The Triangulation of ACH, Wire Fraud and Check Fraud

September 2020

Jeanette Mosley, CFO, Presidian Hotels & Resorts, (210) 646-8811 ext: 223, [email protected]
Greg Litster, President, SAFEChecks, (800) 755-2265, [email protected]

Fraud and the Coronavirus

“…Moreover, the risk of B2B payments is even higher particularly as more employees work from home. Recently, Europol issued a warning of how cybercriminals and other fraudsters are adjusting their strategies to take advantage of the current climate uncertainty stemming from the coronavirus….”

https://thepaypers.com/expert-opinion/b2b-payments-2019-2020-key-drivers-of-innovation--1243725

“ACH Network” = infrastructure for electronic payments between individuals and organizations.

Began as a system for recurring transactions between parties who knew and trusted each other, but now includes one-time transactions between unfamiliar groups and individuals.

Almost 7 Billion ACH transactions in 2nd quarter of 2020 alone!

https://www.nacha.org/content/ach-network-volume-statistics

ACH Network = one of the safest payment systems in the world.

HOWEVER…

ACH fraud has almost tripled, from 12% in 2010 to 33% today (Unauthorized ACH Debits)

AFP 2020 Payments Fraud and Control Survey

“It is not the payment method itself that is compromised but the processes leading up to the payment initiation …

“By gaining access to internal systems, fraudsters may successfully be able to generate ACH files…”

AFP 2020 Payments Fraud and Control Survey

Most ACH fraud could have been prevented if “best practices” had been followed by organizations or individuals. Some practices include:

• Know the person with whom you are dealing – fraud happens by incorrectly assuming an unknown party is legitimate

• Utilize your bank’s fraud detection and prevention resources such as ACH Filters, Blocks, Transaction Review, UPIC codes

• Monitor EVERY account daily, before 10:00 AM

Frank Abagnale Fraud Bulletin, Volume 15

• Segregate accounts for better control
  - collections vs. disbursements
  - high volume vs. low volume
  - paper vs. electronic

• Use encrypted email for confidential information

• Mask account numbers and tax ID numbers in correspondence

• Collect bank tokens and cancel the password of an employee leaving the company. Remove them as an authorized signer or authorized user of ACH services.

Abagnale Fraud Bulletin, Volume 15

Wire Fraud, BEC Scams & VEC Scams

Wire Fraud is Cybercrime

In 2010, wire fraud represented only 3% of payment fraud attempts

Today, it represents 40%!! (down from 48% in 2018)

Wire Fraud 2010 – 2020

The problem is not the bank’s wire transfer system.

It’s a human failure.

Somebody falls for a clever social engineering scam. “Vendor ”

VEC Scams

Most organizations haven’t heard about VEC scams and are falling prey to them!

What’s at stake?
• Money
• Reputation
• Productivity
• Jobs - Human Impact

“A newly discovered cybercriminal gang is putting a twist on business email compromise scams by targeting vendors or suppliers with emails and then sending realistic-looking invoices to their customers to steal money….”

https://www.bankinfosecurity.com/vendor-email-compromise-new-attack-twist-a-13170

“…it is being popularized by a cybercriminal group dubbed Silent Starling….”

https://www.agari.com/email-security-blog/silent-starling-vendor-email-compromise/

Fraudsters gain access to a vendor or supplier’s employee email account and watch those communications, become knowledgeable about the business operations, and attack: fake invoices with “change-of-bank” data are sent to the customers of that vendor or supplier, in a style mimicking the employee.

In less than a year, 700 employees’ email accounts in 500 companies have been infiltrated by Silent Starling. Most victims were in USA, Canada, and UK.

https://www.agari.com/email-security-blog/silent-starling-vendor-email-compromise/

The BEC Email Scam

Requests are typically urgent and confidential

Look for SPOOFED domain registrations

Identifying the Difference in Email Domains

Real

Fraud

Information Classification: Public

[email protected] [email protected]

International wires are most common, but requests for US payments and W-2 records are increasing

When replying, use Forward NOT Reply

Do callbacks or other out-of-bank verification to a known good contact source

NEVER call the number on the email

BEC Scam Videos

https://www.youtube.com/watch?v=sxybmE1rrZg

Staff Training Video

https://www.youtube.com/watch?v=LfGaDd7-dlk

This EXCELLENT video has been taken down, but I saved it. Email: [email protected]

VEC Scams and BEC Scams target Organizations & Businesses

It is not a “bank” problem

It’s human failure

A recent unsuccessful email scam received at SAFEChecks –

Hovering the cursor over the Name on the “button” showed it did not match the banker’s info

NEVER click on embedded links!!!

Scam email attempts can happen to anyone! Be afraid. Be very afraid.

Strategies to defeat VEC Scams

Verify that the email address source is correct. (Domain addresses are changed by 1 or 2 letters!)

Look at words, phrasing of email – very slight differences in grammar style, misspellings.

Spoofed emails in VEC & BEC scams don’t trigger spam traps because the targets are targeted.

Verbally confirm all change-of-bank notifications – Don’t call the number on the invoice.

Wire Fraud Court Case

Choice Escrow and Land Title vs. BancorpSouth Bank

Important Link: http://courtweb.pamd.uscourts.gov/courtwebsearch/mowd/qmC2dt555T.pdf

• March 17, 2010: Bank received an online banking wire transfer request to wire $440,000 from Choice Escrow’s Trust Account

• Wire transfer $440K to Republic of Cyprus

• Request NOT legitimate – Choice Escrow employee’s computer had been hacked; taken over by fraudsters

Computer Takeover: NO “Dual Control”

1. The wire to Cyprus was initiated using the User ID and password of a Choice Escrow employee

2. Wire was initiated from IP address registered to Choice

3. Bank authenticated employee’s computer by detecting the ID secure token device the Bank had installed

4. Immediately after wiring funds, Bank auto-generated a Transaction Receipt that was faxed to and received by Choice Escrow. The fax was placed on a desk and not reviewed until the next day.

The money was gone!

Bank: Customer failed to implement Dual Control

• Bank required online banking customers sending wires to utilize “Dual Control” (Dual Control = 2 computers, 2 different logins, passwords)

• Wire transfer could only be effectuated by two individuals using separate User IDs and passwords

• Choice declined in writing, TWICE, to use Dual Control

Feeble Legal Argument against using Dual Control

• Choice contended “Dual Control” was not “commercially reasonable” because…

• “…at times, one or both of the two individuals authorized to perform wire transfers through the [bank] system were out of the office due to various reasons.”

• Court disagreed.

• Choice Escrow held liable for loss.

Official Comments to the Funds Transfers provisions of the UCC:

The purpose of having a security procedure deemed to be commercially reasonable is to encourage banks to institute reasonable safeguards against fraud but not to make them insurers against fraud.

A security procedure is not commercially unreasonable simply because another procedure might have been better or because the judge deciding the question would have opted for a more stringent procedure. The standard is not whether the security procedure is the best available.

Sometimes an informed customer refuses a security procedure that is commercially reasonable and suitable for that customer and insists on using a higher-risk procedure because it is more convenient or cheaper. In that case, under the last sentence of subsection (c), the customer has voluntarily assumed the risk of failure of the procedure and cannot shift the loss to the bank.

Court Order, March 18, 2013

“For the foregoing reasons, the Court GRANTS the MOTION OF DEFENDANT BANCORPSOUTH FOR SUMMARY JUDGMENT. All other pending motions, including all other motions for summary judgment (including motions for partial summary judgment), are DENIED as moot. Accordingly, it is ORDERED that summary judgment is entered in favor of defendant BancorpSouth Bank.”

Preventing Unauthorized Wire Transfers

Wiring money requires two different computers, two different users/passwords: FIRST to initiate, SECOND to approve and release funds.

Employees initiate Wire/ACH via own computer

Release Wires/ACH via a dedicated, banking-only computer.

Wire transfer scams would likely fail if EFT protocols required a second approval by a second person, and the release was sent from a dedicated computer.

Strategies to defeat Wire Fraud

• Be suspicious of urgency or secrecy in wire transfer requests
• Look for consistency with prior requests from CEO to CFO, and from vendors
• Look at wording, phrasing of email requests – different writing style, misspellings. Today the spelling, grammar is nearly perfect!
• Alternate the form of communication to confirm the wire request. If the request came by email, confirm by phone.
• Confirm the request actually originated with a “C” level executive. This is essential if the request says “…no more confirmation…” is needed.

Preventing Unauthorized Wire Transfers

To help avoid losses and shift liability for cyber and fraud losses, follow your bank’s internal controls and tech recommendations.

Failure to implement your bank’s recommendations may result in your organization being held liable for losses.

Your bank IS NOT RESPONSIBLE to monitor your computers or educate your employees.

• VERBALLY confirm ALL bank change notifications

• CALL phone # in file – not # on notification

• Buy check fraud and cyber crime insurance

Mobile Banking Fraud – merging the new with the old….

For information: Steve Hines [email protected] 800.915.3381

https://www.zulualphakilo.com/press/homeequity-catch-the-scam/

Mobile Banking Fraud:

Double Deposits

Example of Double Deposits

Deposited via smart phone on 11-25-16 (November 25, 2016)
• Heat-sensitive ink icons visible
• Visible laid lines

Same check deposited later at a bank
• Heat-sensitive ink icons NOT visible
• Laid lines dropped out

Mobile Banking Deposit Fraud

Scenario: A check is mailed to Dishonest Don
• Don uses a smart phone app to deposit check
  - Takes pix of front of check
  - Endorses the back of a different check
  - Uploads check; pays at drawer’s bank
• 3 days later, Don cashes the same check at a check cashing store, endorses it for first time
  - 2nd check hits the drawer’s bank account (check is presented for payment twice)

Who Takes The Loss?

The answer is found in the Rules governing Check 21 AND The Uniform Commercial Code (UCC): Holder In Due Course

Mobile Banking & Check 21

1. Mobile depositing is Remote Deposit Capture, part of Check 21

2. Check 21 has specific rules that govern Remote Deposit Capture (mRDC)

3. The Rules determine who takes the loss

Check 21 Rules

Two Warranties:

• Image of check is clean & legible;

• Check is presented for payment only one time; no double presentments.

The Fed did not envision mobile banking smart phone apps or desktop scanners in 2004

§ 229.52 Substitute check warranties

A bank that transfers, presents, or returns a substitute check (or a paper or electronic representation of a substitute check)… warrants… that—

(2) No depositary bank, drawee, drawer, or indorser will receive presentment or return of, or otherwise be charged for, the substitute check, the original check, or a paper or electronic representation of the substitute check or original check such that that person will be asked to make a payment based on a check that it already has paid.

(b) Warranty recipients. A bank makes the warranties… to the person to which the bank transfers, presents, or returns the substitute check or a paper or electronic representation of such substitute check and to any subsequent recipient, which could include a collecting or returning bank, the depositary bank, the drawer, the drawee, the payee, the depositor, and any indorser. These parties receive the warranties regardless of whether they received the substitute check or a paper or electronic representation of a substitute check.

§ 229.56 Liability

(c) Jurisdiction. A person may bring an action to enforce a claim… in any United States district court or in any other court of competent jurisdiction. Such claim shall be brought within one year of the date on which the person's cause of action accrues… a cause of action accrues as of the date on which the injured person first learns …of the facts and circumstances giving rise to the cause of action, including the identity of the warranting or indemnifying bank against which the action is brought.

Under the § 229.56 Warranty…

Bank of First Deposit (BOFD) can charge the loss against its customer’s account

Liability for the loss falls on the bank that allowed its customer to download the app

Warranty Claims

A Breach of Warranty claim can be filed within one year from the cause of action.

• Cause of action begins to run the date the injured party first learns of the loss.

• Claims must be made within 30 days after the person has reason to know or further losses cannot be claimed.

• Comparative negligence applies.

Email: Breach of Warranty Claim

Actual Breach of Warranty Claim

The Elephant in the room ─ Check Fraud ─ still the King!

Checks & Check Fraud

Why talk about Check Fraud?

Checks produce more $ Losses than all other types of payment fraud!

The FIRST Check Fraud Lawsuit

In 1762 Price sued Neal for check fraud

Price v. Neal, England

Plaintiff, Price, argued that: Defendant, Neal, was indebted to him for 80£ for money had and received: and damages were laid to 100£. Plaintiff should recover back the money he paid them by mistake believing “that these were true genuine bills.”

Plaintiff “could never recover it against the drawer, because no drawer existed; nor against the forger, because he is hanged.”

The jury found a verdict for the Plaintiff; and assessed damages of 80£ and costs 40s. (Bank had NO liability… even in 1762!)

Check fraud has continued unabated for 250 years!

(but with few public hangings)

Association for Financial Professionals Payments Fraud Survey

50% of large organizations (plus millions of smaller organizations) still issue checks

“Checks remain the most-often targeted payment method by those committing fraud attacks.

Check fraud also accounts for the largest dollar amount of financial loss due to fraud.”

Fraudulent Payment Attempts (by Method) (Respondents were hit multiple ways -- total > 100%)

• CHECKS: 74%
• Wire Transfers: 40%
• Corporate Cards: 34%
• ACH Debits: 33%
• ACH Credits: 22%
• Faster Payments: 3%
• Virtual Cards: 3%
• eWallets: 2%

Frank Abagnale

Catch Me If You Can

Technology is making Frank Abagnale’s “gift” achievable by mere mortals

QUIZ: True or False?

1) Placing a Stop Payment on a check ends your legal responsibility to pay the check

FALSE

Holder in due course trumps Stop Payments

2) Positive Pay will catch all check fraud attempts

FALSE

Pos Pay won’t catch Altered Payee Names or counterfeit checks using the same check number

3) Payee Positive Pay will catch all check fraud attempts including added payee names

FALSE

Won’t catch ADDED Payee Names placed two (2) lines above the original payee name

4) If you’re using Payee Positive Pay the quality of your check stock doesn't matter

FALSE

If the counterfeit checks look “genuine” you can be held liable for the check under Holder in due course

(See Triffin v. Somerset Valley Bank and Hauser Contracting Co.)

5) In a Check 21 world, check security features don’t matter if you’re using Payee Positive Pay

FALSE

Holder in due course trumps Payee Pos Pay

6) Your payables are outsourced to a third party (your bank) that uses Payee Positive Pay. The quality of the checks they use doesn't matter to you because if there is loss, they will take the hit.

Depends on what the contract says. If it is silent, you have liability.

7) If you have a great relationship with your bank, you’ll never be held liable for a check fraud loss

HA!

Cincinnati Insurance Co. vs. Wachovia Bank

Yesterday’s generation

What once was “old” is NEW

Willie Sutton
Profession: Bank Robber (1901 - 1980)

“I rob banks because that’s where the money is.”

Today’s generation

What once was “old” is NEW

Outlaw Gangsta Crips, Brooklyn, NY

“... Gangs traditionally associated with drugs and violent crimes are increasingly committing financial .

Gangs are getting into crimes like check fraud and because they are more lucrative, harder to detect, and carry lighter prison sentences ....”

Wall Street Journal, March 8, 2016

“We think of gang members being knuckleheads, but these guys are using a sophisticated thought process and getting involved in stuff that requires technology and an understanding of the banking system.”

Wall Street Journal, March 8, 2016

When federal agents arrested a group of Outlaw Gangsta Crips last summer in Brooklyn, N.Y., the 38-page indictment included robbery, attempted murder and cocaine distribution. But it also included an atypical charge for a street gang case: bank fraud.

Wall Street Journal, March 8, 2016

“Check fraud has become especially popular…fraudsters are familiar with checks and so are able to commit check fraud with relative ease with the help of sophisticated equipment.”

Wall Street Journal, March 8, 2016

What has changed are the size and scale of the operations. “The sums of money involved are staggering ...the potential amount of money involved and damage to people’s financial accounts is greatly out of proportion to other gang crimes....”

Wall Street Journal, March 8, 2016

“Prosecutors said the gang members created and deposited fake checks, and then quickly withdrew money from the accounts before the banks could identify the checks as fake.

The alleged scheme reaped more than $500,000 for the group....”

Wall Street Journal, March 8, 2016

Twelve members of a group known as the Van Dyke Money Gang were accused last summer of bilking banks out of more than $1.5 million.

Manhattan federal prosecutors say the gang, mostly men in their 20s living in Brooklyn, fraudulently obtained money orders and cashed them at bank accounts along the East Coast.

Wall Street Journal, March 8, 2016

BOSTON’S # 1 SELLER

Strategies to Prevent Check Fraud

Don’t Write Checks!

• Use Commercial Purchase Cards

• Pay electronically (ACH)

Which is Safer? Checks vs ACH or Wire

• Northern CA city - population < 100,000 (happened 2018)
• School bond construction money
• City received fraudulent change of bank notification
• Sent two $450,000 ACH payments to fraudsters
• $900,000 – Taxpayer school bond money gone!
• If paid by check, City could file an Affidavit of Forged Endorsement – get the money back from BOFD
• Forged Endorsement is the liability of BOFD – 3 years

Which is Safer? Checks vs ACH or Wire

• Colorado School District (happened in 2019)
• IT Director at GFOA 2019
• In 2019 – FIVE (5) incidents – Bogus change of bank notifications
• $500,000+ ACH payments sent to fraudsters
• Taxpayer school money gone!
• IT Director – “No More ACH Payments!”

Checks are Safer

• If payment had been made by check and mailed to a PO Box controlled by fraudster, fraudster would forge endorsement and deposit the check, wire out the money in 3 days. Money is gone.

• UCC: Forged Endorsement is liability of bank of first deposit (BOFD) for 3 years (Florida and Georgia 1 year)

• Drawer/issuer files Affidavit of Forged Endorsement; check is charged back to BOFD. Money recovered.

• BOFD takes the loss.

When you issue checks…

Use High Security Checks

Strategies to Prevent Check Fraud

1. High Security Checks
2. Positive Pay
3. Payee Positive Pay
4. ACH Filters or Blocks

Effective check fraud prevention strategies start with a high security check

Which security features matter most?

1. Using a Controlled check stock

Controlled check stock: Checks that aren’t sold blank unless the face has been customized for that organization, and the account holder, account number, & ship-to address have been verified.

Uncontrolled check stock: Checks that can be purchased entirely blank, or are sold without the buyer, the account number and the ship-to address being verified or authenticated. Because buyers can be fraudsters!

How is Uncontrolled Check Stock a problem?

Fraudsters Create Counterfeit Checks

Fraudsters use:

1. Adobe Illustrator

2. Scanner

3. ORIGINAL blank check stock (uncontrolled)

to create authentic-looking counterfeit checks, including Cashiers Checks & Official Checks.

Video

Creating Counterfeit Checks

Counterfeit Cashier’s Checks

Who Sells Blank, Uncontrolled Checks?

• Virtually ALL business accounting & check writing software vendors

• Virtually ALL check printers, including:
  1. Large, national check printers
  2. Small print brokers buying from wholesalers

I bought high-security checks from XXXXX (Major National Check Printer) … using a bogus name and … a closed account number!

BOGUS Name

Uncontrolled Checks

I used this CLOSED Account Number

Check Printer did not verify Bogus Name / Closed Account # / Address

Fraudsters ADD a Name & Logo

Fraudsters use ACTIVE Account Numbers

I added…

Intuit (Quickbooks)

I used this closed account number… And a BOGUS Name; Intuit did not verify!

Costco

I used this closed account number… And a BOGUS Name; Costco did not verify!

In contrast with other check printers…

SAFEChecks does not sell checks entirely blank unless the face of the check has been uniquely designed and customized for that customer or end user.

For customers that use entirely blank checks we can print the company’s website along the edge, or a customized logo on the face, or something that is unique to that customer.

SAFEChecks pays its employees $100 if they catch an unauthorized person trying to buy checks using someone else’s account number.

Every new check order is verified with the bank

SAFEChecks has never had a check replicated or used in a scam in over 20 years.

Additional Security Features

• Controlled check stock
• Dual-tone True watermark
• Thermochromatic ink
• Correctly worded warning banners
• Toner anchorage
• Copy void pantograph
• Chemical sensitivity
• Chemical wash detection box
• Inventory control numbers

Positive Pay

Positive Pay is an automated check-matching service offered by many banks. Each day that checks are issued, a file of those checks is sent to the bank.

Positive Pay does not protect against:

1. Counterfeit Checks using the identical check number and dollar amount

2. Altered Payee Names

3. Added Payee Names
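The three gaps listed above follow from which fields are compared. The following is an added sketch, not the bank's or SAFEChecks' software: it assumes Positive Pay compares check number and dollar amount against the issue file, that Payee Positive Pay additionally compares the payee name, and that the payee match reads only the original payee line. Field names and sample checks are constructed.

```python
"""Model of which presented items Positive Pay and Payee Positive Pay flag."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class IssuedCheck:
    """One row of the issue file the drawer sends to the bank."""
    number: str
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class PresentedCheck:
    """What the bank captures from an item presented for payment."""
    number: str
    amount: Decimal
    payee_read: str  # assumption: the name read from the original payee line


def normalize(name: str) -> str:
    """Compare names in ALL CAPS with single spaces, as issue files carry them."""
    return " ".join(name.upper().split())


def match(item: PresentedCheck, issue_file: dict, check_payee: bool) -> str:
    """Return 'PAY' or an exception reason for one presented item."""
    issued = issue_file.get(item.number)
    if issued is None:
        return "EXCEPTION: check number not in issue file"
    if issued.amount != item.amount:
        return "EXCEPTION: amount mismatch"
    if check_payee and normalize(issued.payee) != normalize(item.payee_read):
        return "EXCEPTION: payee mismatch"
    return "PAY"


def compare_services(presented: dict, issue_file: dict) -> dict:
    """Map each scenario to (Positive Pay result, Payee Positive Pay result)."""
    return {
        name: (match(item, issue_file, check_payee=False),
               match(item, issue_file, check_payee=True))
        for name, item in presented.items()
    }


# Constructed issue file: two checks the drawer really issued.
ISSUE_FILE = {
    c.number: c
    for c in (
        IssuedCheck("1001", Decimal("2500.00"), "Acme Supply Inc"),
        IssuedCheck("1002", Decimal("980.50"), "Northwind Freight LLC"),
    )
}

# Constructed presented items, one per scenario named on the slides.
PRESENTED = {
    "genuine": PresentedCheck("1001", Decimal("2500.00"), "ACME SUPPLY INC"),
    "altered_amount": PresentedCheck("1001", Decimal("25000.00"), "ACME SUPPLY INC"),
    "counterfeit_same_number_and_amount":
        PresentedCheck("1001", Decimal("2500.00"), "J DOE"),
    "altered_payee": PresentedCheck("1002", Decimal("980.50"), "J DOE"),
    # A second name printed above the payee line: under the assumption above
    # the payee line still reads as issued, so neither service flags it.
    "added_payee_above": PresentedCheck("1002", Decimal("980.50"), "NORTHWIND FREIGHT LLC"),
    "never_issued": PresentedCheck("4999", Decimal("100.00"), "J DOE"),
}

if __name__ == "__main__":
    for scenario, (pos_pay, payee_pos_pay) in compare_services(PRESENTED, ISSUE_FILE).items():
        print(f"{scenario:36} PosPay={pos_pay:42} PayeePosPay={payee_pos_pay}")
```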

Payee Positive Pay

Payee Positive Pay Will Catch Altered Payee Names

Payee Positive Pay Will Not Catch Added Payee Names printed two (2) lines above the original payee name

Banks have NO solution for checks printed with a bogus name two (2) lines above the original payee name

The “Solution” is a Secure Name Font

Secure Name Font

Typical Check Layout

Open Areas Where Forgers Add A New Payee Name

This is the IDENTICAL check-issue data printed through the special software

Secure Name Font printed TWO LINES above original payee name

The Secure Name Font is created by special software

Leaves No Room for Adding Bogus Payee

Secure Name Font – Secure Number Font

The software interfaces between your computer and laser printer. When printing checks, select the software’s virtual printer driver. The check data passes through the software, is reformatted, and the checks print on your existing laser printer.

Secure NUMBER Font blocks out the area where a bogus Payee Name could be added

Add WARNINGS to the Check

THIS CHECK CLEARS THROUGH POSITIVE PAY
PAYEE NAME ON FILE AT THE BANK

Encrypted barcode

The Encrypted Barcode is created by the special software. Helps deter fraudsters and embezzlers

Encrypted Barcode contains:

1. Drawer
2. Payee Name
3. Dollar Amount
4. Issue Date
5. Check Number
6. Account Number
7. Routing/Transit Number
8. Date and Time Check was printed
9. Laser Printer used
10. The employee that printed the check (deters embezzlement)

A Positive Pay file, the Secure Name Font & Barcode are automatically created by the software as checks are being printed

NO technical skills are required to create a Positive Pay file

The software:

• Eliminates the need for technical skills to create a Payee Positive Pay file
• Converts Payee Name into ALL CAPS as checks are being printed
• NO Retyping Vendor Names into ALL CAPS
• Converts font size to 14 point automatically
• Accumulates & configures the check data to send Positive Pay files to the bank
• Adds Barcode & Secure Name Font
• Repositions where the check prints

Typical Check Layout – Check is on top and shows thru window envelope

Special Software can Reposition the Check

8934 Eton Avenue, Canoga Park, CA 91304

Top panel shows through the window envelope

Payee Name, Address, is printed in TOP white panel. Check is re-positioned to the bottom.

Check is Z-folded. TOP PANEL shows through window

It is not obvious the envelope contains a check.

Legal Reasons to use Positive Pay

Court Order

Loose Ends …

• ACH Filters and Blocks
• Stop Payments
• Multiple Payee Names on Checks

ACH Filters and Blocks

Prevent unauthorized ACH debits from paying against your bank account

An unauthorized ACH debit MUST be returned within 24 hours after it posts or it CANNOT BE RETURNED!

ACH Filters and Blocks are available through your Bank

Stop Payments

1. Print a SHORT expiration # of days on the check “This check expires and is void 20 days from issue date”

2. DO NOT reissue the check until after 20 days

3. “Void After 90 days” is too long!

4. Banks do not care or pay attention to what is printed. This will prevent some HIDC claims.

Endorsements & Multiple Payee Names

If Multiple Payee Names on a check do not include the word “and” after the names, the Payee is “ambiguous” and legally means “OR”

A forward slash [virgule, vər-gyül “/”] = OR

Request the longer PPT – [email protected]

• ACH Filters & Blocks
• BEC Scams
• Check 21
• Checks & Check Fraud
• Which is Safer – Checks vs. ACH or Wires?
• Strategies to Prevent Check Fraud – High Security Checks – Why Checks Matter
• Cybercrime – Wire Fraud, Online Fraud & BEC Scams
• eCheck Fraud
• Embezzlement
• Endorsements & Multiple Payee Names
• Holder in Due Course – UCC §3-302
• Mobile Banking Fraud
• Passwords – The New Recommendations
• Positive Pay – How It Works
• Payee Positive Pay – Added & Altered Payee Names

Jeanette Mosley, CFO Presidian Hotels & Resorts (210) 646-8811 ext: 223 [email protected]

Greg Litster, President SAFEChecks (800) 755-2265 (818) 383-5996 cell [email protected]

PROTECTION

Passwords Posted on the Web Last Year: 100,000,000 +

10 Years Ago: The Time it Took a Hacker to Randomly Guess Your Password

Length          lowercase     + Uppercase    + numbers and symbols
6 Characters    10 Minutes    10 Hours       18 Days
7 Characters    4 Hours       23 Days        4 Years
8 Characters    4 Days        3 Years        463 Years
9 Characters    4 Months      178 Years      44,530 Years

Five years ago: 8 Characters, all lower case = 4 days

Today: 8 Characters, all lower case = 12 hours

It Takes a Hacker 12 Hours to Randomly Guess Your 8-Character Password

This $12,000 computer containing 8 AMD Radeon GPU cards can brute force the entire keyboard for any eight-character password in 12 hours!

New Recommendations for Passwords

Wall Street Journal - August 7, 2017

New Recommendations: Use LONG Passwords → 15 + characters

correcthorsebatterystaple (25 characters)
correct horse battery staple

Isolemnlyswearthatiamuptonogood (31 characters)
I solemnly swear that i am up to no good

Repeatafterme:Dadisalwaysright (30 characters)
Repeat after me: Dad is always right

VoIP Phones - Voice Mail Msgs

Protecting ALL Your Company’s Assets and Preventing Fraud

Jeanette Mosley, CPA, CTP and CGMA

CFO of PRESIDIAN HOTELS & RESORTS

Jeanette Mosley has over 20 years of experience in the Hospitality Industry specializing in Financial and Real Estate Development Accounting, Treasury Management, Cash Management, Investments, Risk Management, Insurance, Audits, Budgets, HR and 401(k) Plan oversight, Employee Benefits selection, and Credit & Collections. She is experienced in effective management of critical relationships with Banks, Owners and Investors.

Jeanette has served on the Items Writer Task Force Committee for AFP (assists in writing the questions for the CTP Exam), received a Bachelor of Business Administration in Finance from the University of Texas in San Antonio and is a CPA and a CTP.

Jeanette is on the Board of Directors for the San Antonio Association for Financial Professionals and currently serves as Treasurer of TEXPO 2020.

Presidian Hotels & Resorts is a full service hotel development and management company known for first class service, operational excellence and exceeding owner and investor expectations. We have an extraordinary track record of maximizing asset value and delivering an uncompromising guest experience.

Presidian has developed and managed hotels such as DoubleTree Hotel, Hampton Inn, Hilton Garden Inn and Aloft. We have also renovated historical hotels and developed condominiums. Through affiliates, Presidian has initiated construction of a TownePlace Suites by Marriott and is converting a DoubleTree Hotel into the Estancia Del Norte (a boutique hotel by Hilton).

Presidian also provides contract hotel management services for properties owned by third-parties, such as Hilton Garden Inn, Holiday Inn & Suites, Holiday Inn Express, Candlewood Suites and boutique hotels.

PRESIDIAN HOTELS & RESORTS

Better Management Better Development Better Consulting Better Hospitality

Candlewood Suites Northwest San Antonio, TX Holiday Inn Express Dripping Springs Dripping Springs, TX Holiday Inn & Suites Northwest San Antonio, TX Holiday Inn Express Medical Center North San Antonio, TX Hampton Inn Bulverde Spring Branch, TX

Hilton Garden Inn Sugar Land, TX Hilton Airport San Antonio, TX Estancia Del Norte San Antonio, TX The Springs Resort & Spa Pagosa Springs, CO

9000 Tesoro Dr, Ste. 300 | San Antonio, TX 78217 | P: 210-646-8811 | F: 210-646-8814 | Presidian.com

Protecting ALL Your Company’s Assets

Cash – Review and Reconcile Bank Accounts daily for any unauthorized transactions by 10 am. Review Check Acceptance Policy. Use Counterfeit Detector Pens if you accept cash. Ensure CC batches are not hung up.

Investments – Review rates, maturities and company’s risk tolerance levels. Have an Investment Policy.

Receivables – Review weekly and keep clean (current). This converts to cash when collected.

Buildings – Maintain in excellent condition. Address issues immediately such as water leaks. Review Insurance policies.

Inventory and FF&E – Keep good records and dispose of obsolete assets.

Protecting ALL Your Company’s Assets

Intangibles: Company Name, Logos and Phrase - Trademark and file Assumed Name Certificates (DBA) with County and State.

Reputation – Corporate Culture, Develop Core Values & Mission Statements and don’t deviate from them. Integrity is your Reputation.

Associates – Hire right for Company’s Culture, Train and Retain. Educate Employees to keep them safe and reduce Worker’s Comp MOD rate/insurance premiums. Encourage Healthy Habits, Perform Wage and Employee Satisfaction Surveys, Offer Competitive Benefits, Perform Background Checks including Pre-Employment Drug Tests.

Protecting the Other Side of the Balance Sheet

Accounts Payable – Find a good balance between cash and credit. Pay Vendors on time so when cash is tight, your Vendors will work with you. Request refunds for credits in A/P. Lock up your Payable files. Pay Vendors from Invoices not from Statements. Collect W9’s prior to paying Vendors (to send out 1099’s at year end).

Liabilities – Maintain Summary of Vendor Contracts, Notes, etc. Be aware of evergreen clauses (auto renewable language in Vendor Agreements). Know your Debt Service Coverage Ratio (DSCR).

Accrual Accounts (Earned Vacation, Interest, etc.) - Make sure they balance to reports.

Stakeholders – Communicate timely and accurate information to Owners, Investors and Lenders.

Preventing Fraud

Bank Reconciliations – Perform daily by 10am. Look for unauthorized ACH debits and notify Bank within 24 hours. Alert your Bank immediately if fraud is detected or even suspected. Clear old items quarterly (uncashed checks).

Check Stock and Company Credit Cards – Keep locked up at all times. Control access. Use a high quality secure check stock company. Review Statements for Activity.

Wires – Confirm wiring instructions by calling recipient at a known contact number. Dual Control on Wires - different person initiates and a different person approves ALL wires. Require Multifactor Authentication (MFA).

ACH – ACH Positive Pay, ACH Filters and Blocks, Dollar Limits and Dual Control.

Preventing Fraud (Continued)

Accounts Payable – Use Positive Pay or Reverse Positive Pay on all checks issued. Confirm Vendor change of address or banking information by calling contact on file not the contact on the email.

Emails – Use a Spam Filter. Don’t open emails if you do not recognize the sender. Hover over sender’s URL on email to confirm email address is correct. Don’t click on embedded links and attachments. Don’t Unsubscribe to spam email. Confirm email notifications stating a password has been changed.

Communicate – Confirm with CEO or CFO if you are asked by email to place a wire, issue a check, or buy gift cards. Don’t reply by email. Confirm verbally with CEO or CFO, in person or by telephone.

Passwords – Create difficult passwords which are easy to remember but hard to hack (a phrase with letters, special characters and numbers), at least 15 characters long. Don’t use the same passwords. Don’t share passwords or leave them at your desk, under a keyboard or on a calendar. Use a phone with facial recognition or a Secure Password Software App/Vault.

Preventing Fraud (Continued)

Tokens – Soft tokens on phone vs hard tokens (key fob) that you carry with you. Don’t leave tokens physically near your passwords.

Banking – Have regular meetings with your Banker. Make sure they have your cell number in case they need to contact you. Set up text alerts or email notifications of transactions.

Procedures – Review Procedures regularly and Train Employees often on the latest Fraud Trends and ways to prevent Fraud. Test your Procedures.

Computer and Computer Software Updates – Dedicate certain computers for Banking Transactions only and avoid internet surfing and emails on those computers. Stay current with updates. Some updates are patches to security holes.

Antivirus Program and Firewall – Confirm with IT Department that this is being done and is routinely updated.

Preventing Fraud (Continued)

Server Room – Limit access to few individuals.

Insurance Policies – Meet with Broker to discuss adding crime (embezzlement) and cyber security coverages to policies.

Segregation of Duties – Different Employees performing different functions. Review online banking users and check signers often.

Internal Controls – Perform quarterly. Create Self Audits.

Sensitive Documents – Never leave these types of documents on your desk or on your screen when you are away. Lock computer.

Preventing Fraud (Continued)

Encourage Vacation Time – This is good for Employee satisfaction and a good form of check and balance to uncover fraud.

Employee Handbook – Include language about automatic termination for theft. Require Employees sign an Acceptance page of all the Policies within your Employee Handbook including anytime there is a revision. Make this an automatic email when revised.

Direct Deposit – Have Employees update their own records in Payroll System so the process is not hacked or compromised.

Public Wi-Fi – Avoid using especially for Banking.

Preventing Fraud on a Personal Level

Review Credit Reports – https://www.annualcreditreport.com/index.action is the only Federally authorized online source for you to obtain your free credit reports. You can get a free credit report from the 3 national credit reporting agencies every 12 months. (Spread each request over 4 months). Make sure you click on the correct website and not the Ads that come up first. Consider freezing your credit.

RFID Protective Sleeves – Use for Passport, driver’s license, insurance cards, credit cards especially when traveling. Make copies of front and back of documents when traveling in case wallet or purse is stolen.

Credit Cards – Review statements. Set up text alert notifications. Alert credit card companies of travel plans especially if traveling abroad.

Mail – Have USPS hold mail when traveling.

Smart Home – Have lights turn on at certain times. Install Cameras.

Antivirus Software – Install a reputable software after researching.

You can email me with any additional questions at: [email protected]

THANK YOU!!!