In a live Q&A session following a webinar on the fraud threats that small business owners face today, Santander experts answered questions from audience members on how to best protect their businesses from the dangers of fraud. Click here to listen to the webinar that preceded the Q&A.
AMIR: We talked about a lot of emerging threats: things that maybe people feel are not necessarily related to them. I think you guys did a great job of highlighting what is out there. Are there other common forms of fraud that you didn’t cover today that small business owners kind of should know more about—whether that’s ACH or wire fraud—I don’t know who could maybe field that question initially.
DAN: Yeah, one of the things that I would bring up is confidence scams—is something that we see. So when sometimes people think about confidence scams, they think about, you know, a romance scam. You meet someone on match.com and all of a sudden they’re trying to extract money from you. But small businesses can fall victim to confidence scams as well, and it’s typically if you see something that’s too good to be true, it typically is, right? So you want to make sure that you’re doing your diligence and this isn’t even just relegated to small businesses; you have large commercial businesses that fall victim to this as well. And you have these fraudsters, and they’re exceptionally organized, and it looks very—they’re very articulate, and there’s a lot of money to be gained from it. So what they’ll do is they’ll set up business relationships or large purchases. One example is that they might, you know, very quickly they want to make a large purchase. They send you a check for $100,000, although it was only supposed to be for $70,000. They then ask you to wire the funds back to them, the $30,000. You do that, and then the check goes bad, and they disappear. So a lot of these too-good-to-be-true scenarios, you really want to make sure that you vet them out and do your diligence, and then really the channel kind of switch can be wires, checks, ACH—but we see a lot stem from that, so something to be cognizant of.
TIM: Yeah, and I know Amir you mentioned ACHs. So typically if you ask me what keeps me up at night as a fraud professional, payments for sure. I mention ACHs, wires, even person-to-person payments. Those are things like Zelle and Venmo. And that’s really because the demand for faster funds is here. Businesses want faster funds to transfer to suppliers and get paid. Customers want to send faster payments to each other, and faster payments essentially means more fraud. Also data. Data in our society is power, and the matter of the fact is I cannot reissue Amir. I can’t reissue your social; I can’t reissue your identity. So companies should make sure that they attempt to desensitize any data they can where available—encrypt it and store it and secure databases.
AMIR: Great. Thank you, gentlemen. We have a question from the webinar as well, and the question is: With respect to check fraud, where is the most common source of fraud? And the example, in parentheses, is: Is it employee fraud? Is it mail fraud? Fraud rings? So if one of you gentlemen could answer that, that would be great.
DAN: Yeah, that’s a great question. And what we see a lot of—the fraud rings are very prominent, right? They have their hands in a lot of information; they create a lot of counterfeit checks, and they kind of all strike at once. So it can be very challenging for financial institutions to react to and certainly, you know, small businesses can fall victim to that as well. When it comes to employee fraud—and one of the reasons I brought up the thought of, you know, when you have someone who’s a signer, make sure they’re not the ones reconciling the accounts as well—is those can tend to be much larger losses attributed to that, because if you have someone that’s an insider, typically they know all the ins and outs and they’re able to operate for a longer period of time, and that can aggregate very quickly. So because they can operate for so long, they can—it can accumulate to a very large number, so it’s something you certainly want to be aware of, and make sure you have the right controls in place for.
AMIR: Great. Thanks, Dan. Tim, this might be for you. You know, there’s two questions here that are very similar, which is: One, where can I go to learn more about fraud prevention for my business? And then, you know, how would you recommend staying up to date on emerging fraud threats? What would you give advice on there?
TIM: Yeah, it’s a great question, Amir. So I would probably say I’m really excited to announce that Santander’s actually announced a privacy and security hub, and this is going to help all of our customers, small businesses, large businesses, and retail customers alike. The site is actually going to be updated throughout the year and it talks about what Santander does to protect our customers and what our customers can do to protect themselves. Also there’s useful links to some of the major credit bureaus, and I would urge folks that they can check back later in the year when we start to put up additional enhancements, such as a mailbox where customers and forward potential phishing or fraud emails and helpful articles. The way that you get to our privacy and security hub is by going to our Santander homepage, scrolling to the bottom of the homepage, and clicking the “Privacy and Security” link. It can also be found on the “Business” webpage as well.
AMIR: Great. Thanks so much. Yeah, I think it’s incredibly useful to have these resources available to you at your fingertips and engage, right? If you’re not banking with Santander, then engage with your current bank; they have a vested interest in protecting your business as we do for our customers, and importantly there’s resources available to you, so to get educated quickly is incredibly important. And then to take steps forward to protect yourself, right? So here’s another question here: What solutions to banks offer to prevent check fraud? So both Tim and Dan have mentioned Positive Pay, and for the folks that are on this webinar and don’t really understand Positive Pay and it sounds complicated or unfamiliar, simply the bank offers an opportunity that essentially verify the checks that you wrote are legitimate. That’s about the level of knowledge that I think that you should start with and then engage with a relationship banker. We are more than happy to help businesses understand what’s available to them, how to protect yourself, and what it means to you from a cost perspective to do so, and I think incredibly important for you to know that there’s many ways for you to protect yourself, but that’s just one example to do that.
One of the other questions that I think we would like to maybe answer, here, is the landscape of fraud has been changing, and I think, you know, Tim and Dan have both talked about what is around us on the periphery, but you know, things that are changing over the next five years: How would you recommend folks on this webinar to really get prepared for things like that? I mean, it feels like fraud evolves so quickly. It is rapidly moving. And to your point earlier where the EMV chip on our debit and credit cards has shifted maybe some focus on things that are not related to the EMV chip—how would you give advice on that, gentlemen?
TIM: Yeah, I would echo in the fact that fraud changes by the second, by the hour, and by the day. You know, I think Dan and I both learn new things every single day being in these jobs, and we’ve been in these jobs collectively for probably over 40 years. (laughs) When you think about how the ecosystem reacts and how things change, it really is like a balloon animal, and I think you mentioned it best, Amir. When EMV chips started to come to the US, it’s really dried up some of the lucrative ways that fraudsters were able to capitalize on some of the fraud, and that has forced them to get intuitive. So as they get intuitive, we must all become intuitive together and essentially detect the new schemes of the next five to 10 years. I would definitely look—again, like I mentioned—at payments. If you look across the sea to the UK, they’ve had real-time payments for probably the better half of 10 to 15 years. That is definitely coming to the US. So a real-time way of moving large sums of money. Again, I think if you think about what are some of the prime vectors or threats that we’ll have with these faster payments, I think a lot of it is going to be based off authentication and how a business or a bank even can know that they’re dealing with their customer, so knowing your customer is going to be huge.
AMIR: Great. Thank you so much. Appreciate it. We have another question here from the webinar and the question was: If we get the BEC emails—and it sounds like one of the business customers that are on the phone here just received one the other day—you know, asking for a wire transfer—should we forward them to the fraud division of the bank? Currently we just delete them. So maybe Dan, I can get you to give some advice on that topic there.
DAN: Yeah. Hopefully Assad didn’t respond to it, but absolutely you should. If you can send it over—whether it’s at Santander or for anyone on the call, you know, that it happens at another bank, you want to send it over to the fraud division, that’s invaluable intel for us to utilize. We can—especially if we have that original email, (i.e. just dragging that email and copying it as an attachment and sending it over), that’s something that we could look at to potentially identify where it came from and see if there’s any similarity with other emails that we have. So yeah. Absolutely. Good question.
AMIR: Yeah. Good. Good job of protecting yourself. I will say that I recently have had an experience with speaking with a business customer that unfortunately did have one of these types of incidents and had been exposed to $1 million worth of losses, so incredibly important to pay close attention and scrutinize what you receive via email for sure.
Let’s see here. Let’s see if we have any other questions. And again, feel free to ask questions about services, about protections, about other threats that you personally have experienced or have been exposed to. We’ve got the subject matter experts here to help answer some of those questions for you. So maybe I’ll go to this question here: So what’s the most common mistake you see among small business owners when it comes to fraud prevention efforts? And maybe there’s an opportunity to focus on things like dual control, Tim and Dan. What do you think are good tips on how to prevent those kinds of issues from happening by having good-quality dual control in place?
DAN: Yeah, I think any time you can have dual authorization in place, it’s exceptionally positive. You want to make sure that you’re auditing your processes constantly; you should map out the ways that you can execute payments and ensure that there’s some separation of duties. We see scenarios where one person within the organization simply has, you know, too much power—nobody looking over their shoulder—and that’s when you run into these insider abuse situations that can manifest into very large losses. So again, any time you can insert a second—a third party—it is infinitely more helpful in kind of preventing any fraud from occurring. So yeah, I would say when it comes to internal, the more hands the better.
TIM: Yeah, I would piggyback and say most businesses should make sure they do regular access checks as well, to Dan’s point. Make sure that you have the ability with any bank that you bank with, enrolling in alerts. Alerts are key: if anything changes on your account so that your notified promptly. And then not allowing other folks to execute payments or information on your behalf. Don’t share credentials.
AMIR: Great advice, gentlemen. Thank you. And listen, I wanted to thank everybody for being on the line today and really participating in this webinar. We think—at Santander—it’s important for us to provide these kinds of insights and resources to all of you so that you can protect what is so precious to all of you and what you’ve worked so hard to deliver, and so really, really glad that we had this opportunity; this won’t be the last opportunity where we will be engaged in webinars and providing resources and thoughts on ways to solve problems as you have a partner in Santander for sure.