The best defense is looking at check fraud and other fraud types holistically within your bank by creating a fusion strategy between fraud, cyber and AML/BSA groups.
By Jim HitchcockThe oldest fraud in America is no longer new to banks. Check fraud has proven to be an unwavering, multifaceted threat that banks of all sizes are still struggling to mitigate. The volume at which checks are being stolen from the U.S. mail system, the organization of criminal groups and the convergence of street-level tactics with open access to social media have flooded the multiple check deposit points (remote deposit capture, ATM and branch) at banks with bad checks.
Types of fraudulent checks
- Counterfeit checks require an increased level of skill. The availability of check stock and online services, easily downloadable computer programs, and account information on the dark market add to the prevalence of this type.
- Altered or ”washed” checks are currently the most commonly reported fraudulent checks and involve altering the payee name or amount or both. The attributing factor is the increased focus by organized criminal groups stealing U.S. mail and monetizing through a well-orchestrated attack.
- Forged endorsements normally involve stolen checks by less sophisticated criminal(s) looking for quick money to steal and perhaps feed a habit or addiction.
Even with consumers writing fewer checks today, the American fraudsters see opportunity in their homeland, as demonstrated by the increased percentage of fraudulent checks among all checks. Fraudsters are creative creatures who adapt to societal behaviors. Now, using street level “mules” or “walkers” along with the latest social media applications, like Telegram, they are attacking at scale with high rewards with little risk of being caught and prosecuted. The Financial Crimes Enforcement Network disclosed that check fraud reporting doubled in 2022 from the previous year, reaching 680,000 cases reported by financial institutions. It’s probably safe to assume that 680,000 check fraudsters were not arrested and put in jail last year in hopes of calming this wave of fraud.
Unraveling the blame game
“So, why not?” is the simple question some ask. And the other loaded question is, “Who’s to blame?” The U.S. Postal Service for not protecting the mailed checks that get stolen and then “washed” or altered? Law enforcement for not arresting the “walkers,” “washers,” robbers, and counterfeiters and putting them in jail? Or the banks? Indeed, Congress asked the American Bankers Association earlier in the year why customers are not being protected better from “washed” and other fraudulent checks. There’s no agreed upon answer. However, each party plays a role in slowing this fraud down.
What’s going on at the USPS? While trying to deliver nearly 130 million pieces of mail a year, its blue mailboxes, mail carriers and even facilities are being targeted for theft by individual criminals and organized criminal groups. In fact, the U.S. Postal Inspection Service, the primary investigative arm for the USPS, received 299,020 mail theft complaints during March 2020 and February 2021, up a dramatic 161 percent from the prior year.
The thieves look for personal checks, business checks, tax refund checks and even Social Security and unemployment checks. The opportunity to steal a check and convert it to cash through a network of organized players is huge given the probability of finding a check in a stack of mail. Thieves can and do fish mail from blue boxes, steal it from carriers or steal the universal blue box keys from carriers and help themselves to the mail.
Chances are, given the role checks play in personal and business payments, thieves will find checks. So, before the retiree, anticipating a Social Security payment, becomes aware of the missing check, the thief has already chemically washed the check to remove the payee and dollar amount. The thief then inserts the name of a “walker” on the payee line with a dollar amount that may not trigger a specific bank’s attention.
The walker is a person who agrees to cash checks in branches and is trained by the fraudster to exert pressure on branch tellers. These walkers sometimes use fake identities provided by the organized fraud group, or alternatively, they may deposit the check into an established mule account to mask the fraud.
The mule, a person (unwitting or witting) who moves illicit funds in the direction of another, then rapidly withdraws the funds or moves them to another established account. The fraudsters take advantage of a federal law that requires funds from check deposits to be available before the bank can learn the check is unpayable.
Mail theft and check fraud: the domino effect and proactive measures
So, a piece of stolen mail puts an organized flow of events in motion quickly. Premeditated acts like this are difficult to defend. The USPS is trying to harden up on its end by installing tamper proof blue boxes and installing electronic key locks on mail receptacles. It is also trying to deter online change of addresses by implementing dual identity authentication as a speed bump to slow criminals working remotely from their computers. The best proactive step the USPS has taken is working with FinCEN to issue an alert to the financial services industry on Feb. 27, 2023, pertaining to the surge in check fraud schemes related to mail thefts. This alert provides clarity on what check fraud activity financial institutions should be looking for and reporting.
This alert includes “red flags” that banks should include in their fraud defense strategies to help detect mule activity or a walker, for example, depositing or cashing a bad check at a branch location. Banks should also consider deviations from the account’s historical activity as a potential red flag during the transaction. Certain conspicuous activities to watch out for include:
- Check deposits into accounts that are devoid of any prior deposit history, with the intention of subsequently withdrawing or transferring the funds.
- Abnormal deposits of checks followed by rapid withdrawals or transfers, often via electronic means.
Large withdrawals by check to a new payee.
- Checks cleared out of sequence with past checks.
- Check stock that is different than the stock used by the issuing bank or its customer.
- An account opened with a large check or multiple checks.
This activity above may indicate check fraud and should put an investigative process in motion to mitigate loss. Of course, as noted, fraudsters exploit the consumer protections of Regulation CC, which limits how long banks may hold funds from deposits. However, banks can balance the requirements to meet the hold limitations with proper due diligence on the account holder or individual depositing the check.
Reporting, sharing, and strengthening the fight
In this electronic age, even with this old-style paper fraud, reporting and sharing the activity is most critical to stopping this fraud today and deterring it tomorrow. With bank records being a very close second, activity is the strongest clue banks can share with each other and law enforcement.
While Check 21 helped speed the return of unpayable checks, it also diminished the forensic value of the paper check, by shifting to electronic check clearing partly in response to the terrorist attacks on 9/11. The unintended consequence is that proving alterations and forgeries has become more difficult. Alterations are less apparent and many of the traditional security features evident on paper checks are lost when the originals are scanned for processing and then destroyed. With no cancelled paper checks to examine, evidence of counterfeiting, forgery and alterations, such as fingerprints and ink samples, are not available for law enforcement use and bank processing examination to determine liability.
Connecting the dots and identifying “ring activity”— which refers to organized attacks targeting your bank and neighboring banks — enhances the effectiveness of reporting to law enforcement and alerting other banks to this suspicious activity. This collaborative approach leads to a stronger case against fraudsters.
Law enforcement can further connect the dots to identify the facilitators of the “ring,” and other banks can work this insight into their defense strategies to flag this behavior or the fraudsters. The dark market and social media have made historically local fraud into a global problem. However, organized criminal groups still target regional areas one at a time. This tactic aims to maximize their return on investment by exploiting checks that local banks may be familiar with or that are frequently processed at banks in that region. Thus, sharing information about local fraud within the community makes sense and will help to detect and prevent fraud.
The USA Patriot Act, Section 314b, provides a safe harbor for banks to share this information among each other, in part to identify and stop financial crimes. Not only will this help neighboring banks stop the organized criminal effort in your community, but it will also enable banks to report the fraud in aggregate to law enforcement, and the bigger the case, the more likely law enforcement will get the prosecutors involved. The aggregated data also provide law enforcement with street-level evidence critical to identifying known criminals and getting over other obstacles like seeking court orders to breach protective barriers and access encrypted data, which certain social media forums use to shield themselves from legal scrutiny.
Of course, certain dark market forums and social media outlets will be untouchable in countries with no legal agreements with the U.S., but this information may lead to surreptitious access to the dark market and other forums.
An integrated anti-fraud approach inside banks is also critical and should be the goal. The banks’ different deposit points tend to feed into different processes within the bank. This allows banks to have a more complete picture of check fraud and also to identify and share information about the newest check fraud strategies and practices. According to a discussion during an ABA sponsored monthly information sharing forum, it has become common for fraudsters to use a synthetic identity consumer account or to create a synthetic LLC (fully registered in state incorporation databases) to pass the check through.
A unified approach to combating check fraud
The best defense is looking at check fraud and other fraud types holistically within your bank by creating a fusion strategy between fraud, cyber and AML/BSA groups — a physical fusion center is ideal for larger banks. FinCEN encourages a coordinated approach and has advised this in past advisories, such as FIN-2016-A005.
So, this modernized approach could bring goodwill from regulatory examiners visiting your bank while slowing down this high-speed fraud. And, more importantly, breaking down silos within the bank will foster increased information sharing across business lines, which will serve as the first step toward delivering more actionable data in reports of suspicious activity to FinCEN, law enforcement, and other stakeholders.
Securing against the entral role of fraudulent checks in scams
How does a bank defend against the instrument (fraudulent check) that has become central to all these other frauds in motion?
Software. Modern check review and check clearing software provide integrated services that detect when the same check is deposited into an ATM or Remote Deposit Capture and then walked into a branch to “double tap” that check’s monetary value. Companies also offer integrated cyber-intelligence solutions that identify a specified bank’s routing number on checks for sale on the dark market or on social media, like Telegram.
Positive pay services. For banks with large business account portfolios, maybe consider requiring the businesses to use “positive pay” services. With positive pay services, the business preauthorizes checks tied to the check number for a certain amount with the check number reducing the risk of a bad check deposited or cashed for an amount not preauthorized. Many positive pay services now also provide a way to match the payee name in order to detect altered payees. But be aware: Well-trained walkers have been known to beat this defense at the teller’s window. Defenses need to be layered, and banks should follow the trail of the fraudsters and adapt to their tactics by exploring a host of dynamic services.
Education. Another important component for use to defend against check fraud is education. This applies to employees and both consumer and commercial customers. All should be educated on the fraud trends and tactics. If there is a high rate of check theft from the USPS in your region, employees should be updated on the characteristics of washed checks. Tellers should be trained to slow the moment down when a walker enters the branch and carefully examine checks, looking for faded handwriting under darker handwriting, a common clue that the original handwriting has been overwritten. Like the impersonation fraudsters, check fraudsters like to introduce a sense of urgency for the need to negotiate the check in hopes of speeding up the teller’s decision.
On this same topic, customers should be informed about the risk of check theft and encouraged to notify the bank immediately if a check goes missing, or if they come across any unusual checking transactions while reviewing their accounts.
Also banks should take the opportunity to highlight with customers the account service terms indicating their agreement to report any check-related fraud within a set period. Under UCC 4-406, the paying banks’ customers must exercise “reasonable promptness” in examining statements to determine whether a check was not authorized because of an alternation or a forged or unauthorized signature.
State laws vary, but customers typically have between six months to a year to make a claim that a check was not properly payable. However, this period may be (and often is) reduced in the account agreement so long as it is reasonable. Education should capture the audience in a creative, timely fashion.
Training. The exact training points are broad ranging, so focus on the activities most impacting your bank by engaging local law enforcement liaison meetings and monitoring reporting, both internal and external. All employees in the deposit pipeline should know the red flags of check fraud, and customers should understand their responsibilities in reviewing their accounts and reporting fraudulent activity.
ABA Resources: strengthening check fraud defense through education and collaboration
Check out aba.com for information sharing opportunities, the ABA Check Fraud Directory and educational materials including a Staff Analysis titled Laws Regarding Returned Checks.
During information-sharing meetings, ABA staff recognized that the impact of the surge in check fraud is not confined to the banks’ deposit points; it was inundating the back-office operations groups responsible for check processing.
This created warranty breach claim backlogs at banks, resulting in reputational risk as customers’ claims were slowed. Banks reported they could not easily communicate with each other. In response, ABA developed a point of contact directory, available for subscription by both ABA member and non-member banks at no cost. For more details visit aba.com/banking-topics/risk-management/fraud/check-fraud.
The directory provides contact information for banks needing to file a check warranty breach claim with another bank. The directory is searchable by bank name, city, state or FDIC number so banks can easily find a person or email address at the bank to help resolve a warranty breach claim.
A PDF with detailed information is available for banks that provided documentation requirements for filing a claim. To access the directory, a bank must participate by providing its fraud contacts for listing in the directory — a “give to get” approach. The more banks that participate in the directory, the more powerful the directory becomes as a risk mitigation tool.
In addition, an easy way to share information and keep up with trends is to join the ABA National Best Practices Fraud Information Sharing Forum. This group meets on a monthly cadence to openly discuss fraud topics, like check fraud mitigation. Just email [email protected] to join.
Check fraud has become a 21st century fraud like P2P and impersonation frauds. No industry can be
solely responsible for mitigating this outbreak of fraud. It will take cross-bank and cross-industry collaboration by educating, sharing information, and reporting to slow down the chain of events that the fraudsters put in motion. The fraudsters are well established and have proven their business model works. Now, front line employees, senior leadership and external stakeholders must work together to disrupt this crooked business model.
Jim Hitchcock is the vice president for fraud mitigation at ABA. In this role, he identifies and tracks key fraud topics and trends, runs banker committees focused on fraud, identifies potential commercial and government partners to help develop fraud mitigation capabilities, develops fraud prevention strategies and finds opportunities to develop capabilities and partnerships that provide products and services to banks. Reach him at [email protected].