Ralph C. Aiello Senior Vice President Treasury Management Manager

Greg Williams Senior Product Director, Head of Payables

Mitigating Payment Fraud: PROTECT YOUR COMPANY FROM AND CHECK FRAUD

“The use of paper checks is a growing source of fraud. That said, fraudsters can also find ways to commit fraud via electronic means. It’s important to focus on how to mitigate the risk of fraud by any means, including electronic.” —GREG WILLIAMS, STERLING NATIONAL BANK

Payment fraud prevention is continuously evolving. While shifting payments from paper checks to electronic systems, such as wire transfer and ACH transactions, has served as an effective deterrent to check fraud, electronic payment systems are still not entirely safe from criminal activity. Criminals can and do find ways to commit fraud via electronic means. And check fraud resulting from the use of paper checks remains a concern.

Social Engineering Attacks

Most of the breakdowns in cybersecurity occur from social engineering email attacks. Hackers gaining entry into an online system and diverting funds used to be a more significant threat, but improvements in security have made that harder for criminals to pull off. Social engineering attacks manipulate people into disclosing confidential information or releasing funds inappropriately. If criminals can do that, they don’t need to hack into well-protected computer systems.

Think of social engineering as “people hacking.” Social engineering attacks often use two techniques, known as “phishing” and “spear phishing.”

• Phishing uses fraudulent emails sent to many targets at one time to trick recipients into providing personal information or sending funds to an unauthorized recipient.

• Spear phishing targets individuals—usually managers or executives in financial institutions, companies, or nonprofits—using information gathered about the targets to increase the attack’s chance of success.

Both techniques can be used to impersonate someone who might legitimately ask the recipient to transfer funds through the banking system. Also known as “executive impersonation” or Business Email Compromise (BEC), these attacks exploit the recipient’s trust and subsequent willingness to comply with a request from someone in authority. For example, a corporate employee or bank employee might receive an email—supposedly from a senior manager, executive, or even the CEO—requesting an urgent wire transfer or ACH payment to a vendor. If the recipient takes the bait and initiates a wire transfer, the funds actually go to the criminal.

STERLING NATIONAL BANK RANKED BY FORBES’ 2020 “AMERICA’S 100 BEST BANKS” // CYBERSECURITY—TREASURY MANAGEMENT // SNB.COM | 1

WHITE PAPER

Review your account activity frequently online, and question anything that seems unusual or suspicious. When in doubt, call your relationship manager.
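The executive-impersonation scenario described above can be turned into a routine screening step on the payables side. The following is an added example, not Sterling National Bank’s tooling or a product of this paper: a small Python routine that holds a payment request for phone verification whenever it shows the kind of signs the paper warns about (bank instructions that differ from the vendor record, urgency, a sender who says they cannot be reached, a from address, reply-to or callback number that does not match what is on file). The “on file” records and both sample requests are constructed for the example.

```python
"""Screen a payment request for the signs of executive impersonation / BEC
described in the white paper, and hold it for out-of-band verification.
Added example with constructed data; not Sterling National Bank's own tooling."""
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical "on file" records (constructed): who normally writes from which
# address and phone, and each vendor's established bank instructions.
KNOWN_SENDERS = {
    "jane.doe": {"email": "jane.doe@example-corp.com", "phone": "+1-555-010-0100"},
}
VENDORS_ON_FILE = {
    "acme supply": {"routing": "021000021", "account": "123456789"},
}

URGENCY_WORDS = ("urgent", "immediately", "right away", "asap", "today", "before close")
UNREACHABLE_PHRASES = ("cannot be reached", "can't be reached", "in meetings all day",
                       "do not call", "don't call", "unable to talk")


@dataclass
class PaymentRequest:
    display_name: str      # who the message claims to be from
    from_addr: str
    reply_to: str          # "" when the header is absent
    body: str
    vendor: str
    routing: str
    account: str
    callback_phone: str = ""


def screen_request(req: PaymentRequest) -> list[str]:
    """Return every red flag found; an empty list means none of the listed signs appeared."""
    flags: list[str] = []
    text = req.body.lower()
    known = KNOWN_SENDERS.get(req.display_name.lower().replace(" ", "."))

    # "An unlikely email address": the claimed sender writes from an address not on file.
    if known and req.from_addr.lower() != known["email"]:
        flags.append(f"from address {req.from_addr} does not match the address on file")
    # A Reply-To that points elsewhere routes the conversation to the impersonator.
    if req.reply_to and req.reply_to.lower() != req.from_addr.lower():
        flags.append(f"reply-to {req.reply_to} differs from the from address")
    # "Statements of urgency"
    if any(w in text for w in URGENCY_WORDS):
        flags.append("message stresses urgency")
    # "A sender who is unable to be contacted"
    if any(p in text for p in UNREACHABLE_PHRASES):
        flags.append("sender claims to be unreachable")
    # "Changes in previous instructions": bank details differ from the vendor record.
    vendor = VENDORS_ON_FILE.get(req.vendor.lower())
    if vendor and (req.routing, req.account) != (vendor["routing"], vendor["account"]):
        flags.append("bank details differ from the instructions on file for this vendor")
    # "A contact phone number ... not usually used by the sender"
    if req.callback_phone and known and req.callback_phone != known["phone"]:
        flags.append("callback number differs from the number on file")
    return flags


def disposition(req: PaymentRequest) -> tuple[str, list[str]]:
    """HOLD means: do not pay; verify by phone using the trusted number on file,
    never the number given in the email itself."""
    flags = screen_request(req)
    return ("HOLD" if flags else "OK", flags)


# Constructed sample: an "urgent" request that looks like it comes from the CEO.
SUSPECT = PaymentRequest(
    display_name="Jane Doe",
    from_addr="jane.doe@examp1e-corp.com",        # look-alike domain
    reply_to="jane.doe.ceo@webmail.example",
    body="Need this wired today, urgent. I'm in meetings all day so don't call, just confirm by email.",
    vendor="Acme Supply",
    routing="021000021",
    account="999999999",                           # changed from the vendor record
    callback_phone="+1-555-099-9999",
)

# Constructed sample: a routine request that matches everything on file.
ROUTINE = PaymentRequest(
    display_name="Jane Doe",
    from_addr="jane.doe@example-corp.com",
    reply_to="",
    body="Please schedule the attached Acme Supply invoice with next week's run.",
    vendor="Acme Supply",
    routing="021000021",
    account="123456789",
    callback_phone="+1-555-010-0100",
)

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT), ("routine", ROUTINE)):
        verdict, flags = disposition(req)
        print(label, verdict)
        for f in flags:
            print("  -", f)
```

The routine is deliberately an aid to the dual-approval and phone-verification practices, not a replacement for them: a request with no flags still goes through the normal approval path, and a held request is cleared only by a call to the number already on file.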

WHAT TO LOOK FOR. Fraudulent email requests often have telltale signs, such as:

• Changes in previous instructions
• Statements of urgency
• A sender who is unable to be contacted
• An unlikely email address
• A contact phone number or email that is not usually used by the sender
• Language that includes errors or is not in the sender’s typical tone or style
• Evidence of cutting and pasting, such as different font sizes, grammar shifts, or repetition

HOW TO PROTECT YOURSELF. Follow these best practices every day, but especially when fraud is suspected:

• Be alert to anything out of the ordinary. If something feels suspicious, trust your instincts, and don’t hesitate to question it.
• Verify the request by phone using a trusted number.
• Consider the supposed sender: Does the request make sense? Is it consistent with the sender’s typical operations?
• Research the recipient to be sure they make sense.
• Above all, use common sense and err on the side of caution. Even though an urgent request from your boss or your boss’s boss might seem like it demands immediate action, ask yourself if those people are likely to make such a request of you. When in doubt, always double-check. After all, would they be upset if you took a little time to be sure the request is not fraudulent?

Internal Anti-Fraud Practices

As vital as it is for all employees to be on the alert for fraud, it’s even more critical for companies to establish and maintain systems and procedures to actively prevent fraud.

DUAL APPROVAL. One of the most effective ways to prevent fraud is to require two people to approve any financial transaction, a practice known as dual approval. This significantly reduces the risk of being compromised because the chances of a hacker getting two active IDs simultaneously, or convincing two people to approve a fraudulent transaction through social engineering, are low.

DEDICATED COMPUTER. Setting up a dedicated computer—one that is used only for financial transactions, has no email access, and can only connect to secure sites—eliminates much of the risk of hacking.

SEGREGATED AND DEFINED DUTIES. Company procedures should make it difficult for one person to have too many overlapping responsibilities for financial transactions.

SECURE EMAIL. A secure email system encrypts emails as they are sent and received, and requires the receiver to provide authentication. If that’s not possible, you should, at minimum, truncate any account numbers that you include in email correspondence, showing only a few digits of the entire number. It’s also important to be consistent in how you truncate. If you send the first few digits in one email, and the last few digits in another, a hacker who has access to your email account could easily determine the entire number and gain access.

FREQUENT ONLINE ACCOUNT REVIEW. This is one of the most common ways fraudulent account activity is detected. If a fraudulent transaction occurs, the sooner you alert the bank, the higher the chance of recovering the money. If you find a problem, don’t report it once and then let down your guard. Once an account number is compromised, there probably will be multiple attempts to move money out of the account.

STAFF EDUCATION. Since much vulnerability comes from people, not technology, ongoing staff education about computer safety is essential, including basics like not clicking on unfamiliar or unexpected attachments and never sharing passwords.

Sterling National Bank has experts that can help to educate your staff about how to protect your organization from account fraud.

“Over the years, we’ve seen cybercrime evolve from relatively simple and detectable 'Trojan horse' virus attacks to sophisticated social engineering email attacks that induce victims to divulge private information and send funds by impersonating a trusted colleague, executive, or vendor.” —RALPH AIELLO, STERLING NATIONAL BANK

“Old Fashioned” Check Fraud

Don’t assume that financial attacks can only arrive by computer. As more companies convert from paper-based to electronic banking, fraud attempts are following the same path, but check fraud is still a major concern. The first increase in check fraud losses since 2008 occurred in 2017, according to ABA’s 2017 Deposit Account Fraud Survey Report. Check fraud can include the use of counterfeit checks created digitally, forged checks using stolen blank checks, and altered or forged endorsements on legitimate checks.

WHAT TO LOOK FOR. These are some common signs of possible check fraud:

• Different check stock
• Check numbers that are out of sequence
• Inconsistent handwriting or signature
• Checks that are missing the client’s name
• Purpose or payee that is inconsistent with the client’s usual activity
• Physical tampering, including indications that a check has been dampened or washed
• A sudden increase in check activity

HOW TO PROTECT YOURSELF. Question anything that feels unusual or suspicious, and follow these best practices at all times:

• Avoid mailing checks, especially using outdoor mailboxes
• Write checks using black gel pens, whose ink is harder to remove or alter
• Limit access to checks and keep check stock locked up
• Do not “pre-sign” blank checks
• Use fraud detection tools available from your bank
• Review your account activity frequently and question anything unusual

Bank Fraud Protection Tools

Just as cybercrime has evolved, so have the treasury management tools offered by banks. Treasury management—which started with relatively simple processes such as manually matching check numbers and check amounts—has evolved into a suite of tools that encompass robust fraud protection.

CHECK POSITIVE PAY. This daily automated service provides early detection of fraudulent, altered, or counterfeit checks. The company provides the bank with a list of issued checks. Checks received by the bank are compared to this list, and only checks included on the list are paid. Bank clients are alerted to any checks not on the list, allowing them to identify unauthorized activity.

CHECK REVERSE POSITIVE PAY. For companies with a smaller volume of checks, the bank sends a list of all checks received before any are paid. The client reviews all checks and alerts the bank to any that do not match their approved list, allowing suspected fraudulent payments to be returned.

CHECK BLOCK. A service that protects your checking account from fraudulent or unauthorized check writing by restricting the account to electronic activity. All checks presented against your account will be automatically returned, while allowing you to continue to send and receive electronic payments or deposits.

ACH DEBIT BLOCK AND ACH POSITIVE PAY. This ACH screening service defaults to blocking all ACH debits, so none are cleared automatically. Instead, as ACH debit transactions or checks come into the bank, they are made available to the bank client via online banking for review, which is called ACH Positive Pay. If the decision is to pay, a filter can be created to allow future ACH debit transactions or checks from the same vendor or supplier to be processed automatically.

OTHER TOOLS. Additional treasury management tools include courier service to bring checks to the bank; online initiation of ACH and wire transfers; lockbox services, which are centralized physical or electronic payment destinations that shift payment processing to the bank; account reconciliation tools that streamline the process; and fraud detection tools that identify fraud before checks are paid.

Contact your Sterling National Bank Relationship Manager or Treasury Management Client Services at 212-575-8020 to review all of the fraud protection tools we offer.
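To make the matching behind Check Positive Pay and ACH Debit Block / ACH Positive Pay concrete, here is an added example in Python. It is not the bank’s implementation and the issue file, presentments, ACH filters and debits are all constructed for the illustration. The check routine pays only an exact match on number, amount and payee against the issue file the company sent, and turns everything else (a check never issued, an altered amount, a washed and rewritten payee, a paid check presented a second time) into an exception for the client to decide; the ACH routine defaults to blocking, clearing a debit automatically only when a filter already exists for that originator and the amount is within the filter’s cap.

```python
"""How Check Positive Pay and an ACH debit filter decide what to pay.
Added example with constructed data; not the bank's own implementation."""
from __future__ import annotations
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: int
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class AchDebit:
    originator_id: str     # company ID of the party pulling the debit
    originator_name: str
    amount: Decimal


def check_positive_pay(issue_file: list[Check], presented: list[Check]) -> list[tuple[int, str]]:
    """Compare each presented check with the issue file the company sent the bank.
    Only an exact match on number, amount and payee is paid; anything else is an
    exception the client must review (a payee mismatch is the classic altered check)."""
    issued = {c.number: c for c in issue_file}
    already_paid: set[int] = set()
    decisions = []
    for item in presented:
        ref = issued.get(item.number)
        if ref is None:
            decision = "EXCEPTION: check number not on issue file"
        elif item.number in already_paid:
            decision = "EXCEPTION: duplicate presentment of a paid check"
        elif item.amount != ref.amount:
            decision = f"EXCEPTION: amount {item.amount} differs from issued {ref.amount}"
        elif item.payee.strip().lower() != ref.payee.strip().lower():
            decision = "EXCEPTION: payee differs from issue file (possible alteration)"
        else:
            decision = "PAY"
            already_paid.add(item.number)
        decisions.append((item.number, decision))
    return decisions


def ach_debit_filter(filters: dict[str, Decimal], debits: list[AchDebit]) -> list[tuple[AchDebit, str]]:
    """Default is block: a debit clears automatically only when a filter exists for its
    originator and the amount is within that filter's cap; everything else is held for
    online review (ACH Positive Pay), where the client can pay it and add a filter."""
    out = []
    for d in debits:
        cap = filters.get(d.originator_id)
        if cap is None:
            out.append((d, "HOLD: no filter for this originator, present for review"))
        elif d.amount > cap:
            out.append((d, f"HOLD: amount exceeds filter cap of {cap}"))
        else:
            out.append((d, "PAY"))
    return out


def exceptions(decisions: list[tuple]) -> list[tuple]:
    """Items the client has to look at; each is a pay/return decision owed to the bank."""
    return [d for d in decisions if d[1] != "PAY"]


# Constructed issue file and one day's presentments.
ISSUE_FILE = [
    Check(1001, Decimal("1250.00"), "Acme Supply"),
    Check(1002, Decimal("80.00"), "City Utilities"),
    Check(1003, Decimal("5000.00"), "Office Lease LLC"),
]
PRESENTED = [
    Check(1001, Decimal("1250.00"), "Acme Supply"),    # genuine
    Check(1002, Decimal("880.00"), "City Utilities"),  # amount altered
    Check(1003, Decimal("5000.00"), "J. Smith"),       # payee washed and rewritten
    Check(1004, Decimal("300.00"), "Cash"),            # counterfeit, never issued
    Check(1001, Decimal("1250.00"), "Acme Supply"),    # copy of a paid check presented again
]
ACH_FILTERS = {"1234567890": Decimal("2000.00")}       # constructed: payroll provider allowed up to $2,000
ACH_DEBITS = [
    AchDebit("1234567890", "PAYROLL SVC", Decimal("1500.00")),
    AchDebit("1234567890", "PAYROLL SVC", Decimal("2500.00")),
    AchDebit("9999999999", "UNKNOWN CO", Decimal("49.00")),
]

if __name__ == "__main__":
    for number, decision in check_positive_pay(ISSUE_FILE, PRESENTED):
        print(number, decision)
    for debit, decision in ach_debit_filter(ACH_FILTERS, ACH_DEBITS):
        print(debit.originator_name, debit.amount, decision)
```

Reverse Positive Pay is the same comparison run on the client’s side: the bank sends the list of presented items and the client applies its own issue file to it, returning anything that would have been an exception here. Amounts are kept as Decimal rather than float so that a one-cent alteration is never lost to rounding.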
