You may not be aware that writing paper checks discloses information that bad actors can use easily to empty your account – or worse if you have overdraft privileges.
Summary
This NCC white paper discusses the risks associated with writing paper checks and provides alternatives for making payments. Writing checks discloses information that can be easily used by bad actors to empty your account. All a forger needs are your bank routing number, name, and checking account number, which are shown on every check you write. We emphasize the importance of treating your checking account number as confidential and you can inform your bank to eliminate physical check writing as an account feature.
An example of a real experience with a fake check is provided. Alternatives to checks are provided, such as credit cards and mobile payment apps. The level of protection once you detect fraudulent checks depends on the policy and practice of the bank.
Additional actions suggested include using identity theft-protection services, opting for multi-factor authentication, and using a separate checking account with a low balance for writing checks. Also emphasized are whitelisting services offered by some banks to protect check recipients and ACH transfers.
You may have thought that the only checks your bank will cash against your account must have your signature. That is not true, you can verify that by asking your bank.
All a forger needs are your bank routing number (public information), your name (also public) and your checking account number (shown on every check you write).
The key is your checking account number – you must treat this as confidential, which means – stop writing and sending checks altogether – and inform your bank you want physical check writing eliminated as an account feature.
Counterfeit checks: There is no standard for check appearance. Someone can easily use your bank account, name and routing numbers to create fake checks and use them to pay for goods and services. A criminal can also easily alter a real check, and your bank will cash that too. Since checks can take days to clear, it may be some time before you realize you’ve been targeted.
Where do the bad actors get your account number?
Every check you write and send has your account number on it – one can easily go awry or can be sold to a bad actor. Perhaps the most prevalent disclosure of check information arises from the dramatic rise in theft of mail from the US Postal Service. Recently USPS conceded that mail theft was far outpacing earlier rates due to letter carriers being robbed on the job and USPS collection boxes being broken into.
USPS has said 412 letter carriers were robbed on the job and 38,500 incidents of “high volume” mail theft were tallied in fiscal year 2022. In the first half of fiscal 2023, USPS said it had already seen 305 carriers robbed and more than 25,000 thefts.
Example of a Real Experience with a Fake Check
I happened to be reviewing my checking account register online and I saw a charge of $150.24 that I did not recognize. I got the check image and studied it further. It did not come from me, yet it was cashed by the bank. After calls and escalations to five different people up the line at the bank (a large national bank), I heard a variety of comments about this check, take a look:
Bank: “It says OnLine Bill Payment Processing on the check.”
Me: “but OnLine Bill Pay history shows no such amount, and my signature is not on it”
Bank: “It says “signature on file”
Me: “anybody can print ‘signature on file.’ Who’s file? Do you just believe because it’s printed?”
Bank: “It says ‘this check has been authorized by your depositor’”
Me: “What does that mean? Who is the depositor? Me? I did not authorize this, and you have no record of me authorizing this either via Bill Pay or with a signature.”
Bank: “Our routing number and your account number are on the check.”
Me: “Really? That is what you used as evidence the check can be cashed even though Bill Pay has no record of it and my signature is not on the check?”
Bank: “Well, if you are saying it is a fraud, declare that to us and we will research it, but you must shut down this checking account and open a new one.”
Me: “OK, then I have to redo all the autopays set up to this account and switch them to the new account. Once I do that, can’t this happen again to the new account?
Bank: “Well, yes.”
Me: “So you are saying that if I have a checking account with check-writing privileges it is vulnerable to anyone who has the account number?”
Bank: “Yes and that is true of every bank. Be careful who you disclose your account number to.”
Me: “The account number is on every check.”
After going through the dialogue above, multiple times and spending countless hours, they basically said “not my problem, especially if you don’t notify us within 30 days of receiving your monthly statement.” The responsibility for security falls on us, the consumer. It’s unfortunate, but a reality in today’s world. The NCC strongly encourage the reader to review these safer alternatives.
Alternatives to Checks
Given the risks associated with writing checks, here are alternatives for conducting payments:
Credit Cards: These provide an additional security, as they require a security code (Card Verification Value or CVV number). A credit card is protected by your card issuer. There may be a credit card fee which is inexpensive insurance compared to losing all of your money.
Mobile Payment Apps: The rise of mobile payment apps, such as PayPal, Venmo, and Zelle offer a convenient method for transferring money without disclosing your account information.
Automated Clearing House (ACH) Payments: Increasingly, vendors are enabling ACH payments to be made online via secure portals. However, ACH can also be hacked if your account number gets into the wrong hands.
Which is Safer, ACH or Credit Card?
There is a higher level of fraud protection for credit card usage in the U.S. Another benefit is that a potential credit card fraud incident won’t directly deplete your operating capital. However, often payment by credit card incurs a fee, especially for larger charges. If a bad actor has your account number, name and bank routing number, they can institute ACH transfers. Often, portals enabling ACH transfers will use two-factor authentication, usually sending a text to your smart phone. But this is one more reason why sending paper checks is dangerous as they disclose your account number which then be used in less secure ACH payments.
Will a Bank Protect You from Fraudulent Checks?
This is highly dependent on the policy and practice of the bank. Usually there are requirements as to how much time you have in order to report a fraudulent disbursement. A typical statement is “You must notify us of any unauthorized transactions within 30 days of when your account statement is made available to you.”
The Push to On-line Payments
We are hearing from the banks that despite the long history of checks, many have no good solutions for check-writing security, hence the push for on-line payments. However, on-line payments have their own vulnerabilities to your phone and/or laptop being hacked which may allow access to your typing of account information to a Bill Pay, ACH portal or mobile payment. Improving your “cyber-hygiene” becomes even more important as you become more depending on electronic payments.
A Few Other Things You Can Do
Get an identity theft-protection service to monitor your bank accounts and alert you to any funny business, be it suspicious withdrawals or information changes.
Use a credit card or a money-transfer app.
Be stingy with your banking information to avoid bank scams.
Go for multi-factor authentication when banking online. That is at least one additional verification (such as a text to smart phone) in addition to account password.
If you must write some checks to people/vendors who have no ability to receive electronic funds, use a separate checking account with check-writing privileges but always keep low balances in that account, log in and look through it at least once/month for bad withdrawals, and do not sign up for overdraft privileges on it. You can also use on-line bill pay that will send a paper check without your account number on it.
Some banks (not all) offer a “whitelisting” service called various names like “check positive” or “positive pay” that allow you to register specific check recipients the bank will allow to cash a check from your account – and no one else. We advocate that feature and we take the position that all banks should offer it, and not just for their business accounts. Some banks also offer this feature for ACH digital transfers which also protects direct bank transfers.
Contact:
Rick Crandall, Chairman, NCC Cyber Committee, Rick@AspenVenture.com, http://www.linkedin.com/in/rlcrandall
NCC Contact:
Ian Grahek, Marketing & Communications Manager, ian.grahek@cyber-center.org