue date, and dollar amount of your checks. When your checks are presented to the bank for payment, each check is electronically compared to your issue information. The dealership is notified any time an item doesn t match, and you then have the ability to view an item and make a payment decision. Dealers can protect themselves from check fraud the largest single area of fraud attempts by moving checks to automated services. For example, some dealers still issue checks for payroll, said Bateman. By shifting payroll to ACH and direct deposit of employee checks, they can avoid this form of check fraud. Unauthorized debits to an ACH account can also be a source of fraud. A thief, posing as the owner of your account, provides information to a creditor and requests that funds be withdrawn to pay a debt. This creditor s bank submits an electronic transaction requesting that the account be debited. All of this can happen without your knowledge or consent. You can protect your dealership from this form of electronic fraud by using an electronic payment authorization (EPA) service to block, filter or identify any unauthorized transactions attempting to post to your account, Bateman said. Fraud attempts via email are rising, and wire transfers are the main target for business email scams. For example, a thief may submit an email instruction to a dealership s finance staff to wire funds to a certain account. The email may look very much like the email of an authorized dealership employee, but with one minor tweak the addition of a letter tucked away in the address, for instance. If your staff is not vigilant, funds may be wired to a fraudster s account. A dealership s personnel needs to be trained in how to spot suspicious email requests and to be wary of unusual demands. Social engineering is the practice of obtaining sensitive information by tricking people into breaking established security procedures. Phishing is a type of social engineering in which a fraudster falsely claiming to be a legitimate entity tries to scam someone into surrendering passwords, financial or personal information, or by infecting the target s computers with malware. Scams involving the IRS are one of the most prominent forms of phishing. Claiming to be the IRS, scammers may use email and text messaging to set up their victims. The government doesn t initiate contact with taxpayers via email, texting, or other social media to request personal information or financial information, nor does it use these channels to threaten taxpayers with lawsuits, fines, and imprisonment. 3 of 5
Dealers can take several steps to train staff and protect themselves from social engineering fraud, which include the following warnings: Be suspicious of any unsolicited emails, phone calls, or text messages with an urgent request for personal or financial information, from both known and unknown senders. Never provide system credentials or any other personal information on an unsolicited inbound call. Always verify the identity of an unsolicited caller by insisting on calling him/her back at a trusted phone number listed for that company. Never click on an embedded link or attachment, or fill out forms asking for personal information in an unsolicited email or text message. Ensure that your operating system, security software, and mobile apps updates are current. Schedule anti-virus software to automatically run on a regular basis. Report any unsolicited attempts that appear to be scams. EMV chip technology enables cards to incorporate security features to help build a sophisticated defense against fraud. While most dealers have moved to smart-card terminals, those dealers who are still using a magnetic stripe terminal and swiping cards are taking unnecessary risks. That s because all liability for fraud losses falls on them and not the card issuer. The solution: Convert to smartcard payment technology. Protecting your digital identity is critical, but don t overlook the security of your physical documents. Dumpsters divers are still out there, and they re going through your garbage to find sensitive information. Establishing a protocol for paper shredding is one of the simplest and most effective ways to protect your dealership and customers. Steps to take to protect your dealership Effective fraud protection is the right blend of process and technology, including the following. Be aware and be safe Monitor your dealership s accounts daily and closely. Be suspicious of any unsolicited emails, phone calls, or text messages from either known or unknown senders with an urgent request for personal or company financial information. Never log in to your dealership s online banking account via a link or Internet address provided in an email or text message. Never use favorites to access a website where you plan to disclose private information type the URL into your browser s address bar. Only enter financial or account information on sites that have the lock icon displayed in the browser and https preceding the URL. Be vigilant with emails Do not open unsolicited, suspicious emails or emails from unknown senders delete them. If you do inadvertently open one, never click on links or open attachments. If you receive a message from a known sender, do not open an attachment before checking with them through a known phone number/email address. Emails appearing to come from a trusted source could be fraudulent and contain a virus, Trojan horse, worm, or other malware. 4 of 5
Be vigilant with emails Do not share your email address except with trusted sources. Never provide personal information requested via pop-up windows or email. Never initiate ACH (automated clearing house) or wire transfer transactions or change accounts based solely on email requests always confirm the action via a trusted phone number or in person. Encrypt your emails. Review computer security Use strong passwords and change them often. Ensure that antivirus programs are updated daily. Maintain and review your dealership s computer operating systems and web browsers, and install the recommended security updates as they become available. Limit administrative rights. Ensure employees at your dealership lock their computers when away from their desks. Consider using a dedicated computer for all banking transactions. Communicate with and educate dealership employees Routinely discuss how to identify fraud. Develop/evaluate internal fraud policies and controls. Prepare a contingency plan for dealership operations with your banker in the event of a payment system disruption. Read Consumer Affairs reports, as these often post alerts about new scams. Provide ways for employees to report suspected fraud. Set up fraud controls Work with IT/Security to develop a plan for responding to fraud. Limit the use of your dealership s ACH system to dealership employees who need to use the system. Use dual controls and ensure separation of duties. Verify employee access rights and credentials regularly. Establish and maintain document shredding/destruction protocols. How KeyBank can help KeyBank s specialists can work with your dealership to maintain an effective fraud prevention program. For more information, contact your KeyBank Dealer Services Relationship Manager. 5 of 5 As a service to our clients, KeyBank is providing this brief overview to raise client awareness. KeyBank does not make any warranties regarding the results obtained from the use of this information. The information and recommendations contained herein is compiled from sources deemed reliable but is not represented to be accurate or complete. In providing this information, neither KeyBank nor its affiliates are acting as your agent, broker, advisor, or fiduciary, or is offering any tax, accounting, or legal advice regarding these instruments or transactions. All credit, loan, and leasing products subject to credit approval. 2017 KeyCorp. KeyBank is Member FDIC. 170828-281895