Fraud Defense 2025: The New Front Lines of Fraud Prevention
Brandon Nowac
Thank you, and welcome to KeyBank's eighth annual fraud webinar. With a few 1000 attendees with us today from across the country, it shows the reality and prevalence of fraud in our day to day lives. Proactive monitoring, employee training and layered controls are now table stakes, not just luxury add-ons for our businesses based upon feedback from last year's attendees, many of which are with us. Yet today, we've altered our conversation to bring more real-life examples to the table. Fraudulent activity is becoming an ever-present concern for businesses. Fraud attacks are increasing at an alarming rate. This is across businesses of all sizes and all industries, from check fraud and cell phone hijacking to criminals posing as business vendors, even times as the bank or financial institution. In our most recent Key Bank middle market sentiment survey, where, by the way, we had nearly 800 business executives and CEOs respond, seven out of 10 businesses experienced some form of fraud over the past 12 months. Today, we plan to focus the dialog around four main themes. First, the most prevalent fraud schemes we're seeing across the industry. Second, actionable strategies you can take to safeguard your business. Third, threats and schemes we're seeing within KeyBank for our own business customers. And then lastly, what to do if you suspect your business has become a victim of fraud. But before we jump in, let's get to know our panel of experts. First, I'm joined here today by my colleague Kolt Bell. Kolt's the senior vice president, head of enterprise fraud services for key he leads a team over 600 teammates focused on fraud client experience, managing risk effectively and enabling the businesses to perform and grow. He brings a unique end to end perspective to many of the challenges faced by financial institutions when it comes to fraud. Before joining key about two years ago, Kolt had over 20 years of experience working in other financial institutions. He's also a Six Sigma Green Belt and has a couple of patents. So Kolt, it's great to be with you today. Secondly, Welcome Frank McKenna. Frank is the author of Frank on fraud and the chief fraud strategist at point predictive. Point predictive is an AI and technology-based firm focused on helping businesses and financial institutions identify and prevent fraud. Frank brings over 30 years of experience working with financial institutions and businesses worldwide. He holds six patents in AI and fraud prevention, and Frank joins us today from San Diego, California. Lastly, Brandon Nowac. I'm an executive vice president at Key Bank. I have the good fortune of working with teammates and colleagues around the United States. We bring lending, payments, Wealth Management and capital market services to small, medium sized businesses all the way up through large publicly traded companies. Kolt, we talked a little bit out our middle market sentiment survey and had a couple of statistics of what we've heard from our clients. If we pull it up a level, what are you seeing in regards to the broader industry?
Kolt Bell
Yeah, I think one of the best ways we can do this is to look at the FBI Internet Crime Complaint Center, also known as the IC three. It's been around for the last 25 years, and it really has evolved to become the primary destination for individuals and businesses to report fraud, scams and cyber crime. Since 2000 the IC three has received more than 9 million complaints. To put this into perspective, in 2020 they received 770,000 complaints and just over $4 billion in losses. During its infancy, the IC three was receiving about 2000 complaints a month. They're receiving that every day now, wow. The latest IC three report fraudulent activity reported in 2024 have 860,000 total complaints, a new record for reported losses that totaled $16.6 billion that's a staggering increase from 2023 of 33% this includes complaints from business and individuals across the US and more than 200 other countries. These rising losses are even more concerning considering that the FBI took significant actions to make it harder for fraudsters to succeed. One thing is clear, fraud and cyber crime can impact any person, employee or business of any size at any time. No one is impervious to the way to scams or schemes. But at key, we're gonna do everything we can to help keep our clients informed and help them avoid becoming victims. Frank, let's start with you and talk a little bit more about what we're seeing in the industry and following we'll cover the trends we're seeing here at key.
Frank McKenna
Thank you, Kolt. Good afternoon, everybody. My name is Frank McKenna. I've been a Fraud Fighter for 30 years, and during that time, I've worked with hundreds of companies and businesses, helping them stop scams in their track. But as a former fraud investigator, I've also worked with the FBI Secret Service and postal inspectors to bring scammers to justice, but also to try to get money back for victims that have lost their money in scams and fraud. Now I've seen almost everything that there is in fraud and scams over those 30 years, but I've never seen anything quite like what we're seeing right now, and I want to show you a statistic that blows my mind this. Six shows it's by the global anti scam alliance that half the population of the world is victim of an attempted scam at least once a week. Now if you do the numbers, that means billions of people are being approached by scammers who are trying to steal their money, and the scammers are very successful. Look at this statistic, the financial losses to scams and fraud to businesses and people in the United States last year alone was over $1.03 trillion that money was gone in the blink of an eye, never to be recovered, because law enforcement simply can't keep up. This means that businesses and people need to protect themselves, because law enforcement can't always get your money back. Now what happened? How come scams and fraud is so bad right now? Well, during the pandemic, something very sinister began to happen in Southeast Asia, scam factories began to pop out. Now look at this aerial photo. This isn't a tech hub or some industrial park. This is actually a scam factory, a scam compound in Myanmar in Southeast Asia. Each of those buildings house hundreds of scammers. Those scammers have been recruited from all over the world to go to Myanmar and scam innocent Americans and businesses out of their hard earned money. These people are supposed to scam at least five people a day, and they often have quotas to scam $5,000 a day. They operate 24/7, 365 days a year. This is why scams and fraud are soaring across the world right now, and this is what it looks like inside. Inside looks like any other company, cubicle after cubicle filled with people. They have computers and they have phones. It's estimated there there are about 400,000 people working in these scam factories in Myanmar, Cambodia and Laos. And each of these people work shifts from 12 to 15 hours. They have quotas to meet, and if they don't meet those quotas, they're punished. So they're highly incentive to be very good at stealing your money. Now. Have you ever received one of these messages? Maybe somebody's looking for Jennifer. Maybe they thought they were going to meet you at a golf course. Or maybe it's like this text that I received about two weeks ago. Can I sneak in for a manicure today? Any openings? Imagine my surprise when I receive this text, I've never gotten a manicure in my life. Now, millions of these types of messages are being sent by those people and those scammers that you saw in those scam compounds. And if you were to answer this text message, and maybe you have, the person will be very polite and say, Oh, I think I have a wrong number. But then they will say, maybe it's fate that we met. And over the next weeks and months, they'll build your friendship up, and they'll convince you at some point to invest in cryptocurrency. And when you invest in that cryptocurrency, they'll show that your money is increasing and you're making lots and lots of money, but the only clue that you've been defrauded is when you try to get that money back. These innocent looking text messages are called pig butchering scams, and they're stealing billions of dollars from people and businesses across the United States and across the world today. But here's where it gets really scary. Did you know that sometimes those messages that you're receiving are not from people at all, but from artificial intelligence. Look at this video. This video depicts a software called Instagram automatic fans. It's artificial intelligence that powers 1000s and 1000s of phones to send text messages to victims across the world. These phones that you're seeing are communicating via Instagram and via WhatsApp and via Facebook to victims, building trust so that when those victims feel that they're ready to invest, a scammer can swoop in. So a lot of those messages that you're receiving today are being powered by artificial intelligence, which means that we need to be extra vigilant. So now that we know that we're what we're up against, 400,000 scammers operating in global scam factories, half the population of the world being scammed every day, and law enforcement that is completely overwhelmed by scams. It's important that we learn how to protect our businesses, our employees and our bottom line. So I have a message for you, and that is, don't get hooked by fraud. Now, based upon my experience, I'm going to show you the three biggest fraud. Odds and scams that you might get hit with this year. These are what I'm seeing happening day after day to businesses all across the United States. And I want to show you these because I want to show you how to spot them, and then I want to talk to you about how you can stop them, how you can protect yourself, your bottom line, and your employees with practical measures. Now pay attention, because any one of these scams can hit you at any moment, and it can cost you 1000s and 1000s of dollars, in some cases, millions of dollars. So let me talk to you now about the top three scams. So the number one trend, the number one fraud trend in the United States for businesses today, based on my experience, is booming check fraud. Check fraud has never been higher than it is right now. You might think checks are old school, but businesses still write about 3.4 billion checks a year, and those checks are ripe targets for scammers and fraudsters who want to steal your money. Now we only need to turn to the government reports on check fraud to see just how bad it is. Businesses are being hit with more check fraud than ever. This chart that you're seeing is based on banks reports to the government about instances of check fraud. It's called SAR reports. And as you can see, back in 2016 there was only about 130 140,000 check fraud reports a year. But you can see in 2022 that increased by seven times. There's been a 7x increase in check fraud, and many of those are targeting businesses such as yourself. So what happened? Why did check fraud increase so rapidly? Well, to understand that, we really need to look at where it starts during the pandemic, mail theft became one of the biggest crimes that emerged in this country. So check fraud starts when you as a business, put a check in the mail. Maybe it's a vendor payment, maybe it's a contractor, maybe it's employee. When you put that check in the mail, that's when the risk starts. So what happened during the pandemic is these funny keys that you're seeing here, they're called arrow keys, and arrow keys are used by post post men and post women to open up any mailbox in an apartment complex, any mailbox in a city, they open up those blue mailboxes. So when you put your check into one of those boxes, the mailman can get it out and deliver it for you. But during the pandemic, those keys started to become those postman started to become victims of armed robbery, those arrow keys, people and criminals would steal those. Sometimes the postman, if they were bad, would sell those to criminals. Those keys can go from one to $2,000 now what do those keys do? So when you put your check in the mail, those criminals open up those mailboxes and take everything out, and they steal checks. They steal every check they can find, and then they post it on the dark web. Here's an example of one posting that we saw. This check for $8,100 that was stolen from a business was posted on the dark web, and they wanted to sell it for $150 Imagine your $8,100 vendor payment being sold to a criminal for $150 it's reality. It's happening 1000s and 1000s of times a day right now, and when somebody buys those checks, the criminals will actually FedEx that check. They won't put it in the mail because they know the mail isn't safe. They will FedEx that check to the person that bought it, so that person can negotiate that check and commit fraud against you. Now it's not just small checks they're selling. Look at this check to Acme business corporation. This check is $158,150 this business book the check in the mail, and it ended up on the dark web, and they were willing to take any reasonable offer. So the criminals were willing to sell this for any reasonable offer, 158,000 which would eventually be stolen from a business. But even if it's not a large check, these criminals can turn any check into any amount to any pa payee simply by washing them. So what is washing them mean? So look at this check to JD contracting services using nail polish remover. A criminal can merely paint the nail polish remover on the payee and on the amount and make it disappear. And let me show you an example of what that looks like. So we have this paycheck, or this check that's written to JD contracting services from a business they deposit in the mail. The criminal gets this check. So they paint over the payee and the amount, and then they write in a new payee and a new amount, and look what the magic of that $3 bottle of nail polish remover actually does. They've made that check to JD contracting services payable to Tom Smith for $8,500 the Postal Service says that over $1 billion in washed and counterfeit checks have happened in the last year. So you need to protect yourself and know that putting checks in the mail is a very bad idea right now. What is the second biggest scam? The second biggest fraud that I'm seeing happening right now is insidious impersonation scams. Maybe somebody's pretending to be your bank, maybe they're pretending to be a government official, maybe they're pretending to be an employee, or maybe they're pretending to be an organization, but they're the purpose of those people calling you is only to do one thing, to steal your money, to steal your passwords and to steal your one time passcodes. Impersonation scams are off the charts, and let me show you this FTC report that shows just how bad it's gotten. Just five years ago, impersonation scams were relatively rare, but in 2024 they increased 10 times. Last year, impersonation scams skyrocketed over $3 billion you need to be aware that you can get hit with these at any time now, let me tell you about the fastest growing scam, which strikes close to home because I used to work for the fraud department, but the fraud department impersonation scam is the biggest scam that's happening right now, and this happens when somebody calls you, spoofs your bank's phone number, and they call you to get access to your one time passcode or your passwords. They're very dangerous, so listen carefully to what I'm about to tell you, because I'm going to tell you a true story of somebody I know. This is a true story of custom of Susie customer bakery. She has locations in three states. She has over 100 employees, and she's very, very busy. I know Susie customer bakery because she's my sister. About three months ago, I got a call from her. She was crying. She said, Something terrible has happened, and she proceeded to tell me a very terrible and heart wrenching story that I'm going to tell to you right now. So it was a busy Monday. She was preparing for a very big catering order, and all of a sudden, her phone buzzed, and on her phone appeared this message from the frog department. The message said, Did you authorize a transaction for $505 to Delta Airlines. It immediately took her back. She never used that card for any airline purchases, only for purchases within the bakery. So she quickly replied No, and she thought it was settled. She thought the bank would take care of it. But one minute later, her phone buzzed again, and this time, a phone number popped up. It was her bank's phone number, the 800 number that she recognized, she picked it up, and the person on the other side of the phone said, Is this Susie? She said, Yes. They said, Yes. This is your savings bank fraud department. Thank you for responding to the text. We have a few more questions for you. Did you log in to your online banking account using a Samsung Galaxy in Ohio. She said, Oh my gosh, I don't have a Samsung Galaxy phone, and I've never been to Ohio. That wasn't me. They said, rest assured, Susie, we're going to take care of this for you. We're going to remove any fraudulent charges, and we're going to restore your account. But we need to do one thing before the we do that because there's fraud in your account, we need to verify your identity. We're going to send you a passcode that's going to come to your phone. Please read that back to me. She complied with them. She trusted them. She gave that passcode to them, and they said, no worries, Susie, we're going to take care of everything. You have a very good day. She hung up the phone and she had a very bad feeling, so she quickly decided to log into her bank account to see what had happened. When she logged in, she quickly noticed that there were multiple Zelle transactions for $12,000 in three minutes. The fraudsters had scammed her out of $12,000 in Zelle transactions. It made a very bad situation for her. It devastated her business that month, and she lost 1000s of dollars. In fact, she couldn't even fulfill that catering order. She was so distracted by this fraud, I want to tell you that this type of fraud is not only happening to my sister and her bakery, but to businesses across. The country, you need to inform your staff to be very careful of those fraud department calls that comes through your bank and to really not trust everything at face value. And the final scam that I want to talk to you about is maybe the scariest of all of them, AI powered B, E, C, scams. Do you know, it only takes three seconds of video or audio to perfectly clone somebody's voice, including maybe your CEO or your CFO or an executive at your organization, and those clones can be used to perpetrate very high level and very damaging wire transfer frauds powered by artificial intelligence. It's true, and it's happening. I want to tell you a story of what happened in Hong Kong last year. It's February 2024 the Hong Kong Police are holding a press conference to talk about an audacious fraud that occurred in their country, an international company with headquarters in Hong Kong had just suffered a $25 million wire transfer fraud due to AI cloning of the Chief Financial Officer. This fraud was the most audacious and largest artificial intelligence fraud to date, and I want to tell you how they did it. So these fraudsters and scammers were very meticulous, and they started preparing for this wire fraud for month. They researched the company across zoom, info, LinkedIn, Google, public records database. They searched the Internet for any information they could find about this multinational corporation. They researched the executives. They listened to earning calls and YouTube videos and downloaded those videos, and then they learned the organizational structure of that company. They had the blueprint of how this company operated, but more importantly, the images and the voice of the executives that ran that company. And they used that information and those voices to clone the Chief Financial Officer. They found his email, and they had his voice, and they had his imagery, and they were able to clone everything about him. And then what they did is they chose a target within the company. During their research, they wanted to find somebody in accounting that had high enough level access so that they could perpetrate the fraud, using that person as leverage. So they found somebody in accounting from LinkedIn, and then they spoofed an email to that employee, coming from the chief financial officer, and they roped her in with this email here. The email said, Hello, Mary, based on your tenure at the company, I know I can trust you in a series of discrete money transfers that involve a large transaction, presumably an acquisition of the company. So she was supposed to be very secretive. Now Mary interacted with him. At first, she was a little suspicious to get this, but he put her at ease through multiple emails, and over the next couple of days, he said, let's move this comfort conversation over to WhatsApp. And he did that because he could gain more control over Mary, but he also did that because he knew that he could operate outside of the email system and avoid detection. So over the next two days, they communicated via West app. He said, be prepared at any time we're going to close this transaction, and you're going to do your part to make sure that this takes place. So it was a Saturday morning. Mary was welcomed by her computer buzzing. She opened her computer and it was a zoom call that was starting, and she was put at ease, because all of her associates at the company were on the Zoom call. All of a sudden, the CFO jumps on the Zoom call. It was his voice, his video. It was a one sided conversation, and he was instructing her how to carry out three separate wire transfer transactions. So Mary, when she got off that call, began to work feverishly, working through the day and through the night to send those wire transfers that she was instructed to do. It was very frustrating for her, but she managed to make it happen. On Monday, she got a call from her boss, saying, Why did you send those three wire transfer transactions? She said, Well, you were on the Zoom call with the CFO. You were there with me? You heard these instructions. She said, I wasn't on the Zoom call. The CFO never made those. And through the next week, they found out that all of it was an AI clone. The CFO and all her co workers were clones of people in the company that had perpetrated. Fraud against her. They had lost 25 million simply by fooling Mary. Now that's the type of thing that we're up against that you need to be very prepared for. So finality, I want to give you my three recommendations for how you can stop fraud and scams in your company. First, verify before you trust. Confirm every payment request, every vendor change or wire transfer with a known contact, and not the contact that they give you in the email, but call them at a known phone number, verify before you trust. And secondly, lockdown access limit who can approve payments. Not everybody in the company needs to be able to send wire transfers or ACH or payments limited only to people that are the most critical and always require multi factor authentication. You can stop 98% of the attacks if you just have that multi factor authentication turned on so hackers can't penetrate your system, and finally, and most importantly, train your team. Fraudsters rely on people that are not informed. So train your team. Run regular scram scam drills and tell employees how they can spot fraud. If you do all of these things, you'll be well protected, and you can protect your employees, your businesses and your bottom line. Brandon and Kolt, thank you for your time today, and back to you.
Brandon Nowac
Thanks, Frank. Appreciate the industry insights and just some fascinating stats you brought to the table. Stick around, because I think our audience will have some questions for you later in the conversation. Kolt, let's now talk about some of the things we're seeing at key and I know some of these themes we've hit in conversation with Frank, but I think our intent here is to dive a little bit deeper into some of the specific things, your team, my team, we're seeing every day with our
Kolt Bell
clients. Yeah, so frank hit on this on the business email compromise, but what we really want to talk about today is what this is going to look like, potentially for you is a potential victim in business email compromise. Whenever you hear about this, it sounds like an email has been compromised. That's exactly what it is. It's not necessarily your email. What we're seeing across the industry, and here at key is a vendor of yours may have their email compromised. In the normal interaction that you're getting from email traffic from them seems completely normal. There's no changes to the email address. It seems to have the same tone. But what's really happened on the backside is a bad actor or fraudster has gained control of that email account, and they may still have control with your vendor. They may still have control of it, but what you're going to do is you're going to get an email and it's going to say something to the effect of we just had our accounts compromised at Bank A. We have to establish new accounts at Bank B. Please send any future payments to our new account, and you're not going to think anything of this. It's an email that you've gotten from people. You may even have dual control in place so that I'm going to check it, you're going to check it, we're going to go ahead and send out that payment. What we really need you to do in these scenarios is, if you get any kind of new payment information, contact your vendor via telephone on a phone number that you know is theirs. Don't take the phone number that's in the email, don't respond back to the email, but pick up the phone. That one simple act can save a lot of people, a lot of victims that we've seen that one simple act could have averted the entire fraud scheme. Because what's going to happen is, if you send that payment, your vendor is going to be really nice for the first 30 days and not tell you that they haven't gotten it. It might take 90 days for them to finally reach out to you and say, Brandon, we never received your payment. What's going on? And at that point, you're going to figure out that you've been a victim of a scam, and it's gonna be too late to have any attempt at a recovery.
Brandon Nowac
Well, in certain payment types, it's more instant, like real time payments wire, but ACH, you have some time for reversal and in wire as well, but you wait 90 days. A lot of times it's too late. I tell you, if
Kolt Bell
it's more than 24 hours, your odds of getting money back has really declined. So that's why we say the best practices with make sure that you have strict policies in place of how you're going to handle the situation whenever you get new payment information from your vendor. Require, you know that multi level authentication, absolutely critical, dual control. We love all that stuff. Perhaps you could talk a little bit about solutions that we have here at key for for our clients,
Brandon Nowac
we sure knew you've hit on a couple, like leveraging our tools around dual authorization and sign off on a payment type, but also some of the more recent, sophisticated solutions, like enrolling an Account Validation via API into key navigator that allows you to have more instant real time information. But point is, we have the tools, we have the resources. Our team's out there to help you, and you know, we want to have the conversation to make sure you're fully protected.
Kolt Bell
Yeah, the example we have here, it's relatively large company that's got protocols in place, ended up with a $300,000 loss because they didn't make that simple phone call to their vendor to validate that new payment information actually came from them. Yeah.
Brandon Nowac
Well, you mentioned a point earlier on, not just making the phone call, making the phone call to the vendor's number that you know, a lot of times we see, unfortunately, in that email thread from the fraudster, a fraudulent telephone number, and they're really good, once you get on the phone, to be able to trick you into taking the action they want you to
Kolt Bell
Absolutely. They'll give you some sort of sense of urgency. They'll give you a reason why they might sound differently than what you're used to. And a lot of times we do so much email interaction, you don't even recognize the voice on the other side, because that's not how you typically communicate with somebody. But pick up the phone, contact your vendor, make sure that that's that information is correct. It's the number one thing we can ask you to do that's
Brandon Nowac
great. So cool. Let's now jump into check fraud. We heard frank talk a bit about check fraud, and it's fascinating that you see and scary a check where you can eliminate someone's name and put on a new one look. I've been in payments for over 10 years, helping commercial clients think about moving from paper to electronic, and I remember a decade plus ago, 60% of payments were still check, and everyone talked about it's going to get reduced. It's going to move to electronic. A lot of our clients still use check today. What are you seeing with our clients, and what are some best practices around mitigating
Kolt Bell
risk of fraud? It's interesting. You talk about check 21 and checks were going to go away. I remember that 20 years ago, checks were going to go away. Here we are still writing checks. When we talk about how fraud occurs with with checks, it's really changed over the last 10 to 15 years. What we used to see was counterfeit checks. They would get your account number off of a check that you wrote, and they would make a new one. That was a little bit easier for detection, because you could look at like signature verification or signature modifications or check stock modifications, and it was a little bit easier to identify. What we've seen over the last three to five years is it's not a counterfeit check anymore. They're stolen checks. They're your check. It's the check you wrote, or your mom wrote for your birthday. And I got one from my mom. I had to tell her stop writing checks. But what's happening is with those legitimate checks being put in the mail. And Frank talked about this like there's mail theft that's happening through the blue boxes. There's mail theft that's happening with postal carriers getting robbed, and it's all over Instagram and Tiktok, where the fraudsters are going through all of these checks, and that really makes it more difficult for the controls that historically used to be looking for counterfeits. So on this example here that we have on on the screen. You know, this is an example, again, a good sized company that writes checks. What we would ask you to do is stop using checks and use other payment methods like ACH or wire or something something digital, that really eliminates this problem altogether. But their checks were stolen out of the mill, and like Frank showed they were washed with a new payee, and then they come through the verification process. And we'd like to talk a little bit about the difference between maybe payee positive pay versus positive pay, because I know a lot of people are familiar with positive pay, but the fraud has evolved where you really need that name, payee validation. You want to talk a little bit about that, yeah, sure,
Brandon Nowac
it's relatively simple. It's being able to identify that the payee is actually who you want to pay, and similar to the rest of positive pay within within check, you hit the right point, though, which is the more we can get our clients and our clients and get their vendors to adopt alternative forms of payment, notably electronic payment. That's really the mitigating risk factor with check and unfortunately, this is an area that fraudsters are increasingly, you know, focused on to be able to take dollars from from clients. And we said this earlier, but it's across business sizes and industries. It's not just a small business
Kolt Bell
problem. No, it's not. This is a really low level barrier to entry for fraudsters, like, if you can get a hold of checks through a blue box or from a mail carrier through really a robbery, you've got everything you need to be able to go
Brandon Nowac
commit fraud. And on the right side of the page, you see kind of three mitigating factors we talked about, positive pay. On top of that, would be payee positive pay. And then lastly, would just be check block, which is rejecting paper checks, requiring electronic payments, altogether.
Kolt Bell
That's a good one if you're going to go to Ach, and that's going to be your primary path, and you're not going to be writing checks, get check block, because that really helps us, whenever we see a check come against your account, to know that that's not legitimate. And we're going to go ahead and block it right there for you, and you're gonna be mitigating that risk altogether.
Brandon Nowac
Excellent. Well, let's move on to the next topic, social engineering. This is an emerging theme. I'm sure you and your teams see more of it each and every day. Can you talk a little bit about what we're seeing at key?
Kolt Bell
Yeah, and again, Frank covered this with the example with his sister. But what we're seeing with social engineering, we're seeing a lot of bank impersonations, and if you think about how this works, and you think to yourself, how do the fraudsters know who I bank with? And a lot of times, it'll either come from your check, your routing number will tell tell them which bank it is, or if your card's compromised, that first six digits is a bin number, and it's unique to every bank. So if you think about a card compromise, there's. Something like that. I now know your your name might have your phone number from a breach of data breach, like a telco or something that you see in the news. And now I know the bank that you're at. So whenever you start getting those targeted phishing or phishing attacks where you're getting my bank, just like he showed did you do this transaction in California, there's going to be some sort of urgency behind that. And what we're seeing across the industry is the fraud departments of various financial institutions, really, all of them are being impersonated with the techniques that we talked about. Now we recommend, if you ever get a text from us or another financial institution, look to see where it came from, from the phone number, you should see it coming from a short code. If it's the full like 10 digit, that's going to be fraudulent right out of the gate. Look for that short code. But we tell people, if you don't feel comfortable, call us, we really want to hear from you, and we will tell you whether or not we were trying to attempt to contact you, if you do start to fall victim for this, and it's going to seem like I need to really Hurry up on this. We've seen bank impersonation. People call a victim say, are you sending a $50,000 $5,000 $600 it doesn't really matter, transaction to somebody in Texas. And you say, no, they're going to start asking you for additional information. Hey, we need to be able to authenticate you. Could you give us your user ID and password, or just our user ID? I don't need your password, but I'm going to send you a one time passcode. Could you read that back to me? Those types of interactions that we have with the client, the fraudsters are being very good at being able to social engineer those components for authentication from our clients. So if you get a call from the fraud department, this is what I would recommend saying, Thank you. Let me call the number on the back of my card and call back into the bank. Now, as we talk about social engineering techniques, they're ready for this, and they're going to tell you, Brandon, great idea. We fully support you on doing that, but I need to let you know, until you get a hold of us to verify these transactions is valid or invalid, you're going to be responsible for the loss. Let me just check real fast and see what the hold times are so you know what you're getting into. And I see additional transactions coming through right now, the hold times are about 45 minutes. Do you want to go ahead and call back and wait again? You're going to be responsible. For all the transactions until you can verify them. It's fraudulent. Don't fall for it. Don't fall for that. Okay, these guys are very good at what they're doing in social engineering and using psychology against you. There's going to be a big urgency of you to act right now to prevent financial loss or to help them, they're gonna be like we're here to help. So be very careful with the social engineering. Again, best practice on this. Anybody that asks you for any kind of PII, we're not gonna ask you for that. Whenever we're calling out right, hang up, call back, talk to your financial institution, see what's going on. But just take a second to see if this even makes sense to you, you can log in online banking a lot of times. If you're on talking to somebody, you can see activity, but don't give up your credentials.
Brandon Nowac
I think the big takeaway is your bank is not going to ask you via text for your, you know, routing an account number, your username and password, any type of sensitive personal identifiable information, you know, and if you get a phone call and a voicemail asking to call back and you don't recognize it, or even if you think you might still go to the back of your card or on your statement and call and call key, call your financial institution, talk to someone that you know is the is the fi. And we say this a lot, but have healthy skepticism. If it doesn't feel right, it probably isn't. And I
Kolt Bell
just want to touch on something you were you were saying, We won't ask you for your routing number and account number, going back to the last part, on checks, if you write checks, your routing number, your account numbers on there, and it's, it's out in the wild, along with your company name, address, phone number. So just convincing a lot of people to go electronic, go electronic. If I had one PSA checks, they're they're dangerous.
Brandon Nowac
So, so let's transition actually, this is a topic Frank did not hit on, which is Sim swapping. And quite frankly, I think for many it can be a bit confusing. Do you mind Kolt? Just kind of defining what it is. Give a couple examples, and then what to
Kolt Bell
watch out for? Yeah. So if you think about your personal device, your cell phone, there's a lot of information on there, if I could get control of your device, that would be very valuable to me as a fraudster. And I'm going to take this away from the business accounts and kind of make this personal of an example that we saw a couple years ago. There was a lot of California wildfires, if you remember, in LA and people were evacuating from their houses and they weren't able to go back. And the fraudsters take advantage of these like natural disasters, to be able to go into the telco stores and say, I don't no longer have my phone. I need a new phone. And of course, your telco is going to try to help you out, and they want to be comforting and helpful. It sets you up with a new phone, and it'll have new sim, and that's. Essentially, what sim swapping does is it takes control of your phone and it puts it into another phone. So if you think about that now, if you're contacting your financial institution or we're trying to get multi factor authentication through OTPs or access to your email, there's a lot of information that the fraudsters can get if they're able to effectively sim swap, is what they call it, but get, essentially, your device put onto another device. So as we talk through this one, there's a couple things you can do here. One is, a lot of the telcos let you, like, lock your Sim or allow you to get notifications, and that really starts to prevent the ability for them to do that, also using strong passwords. We have this on here on the screen, but if you ever pick up your cell phone and it isn't working, that's a good indication that your phone might have gotten swapped. And we will hear clients say something to the effect of, like, you know, I was having problems with my phone. I wasn't getting any calls or texts for a while. Try using your phone or have somebody that you know, like, could you call me and just see and if it's swapped, somebody else will have control of your your phone number? Scary.
Brandon Nowac
I mean, it's interesting. The trend that's occurring seems like more consumer but could bleed also a bit into business as
Kolt Bell
well. Yeah, absolutely could. But this is one that, again, somewhat confusing, but it's really fraudsters trying to get access to your cell phone.
Brandon Nowac
Yeah. Okay, so shifting over to best practices. I mean, I know we're not gonna read the slide. I think it's important for folks to actually spend some time read the slide. I think this is an archive to take back to your teams around information and training. Are there a couple high points you'd hit, though, for the audience's takeaways?
Kolt Bell
You know, these are the things that you hear all the time, and it's that the reason why you hear them all the time is they're really the most effective in monitoring your accounts. Like our clients are truly the best fraud detection people we have, because you know what's normal and you know what's not, make sure that you're monitoring your accounts. Don't like, reconcile like at the end of the month, and that's gonna be the first time that you're looking at it. Look at your daily activity. Look at your accounts throughout the day. If you spot anything abnormal, get a hold of us like immediate way, and we can help you out. So that sounds so simple, but it's so effective. The other one that we say all the time, and you would think I would never do this, is never share your credentials. But we see this a lot where, hey, to be able to authenticate you, we do multi factor authentication. People don't quite understand what that is. I'm going to ask you for your user ID, but I don't need your password. Sounds fine, but you've given up half of the combination, so to speak. So never share your credentials. We should your bank, financial institution. Should never be asking you for those things. And then the last one keep talking about here is when in doubt, call us. Get a hold of us. We are here to help. So when in doubt, contact your financial institution well and
Brandon Nowac
then just have the payments front. We talked a lot about check but whatever payment modalities or payment types you and your businesses are using, make sure you have the appropriate fraud controls on top of it, because even even ACH right we have, the industry has fraud controls to mitigate ACH risk, wire risk, and you know, that's what our team is here to help, is make sure you're appropriately controlled across your across your payment types.
Kolt Bell
I think prevention is the key, and that's what you're talking about, is, how do can we prevent this from happening? The other stuff we talked about is, how can you detect it? But if you can get in front and actually prevent it from occurring to begin with, all the better.
Brandon Nowac
Just to reiterate, you know, one of the best practices we talked about, Kolt, I think it's just so important we hit it, you know, yet again, because it's something that, it sounds so simple to your point, but a lot of our clients out there, you know, they're getting attacked by this form of fraud, so maybe just hit on prevention strategies around what never to do and what we would never ask our clients to
Kolt Bell
do. Yeah, like you said, these are good, and the social engineering is going to get you to the point where you're not thinking about this and just be aware of these. Like Key Bank will never contact you and ask you for your username, password or your pin one time, pass codes or answers to your security questions. We're not going to ask you that over the phone. So this is going to be keys to you or clues to you that something is kind of off. We're also not going to ask you for your full bank account number. We have that. We know what that is, so we're not going to ask you for but if you do receive a request like this, don't provide the information, as we talked about, contact us.
Brandon Nowac
We're here to help and contact us by the number you know on the back your card bank statement. Don't fall for the text you know or the email that says, call this number.
Kolt Bell
It's a great deal. A couple things is you're on that don't google it, right? So don't, don't search for it. Get the number off of the statement or off the back
Brandon Nowac
of your card. What brings up a separate topic around googling. We see this with key navigator, which is our commercial online payments platform. And if you go into Google, fraudsters try to sneak in the wrong letter the wrong statement or buy an ad to try to get to the top exactly, and don't go to Google, go to your URL, type in our key navigator URL, and that's the only way to log in with your partners. Yeah, bookmark it. That's right. So Kolt, you mentioned. I mean, we're here to help our clients every day mitigate fraud and really provide education and for. Information around best ways to identify and mitigate and then if, unfortunately, something does happen, what to do about it. There's a lot of things we provide out around education and prevention resources. A few are on this page, monthly articles we provide on fraud and cybersecurity topics, obviously being cybersecurity. Month here in October, we're talking today, you know, with the team via webinar, but on key.com/business fraud, we have a hub of a lot of education tools and prevention strategies for you and for your teams. And again, this is across businesses of all size, small, medium, large businesses, all industries. We have a lot of great resources@key.com forward, slash business fraud and then education opportunities. You know, our teams are out there to help identify trends, and then the tools and resources you can use to mitigate the risk. And then lastly, that kind of segues into what we talked about earlier, which is the different types of detection and prevention services like positive pay, Payment Protection, account alerts. There's a whole host of things we can provide to our clients to help them mitigate risk. Before we close, we've had a couple questions come in from the audience. I think we have time to tackle a few of them. Kolt maybe the first one for you and I. But you can start, how can businesses balance the need for security with the convenience of digital payments, especially in the light of emerging fraud trends?
Kolt Bell
I think this is a good question, and how I would start to answer this is digital payments, not only are they convenient, but they actually have the security embedded in the payments.
Brandon Nowac
Yeah, you know, I think in addition to that, though, just because someone's submitting wire or ACH, which is a digitized form of payment, real time payments, there are still controls that our clients should be using to further mitigate risk, similar to positive pay on check. But I agree with you, net, net, it's safer to be transmitting an electronic or digital payment. I think the second piece is, sign up for alerts. You can see abnormal activity. Your team does a lot around constantly understanding what's normal what's abnormal, and then creating alerts around that so that our clients can make decisions and get visibility into what might not be normal
Kolt Bell
activity, and a lot of times you can actually set limits on exact types of transactions as well. That's exactly right.
Brandon Nowac
And our next question is actually for you, Frank, can you elaborate on the role of employee education in preventing business email compromise attacks and what training methods have proven most effective?
Frank McKenna
Oh, that's a very good question. Now, when I think about B EC tax, they're not really a tech problem. It's a people problem. Hackers don't need to really break into your systems. They just need to trick one employee. That's why education is often the strongest defenses, and the companies that make this, this type of training part of their culture often most successful. It isn't a one time training, but repeated training. So they'll hold phishing simulation exercises. They'll train their HR, their finance and their executive team, specifically for these types of attacks, because they're the ones that are mostly likely to come in contact with it. So an effective program kind of looks at blending regular, routine training for employees, but also executives, HR and the finance team, and does it regulate it regularly with kind of simulated phishing attacks and some of the red flags that they should spot that's what I would say. Would make an effective program.
Brandon Nowac
Thanks, Frank, that was great. Before we wrap up. Do you have any final tips or thoughts for our audience?
Frank McKenna
Yeah, I sure do. I guess I would just say the three recommendations verify before you trust. Lockdown access. Not everybody needs to be be able to make payments within the company and train your team. It's often one of the strongest defenses against fraud and scams is when people know what to look out for so that they can avoid it.
Brandon Nowac
And lastly, if you or your teammates suspect fraud, Kolt, you mentioned it time is your enemy, act immediately. Report all suspected fraud immediately. A couple points that we wanted to leave you with. If you suspect your business has been exposed to fraud, immediately, contact the Financial Institution. If you are a KeyBank client, contact KeyBank fraud Client Services Center. You see the number on the screen. That's Kolt's team. They're here to help. We want to make sure we're helping you mitigate any potential risk related to fraud. Report the fraud to law enforcement immediately. It was last year in our October series for fraud and cybersecurity, we talked a lot about how to engage the FBI local law enforcement. The resources were out there. They're here to help you. Cybercrime complaints should be reported to the internal Crime Complaint Center. IC three, you mentioned this earlier in the presentation, via complaint report, the link is on the page. Contact your banker about anything suspicious. Do not call the number you don't know. Call the individual you do, and your banker, who you've known, is the best phone call you can make. Email a screenshot of any fraudulent text or email related information to key at reportfish@keybanc.com, again, all this is out. There we wanted to leave you with, if you believe something could be happening, act immediately. These are some best practices. Take these steps. I would like to extend my gratitude to you Kolt, and to you Frank, thank you so much for bringing your expertise, your decades of expertise, to the table to help all of us think about best ways to identify, manage, and, quite frankly, prevent fraud. It's been a fantastic session and really informative.
Kolt Bell
Appreciate the opportunity.
Brandon Nowac
Key has compiled this information from sources we believe to be reliable and it is subject to change. We assume no duty to update this information in the event of changes. This material is provided for general purposes only particular situations may require additional information or actions. This session is not intended as an offer solicitation, recommendation or advice of any type. If legal advice or any other expert assistance is required, you should consult a qualified professional. We may collect information about attendees of this event, including name company affiliation, email address, phone number, address, and in certain instances, IP address, as well as any other information you choose to provide to us, this may be combined with information we already have about you.
Replay our October 7 webinar on the latest fraud threats to businesses.
Webinar topics
Replay our October 7 webinar on the latest fraud threats to businesses.
- The most prevalent fraud schemes blindsiding businesses today
- Emerging technology threats, like SIM swapping
- Examples of how businesses can fall victim to trending fraud schemes
- The latest technologies, tools, and resources to help safeguard your business from these same threats
