Last week, I looked at the resurgence of digital frauds which is emanating from the increased use of digital banking by customers. It is always a fact that not every customer can take advantage of this opportunity of contactless banking.
This is mostly due to high illiteracy levels, accompanied by techno-phobia. That is why we still find queues in banking results, necessitating the importance of adhering to the protocols directed by the government to fight COVID-19.
In many cases, frauds are not detected in real times. While the IT professionals work hard to put in controls to detect these frauds in real-time and minimize losses, my concentration is on how ordinary customers and banks as well can prevent these from happening.
Here are a few tips:
Tips to Customers to Overcome Digital Banking Fraud
In this pandemic era, I urge customers to familiarise themselves with basic tips on how they can protect themselves against digital banking fraud.
*Don’t type passwords while others are watching.
*Don’t email passwords.
*Always keep your PIN and password secure. If you think your PIN or password has been compromised, change it immediately, online or at your nearest ATM or branch.
*Remember to change your passwords and PIN’s regularly.
*Never save usernames, passwords or PINs on your cellphone or computer as it may allow others to access your banking without your permission.
*Always do internet banking on a secure computer that you regularly use at home or work. Ensure you have a password or biometric identification to assess your cellphone.
*Never do online banking in public areas such as internet cafes or shared computers, as you can never know what software is loaded that may compromise your transactions.
*Log on to your bank’s website by typing in the web address yourself instead of accessing it via Google search as this may lead you to a spoofed site.
*Never open suspicious or unfamiliar e-mails or attachments, and never click on links in emails or SMS.
*There are numerous and enticing emails and SMS messages sent by criminals which look legitimate and often bait you with scare tactics to confirm your account details or to login to prevent your account from being closed. They even entice you to win something or get something for free in order to get access to your account.
*Only make online purchases with your card on reputable websites that are verified as secure sites. Please do this by looking out for the lock icon in your browser and ensure that the address starts with https:/.
*Never use the same username and password for banking as you use on other apps and websites like social media and email.
*Download your bank’s app to keep track of your accounts and transactions and monitor it daily.
*You can stop fraudulent online banking transactions, report fraud for any suspicious transactions, and temporarily block or cancel your cards. Quickly call your bank when you sight a suspicious transaction.
*Download free antivirus software for your computer and/or smartphone.
*Update your smartphone and computer with the latest software and app updates.
Monitor your cellphone reception. If you have lost signal for an unusually long time, you may be a victim of sim swap fraud. Contact your bank immediately.
A bank’s customer noticed that his telephone was unusually silent for about four hours. Unfortunately, this was when a cloned cheque of his account which was being confirmed by his bank’s relationship manager on telephone, got diverted to another phone.
This fraudster mimicked the voice of the customer and got the account debited with GH¢78,000! These cheque fraud syndicates are very notorious.
Criminals may sometimes call you and pretend to be from your bank, service provider or a reputable retailer. During this conversation they may ask you to verify personal and banking information or download software for them to “assist” you. It will be safer for you to hang up and call the company directly to verify if the call is legitimate.
When you receive the bank e- statements directly, review and follow up on unusual items. Meanwhile check the statements online before you receive the bank’s e-statements. Regular reconciliation is key.
Internal Controls in Banks
Internal controls are important in banking. Managers are obliged to protect the assets, reputation and the people in the business. This is very important to employees who are likely to feel protected from false accusations.
A bank with sound internal controls promotes trust among employees. Excuses like, “we are too small” we are too busy” or “ we trust our staff” or “ we are one big family” or “we take good care of our staff” should never be entertained.
Internal control in banking can be found in two forms, prevention and detection. In preventive, it stops something bad from happening, while the detective controls concentrates on identifying an occurrence. Both of them work together for maximum effect. These controls can be summarized into three significant actions:
Dual Control: this happens when two or more staff are involved in the process.
Segregation of duties. In this case, one person cannot initiate and complete a transaction. One person cannot be responsible for an asset in custody and still be responsible for the basic accounting and responsible for reporting on it.
There should be appropriate oversight, and monitoring.
Finally, there should be regular independent reviews, reconciliations, statements, reports, etc.
Scenarios for Review
Remote deposit capture: the ability to deposit your cheque into your bank account from a remote location without having to deliver it physically to the bank. There is a risk of scanning the item twice.
Receiver must immediately stamp and process the cheques. There may be security concerns between the time of receipt and processing so data security measures should be in place. Customers must comply with the terms of agreement.
Skimming and stealing: Ensure adequate dual control in the retrieval, removal of cheques in a place requiring dual control, and during scanning process.
ACH: These are payments received and processed by the Automated Clearing House for electronic financial transactions both credit and debits.
The concerns are the possible diversion of funds to other unauthorized accounts, and fictitious credits to merchant accounts.
One person should never set up accounts, download or initiate transactions and reconcile those accounts. This can lead to diverting funds into personal accounts. Separate the duty of initiating transactions from the accounting side.
No one person should authorize to fully execute wire transfers to similar electronic disbursements alone.
Have a knowledgeable person not directly involved in the disbursements process to review the beneficiary lists looking for multiple accounts with the same names, multiple payments to same accounts, multiple payments to accounts with similar names, or amounts just below a certain threshold (to avoid alerts and triggers), significant payments to staff other than the normal.
Electronic payroll processing: one person should not be responsible for all phases of payroll processing, including maintaining, personnel records, payroll details, transmitting direct deposit. This is a big NO. No. this can lead to possible schemes, insertion of ghost names and manipulation of pay amounts.
A separate person should prepare the payroll while another reviews the payroll details before submitting the file for the direct deposit. An independent reviewer should download, review and monitor reports.
Controlled access to systems: This is another thorny issue which should be regularly reviewed. Just check your systems and you may be surprised to see the names of staff who have left the institution, those on leave, still have access to the bank system!
Banks should be on top of controlling access to their systems. Staff with accounting or custody responsibilities should never add system administrator roles to that. Make sure the assigned rights are consistent to the roles.
The list is endless but let me leave you with a real story: A branch had an acute staff shortage so the customer service lady was given the rights of the branch manager to perform a temporary function in the system.
This privilege was never reversed. She had to rush home one day and left her password with another “trusted friend” to complete transactions to enable the branch to execute a seamless end-of-day.
Six months down the line, it was detected from the audit trail of transactions that this lady’s name was exhibited authorizing overdraft facility functions which could only be performed by the manager.
Huge amounts had been wrongly credited as overdrafts and the beneficiary account holders not available or could not be traced. I will leave you to judge or imagine the result!
The list of digital fraud prevention in the bank goes on, but I will leave the rest to the Technology offiicals to continue.