Don’t fall prey to Electronic Funds Transfer (EFT) fraud
There has been a substantial increase in EFT fraud attacks, specifically by way of a method known as social engineering. Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. These EFT fraud attacks usually start with a phishing email or a phone call. Phishing is the fraudulent practice of sending emails purporting to be from a reputable company or trusted person in order to trick individuals into revealing sensitive information, such as passwords or financial information.
EFTs include Automated Clearing House (ACH) transactions, wire transfers, electronic checks, credit/debit card payments, and payroll direct deposits. All these fund transfer methods are fast and generally safe for sending and receiving payments. The danger lies in setting up and changing the bank account information used for each of them.
Tips to avoid EFT fraud
- The most important protocol you can adopt: If you receive an email request to change or set up bank account routing information, always call the requestor using your known contact information (not the contact information in the email) to confirm authenticity, even if it looks like it’s coming from someone inside your entity.
- Beware if someone says they need to change the way they receive payments due to the COVID-19 pandemic.
- Occasionally remind your vendors and staff that your Finance and HR departments will never ask for any financial or personal information via email.
- Implement a two-factor authentication process to approve any financial transaction changes by having a second staff person call to verify changes.
- Implement dual control when processing any EFT transaction by requiring that at least two people are involved in the process.
- Always perform a validation transfer (or test deposit) with a blind confirmation.
- Always require a signed Form W-9 from every new payee in advance of making any payments. Also require a signed Form W-9 if they are changing their mailing address. You can confirm this information online with the IRS taxpayer identification matching tools or directly with the IRS.
- Implement Positive Pay for both checks and ACH transactions, and place an ACH Debit Block on your accounts. Positive Pay is an automated fraud detection tool offered by most banks.
It is essential that your city adopt a policy for safe electronic transfers and payments.
View a model Safe Electronic Transfers and Payments policy (doc)