Protect Your Organization from Theft and Fraud
Think your business won't be impacted by fraud? Think again! The risk of fraud is always present and always changing. Fraud can hurt your reputation and your bottom line, but there are steps you can take to protect your business.
Click on the links below for more information:
Deposit Accounts
Did you know that nearly half of employee theft and fraud can be attributed to weaknesses in internal controls and procedures? Implementing proper internal controls may not entirely eliminate fraud in your business, but it does make fraudulent activity harder for your employees, and for others outside your organization, to carry out. With a few steps, you can keep your money where it should be: in your bank account.
- Check your accounts regularly via online banking and review your business's monthly bank statements in detail within a reasonable time frame. Have bank statements sent directly to your personal email or home address.
- Review all credit and debit card statements for accuracy. Using payment cards for business expenses can simplify accounting and tax preparation; however, the more employees who hold company credit cards, the greater the chance of fraud. Require employees to document all business expenses with detailed receipts.
- Keep track of the cheque book and store it in a safe location. If any cheques are missing, notify the Credit Union as soon as possible.
- Create proper signing authorities and notify the Credit Union of any change in signing authorities or in the structure of the organization.
- Do not pre-sign cheques.
- Segregate duties. Ensure that whoever signs the cheques is not the person who reconciles or verifies the account.
- Create cheque signing and cash processing limits.
- Restrict employee access to financial data and computer records.
- Monitor point-of-sale transactions. Count the cash in the cash drawer at the beginning and end of each business day. Use point-of-sale software that requires employees to log in; tracking who is on the register at any given time reduces the risk of theft.
- Don't put one person in charge of petty cash. Require a second employee to authorize all petty cash transactions. Record all transactions and balance the petty cash once a week.
- Review all outgoing payments. Compare payments to invoices. Watch for duplicate invoices, new vendors, or multiple invoices from the same vendor in a short time; embezzling employees often use these tactics to pay themselves. Regularly review all approved cheques to ensure the payee, cheque amount and date all match the invoice.
- Require vendors to submit detailed invoices. Avoid vague language on invoices.
- Sign cheques yourself. Require all outgoing cheques and payments to be signed or authorized by the business owner or established signing authorities.
- Review payroll before it goes out. Watch for any variations in the amounts. Use direct deposit to reduce your risk of payroll fraud.
- Implement dual signature requirements so that no single signer can release a payment on their own.
- Don't be predictable. Put the element of surprise on your side when watching for employee misconduct: perform your financial reviews and audits at random times.
- Have an external audit performed and complete annual financial statements in a timely manner. An independent and unbiased review of the financials helps to reveal problems.
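The payment-review steps above (duplicate invoices, new vendors, several invoices from one vendor in a short time, and matching each cheque back to its invoice) can be run automatically against an export from your accounting system. The following is an added example written for this page, not software from Fusion or any vendor. The vendor master, invoices and cheque register are constructed, and the thresholds (three invoices from one vendor within ten days) are assumptions you would tune to your own business.

```python
"""Accounts-payable review: duplicate invoice numbers, vendors missing from the
approved master, invoice bursts from one vendor, and cheque-to-invoice mismatches.
Added example with constructed sample data; vendor names are hypothetical."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed approved-vendor master.
APPROVED_VENDORS = {"Acme Office Supply", "Northwind Freight"}

# Constructed invoice records.
INVOICES = [
    {"id": "I1", "vendor": "Acme Office Supply", "number": "A-1001", "amount": 480.00, "date": date(2024, 3, 1)},
    {"id": "I2", "vendor": "Acme Office Supply", "number": "A-1001", "amount": 480.00, "date": date(2024, 3, 8)},  # same number again
    {"id": "I3", "vendor": "Northwind Freight", "number": "NF-77", "amount": 2200.00, "date": date(2024, 3, 2)},
    {"id": "I4", "vendor": "Northwind Freight", "number": "NF-78", "amount": 2150.00, "date": date(2024, 3, 5)},
    {"id": "I5", "vendor": "Northwind Freight", "number": "NF-79", "amount": 2300.00, "date": date(2024, 3, 9)},  # three in ten days
    {"id": "I6", "vendor": "Quick Consulting Ltd", "number": "1", "amount": 975.00, "date": date(2024, 3, 10)},  # not in master
]

# Constructed cheque register; each cheque references the invoice it pays.
CHEQUES = [
    {"cheque": 501, "payee": "Acme Office Supply", "amount": 480.00, "date": date(2024, 3, 4), "invoice": "I1"},
    {"cheque": 502, "payee": "Quick Consulting Ltd", "amount": 1075.00, "date": date(2024, 3, 12), "invoice": "I6"},  # amount differs
]

BURST_WINDOW = timedelta(days=10)   # assumed threshold
BURST_COUNT = 3                     # assumed threshold


def review_invoices(invoices, approved, window=BURST_WINDOW, burst_count=BURST_COUNT):
    """Return a sorted list of (invoice_id, reason) findings."""
    findings = []
    seen_numbers = {}            # (vendor, invoice number) -> first invoice id
    by_vendor = defaultdict(list)
    for inv in invoices:
        key = (inv["vendor"], inv["number"])
        if key in seen_numbers:
            findings.append((inv["id"], f"duplicate invoice number {inv['number']} (see {seen_numbers[key]})"))
        else:
            seen_numbers[key] = inv["id"]
        if inv["vendor"] not in approved:
            findings.append((inv["id"], f"vendor not in approved master: {inv['vendor']}"))
        by_vendor[inv["vendor"]].append(inv)
    # Burst check: burst_count or more invoices from one vendor inside a sliding window.
    for vendor, invs in by_vendor.items():
        invs.sort(key=lambda i: i["date"])
        for i in range(len(invs)):
            in_window = [j for j in invs[i:] if j["date"] - invs[i]["date"] <= window]
            if len(in_window) >= burst_count:
                findings.append((in_window[-1]["id"], f"{len(in_window)} invoices from {vendor} within {window.days} days"))
                break
    return sorted(set(findings))


def review_cheques(cheques, invoices, tolerance=0.005):
    """Match each cheque to its invoice: payee, amount and date must agree."""
    inv_by_id = {i["id"]: i for i in invoices}
    findings = []
    for chq in cheques:
        inv = inv_by_id.get(chq["invoice"])
        if inv is None:
            findings.append((chq["cheque"], "no matching invoice"))
            continue
        if chq["payee"] != inv["vendor"]:
            findings.append((chq["cheque"], f"payee {chq['payee']!r} != invoice vendor {inv['vendor']!r}"))
        if abs(chq["amount"] - inv["amount"]) > tolerance:
            findings.append((chq["cheque"], f"amount {chq['amount']:.2f} != invoice {inv['amount']:.2f}"))
        if chq["date"] < inv["date"]:
            findings.append((chq["cheque"], "cheque dated before the invoice"))
    return findings


if __name__ == "__main__":
    for finding in review_invoices(INVOICES, APPROVED_VENDORS) + review_cheques(CHEQUES, INVOICES):
        print(*finding)
```

Run it against a CSV export of your own invoices and cheques; every finding is a record to pull and compare against the paper invoice, not an accusation on its own.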
Small Business Online Banking
Small Business digital banking is secure online access that gives business owners and community groups convenient management of their accounts wherever and whenever they need it, along with flexible administrative controls.
Small Business digital banking has all the same features as personal digital banking, plus additional features for business owners that support the day-to-day banking needs of your business, such as:
- Consolidate Profiles: if you have more than one membership with Fusion, you can consolidate them and switch between memberships with one login.
- Add and Manage Delegates: Delegates are people such as an accountant, bookkeeper or employees who can be granted limited access to Small Business digital banking. Delegates are managed by authorized signers with small business digital banking access.
- Read-Only Access – view account information but cannot perform any transactions.
- Initiator Access - initiates transactions that require approval by authorized signers.
- Make corporate tax payments.
- View pending transactions that require your approval, as well as cancelled or expired transactions.
- Set up dual signers on business accounts that require two people to approve transactions. (You can have as many signers as the organization requires, but you only need 2 to sign for dual signature).
- Create transactions that require additional approval.
- Set up Alerts - Stay informed when you need to approve transactions or if you have transactions that are about to expire. You can view small business alerts by email or text message anywhere, anytime. (Text messaging rates may apply.) Set up is needed before alerts will be received.
- Two-Factor Authentication – one time passcode (OTP) is a security code that provides an additional layer of protection that safeguards sensitive information and certain online banking activities. One-time passcodes are used to:
- register for online banking,
- add a new bill vendor,
- update contact information,
- change or reset your password,
- transfer funds to another member,
- add an Interac e-Transfer® recipient.
- Use strong passwords:
- Use long, memorable passphrases combining letters, numbers and special characters.
- Create a unique password for each website login.
- Create strong passwords for email accounts, as they are the gateway to digital banking.
- Keep your passwords secret:
- Do not share passwords or login credentials; each user should have an assigned username and password.
- Segregation of duties:
- Assign authorized signer and delegate access based on each employee's responsibilities, with adequate segregation of duties among custody of assets, authorization of transactions, and control of source documents and records.
- Dual authorization requires two individuals to complete a transaction; no one person should have sole authority to initiate, authorize or approve a transaction without appropriate sign-off processes and differing levels of approval.
- Contact Fusion CU about any changes to signing authorities:
- Provide updated resolutions and tell the credit union about changes in signing authorities, or when there is a change in staff or board members, so that Digital Banking access can be updated.
- Note: Digital Banking access is granted to the person and does not distinguish position or assigned authority. For example, a resolution requiring two signers, one of Mayor or Deputy Mayor AND one of CAO or Assistant CAO, cannot be enforced by Digital Banking, which only checks that the required number of signers have approved; that combination of positions must be enforced by your own procedures.
- Establish internal controls:
- Strong internal controls (policies, processes and procedures) do not make a company immune from fraud, but they do make it a less attractive target to both internal and external fraudsters seeking to exploit internal control weaknesses.
- Internal controls are a set of tools that should evolve over time as the business, technology and fraud environment change.
- Review and Manage Delegate Access Regularly:
- Delegates are managed by authorized signers of the account with Digital Banking access; Any changes to staff employment or authority should be managed immediately.
- Protect your computer:
- Install anti-virus and anti-malware software on every computer and on the network, and keep it updated.
- Register for Autodeposit if accepting Interac e-Transfer®:
- Autodeposit is a secure way to receive money without having to answer security questions for every transaction.
- Employee education on fraud prevention:
- Keeping employees and committee members up to date on fraud schemes helps them pass information on to members and makes them more vigilant.
Online banking security is the responsibility of everyone who uses the system. Fusion invests considerable time and money in fraud detection systems, but requires vigilance on everyone’s part in order to be effective.
Hackers today are getting more sophisticated, so it is vital that everyone remember some basic online banking safety principles. It’s better to prevent theft than to try to recover losses later.
Here are a few things you should NEVER do with your online banking:
- NEVER log in to online banking over public Wi-Fi. That is like letting hackers “look over your shoulder” as you do your banking.
- NEVER provide personal information in response to an unsolicited phone call. Fusion will never ask for personal information over the phone.
- NEVER click on attachments or links in suspicious emails or text messages. This is a very common way for hackers to gain access to your private information.
- NEVER click on an Interac e-Transfer® that you weren't expecting. Verify any unexpected Interac e-Transfer® with the sender personally before clicking.
- NEVER tell anyone your password or PIN.
Here are a few things you should ALWAYS do with your online banking:
- ALWAYS be wary of suspicious emails, text messages, social media messages and letters, and online ads that ask you to reveal private information or ask you to click through to online banking. Type your online banking address directly into your browser instead of clicking on a link.
- ALWAYS choose unique and secure passwords for any site that requires you to create one. Security questions should be difficult to answer: your spouse's or child's name is easy to find online. Pick something that a hacker can't answer using Google, Facebook or LinkedIn.
- ALWAYS change your passwords on a regular basis. Use difficult passwords and consider using a password manager app that can keep your passwords safe. These can help you generate difficult passwords and will remember them for you. Examples of password manager apps are: Keepass, LastPass, 1Password, Bitwarden, Dashlane, Keeper and TrueKey.
- ALWAYS use anti-virus and anti-malware software. Keep your devices safe and secure!
- ALWAYS take extra precaution by setting up sign-in and transactional alerts through online banking. When important changes have been made to your account, Account & Security alerts let you know by text, email or both as soon as it happens.
Wire Transfers
A wire transfer is a safe way to send or receive money from around the world. Wires can be sent in almost any currency and can be received in either Canadian or US dollars. Generally, you can expect the funds to arrive within one to three business days. It is a convenient and quick form of payment that has gained popularity.
International Wire Transfers - An international wire transfer is initiated in one country and settled in another. Senders must initiate an international wire transfer even when the recipient in the other country has an account at the same bank. These payments require a routing number or a SWIFT/BIC code. (SWIFT stands for Society for Worldwide Interbank Financial Telecommunication; a SWIFT/BIC code uniquely identifies a financial or non-financial institution and is used for international as well as Canadian wire payments.) These wire transfers are normally delivered within two to three business days.
Wire transfers are generally safe and secure, provided the member knows the person who's receiving them. Each person involved in a wire transfer transaction will be required to prove their identity so that anonymous transfers are impossible.
Wire transfers may be flagged for several reasons, alerting officials to possible wrongdoing by either the recipient or the sender. These reasons may include:
- transfers to safe-haven countries
- transfers to non-account holders
- regular transfers for no viable reason
- incoming and outgoing wires with the same dollar amount
- large amounts wired by cash businesses
Providing complete and accurate beneficiary details will:
- Eliminate processing delays related to missing or incorrect data;
- Lessen the risk that the payment will be rejected; and
- Satisfy regulatory requirements under anti-money laundering and anti-terrorist financing laws and regulations.
Cut-off times for outgoing wires:
- Within the province: if we receive and send the wire by 3 pm, the receiving institution receives it the same day.
- Out of province: if we receive and send the wire by 12 pm, the receiving institution receives it the same day.
- Outside the country: if we receive and send the wire by 3 pm, the receiving institution receives it within 3 business days. This depends on both the intermediary and receiving institutions' acceptance of incoming wires.
The Outgoing Wire Request form will need to be completed in full, providing as many details as possible, including:
- Institution name
- Institution's full address
- Institution's phone number
- Institution's Transit number
- SWIFT code
- Beneficiary's full name
- Beneficiary's full address
- Beneficiary's phone number
- Beneficiary's account number
A fraudster may pose as a colleague, client, or someone you or your company have done business with recently in an attempt to obtain confidential account information or convince members to wire funds. In some cases, if the fraudster has access to the member's mail or invoices, they may pretend to be a vendor asking for funds to be wired to a new or different account.
These are some of the common red flags that should raise suspicion in a wire transfer request.
RED FLAG: THE SENDER REFUSES PHONE CALLS AND INSISTS ON COMMUNICATING VIA EMAIL ONLY
If someone is asking you to send money and won't even talk to you by phone, something is probably wrong.
Sometimes the person requesting the transfer will claim an inability to be reached by phone now but will promise to confirm at a later date. This should be treated as the implausibility it is and the member should insist on hearing directly from the person requesting funds.
RED FLAG: THE SENDER USES ODD OR INCORRECT WORDS, SPELLING, OR PHRASES
If dealing with a professional, you should expect their email and other communications to make sense and appear professional. But it's extremely common for fraudsters' emails to arrive riddled with spelling and grammar mistakes, which is a red flag.
While some fraudsters can pass for polished business communicators, many cannot. It might be bizarre phrasing, awkward English, poor grammatical choices, incorrect punctuation, or simply weird spacing or capitalization. These all suggest that you may be dealing with someone other than a legitimate contact.
RED FLAG: THE NATURE OF THE AMOUNT REQUESTED IS UNUSUAL OR INCONSISTENT WITH PREVIOUS PRACTICE
If the request is out of the ordinary, especially if it's way out of the ordinary, that's a reason to question it. Watch the patterns associated with the people we do business with and keep an eye out for larger-than-normal amounts or requests to transfer money to new locations.
RED FLAG: THE RETURN EMAIL IS INCORRECT
Even if an email appears legitimate, always check the return address before sending any money. In most cases, a financial institution, lawyer's office, or other legitimate organization requesting funds will not use a Gmail or Yahoo email address; they will use a branded company email address. Some fraudsters will try to imitate the legitimate company email address but make it slightly different, so check closely.
Individuals and business owners should also watch out for large monetary requests that ask to be “coded" to a department within the company, or requests accompanied by detailed instructions with return addresses that are incorrect or have one or more extra letters added — all further indications of spoofing.
Be vigilant, use common sense and take a detailed approach. Fraudsters are getting bolder, and the amounts are getting bigger. Take the steps you need to take to keep from becoming the latest victim.
Review the content of each request carefully. Watch for slight changes to an email address, spelling, grammatical errors, a great sense of urgency, unavailability of the member, international transfers, high dollar amounts and increased frequency.
Do not rely solely on history of similar email wire transfer requests, as a fraudster may have intercepted that correspondence with the purpose to introduce similar but fraudulent transactions.
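The red flags above can be screened for automatically before a payment-change request ever reaches the person who approves wires. Below is an added example written for this page, not Fusion's own tooling. It parses a constructed email, compares the sender and Reply-To domains, checks for free-mail domains, measures how close the sender's domain is to the domains of vendors you already pay (the vendor list and the two-character edit-distance threshold are assumptions), and looks for urgency, phone avoidance and "new account details" wording. A hit is a reason to call the number on file, not proof of fraud, and a clean result is not proof of legitimacy.

```python
"""Screen an inbound wire/payment-change email for business email compromise
red flags. Added example; the vendor domains and both sample messages are
constructed, and the thresholds are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

KNOWN_VENDOR_DOMAINS = {"northwindfreight.com", "acmeoffice.ca"}   # constructed
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
LOOKALIKE_MAX_DISTANCE = 2                                          # assumed

URGENCY = re.compile(r"\b(urgent|immediately|today|asap|right away)\b", re.I)
ACCOUNT_CHANGE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}\b(account|bank|wire|banking) (details|information|instructions)",
    re.I | re.S)
PHONE_AVOIDANCE = re.compile(
    r"\b(can'?t|cannot|unable to) (take|answer|return|be reached by) (calls?|phone|the phone)\b", re.I)


def levenshtein(a, b):
    """Edit distance; catches swapped or dropped letters in look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    if not msg.is_multipart():
        return msg.get_payload()
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def screen(raw_message):
    """Return a sorted list of red-flag descriptions for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    text = (msg.get("Subject", "") or "") + "\n" + body_text(msg)
    flags = []
    if reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    for dom in (from_dom, reply_dom):
        if dom in FREEMAIL:
            flags.append(f"address uses free-mail domain {dom}")
        for known in KNOWN_VENDOR_DOMAINS:
            if dom != known and levenshtein(dom, known) <= LOOKALIKE_MAX_DISTANCE:
                flags.append(f"{dom} looks like known vendor domain {known}")
    if URGENCY.search(text):
        flags.append("urgency wording")
    if ACCOUNT_CHANGE.search(text):
        flags.append("request to change payment/account details")
    if PHONE_AVOIDANCE.search(text):
        flags.append("sender avoids phone contact")
    return sorted(set(flags))


# Constructed sample: transposed letters in the domain, free-mail Reply-To.
SAMPLE_SUSPICIOUS = """\
From: "Dana Lee" <accounts@northwindfrieght.com>
Reply-To: northwind.accounts@gmail.com
To: ap@example-business.ca
Subject: Urgent: updated banking details for invoice NF-79

Hi,
Please note our new bank account details for all wire payments effective today.
I can't take calls this week, so please confirm by email only.
Thanks,
Dana
"""

# Constructed sample from the real vendor domain with ordinary invoice wording.
SAMPLE_CLEAN = """\
From: "Dana Lee" <accounts@northwindfreight.com>
To: ap@example-business.ca
Subject: Invoice NF-80

Hi,
Please find attached invoice NF-80 for March freight; payment terms are net 30 from the invoice date.
Thanks,
Dana
"""

if __name__ == "__main__":
    for flag in screen(SAMPLE_SUSPICIOUS):
        print("FLAG:", flag)
    print("clean message flags:", screen(SAMPLE_CLEAN))
```

The edit-distance check is what catches "frieght" for "freight"; a plain string comparison would not. Wire it into whatever mailbox or ticketing system receives vendor requests, and route anything flagged to the call-back procedure described under CAFT below (confirm by phone using the number on file, never the number in the email).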
Educate employees on the dangers associated with opening attachments or clicking on links in unsolicited emails; delete sensitive information.
Use strong passwords and keep anti-virus and anti-malware software up-to-date.
Avoid sending sensitive emails over public Wi-Fi hotspots.
Do not allow employees to access:
- Personal email on work computers
- The internet freely on the same computer used to initiate payments
CAFT (Customer Automated Funds Transfer)
Customer Automated Funds Transfer (CAFT) is a web-based solution that allows a business to manage payments. CAFT is compatible with most accounting software and provides the option to enter data manually online. With CAFT, businesses can initiate: Direct deposits like payroll and accounts payable, collect payments like loans, accounts receivables, strata/or condo fees, donations and club fees/dues.
CAFT is a web-based application, therefore Originator accounts could be exposed to cyber fraud if the business or employee's computer system becomes compromised.
If you notice unusual activity:
- Check the CAFT Activity Log and History File.
- Contact your financial institution.
- Change your CAFT password.
- If you have been compromised, follow the security procedures of your company.
- Protect passwords and User IDs.
- Manage CAFT transactions.
- Verify file totals prior to file processing.
- Release files in a timely manner.
- Review CAFT email notifications upon receipt
- Review the Activity Log.
- Review the History File.
- Verify all CAFT reports
- Verify account settlement to the settlement register (AFTR0010).
- Contact your financial institution about any changes to Originator information.
- Immediately notify your financial institution of any unusual activity.
Users can prevent transaction processing due to key error, theft or fraud by:
- Learning about cyber threats and current fraud schemes.
- Implementing internal controls (segregation of duties, dual authorization, setting CAFT limits).
- Creating a policy/control that mandates all requests to change payee/payor account information received via email MUST be confirmed by phone using the contact number on file (not the number included in the email request).
- Reviewing transaction files for accuracy.
- Reviewing CAFT email notifications.
- Reconciling banking transactions daily.
- Talking to your insurance provider about social engineering coverage.
Increasing cyber security practices and building fraud awareness are vital in protecting yourself.
- Create strong passwords and never share your User ID or password.
- Lock or log out of your computer when unattended.
- Never access bank, brokerage or financial services information using open/free Wi-Fi (e.g. coffee shops, public libraries, hotels, etc.)
- Never click on links or attachments from an unexpected email, even if it looks like it is from a person or organization you know.
- Always use the login page on your browser to login to an account or online service (e.g. CAFT) – never use links in an
- Limit administrative rights on users' workstations to help prevent the inadvertent downloading of malware or other viruses.
- Ensure virus protection and security software, and the operating systems and applications on your computer, are updated regularly. Familiarize yourself with your institution's account agreement and your business's liability coverage for fraud.
Find more information at:
- Your financial institution
- Get Cyber Safe: getcybersafe.gc.ca
- Canadian Anti-Fraud Centre: antifraudcentre.ca.
- Onboarding new CAFT originators.
- Completing the profile form and required CAFT agreements with appropriate user permission levels.
- Understanding and applying the CAFT risk management features, originator training and support.
- Monitoring CAFT Activity Log and History File information to ensure compliance and mitigate risk.
- Confirming the file value with the Originator when authorizing late files using the "Hold Late" feature.
- Resetting employee and Originator passwords, if applicable. Note: credit unions/financial institutions are responsible for the authentication process.
- Reviewing Originators' profile information (at minimum annually) to ensure it is current, and notifying CUPS of changes.
- Ensuring CAFT Signature Card(s) are current and forwarded to CUPS.
Originator:
- Read Only: has view only access.
- Data Entry: this ID gives the user administrative access without being part of the authorization process.
- Upload Only: this ID gives the user the ability to upload a file to CAFT without being part of the authorization process.
- Authorize Only: this ID allows the user to authorize files for processing without being part of the administrative process.
- Super User: can release all files and upload or administer transactions on database.
Credit Union/Financial Institution:
- Authorize Late: allows credit unions/financial institutions to authorize or reject files which have been marked late.
- Security: all credit unions/financial institutions are required to have this level to assign or reset passwords for Originators and lock or unlock User IDs.
If your Originator notices unusual activity, you must notify CUPS immediately with the following information:
- Originator name and number
- User ID(s) and name(s)
- Transaction date(s) and value(s)
- Mitigates risk by stopping file from processing if transaction limit is exceeded.
- Mitigates risk by stopping the file from processing if limit is exceeded.
- Mitigates risk by stopping file from processing if credit limit is exceeded.
- Mitigates risk by stopping file from processing if debit limit is exceeded.
- Mitigates risk by sending credit union/financial institution a warning email (note: files will not be stopped if the monthly limit is exceeded).
- Mitigates risk by ensuring a second user is reviewing a file prior to releasing.
- Mitigates risk by aggregating all file totals to a maximum daily combined limit. If the daily limit is exceeded, the file will reject.
- Mitigates risk by warning email recipients of Originator activity.
- Mitigates risk by securing funds at the credit union/financial institution prior to settlement (works best with pre-hold option).
- Mitigates risk by stopping files from processing without the credit union/financial institutions authorization by following their internal authorization procedures.
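To show how the limit-based controls above interact (a single item over the transaction limit, the file total, the credit total, the debit total and the daily combined total each reject the file; the monthly limit only warns; dual authorization holds the file until a second, different user approves), here is an added Python model written for this page. It is not CAFT code and does not reproduce CUPS's actual rule order; the field names, limits and payment files are constructed assumptions based only on the descriptions above.

```python
"""Model of file-release controls for a payments originator: per-item, file,
credit, debit and daily limits reject; the monthly limit warns; dual
authorization holds. Added example; names and limits are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    transaction_limit: float   # any single item above this rejects the file
    file_limit: float          # total value of one file
    credit_limit: float        # total credits (payments out, e.g. payroll) per file
    debit_limit: float         # total debits (collections) per file
    daily_limit: float         # combined value of all files released in one day
    monthly_limit: float       # exceeding this warns but does not stop the file
    dual_authorization: bool   # a second, different user must approve before release


@dataclass
class PaymentFile:
    uploader: str
    items: list                                  # (kind, amount); kind is "credit" or "debit"
    authorized_by: list = field(default_factory=list)


def evaluate(pf, policy, released_today, month_to_date):
    """Return (decision, messages); decision is 'reject', 'hold' or 'release'."""
    credits = sum(a for k, a in pf.items if k == "credit")
    debits = sum(a for k, a in pf.items if k == "debit")
    total = credits + debits
    reasons = []
    if any(a > policy.transaction_limit for _, a in pf.items):
        reasons.append("an item exceeds the transaction limit")
    if total > policy.file_limit:
        reasons.append("file total exceeds the file limit")
    if credits > policy.credit_limit:
        reasons.append("credit total exceeds the credit limit")
    if debits > policy.debit_limit:
        reasons.append("debit total exceeds the debit limit")
    if released_today + total > policy.daily_limit:
        reasons.append("daily combined limit exceeded")
    if reasons:
        return "reject", reasons
    messages = []
    if month_to_date + total > policy.monthly_limit:
        messages.append("monthly limit exceeded: warning email sent, file not stopped")
    if policy.dual_authorization and not any(u != pf.uploader for u in pf.authorized_by):
        return "hold", messages + ["awaiting authorization by a user other than the uploader"]
    return "release", messages


# Constructed policy and files.
POLICY = Policy(transaction_limit=10_000, file_limit=50_000, credit_limit=50_000,
                debit_limit=20_000, daily_limit=80_000, monthly_limit=150_000,
                dual_authorization=True)
PAYROLL = PaymentFile("alice", [("credit", 4200.0)] * 5, authorized_by=["bob"])
SELF_APPROVED = PaymentFile("alice", [("credit", 4200.0)] * 5, authorized_by=["alice"])
ONE_BIG_ITEM = PaymentFile("alice", [("credit", 12_000.0)], authorized_by=["bob"])
COLLECTIONS = PaymentFile("alice", [("debit", 9000.0)] * 3, authorized_by=["bob"])

if __name__ == "__main__":
    print(evaluate(PAYROLL, POLICY, released_today=0, month_to_date=140_000))
    print(evaluate(SELF_APPROVED, POLICY, released_today=0, month_to_date=0))
    print(evaluate(ONE_BIG_ITEM, POLICY, released_today=0, month_to_date=0))
    print(evaluate(COLLECTIONS, POLICY, released_today=60_000, month_to_date=0))
```

The point to take from the model is that the daily limit is cumulative across files, so a fraudster who splits a large payment into several "small" files still trips it, while the monthly limit only generates a warning that someone must actually read.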