How the Fraud is Occurring
According to a recent KrebsOnSecurity article: "A well-organized Nigerian crime ring is exploiting the COVID-19 crisis by committing large-scale fraud against multiple state unemployment insurance programs… [The crime ring is] using Social Security numbers and other personally identifiable information (PII) belonging to identity theft victims." These criminals then contact the victim's financial institution to obtain additional account information and PII, under the guise of needing to “verify” their information for an unemployment insurance application. All of this stolen information is then used to send out a fraudulent unemployment insurance payment in the form of an ACH credit to another financial institution, where the criminals then pull out the funds, never to be seen again.
How to Stop Unemployment Insurance Fraud
Prevention as the originating depository financial institution (ODFI):
As the ODFI, your financial institution is liable for any ACH credit fraud that occurs as a result of these unemployment insurance fraud schemes, as per your ACH vendor agreement. Identity theft is the means by which these criminals carry out the attacks, so the best way to prevent the fraud is to adopt strong authentication measures to validate the identity of the depositor. Follow these ACH authentication best practices to arm your financial institution against these attacks:
- Limit the daily and single transaction dollar amount for outgoing ACH credits and debits
- Set daily velocity limits: a max number of ACH transactions within a 24-hour time-frame
- Offer text or email alerts to accountholders so they may detect and report any unauthorized transactions
- Require validation of a one-time trial balance before authorizing the outgoing ACH credit or debit
- Establish strong identification requirements for all account access and information requests, including:
  - Require complex passwords
  - Turn on biometric access for your mobile app (e.g. fingerprint or facial recognition)
  - Require both identifying information (e.g. SSN) and personal information (e.g. pet’s name)
  - Enforce multi-factor authentication (e.g. signatures, passcodes, and security questions)
  - Require verification of a one-time text/email passcode
- Require additional authentication requirements for new account requests
- Provide accountholder education on protecting against identity theft
Prevention as the receiving depository financial institution (RDFI):
Under the ACH rules, financial institutions acting as the RDFI do not take on the risk for fraudulent ACH credits deposited into their accounts. If the funds are already gone, the ODFI takes on 100% of the liability risk.
If there are still funds in the accountholder's account, freeze the funds and request an indemnification letter from the ODFI before returning the funds to them. Perform name matching on ACHs to uncover any mismatches. If the name on the incoming ACH credit does not match the name on the account it’s coming into, return the ACH credit back to the ODFI.
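The name-matching check described above can be sketched as follows. This is an added example, not code from the article or from Allied Solutions. It assumes the standard fixed-width NACHA entry detail layout (individual name in columns 55-76), and the account table, the matching rule and the helper names are hypothetical:

```python
import re
import unicodedata

CREDIT_CODES = {"22", "32"}            # live checking / savings credits
SUFFIXES = {"JR", "SR", "II", "III", "IV"}

def parse_entry_detail(line):
    """Slice the fixed-width fields of a 94-character NACHA entry detail record."""
    if len(line) != 94 or line[0] != "6":
        raise ValueError("not an entry detail record")
    return {"transaction_code": line[1:3],
            "account_number": line[12:29].strip(),
            "amount_cents": int(line[29:39]),
            "individual_name": line[54:76].strip()}

def name_tokens(name):
    """Uppercase, fold accents, drop punctuation and generational suffixes."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^A-Za-z]", " ", folded).upper().split()
    return [t for t in tokens if t not in SUFFIXES]

def names_match(ach_name, account_name):
    """True when every full word of the ACH name appears in the account name."""
    ach, acct = name_tokens(ach_name), name_tokens(account_name)
    field_full = len(ach_name.strip()) >= 22   # name may be cut off at 22 chars
    matched = 0
    for i, tok in enumerate(ach):
        if len(tok) == 1:
            continue                            # initials are not evidence either way
        cut = field_full and i == len(ach) - 1
        if not any(a == tok or (cut and a.startswith(tok)) for a in acct):
            return False
        matched += 1
    return matched >= 2                         # assumption: need two full words to pass

def screen_credit(line, accounts):
    """Return 'match', 'mismatch' or 'not_screened' for one incoming entry."""
    entry = parse_entry_detail(line)
    if entry["transaction_code"] not in CREDIT_CODES:
        return "not_screened"
    holder = accounts.get(entry["account_number"])
    if holder is None or not names_match(entry["individual_name"], holder):
        return "mismatch"
    return "match"

def sample_record(name, account, code="22"):
    """Build a constructed record; routing, amount and trace are placeholders."""
    return ("6" + code + "0" * 9 + account.ljust(17) + "0000060000" + " " * 15
            + name.upper()[:22].ljust(22) + "  " + "0" + "0" * 15)

ACCOUNTS = {"1001": "John Smith", "1002": "Maria Fernandez-Gonzalez"}  # constructed
```

A `mismatch` result is the case the paragraph above says to return to the ODFI. The rule is deliberately strict, so an initial-only name such as "J SMITH" also lands there.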
Sign up for our “Let’s Talk Fraud” monthly series to get direct access to our fraud experts and receive real-time advice on how to protect against these risks: alliedsolutions.net/lets-talk-fraud.
About Allied Solutions’ Bond Protection
For over 20 years, Allied Solutions has been selling and underwriting customized solutions to keep our clients protected from unexpected risks. Allied is now the industry's largest independent producer of bond and insurance business with more than 1,000 clients nationwide and a staff that has exceptional technical experience and know-how. It is this commitment and expertise that has helped Allied save our clients millions in insurance premiums, and has granted us the highly esteemed 'Preferred Partner' status by NAFCU Services. Learn more: alliedsolutions.net/bond.