A CHECK IS A CONTRACT TO PAY THE HOLDER of the check to be negotiated through a financial institution. It is the instrument by which the payor provides directions to the financial institution to provide the funds to the payee. In the event that the financial institution does not make the payment for any reason such as insufficient funds in the account or due to an error on the check, the check continues to be acknowledgment of the obligation of debt by the payor.

Even with today’s technology, with more and more payments being made electronically online, the physical hardcopy checks will remain as the business currency for some time to come. The sheer volume of business payments still made by check today will maintain this as the preferred method of payment. The traditional check-tampering fraud schemes will continue to exist as long as check payments exist. Electronic-payment systems open the door to new types of fraud that must be guarded against. Many organizations use both traditional checks and electronic transfer payments. It is not unusual that an organization would use electronic direct deposits for their payroll and checks as payments for everything else. It is also not unusual for a business to use a hybrid system for receiving payments. Checks sent into the organization are scanned and then deposited electronically into their account. The original checks are maintained for a period of time pursuant to the agreement with their financial institution before being destroyed.

In the United States, the Automated Clearing House (ACH) electronic network clears electronic payments between financial institutions. The Electronic Payments Association (NACHA) manages ACH’s governance, development, and administration.

In Canada, the Canadian Payments Association (CPA) operates the clearing and settlement of both electronic payments and checks.

Payments made electronically by organizations require access to the system that requires a user identification and password. Some systems include a security or authentication token—a hardware device used to log into payment systems. A secret personal identification number (PIN) must first be entered into the token. If the PIN is correct, then the token displays a number that allows the user to access the system. The number changes frequently and the token must be used for each log-in.

In order to manipulate payments, the fraudster needs to gain access to the payment system. Once this difficulty is overcome, the fraudster does not have to be concerned with some aspects that are associated with traditional check-tampering schemes that may necessitate producing counterfeit or altered checks, gaining access to physical checks, forging or obtaining authorizing signatures, and the endorsement of the checks.

The fraudster may have authorized access to the payment system so, while making legitimate payments, they can also make electronic payments to their own benefit. Passwords may also be obtained by coworkers who spy (“shoulder surf”) by watching an authorized user enter their password. If an authorized user leaves his computer momentarily while still logged into the payment system, a coworker may seize the opportunity to make payments or changes.

Outsiders may target an authorized employee with a spear-phishing e-mail. Spear phishing is the sending of a spoofed e-mail that appears to come from a trusted source. The message content seems reasonable and logical when it instructs the recipient to click on the embedded link. The link downloads spyware or a key logger that later captures the target’s login information. A less sophisticated version of the spoofed e-mail asks the target to log into a bogus website that requires the employee’s user name and password.

Once that information is available to the fraudster they have unfettered access and the payment system is compromised.

ELECTRONIC PAYMENTS FRAUD PREVENTION

CHECK TAMPERING