Defending Your Finances
Company bank accounts are under siege these days from a whole new class of thieves. Computer hackers from places as distant as Russia and Romania work tirelessly to penetrate firewalls and siphon corporate deposits.
So-called “phishing” scams use telephones or the Internet to trick employees into revealing account numbers and passwords. Bogus creditors attack accounts with phony automated clearing house (ACH) debits or false wire-transfer orders.
Every year at the annual conference of the Minnesota Association for Financial Professionals, it seems that “a good third of the classes have to do with preventing fraud,” says Steve Holupchinski, chief financial officer of Impressions, Inc., a printing and packaging company in St. Paul.
But while Twin Cities bankers agree that attempts at all kinds of electronic thievery are on the rise, they say that the most common type of fraud is still the old-fashioned paper variety: check fraud.
Any company check that falls into the wrong hands becomes a potential threat, says Stephanie Ihbe, senior vice president and manager of treasury management and payments for Heartland Financial USA in Edina, which owns Minnesota Bank & Trust. “There’s a lot of valuable information on a check: the corporate logo, the check number, the signature, the [bank] account and routing numbers. Bad people can use all of that to duplicate and forge your checks,” she says.
Crooks have been known to park in vans outside storefront check-cashing operations to await people—temporary workers, often—who want to cash corporate paychecks. “They’ll say, ‘I’ll give you some cash just to let me take a picture of your check,’” Ihbe says.
It isn’t as if the bad guy has to be a skilled forger. Software programs that let businesses and consumers create their own bank checks are readily available for less than $100 at stores such as Best Buy.
In a more old-style scam, a crook might sit in a bar and offer to pay $275 for a fellow drinker’s $250 paycheck. “Then he scrubs the amount and writes in $6,000,” says Steve Dale, spokesperson for U.S. Bank in Minneapolis.
Chuck Mueller, president and CEO of Fidelity Bank of Edina, recalls a recent case in which a corporate customer sent a check for about $15,000 to a supplier in another state. The check was intercepted by a thief who “washed” out the name of the payee, changed the name, and cashed the check at a branch of a major bank. The check cleared, and the customer became aware of the problem a few days later. Fidelity went to bat for its client, arguing that the out-of-state bank should have spotted the alteration in the check. The other bank “finally made good, but it took us a month,” Mueller says.
At least with paper checks, experienced bankers and tellers can often detect an alteration or forgery, Mueller says: The paper stock is peculiar, or you know your customer’s checks are yellow but this one is blue, or the chemical agent used to wash ink from part of the check leaves the paper feeling rough.
Things have gotten trickier since the advent of remote deposit capture, in which checks can be scanned and deposited electronically. But even if they can’t examine physical checks, bank employees who know a business client well can at least spot activity that is outside the norm. This is one reason why “it’s a good idea to get to know your banker” and as many bank employees as possible, Mueller says.
Walls of Defense
The tides of fraud may be rising, but so are the defensive dikes. The two most common services that banks offer business clients to protect against check fraud and electronic pilfering are called positive pay and ACH filtering.
Positive pay is a system whereby a business client provides the bank each day with a list showing the amounts and check numbers of each legitimate check written. When checks later come in to be cashed, the bank reports any discrepancies to the client. With a refinement called “payee positive pay,” the payee of each check also is recorded, along with the amount and the check number.
Mary Burchette, senior vice president for U.S. Bank, says that rather than instructing the bank to deny payment in case of any discrepancy, most positive-pay clients choose to be notified so that they can make individual decisions about whether to okay the payment. This guards against simple recording errors.
The notification-and-decision process takes place online, and keeps getting simpler, Burchette says. By the third quarter of this year, she says, U.S. Bank clients will be able to manage the process via mobile devices such as smartphones.
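The matching that positive pay performs can be sketched in a few lines. This is an added example, not any bank's actual system: the `Check` record, the `positive_pay` function and the sample items are constructed for illustration, with amounts echoing the altered-check cases described earlier. It produces an exception list for the client to decide on rather than rejecting items outright.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    number: int
    amount: Decimal
    payee: str

def _norm(name):
    # Compare payees ignoring case, spacing and punctuation.
    return "".join(ch for ch in name.upper() if ch.isalnum())

def positive_pay(issued, presented, match_payee=True):
    """Return [(presented_check, [reasons])] for items needing a client decision."""
    register = {c.number: c for c in issued}   # the client's daily issue file
    paid, exceptions = set(), []
    for item in presented:
        reasons = []
        on_file = register.get(item.number)
        if on_file is None:
            reasons.append("check number not on issue file")
        else:
            if item.number in paid:
                reasons.append("duplicate presentment")
            if item.amount != on_file.amount:
                reasons.append(f"amount {item.amount} differs from issued {on_file.amount}")
            if match_payee and _norm(item.payee) != _norm(on_file.payee):
                reasons.append("payee differs from issue file")
        if reasons:
            exceptions.append((item, reasons))
        else:
            paid.add(item.number)
    return exceptions

# Constructed sample data: what the company issued vs. what arrived at the bank.
ISSUED = [Check(1001, Decimal("250.00"), "J. Smith"),
          Check(1002, Decimal("15000.00"), "Acme Supply Co."),
          Check(1003, Decimal("480.25"), "Northland Paper")]
PRESENTED = [Check(1001, Decimal("6000.00"), "J. Smith"),        # amount rewritten
             Check(1002, Decimal("15000.00"), "R. Jones"),       # payee washed
             Check(1003, Decimal("480.25"), "NORTHLAND PAPER"),  # legitimate
             Check(1003, Decimal("480.25"), "Northland Paper"),  # presented twice
             Check(2050, Decimal("900.00"), "Unknown LLC")]      # never issued

if __name__ == "__main__":
    for item, reasons in positive_pay(ISSUED, PRESENTED):
        print(item.number, "; ".join(reasons))
```

Running it with `match_payee=False` shows why the payee refinement matters: the washed-payee item on check 1002 passes when only number and amount are compared.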
ACH filters and blocks are services that protect against fraudulent ACH debits. A block placed on a bank account automatically rejects all electronic debits. Filters can be set up in a number of ways to regulate electronic debits—for instance, by limiting ACH amounts or by specifying only certain vendors or creditors who are allowed to debit the account. As with positive pay, many clients choose to make individual decisions about questionable ACH debits rather than having the bank reject them outright.
Holupchinski uses both positive pay and ACH filters for Impressions’ accounts with Bremer Bank. His online-services screen has a tab for “fraud services” that he checks daily. The folder contains any check discrepancies that positive pay has turned up. His ACH filter is set to flag all attempted debits because only a handful of vendors are authorized to make automatic withdrawals from his account, and it’s easy to check and approve those debits daily.
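The difference between a block, a filter and a flag-everything filter like the one described above comes down to a small decision rule. The sketch below is an added example, not a bank's product or API: `AchPolicy`, its field names, the originator IDs and the dollar limits are all hypothetical.

```python
from dataclasses import dataclass, field
from decimal import Decimal

PAY, REVIEW, REJECT = "pay", "review", "reject"

@dataclass(frozen=True)
class AchDebit:
    originator_id: str      # hypothetical identifier for the debiting company
    amount: Decimal

@dataclass
class AchPolicy:
    block_all: bool = False                      # ACH block: nothing gets through
    # originator_id -> per-debit ceiling (None means no ceiling)
    allowed: dict = field(default_factory=dict)
    on_exception: str = REVIEW                   # REVIEW = client decides, REJECT = auto-return
    review_all: bool = False                     # flag even authorized debits for approval

    def decide(self, debit):
        if self.block_all:
            return REJECT, "account blocks all ACH debits"
        if debit.originator_id not in self.allowed:
            return self.on_exception, "originator not on authorized list"
        ceiling = self.allowed[debit.originator_id]
        if ceiling is not None and debit.amount > ceiling:
            return self.on_exception, f"amount {debit.amount} exceeds limit {ceiling}"
        if self.review_all:
            return REVIEW, "authorized originator, awaiting daily approval"
        return PAY, "authorized originator within limit"

def triage(policy, debits):
    """Apply one policy to a batch of incoming debits."""
    return [(d, *policy.decide(d)) for d in debits]

# Constructed sample: two authorized vendors, one with a per-debit ceiling.
VENDORS = {"UTILITY-01": Decimal("2000.00"), "LEASECO-07": None}
DEBITS = [AchDebit("UTILITY-01", Decimal("1450.00")),   # normal bill
          AchDebit("UTILITY-01", Decimal("9800.00")),   # over the ceiling
          AchDebit("LEASECO-07", Decimal("12000.00")),  # no ceiling set
          AchDebit("UNKNOWN-99", Decimal("300.00"))]    # never authorized

if __name__ == "__main__":
    flag_everything = AchPolicy(allowed=VENDORS, review_all=True)
    for debit, action, reason in triage(flag_everything, DEBITS):
        print(debit.originator_id, debit.amount, action, "-", reason)
```

With `review_all=True` every debit lands in the daily review queue, which is workable only because the authorized list is short; with `on_exception=REJECT` the bank returns unauthorized debits without asking.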
Banks charge minimum maintenance fees plus individual transaction fees for the positive pay and ACH filter and blocking services. Monthly maintenance charges for each appear to range from about $10 to $60 or more per account. Holupchinski says he can’t recall what Bremer Bank charges him—and he doesn’t care, because those charges are only two ingredients in a stew of fees and credits that make up any bank’s total charge for cash management services.
If a bank’s fee for positive pay is higher than average, but the earnings credit it offers is also high, the costs may wash out. “So I just look at the total charge to see that it’s in line with industry averages,” he says.
The technological barriers to fraud that have been erected by banks and credit card companies are quite effective. Pointing to advances such as the “neural networks” that monitor unusual credit-card activity, Visa says that fraud within its system has fallen to a historically low level of just five cents per $100 transacted.
Bank services such as positive pay and ACH filters likewise prevent a lot of bad things from happening. But banks urge businesses to take some basic steps themselves to prevent fraud by employees and outsiders alike.
Industry wisdom maintains that most fraud against businesses is perpetrated internally, by employees, Ihbe says. “If you don’t have good controls, a bookkeeper with personal-life problems or one under financial pressure can dip into the till in a lot of ways,” she says. For instance, the bookkeeper can create phantom employees or phantom vendors and make payments to them.
The controls recommended to prevent such things boil down to a simple principle: “Don’t have the same person write and reconcile,” as Kate Kelly, president and CEO of Minnesota Bank & Trust, puts it. She means that literally, but also more broadly: If one person is authorized to pay out money—by writing checks, initiating wire transfers, or by any other means—then at least one other person should serve as a monitor.
Jeff Kubsch, director of finance and controller for Anchor Block Company of Minnetonka, which designs and manufactures retaining walls for landscaping, says he worries more about fraud attempts by outsiders than by employees. He has ACH blocks or filters on all of Anchor’s accounts at U.S. Bank.
But Kubsch also takes precautions to guard against internal fraud, and to protect himself and others from suspicion of wrongdoing. For instance, he says, “I review all the check registers . . . but somebody else reconciles our cash accounts; I don’t.”
As for wires, Kubsch must approve all wires up to a certain dollar amount; he and the company’s owner must approve wires above that amount. The bank won’t process wire requests until he or the owner gives that authorization, usually online via screens guarded with individual passwords and PINs.
The basic question shaping internal security is, “How can money leave the company?” Holupchinski says. “Well, you can write checks, you can have automatic debits, or you can send out money by wire.” He requires that two people sign all checks. A third person does reconciliation. And the person who does reconciliation does not make deposits. As for wires, one person must initiate the wire, then a second person must authorize it. Additional safeguards are built into the process so that the bank can ensure, before sending the wire, that the person doing the authorization is, in fact, who he or she claims to be.
Neither Holupchinski nor Kubsch has ever found a company insider trying to commit fraud. In the only cases of outsider fraud they have experienced, their banks absorbed the losses. Kubsch says that roughly 10 years ago, when he was with a different company, “somebody forged some payroll checks that cleared through our account. The bank reimbursed us because they should have caught it.”
Holupchinski says that several years ago, before the positive-pay service was available, somebody stole an Impressions check out of a vendor’s mail and forged three or four checks that cleared. The bank made good, he says. “But once positive pay came out, they said, ‘We won’t cover something like this anymore unless you buy positive pay.’”
He has no objection, he says. He is just happy for the peace of mind.