The trillions of dollars moving through the ACH banking channel is attracting the attention of fraudsters. Learn how cyber criminals insert new ACH batches and modify existing files to complete fraudulent payments. Also, learn how financial institutions can use originator and recipient behavior to quickly detect fraudulent ACH payments without tedious, manual reviews of long ACH reports.

1. Using Anomaly Detection to Prevent ACH
Payments Fraud
Tiffany Riley – Vice President, Marketing
Eric LaBadie – Vice President Sales and Customer Success

2. Guardian Analytics: The Leader in Fraud Prevention
“Minimum expectations for layered
security include the ability to detect
and respond to anomalous activity”
“FraudMAP allowed us to shift from being
reactive to proactive giving us confidence to
expand our online and mobile offerings
"Guardian Analytics…has a proven and
effective fraud detection risk-scoring
engine."

3. Criminals Turning Focus to ACH
“It seems that from some of the data,
the criminals are shifting from wires in
many respects to ACH to exfiltrate
funds”
– Bill Nelson, FS-ISAC (July 2012)

4. Two Recent Examples
“In the second week of July, I spoke with three different small companies that
had just been hit by cyberheists.” - Brian Krebs, Krebs on Security (Aug 12)
Example 1:
Business: Georgia fuel supplier
Bank: $123M Community bank
Story: Criminals attempted to transfer $1.67 million out of the company’s
accounts. When that failed, they put through a fraudulent payroll batch
totaling $317,000, which the victim’s bank allowed.
Example 2:
Business: Tennessee contracting firm
Bank: $270M community bank
Story: Trojan stole controllers login info and one-time password and redirected
user to “site down” webpage. Meanwhile, the attackers used that browser
session to put through a batch of fraudulent payroll payments for $328,000 to
at least 50 “money mules.”

5. Criminals Better At Defeating Authentication
 Fraudster
machine
 Proxy/RDP
through victim
 Spear phishing machine  Change personal info
 Vishing  Leprechaun  Call/phone forwarding
Access Validate
Human Steal Set Up Transfer
Online Transactions
Automated Credentials Fraud Money
Banking
ACH, Wire, Bill Pay,
 Twishing  Zeus Check Fraud…
 “Operation High Roller”  Zitmo
 Phishing  SpyEye
attacks  Ice IX
 Ice IX
 Spitmo
 Gameover
 Gameover
 Citadel
 Shylock

6. Customers and Profits Are At Risk
Fraudster takes ove
Criminals
Effort to find fraud with traditional corporate account
Progressive levels of fraud infiltration
Progressive levels of fraud
infiltration rules-based monitoring and reports fraud
Effort to find Business
1
FRAUDULENT FILE
• Fraudster submits a new completely
fraudulent ACH batch file
• May or may not exceed caps/limits
ROGUE RECIPIENTS
2
• Existing batch file
• New fraudulent payments
• Changes volume of transactions and batch amount
• May or many not exceed caps/limits
BALANCED BATCHES
3
• Existing batch file
• Criminal adds new credit transactions In 73% of
• Criminal balances file amount by adding debits corporate
• Likely not to exceed caps/limits or violate rules account
takeovers,
TAMPERED TRANSACTIONS money was
• Existing batch file
4
successfully
• Edits portions of transactions only (account transferred.
Increasing effectiveness
number, routing number)
• Transactions and amount typically the same at defeating caps. rules,
• Likely not to exceed caps/limits or violate rules limits

7. Customers and Profits Are At Risk
Fraudster takes ove
Criminals
Effort to find fraud with traditional corporate account
Progressive levels of fraud infiltration
Progressive levels of fraud
infiltration rules-based monitoring and reports fraud
Effort to find Business
1
FRAUDULENT FILE
• Fraudster submits a new completely
fraudulent ACH batch file
• May or may not exceed caps/limits Lose
confidence
after 1
ROGUE RECIPIENTS fraud attack
2
• Existing batch file
• New fraudulent payments
• Changes volume of transactions and batch amount
• May or many not exceed caps/limits Took their
business
elsewhere
BALANCED BATCHES
3
• Existing batch file following
• Criminal adds new credit transactions a fraud
In 73% of
• Criminal balances file amount by adding debits In 73% of attack.
corporate
• Likely not to exceed caps/limits or violate rules corporate
account
account Banks
takeovers,
TAMPERED TRANSACTIONS takeovers, sharing
money was
• Existing batch file money was losses with
4
successfully
• Edits portions of transactions only (account successfully their
transferred.
number, routing number) transferred. customers
• Transactions and amount typically the same
• Likely not to exceed caps/limits or violate rules

8. Courts Favoring Businesses
 Comerica – Experi Metal – Bank Did Not Act in Good Faith
 Ocean Bank – Patco – Bank Did Not Have Reasonable Security
 Bancorp South– Choice Escrow – Contract Not Valid
• "Long story short, the court ruled that UCC 4A pre-empted the
indemnification clauses being used by the bank in their
counterclaim,”
• The ruling suggests that a bank's contract with a customer that
contradicts the spirit of the UCC could be nullified by the courts
when legal disputes over fraud arise.

9. Investments in Addressing This Problem
“Behavioral analytics is a big area of spending we're
seeing, both to ward off the threats as well as to
comply with the FFIEC (Federal Financial Institutions
Examination Council) guidance.”
Julie McNelley, Aite Group
58% of FIs implemented anomaly detection and
cited it as effective in reducing Account Takeover
Fraud.
FS-ISAC ABA 201 Account Takeover Survey

10. FFIEC Guidance, RMAG Sound Business Practices

11. Behavior-based Fraud Prevention Solutions
Proven Approach
 Individual behavioral analytics
 Maximum detection, minimum
alerts
Retail Business
Most complete protection
 Instant, 100% coverage, no
adoption issues
 Stops widest array of fraud
attacks
 Not threat specific
Dynamic Account ModelingTM
TM
Easy to deploy and manage
 SaaS Offering
 Fast time to security with no
customer impact
 No IT maintenance
 No rules to write/maintain

12. Introducing FraudMAP ACH
 Best protection against sophisticated criminal
attacks
• Automatically analyzes ACH origination files for
suspicious activity
FRAUDMAP ® ACH • Dynamic Account Modeling™ determines risk
RISKAPPLICATION
based on individual originator behavior
 Eliminate manual file review and streamline
investigation
• Prioritize highest risk batches and transactions
FRAUDMAP ® ACH RISKENGINE • Risk reasons inform investigations
• Rich behavioral history provides context
 Fast time to security, low ongoing maintenance
• Rapid implementation
• No rules required

13. Behavior-Based Anomaly Detection for ACH Files
File Batch Transaction
• Customer Account • Company Name • Transaction Code
• File date • Effective Entry Date • Amount
• File time • Batch/credit amount • Destination Account
• File ID modifier • Standard Entry Class • Receiver name
•… Code •…
•…
FRAUDMAP ® RISKENGINE
Are the customer’s ACH actions normal? For this
time in history? (occurrence, frequency, sequence, timing,
type amounts, number)
Are the transactions typical? Are the transactions being
Given past relationship between made to a risky receiver?
customer/ receiver? (type, amount) (confirmed/suspected mule)

14. FraudMAP ACH DEMO

15. FraudMAP ACH Customer Story
"The customer e-mails us to tell us the total amount of the batch, but with
hundreds of transactions in one batched file, Burris says it's impossible to catch
everything with a manual review.”
“With FraudMAP, the review of ACH files will be completely automated,
detecting if any payees, for instance, have been changed or if line-item amounts
in the batch are atypical.”
"We know the threats aren't going away, and there is only so much you can do to
educate your customers."
“And even if we covered a loss, we could run the risk of losing the client. We have
not had any account takeovers in the past, but we consider ourselves lucky.
Many banks and credit unions our size have been hit."

16. For More Information
 info@guardiananalytics.com - Monthly Fraud Factor and
ongoing Fraud Informers
 www.guardiananalytics.com - Copy of the Business Banking
Trust Study or the Operation High Roller Report
 elabadie@guardiananalytics.com
 triley@guardiananalytics.com

17. Thank You