Is Now the Time to “Think Like a Crook”?

Wes Wilhelm, Lead Fraud Subject Matter Expert, Risk & Fraud Management

​Now that NACHA members have approved the plans to extend ACH processing​ to include same day processing and same day funds availability, what steps should fraud managers at financial institutions be taking to be sure that they are not overlooking issues or gaps that could lead to fraudsters taking advantage of the speed and special characteristics of this new environment.    

As a first step, with respect to Same Day ACH (SDACH), fraud managers might gather together a small group of individuals (4 to 7 usually works best) with extensive ACH (system) and Fraud (management) experience to learn how to think like a crook.  While that may seem counter-intuitive, perhaps it is the “method acting” of the financial crime world. To use Professor Paul Ekblom’s phrase now is the time to “design against crime”. 

With their knowledge and experience in the ACH payment system and fraud management, the working group should focus its discussions from the point of view of a fraudster. They should ask each other questions like, “How can I use SDACH to help further fraud schemes?”  “How can I use SDACH to steal money?”  “How would we use SDACH to move stolen money?” In short, in order to think like a fraudster, look for vulnerabilities that SDACH may create or expand.

Call the working group whatever suits your fancy: the Crook Committee, the Faster Fraudster Working Group or, my favorite, the Fraud Red Team​ — with a nod to Greenway Solutions.  No matter what you call your assembled group of subject matter experts, here is some food for thought to prime their discussions.  On the NACHA website the value and benefits of SDACH are quite accurately listed.  Some of these include: same day processing with faster funds availability; intra-day posting with funds availability of credits to DDA accounts; funds from ACH credits available by 5:00 p.m. local time; and the all-encompassing new innovation opportunity to independently offer and price new products and services to be delivered via the new, optional same day ACH capability. 

While the last benefit needs to wait for a future discussion, because it currently is one of those challenging “unknown unknowns,” the other benefits are fair game for your hypothetical SDACH fraud working group.  So think about how Same Day ACH could potentially benefit fraudsters.

Here is a list of topic ideas designed to kick-start and seed the conversations to get the process of vulnerability assessment initiated: 
  • Payroll Fraud with SDACH: Stealing “Same Day Delivery” payroll deposits by altering the RDFI account number and circumventing the Batch Control Record hashing process.
  • Bill Pay Fraud using SDACH: Setting up a new fraudulent bill pay entry or fraudulently altering an existing bill pay entry to create a “Same Day Delivery” payment.
  • Account to Account Transfer Fraud using SDACH: Setting up fraudulent account to account transfers with “Same Day Delivery.”
  • Person-to-Person Transfer Fraud using SDACH: Setting up new (one time or recurring) P2P entry or alter an existing recurring P2P entry to create a “Same Day Delivery” transfer.

So let’s close with this thought. It is the Halloween season and everyone likes disguises.  So we hope that you and your team enjoys putting on the masks of fraudsters for a good cause —  and, in the course of this exercise that it leads to some good insights as to where speed might be opening up the door to fraud. The more you and your team of fraud managers start to think like crooks, the more you can identify potential vulnerabilities to remediate.  We hope this season that you are able to find your way around the tricks – and that your Working Group enjoys the treats of your journey. 

Starter’s Guide to Mitigate Fraud Using Policy Manager

September 13th, 2023
Rob Wilson, Senior Business Analyst, NICE Actimize

Thwarting Money Mules in an Instant Payments Environment

September 1st, 2023
Rob Rendell, Global Head of Fraud Market Strategy & Fraud Prevention - Subject Matter Expert

PSR’s New Rules for Reimbursement will impact more PSPs

August 22nd, 2023
Ian Church, Principal Business Consultant, Enterprise Consultancy and Advisory Practice

Fraud Prevention Blog Series with Expert Sean O’Malley, IDC

August 21st, 2023
Sean O’Malley, Research Director, Compliance, Fraud and Risk Management, IDC
Speak to an Expert