What’s your fraud IQ?
The inherent and evolving risks in the banking environment–especially concerning online transactions–command that account holders be aware of threats to their accounts, understand their rights and responsibilities as account holders, and take steps to protect themselves from fraudulent bank account activity. Are you prepared to help your clients or employer with these daunting tasks? Take this quiz to find out.
1. A fraudster used a keylogger to steal the logon credentials and challenge-question answers of Sitting Duck Co. He then used this information to initiate fraudulent wire transfers from the company’s bank account. In which of the following ways might the company’s computer have fallen victim to keylogging?
a. A user of the target computer unwittingly visited an infected
website or clicked on an infected banner advertisement.
b. A user of the target computer unwittingly opened an infected email attachment.
c. The fraudster, or an accomplice, plugged a keylogging hardware
device into the target computer.
d. All of the above.
2. The Universal Payment Identification Code (UPIC) obtained by Some Co. from its bank can be used in which of the following ways?
a. By Some Co. to receive payments via wire transfer from customers
without divulging its bank account information.
b. By Some Co. to receive Automated Clearing House (ACH) credits from customers without divulging its bank account information.
c. By Some Co.’s authorized suppliers to initiate direct debits against its bank account without knowing its bank account information.
d. All of the above.
3. Buford, the controller of Bait Taker Co., received an unexpected yet seemingly legitimate email from the company’s bank prompting him to renew his security token. Following the renewal instructions in the email, he clicked on an embedded link to log in to the company’s online banking site and renew the token. Buford should enter his logon credentials only under which of the following conditions?
a. The web address in his browser matches that of the bank.
b. The term “https” precedes the web address, indicating
a secure web session.
c. A secure lock icon appears in the status bar at the bottom of the browser window.
d. None of the above.
4. Prudence was fired from Fake Corp. for insubordination and, concerned about making ends meet, she altered her final paycheck, changing the amount to $5,547.30 from $547.30, and cashed it for the inflated amount through a teller at the company’s bank. The company’s failure to use high-security check stock, along with the bank’s inattention to the obvious, visible evidence of alteration, made it easy for Prudence to execute her scheme. Which of the following outcomes regarding liability for the loss under the Uniform Commercial Code (UCC) is most likely given the failure of both Fake Corp. and its bank to exercise ordinary care?
a. The bank is strictly liable for the entire loss.
b. The bank’s liability for the loss is limited to $500.
c. The bank will share liability with Fake Corp. for the loss based
on comparative fault.
d. Fake Corp.’s liability for the loss is limited to $500.
5. In setting up her online access to Pigeon Inc.’s bank account, Petunia, the company’s controller, is asked to select several challenge questions as an added layer of security. Which of the following is likely to be an effective challenge question?
a. What is your mother’s maiden name?
b. From what high school did you graduate?
c. What is your father’s middle name?
d. None of the above.
6. On Monday, a thief stole Ishmael’s debit card, which was linked to Ishmael’s personal checking account. The thief used the card to purchase $400 worth of electronics and $200 worth of groceries over the next several days. On Wednesday, Ishmael realized that his card had been stolen, but he failed to report the theft to his bank until Tuesday of the following week. Under Regulation E of the Electronic Fund Transfer Act (EFTA), what is Ishmael’s maximum liability for the fraudulent transactions?
7. Safe Corp. wants to enjoy the benefits of ACH debit transactions
while mitigating the risk of fraudulent debits. Which of the following
measures would be the LEAST effective in minimizing Safe Corp.’s
ACH debit fraud risk?
a. Placing an ACH filter on its account to eliminate the
possibility of automatic transactions.
b. Creating an authorized-user list and rejecting ACH debit
requests received from parties not on the list.
c. Performing monthly account reconciliations of ACH debits.
d. Using one-time authorizations so that every transaction must be
authorized before it is processed.
8. Pretend Co.’s bank account was taken over after its
controller was duped by a phishing email that appeared to be from the
company’s bank. Through the phishing scheme, cybercriminals
obtained the controller’s logon credentials for online banking and
the random number from his security token and then used this information
to initiate 40 wire transfers, totaling $1 million, to co-conspirators
in six countries. Which of the following statements regarding these
fraudulent wire transfers is true?
a. The wire transfers would likely be easier to recover than would
fraudulent ACH transactions.
b. Pretend Co. can be held liable for any resulting loss even
though it did not authorize the transfers.
c. Pretend Co. can escape liability for any resulting loss by
reporting the fraudulent wire transfers to its bank within two banking
days of their occurrence.
d. The wire transfers are processed through a clearinghouse.
9. To protect against check fraud, Any Co. uses Some Bank’s positive-pay service. Yet, a fraudulent check cleared Any Co.’s account. Possible explanations for this situation include all of the following EXCEPT:
a. Some Bank presented the check to Any Co. as an exception item but then was instructed by Any Co.’s authorized representative to pay it.
b. The positive-pay service used by Any Co. does not include payee validation, and the fraudulent check was an altered one on which only the payee had been changed.
c. Any Co. failed to enhance its positive-pay service with reverse positive pay.
d. The positive-pay service used by Any Co. does not include teller-line protection, and the check was cashed through a teller at Some Bank.
10. Skeptic Co. incurred a $10,000 loss after cyberthieves stole its logon credentials for online banking and used them to send a fraudulent wire transfer. The company blames the loss on its bank’s inadequate security measures and seeks to move its accounts to a more secure bank immediately. In evaluating different banks, Skeptic Co. should keep in mind that it will gain the MOST protection from online banking fraud through which of the following bank security measures?
a. Out-of-band verification.
b. A layered security program.
c. Transaction-value thresholds.
d. Dual-customer authorization.
1. (d) Keylogging can be accomplished through a variety of
means. One method involves plugging a keylogging hardware device
directly into the target computer to capture data. Of course, this
requires the fraudster, or an accomplice, to have physical access to the
target computer. Other options involve installing keylogging malware on a
target computer when its user unwittingly visits an infected website,
clicks on an infected banner advertisement, opens an infected email
attachment, or downloads an infected program. To help guard against
keyloggers (and other malware), companies that use online banking
services can implement several security measures, including providing
antifraud training to employees, installing up-to-date anti-malware
software, using multilayered security controls, and setting up a
computer dedicated to online banking (e.g., never used for reading email
or surfing anywhere else on the web).
2. (b) A UPIC is a unique identifier that an organization can use to
receive electronic ACH credits without divulging its bank account
information. (Wire transfers cannot be received using a UPIC.) UPICs are
convenient in that they can be used with any cash management or accounts
payable system. Additionally, they are portable and stay with an
organization even if its banking relationship or account structure
changes. More important, because a UPIC cannot be used to electronically
debit an account (via ACH or wire transfer) or to create a check or
demand draft, its use reduces the organization’s exposure to fraud.
3. (d) Buford should not have clicked on the embedded link in the
first place, let alone enter his logon credentials into the purported
bank website, lest he fall victim to a phishing attack. This is true
regardless of how legitimate the email appears. In a phishing attack, a
phisher sends out fraudulent emails, which usually contain embedded
links or attachments, in an attempt to collect logon credentials or other sensitive information
or to load malware onto end users’ computers. Some of the more
sophisticated attacks don’t appear “phishy” at all;
rather, the sender, content, and attachments–along with any embedded
links and their corresponding websites–all appear bona fide and
frequently claim to be from commercial financial institutions, the
Federal Reserve Bank, or another well-known organization. For
this reason, Buford should access Bait Taker Co.’s online banking
only by typing the bank’s web address directly into his browser.
Also, because the email was unexpected, he might consider contacting the
bank about it.
4. (c) Under the UCC, because both Fake Corp. and its bank failed
to exercise ordinary care, the loss can be allocated based on the extent
to which each party’s failure contributed to the loss. Section 406
of Article 3 of the UCC states, “A person whose failure to exercise
ordinary care substantially contributes to an alteration of an
instrument … is precluded from asserting the alteration … against a
person who, in good faith, pays the instrument….” However, under
Section 406, “if the person asserting the preclusion fails to
exercise ordinary care in paying … the instrument and that failure
substantially contributes to the loss, the loss is allocated between the
person precluded and the person asserting the preclusion according to
the extent to which the failure of each to exercise ordinary care
contributed to the loss.”
Account holders can reduce their chances of being held liable for
check fraud losses for failing to exercise ordinary care by:
* Using positive pay (with payee validation and teller-line
protection) or reverse positive pay, and ACH positive pay.
* Placing ACH filters or blocks on accounts as appropriate.
* Placing accounts for which no check activity is authorized into
“no check activity” status.
* Using high-security check stock.
* Reconciling bank accounts promptly.
* Immediately notifying the bank in the event payment has been made
using a counterfeit or forged check.
* Encouraging employees to sign up for direct deposit of their paychecks.
5. (d) Challenge questions can provide an added layer of protection
against online banking fraud for both business and consumer accounts;
however, to be effective, they should be sophisticated questions whose
answers aren’t easily uncovered by a fraudster. Challenge questions
such as “What is your mother’s maiden name?,” “From
what high school did you graduate?,” and “What is your
father’s middle name?” have answers that might readily be
ascertained via an internet search engine or a visit to a few
websites. If Petunia has the option of writing her own
challenge questions, she should do so, creating questions for which the
answers are ones that she can easily remember yet would be difficult for
others to uncover, such as “What is your favorite
constellation?” If Petunia is not given the option of selecting her
own challenge questions, she could provide nonsense or crafty answers to
the questions provided to increase their security effectiveness. For
example, for the answer to “What is your favorite color?,”
Petunia could select “Dinosaur,” “green*green,”
“forest green,” or “green0845.” However, Petunia
should only use nonsense or crafty answers if she is confident in her
ability to remember them.
6. (c) Under Regulation E, which governs electronic funds transfers
(EFTs), Ishmael’s maximum liability for the fraudulent transactions
is $500. Had he notified his bank of the theft of his debit card within
two business days after learning of it, his liability would have been
limited to $50. Regulation E, issued by the Board of Governors of the
Federal Reserve System, aims to protect consumers (not businesses) who
engage in EFTs such as point-of-sale and automated-teller-machine
transfers, direct deposits or withdrawals, telephone transfers, and
transfers initiated through debit card transactions. Section 205.6 of
the regulation states that a consumer’s liability for unauthorized
EFTs is determined as follows:
* If the consumer notifies the financial institution within two
business days after learning of the loss or theft of the access device
(e.g., a debit card), his or her liability is limited to the lesser of
$50 or the amount of unauthorized transfers that occurred before he or
she gave notice.
* If the consumer fails to notify the financial institution within
two business days after learning of the loss or theft of the access
device, his or her liability is limited to the lesser of $500 or the sum
of: (1) $50 or the amount of unauthorized transfers that occur within
the two business days, whichever is less; and (2) the amount of
unauthorized transfers that occur after the close of two business days
and before notice to the institution (provided the institution
establishes that these transfers would not have occurred had the
consumer notified it within the two-day period).
* A consumer must report an unauthorized EFT that appears on a
periodic statement within 60 days of the financial institution’s
transmittal of the statement to avoid liability for subsequent
transfers. If he or she fails to do so, he or she can be held liable for
up to the amount of the transfers that occur after the close of the 60
days and before notice to the institution (and that the institution
establishes would not have occurred had he or she notified it within the
60-day period). When an access device is involved in the unauthorized
transfer, he or she may also be liable for other amounts, as mentioned
in the previous two bullet points.
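The two liability tiers quoted above can be worked through as a small calculation. The following Python is an added example written for this page, not code from the Journal of Accountancy or from Regulation E itself. It assumes a weekday-only business calendar with no bank holidays, treats a transfer on the notice date as not counting against the consumer, leaves the 60-day periodic-statement rule unmodeled, and uses a constructed April 2012 calendar plus a constructed split of the $400 and $200 purchases so that the weekdays line up with Ishmael's Monday-to-Tuesday timeline.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Transfer:
    """One unauthorized EFT: the date it posted and its amount in dollars."""
    when: date
    amount: float


def add_business_days(start: date, n: int) -> date:
    """Walk n business days forward from start.
    Assumption: weekdays only; bank holidays are ignored."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 ... Friday=4
            n -= 1
    return d


def reg_e_liability(transfers, learned_on: date, notified_on: date) -> float:
    """Consumer liability under the two tiers of Regulation E section 205.6
    as quoted in answer 6. Only transfers posted before the notice date
    count (assumption: notice is treated as given at the start of that day).
    The 60-day periodic-statement rule is not modeled."""
    # The window closes at the end of the second business day after the
    # consumer learned of the loss or theft of the access device.
    window_closes = add_business_days(learned_on, 2)
    counted = [t for t in transfers if t.when < notified_on]
    if notified_on <= window_closes:
        # Timely notice: the lesser of $50 or what was taken before notice.
        return min(50.0, sum(t.amount for t in counted))
    # Late notice: $50 cap on the in-window amount, plus everything taken
    # after the window closed and before notice, all capped at $500.
    in_window = sum(t.amount for t in counted if t.when <= window_closes)
    after_window = sum(t.amount for t in counted if t.when > window_closes)
    return min(500.0, min(50.0, in_window) + after_window)


# Constructed calendar for Ishmael's scenario. April 2012 is chosen only so
# that the weekdays line up: 2 April 2012 was a Monday.
STOLEN = date(2012, 4, 2)         # Monday
LEARNED = date(2012, 4, 4)        # Wednesday
TIMELY_NOTICE = date(2012, 4, 6)  # Friday, the second business day after learning
LATE_NOTICE = date(2012, 4, 10)   # Tuesday of the following week

# Constructed split of the $400 electronics and $200 groceries purchases.
ISHMAEL = [Transfer(date(2012, 4, 3), 400.0), Transfer(date(2012, 4, 9), 200.0)]
# Constructed heavier spree, to show the $500 cap binding.
SPREE = [Transfer(date(2012, 4, 3), 400.0), Transfer(date(2012, 4, 9), 600.0)]


def ishmael_scenarios() -> dict:
    """Liability under timely notice, late notice, and late notice with a
    large post-window spree."""
    return {
        "timely": reg_e_liability(ISHMAEL, LEARNED, TIMELY_NOTICE),
        "late": reg_e_liability(ISHMAEL, LEARNED, LATE_NOTICE),
        "late_capped": reg_e_liability(SPREE, LEARNED, LATE_NOTICE),
    }


if __name__ == "__main__":
    for name, amount in ishmael_scenarios().items():
        print(f"{name}: ${amount:.2f}")
```

The $500 in the answer is the cap. For a given split of purchases the computed figure can be lower (the late-notice scenario above comes to $250 because the $400 taken inside the window is capped at $50), and the cap binds only when enough is taken after the two-business-day window closes.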
7. (c) Of the choices provided, monthly account reconciliations of
ACH debits would be the least effective in minimizing Safe Corp.’s
ACH debit fraud risk. Under National Automated Clearing House
Association (NACHA) Operating Rules, which govern the exchange of ACH
payments, a corporate customer must notify its bank within two banking
days of an unauthorized, or fraudulent, ACH transaction or risk being
liable for the loss. Therefore, Safe Corp. could more effectively
mitigate its risk by reconciling ACH debits daily, in addition to using
an ACH filter and an authorized-user list or one-time authorizations.
The following are further steps Safe Corp. could take to protect against
ACH debit fraud:
* Use ACH positive pay.
* Maintain a separate account for ACH debit transactions,
particularly a clearing account that is funded just before an ACH debit is processed.
* Place an ACH block–to automatically reject all ACH
transactions–on any account for which ACH activity is unlikely to be needed.
8. (b) Under the UCC, Pretend Co. can be held liable for the
fraudulent wire transfers even though it did not authorize them.
According to Section 202 of Article 4A of the UCC, a payment order
accepted in good faith and in compliance with both a commercially
reasonable security procedure and the customer’s instructions is
“effective as the order of the customer, whether or not
authorized.” And if the order is “effective,” the
customer can bear the loss associated with the transfer. For the best
chance of recovering its funds, Pretend Co. should report the fraudulent
wire transfers to its bank immediately; however, doing so does not
relieve the company of liability for any resulting loss. Unlike with
fraudulent ACH transactions, businesses do not have a reporting window
in which they can avoid liability for fraudulent wire transfers. Also,
unlike ACH transactions–which are processed through a clearinghouse and
usually have a two-day settlement period–wire transfers can move funds
directly from one account to another within a few minutes, making their
recovery more difficult. Finally, although banks are required, under the
UCC, to attempt to recover stolen funds, they are not always
successful–particularly when the funds have been transferred to a
foreign country uncooperative with U.S. banks and the FDIC.
9. (c) Many U.S. banks offer positive pay, which is an electronic
check-matching service designed to protect companies and banks against
fraudulent checks. In a standard positive-pay service, as a company
issues checks, it provides its bank with an issued-check file containing
details about those checks, such as the account number, issue date,
dollar amount, and serial number. Then, each day, the bank verifies this
information as checks are presented for payment, marking any
discrepancies as exceptions for the company to review and decide whether
they should be paid or returned. Payee verification and teller-line
protection are enhancements to positive pay offered by many–but not all–
banks. Without these enhancements, Any Co. would not be adequately
protected against altered payee schemes or fraudulent checks cashed
through a teller at its bank. Reverse positive pay is similar to
positive pay but designed for companies with a small check volume that
are unwilling or unable to transmit issued-check files to their bank. In
reverse positive pay, the bank provides details of checks presented to
the company’s account. The company then reviews the checks
presented for payment against its check-issuance data to determine
whether they should be paid or returned. Because reverse positive pay is
not an enhancement to positive pay, but rather a lower-cost alternative,
Any Co. would not use both services for the same account.
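The matching logic described above is short enough to write down, which makes the gap that payee validation closes easy to see. The following Python is an added example, not code from any bank's positive-pay service or from the article; the `Check` fields, the `positive_pay` function, and the account number, serial numbers and payees are all constructed for illustration, with amounts kept in cents. It presents four constructed checks: one altered in the amount the way Prudence altered hers in question 4, one altered only in the payee, one genuine, and one counterfeit.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    """One check record. Amounts are in cents to avoid float rounding."""
    account: str
    serial: int
    amount_cents: int
    issue_date: str
    payee: str


def positive_pay(issued, presented, payee_validation=False):
    """Standard positive pay: match each presented check against the
    issued-check file on account number and serial number, then compare
    amount and issue date. The payee is compared only when the service
    includes payee validation. Returns (serials to pay, exception list)."""
    issued_file = {(c.account, c.serial): c for c in issued}
    pay, exceptions = [], []
    for p in presented:
        record = issued_file.get((p.account, p.serial))
        if record is None:
            exceptions.append((p.serial, "no matching check in issued-check file"))
        elif record.amount_cents != p.amount_cents:
            exceptions.append((p.serial, "amount differs from issued-check file"))
        elif record.issue_date != p.issue_date:
            exceptions.append((p.serial, "issue date differs from issued-check file"))
        elif payee_validation and record.payee != p.payee:
            exceptions.append((p.serial, "payee differs from issued-check file"))
        else:
            pay.append(p.serial)
    return pay, exceptions


ACCT = "000111222"  # constructed account number

# Constructed issued-check file sent by the company to its bank.
ISSUED = [
    Check(ACCT, 1001, 54730, "2012-03-30", "Prudence"),
    Check(ACCT, 1002, 120000, "2012-03-30", "Some Supply Co."),
    Check(ACCT, 1003, 25000, "2012-03-31", "Any Vendor LLC"),
]

# Constructed checks presented for payment.
PRESENTED = [
    Check(ACCT, 1001, 554730, "2012-03-30", "Prudence"),        # $547.30 raised to $5,547.30
    Check(ACCT, 1002, 120000, "2012-03-30", "Other Party"),     # only the payee altered
    Check(ACCT, 1003, 25000, "2012-03-31", "Any Vendor LLC"),   # genuine
    Check(ACCT, 1004, 99999, "2012-04-02", "Cash"),             # counterfeit, never issued
]


def compare_services():
    """Run the same presentment through standard positive pay and through
    positive pay enhanced with payee validation."""
    standard = positive_pay(ISSUED, PRESENTED)
    with_payee = positive_pay(ISSUED, PRESENTED, payee_validation=True)
    return standard, with_payee


if __name__ == "__main__":
    for label, (pay, exceptions) in zip(("standard", "payee validation"), compare_services()):
        print(f"{label}: pay {pay}")
        for serial, reason in exceptions:
            print(f"  exception {serial}: {reason}")
```

Standard positive pay catches the raised amount and the counterfeit serial but pays check 1002, because it compares only fields the issued-check file carries and the altered payee is not one of them; with payee validation the same check becomes an exception. Teller-line protection is a separate enhancement and is not modeled here, since it concerns where the check is presented rather than what is matched.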
10. (b) Because no one control is likely to provide absolute
protection from online banking fraud, Skeptic Co. should keep in mind
that it will gain the most protection through a layered security
program. In a layered security program, different controls are used at
different points in the transaction process to reinforce, enhance, or
compensate for other controls. The Federal Financial Institutions
Examination Council (FFIEC), in its Supplement to Authentication in an Internet
Banking Environment, offers the following controls as part of a layered security program:
* Fraud detection and monitoring systems that include consideration
of customer history and behavior and enable a timely and effective
institution response;
* The use of dual-customer authorization through different access devices;
* The use of out-of-band verification for transactions;
* The use of positive pay, debit blocks, and other techniques to
appropriately limit the transactional use of the account;
* Enhanced controls over account activities, such as transaction
value thresholds, payment recipients, number of transactions allowed per
day, and allowable payment windows (e.g., days and times);
* Internet protocol (IP) reputation-based tools to block connection
to banking servers from IP addresses known or suspected to be associated
with fraudulent activities;
* Policies and practices for addressing customer devices identified
as potentially compromised and customers who may be facilitating fraud;
* Enhanced control over changes to account maintenance activities
performed by customers either online or through customer service channels;
* Enhanced customer education to increase awareness of the fraud
risk and effective techniques customers can use to mitigate the risk.
If you answered 10 questions correctly, congratulations. Your solid
knowledge about fraudulent banking transactions will assist you in
protecting the accounts of your clients or employer. Keep up the good
work. If you answered eight or nine questions correctly, you’re on
the right track. Continue to build on your antifraud knowledge. If you
answered fewer than eight questions correctly, consider strengthening
your understanding of fraudulent bank activity to help ensure that you
have what it takes to battle criminals determined to drain the accounts
of their targets.
* “What CPAs Need to Know About Organized Crime,” April
2012, page 38
* “What’s Your Fraud IQ?” Feb. 2012, page 36
* “What’s Your Fraud IQ?” Nov. 2011, page 42
* “Ferret Out Fraud,” Aug. 2011, page 20
* “What’s Your Fraud IQ?” Aug. 2011, page 32
Use journalofaccountancy.com to find past articles. In the search
box, click “Open Advanced Search” and then search by title.
Letter from the SEC
See “More on Auditors’ Reporting Duties to the SEC,”
in Letters, page 14, for comments from SEC officials regarding a
question about the
Foreign Corrupt Practices Act
that appeared in the
February 2012 version of “What’s Your Fraud IQ?” (page
Dawn Taylor (firstname.lastname@example.org) develops educational materials
for the Association of Certified Fraud Examiners, where Andi McNeal
(email@example.com) is director of research.
To comment on this article or to suggest an idea for another
article, contact Jeff Drew, senior editor, at firstname.lastname@example.org or