How to avoid fraud at your independent insurance agency
Moving money poses the greatest risk of fraud for an insurance agency. Here's what agency owners can do to protect their business.
Every independent insurance agency must protect its operations from fraud, including bank fraud.
Moving money ― both incoming and outgoing ― poses the greatest risk of fraud for an insurance agency. Collecting premiums, paying bills, administering payroll, paying commissions, and moving funds from or to depository accounts all require procedural protocols and consistent monitoring to mitigate risk for the agency.
The higher the transaction volume, the greater the risk rises for fraud. Risk is present whether transactions are conducted by check, deposit, wire, or ACH (automated clearing house).
Is email a source of fraud?
A prevalent risk for fraud is business email compromise, or BEC. The Federal Bureau of Investigation reported that in 2021, the agency received 19,954 email account compromise complaints with adjusted loses of nearly $2.4 billion.
In the independent agency channel, agency owners unfortunately have become victims of this type of phishing attack, which involves a criminal impersonating an employee or executive at the agency or a trusted vendor in order to gain access to funds or sensitive information.
In many instances, it involves a scheme in which the fraudster has hacked an email account and requests a wire transfer or ACH request to move money out of the agency. ACH transactions are a rich target because these transactions are the way agencies move money from their account for payment to carriers and or to collect payment from insureds. The stolen funds are often transferred to crypto currency wallets or out of the country, making it difficult to recover them.
Is malicious software used to steal accounts?
Corporate account takeover is a crime in which cyber criminals penetrate the computer network of a business and spread malicious software ― such a “keylogger” ― that records the words typed, web browsing history, passwords and other private information. This in turn allows criminals to access your agency software programs, including online banking. As with BEC, these funds are very difficult to recover once they leave the bank.
Is check fraud common?
Counterfeit or altered checks are still a target for fraud at agencies. Checks are vulnerable from the moment they are issued until they are cashed. Check fraud can include:
- Stolen checks. Mail theft is still a growing trend, whether the fraudster steals blank checks or written checks placed in the mail.
- Check alteration. This is most common with payroll checks. A check for $500 can easily be changed to $5,000.
- Copying checks. Changing various information on a check and making a color copy has also proven to be easy and effective for fraudsters.
- Unauthorized printing of checks within an agency. Unfortunately internal check fraud is as great a threat as external fraud. Employees who have access to check printing within the agency have the opportunity to commit fraud.
- Creating a fake check, whether paper or digital, on the agency’s account.
- Check-washing. In this growing trend, a scammer steals a check from a mailbox then erases the name of the payee with common household cleaning products. The check is then made payable to the scammer. Because the amount matches the bank statement, the fraud can escape notice until too late. The criminal receives the funds while the legitimate payee endures the hardship.
How are an agency’s financial accounts potentially affected by fraud?
The compromise of an agency’s financial accounts or computer system becomes a huge disruption to their business. Depending on the dollar amount stolen or type of scheme, the fraud often results in a negative impact to the bottom line.
Imagine the hassle of closing accounts, issuing stop payments, ordering new checks and reissuing payments. Often, to recover, the agency must manage two accounts on an interim basis and tell all of their carriers to redirect funds to their newly established replacement account.
The victimized agency owner often must hire an expert to perform a computer-hacking forensic investigation. This process aims to detect hacking attacks, properly extract evidence to report the crime, and conduct audits to prevent future attacks. All of this is expensive and time-consuming.
How can an agency combat fraud?
The basic steps to protect an agency are straightforward:
- Put firm procedures in place to deal with access to funds and disbursement of funds.
- Train your employees to recognize suspicious signs of online fraud.
- Replace paper check writing with technological cash management products such as online banking, ACH origination, bill pay and wire transfer.
- Use an automated fraud detection tool known as “Check Positive Pay” or “Positive Pay.” This service, conducted by the bank, compares each check presented for payment against the agency’s check issue file. It also has an ACH component for electronic transactions. It identifies checks or ACH transactions that don’t match, allowing the agency to stop fraud on their account. The agency can view the images of check or transaction exceptions before deciding which items to pay and which to mark as fraudulent.
- Establish a firm procedure for acting upon email requests to move money. Regardless of whether the request is made by someone internally or by a known vendor, the agency should validate the request by doing what may be old-fashioned: Pick up the phone and call the requester to validate them before acting upon the request.
- When using remote deposit, be sure that the original checks deposited are safeguarded and that scanned checks are not left unsecured. Ultimately deposited checks should be shredded.
- The agency that continues to use paper checks should safeguard them in a locked drawer or vault when not in use and make sure no lone employee has absolute access to checks when paying accounts.
- Rather than allowing mail delivery to the agency, establish a post office box at the local U.S. Postal Service branch to reduce mail theft and access to sensitive information.
The security tips presented here are simply guidelines to aid agencies in diminishing security and privacy risks and managing them. Although none can be guaranteed 100% effective, they can help reduce the probability of becoming the next victim of fraud.
Patricia Smith (psmith@insurbanc.com) is vice president and director of Cash Management Services/Business Development officer at InsurBanc, a division of Connecticut Community Bank, N.A. InsurBanc specializes in financial products and services nationally for the independent insurance distribution community. Started in 2001 as a vision of the Big “I,” InsurBanc finances acquisitions and perpetuations and helps agencies become more efficient by providing cash-management solutions.
See also: