News

Banks Upgrade Their Defenses Against Check Fraud, Then Criminals Adapt

By Fred Williams

After doubling from 2021 to 2022, the annual volume of suspicious activity reports filed on instances of check fraud in the U.S. is set to rise an additional 25 percent this year as depository institutions scramble to overhaul legacy systems for handling the financial instruments.

According to the Financial Crimes Enforcement Network, or FinCEN, through the first half of 2023, U.S. banks and credit unions filed nearly 315,000 SARs on attempts by customers to defraud them or their clients by cashing phony or stolen checks, placing them on track to submit 600,000 such reports for the full year if their filing rate holds steady through December.

Banks and credit unions in the U.S. filed roughly 501,000 suspicious activity reports on check fraud in 2022, pushing the crime to the top of suspected violations that financial institutions flagged FinCEN through SARs during those 12 months.

“The increase in check fraud has left many Americans in difficult situations where thousands of dollars are stolen from them,” Sherrod Brown (D-OH), chair of the Senate Banking Committee wrote the American Bankers Association on March 8. “According to reports, banks fail to properly identify fraudulently altered checks and when they do–they ultimately fail to timely reimburse victims.”

FinCEN warned the month prior of a surge in altered and counterfeit checks tied to organized mail-theft rings, and urged banks and credit unions to monitor accounts for uncharacteristically large checks issued to new payees, new accountholders who receive multiple checks from different payers before rapidly withdrawing the funds, and other red flags.

“Financial institutions are pouring a ton of resources into this,” Kevin Toomey, an attorney with the Arnold & Porter law firm in Washington, D.C., told ACAMS moneylaundering.com.

In July, four months after receiving Brown’s letter, the American Bankers Association launched an online directory with contact information for more than 1,000 anti-fraud compliance officers to facilitate information exchanges between financial institutions on fake or altered checks, identify and shut down accounts used in check fraud schemes and speed up reimbursements.

But counterfeiters continue to buy larger volumes of stolen checks and access to “drop” accounts opened with stolen or fictitious identities, said David Maimon, director of cybersecurity research at Georgia State University in Atlanta.

“We’re seeing more and more,” Maimon told ACAMS moneylaundering.com.

Profit motive

Maimon’s research group, which tracks activity on 60 online black markets, logged 6,330 stolen checks listed for sale in July, up from 4,400 in June and 4,000 in May. Despite attempts by banks   and the U.S. Post Office to ramp up security, “these folks are still getting the envelopes.”

The financial incentives are powerful.

Pilfered business checks typically cost $650 but may fetch as much as $10,000 apiece after the counterfeiters who bought them use acetone, benzene and other solvents to erase the names of the legitimate payee and the amount of the payment. Stolen personal checks range from $125 to $175 but can yield thousands of dollars once cashed.

Fake drivers licenses, passports and other identity documents are available for sale in bulk on online black market vending websites, alongside “mule” or “drop” accounts opened with stolen or synthetic identities, Maimon said.

Postal workers have also participated in check fraud schemes, as have bank employees.

In one case, convicted fraudster Meshach Samuels used account details he obtained from an unidentified bank teller in Orange County, California, to create phony checks which he then directed mules he recruited on Instagram to cash on his behalf.

The scheme netted Samuels more than $400,000 over a 10-month period in 2021 and 2022.

In July, federal prosecutors in North Carolina charged Jakia McMorris, a former mail carrier in Charlotte, with stealing $40,000 worth of checks in two months from mailboxes she allegedly unlocked with master keys she reported lost in September 2021.

McMorris and her co-conspirators allegedly used several accounts to deposit the checks in October and November of last year, then quickly withdrew the funds, converted some of them into money orders that they deposited into other accounts to obscure the financial trail.

Banks and credit unions in North Carolina, the ninth-largest U.S. state by population, filed the largest share of SARs citing check fraud from January through June, according to FinCEN.

Those in Ohio, the seventh-most populous state, filed the second-largest volume, suggesting that factors other than population drive the crime.

Raising their game

Using a combination of tellers’ scrutiny and screening software, banks capture 75 percent to 85 percent of fraudulent checks that criminals seek to cash, said John Calderon, chief compliance officer of Bison State Bank in Kansas City, Kansas.

Checks deposited via ATM or remote capture—an option that money mules favor because it allows them to bypass tellers—may present a higher risk of fraud. But automated systems still have the ability to detect smudging and other signs of alterations, not to mention red flags such as a high frequency of deposits and high rates of return for the accounts used to cash them.

“It’s not like a human being inspecting a check,” Calderon said. “It’s not foolproof, there’s always some risk.”

For new accounts, banks sometimes seek to reduce their exposure to losses by setting a longer holding period on deposited checks and a lower maximum amount on withdrawals, or both.

Calderon said that during his previous stint as head of compliance at a large check-cashing company, the process of validating a large check would sometimes take more than an hour and often mean calling the issuer’s bank for confirmation.

“In the business of cashing checks on the spot, we had to be very diligent.”

On one occasion, a customer presented a $50,000 check that he falsely described as the proceeds of a legal settlement after 5 p.m., when the law firm listed as the issuer could not be reached.

Image analysis revealed an inconsistency: the ‘5’ in the amount of the check had been written with a different pressure than the other figures. Calderon responded to the anomaly by inviting the customer to return the next day to cash that check after his business verified its authenticity with the law firm.

“The customer never returned,” Calderon said.

NICE Actimize, a consultancy and software company in Hoboken, New Jersey, reported in July that banks increasingly use image validation technology to identify and avoid cashing altered and counterfeit checks.

They also use behavioral analytics to flag anomalous transactions, as well as “negative lists” of suspected stolen or false identities drawn from the dark web and from accounts already linked to deposits of fraudulent instruments.

Image validation technology analyzes previously cleared checks to validate signatures and the authenticity of “stock,” or paper, while also scanning for irregularities that may suggest an alteration.

“That’s a big piece of the equation because traditionally, a lot of the deposit channels were only doing a very simple validation of the item,” said Joseph Gregory, chief strategy officer at check processing and fraud detection technology maker OrboGraph in Burlington, Massachusetts.

Out with the old?

Many institutions have avoided upgrading their check processing systems for decades amid a multiyear decline in check use.

But while commercial checks dropped by nearly 50 percent in terms of volume over the past 10 years, according to the Federal Reserve, their average value doubled from $1,295 to $2,617 during the same period, giving fraudsters an opportunity to potentially double their profit per deposit.

“We’re seeing a strong push by several banks to try to reduce the use of checks—they’re the least secure form of payment,” Paul Benda, the ABA’s vice president for cybersecurity and operational risk, said in an Aug. 3 podcast. “They’re trying to convince a lot of customers to move towards electronic payments.”

The U.S. Postal Inspection Service launched an effort in May to combat the wave of mail theft by replacing 12,000 streetcorner mailboxes with newer, more secure models, replacing locks on 49,000 older boxes, and urging customers to deposit their mail in person at their post office or hand it directly to their carrier.

Counterfeiters and their associates appear to have adjusted to the new security protocols, Maimon said. For example, a larger share of “mule” accounts sold on the dark web have been “aged,” meaning set up two to three years prior to their acquisition.

“All the banks have anomaly detection to figure out if your account is legitimate or not, but these guys know how to fly under the radar,” Maimon said.

Photos of debit cards that vendors post on the dark web to promote their sales of mule accounts now routinely blur out their names and account numbers so as to avoid detection by monitoring services.

“In the past we saw PIIs [personally identifiable information] all over the place, now they’re masking it,” Maimon said. “They know they’re being watched.”

Contact Fred Williams at fwilliams@acams.org

Topics : Anti-money laundering , Fraud
Source: U.S.: FinCEN
Document Date: August 25, 2023