Money e-transfers: How safe are they?
Electronic funds transfer (EFT) is a quick and practical way to send money back and forth. They run smoothly, in ordinary conditions and do not pose a problem.
However, wherever large amounts of money is moving around, you will find criminals practicing their craft – cybercriminals to be precise.
In this day and age, digital heists are heavily publicized by the media, and people are shown to have lost thousands of dollars in fraudulent EFT operations. It’s no surprise the general public questions EFT security
Are electronic funds transfers safe? This article will explain the mechanics behind EFT and the methods banks use to protect against identity theft, how they investigate fraudulent operations, and what you can do to protect your safety when using EFTs.
What is an EFT?
We can define an EFT as,
“A funds transfer initiated through an electronic terminal, telephone, computer (including online banking) or magnetic tape for ordering, instructing, or authorizing a financial institution to debit or credit a consumer’s account.”
Different countries and cultures have different names for EFT. So, for instance, “e-check” is common in the US while in the UK the term “bank transfer” is preferred. Most countries in the European Union choose “giro transfer.”
How do EFTs work?
People still wire money, but the most popular way to move money is via a money transfer. Online financial operations don’t actually send money anywhere. Instead, they send (or receive) the digital data that represents money from one person to another. Thus they are instantaneous as there is no physical process associated (directly) with them.
Everything starts with contact information of some kind, such as a phone number or an email address, for each of the parties involved in the process. Then a web-based service will perform the service for a small fee.
While the process is technologically sophisticated the basic mechanics are simple enough, and we can narrow them down to the following steps:
- The sender begins an online banking session. The sender specifies the operation’s parameters: the recipient’s data, the amount being sent, a security question, and its answer. After that, the funds are instantly debited as is the fee.
- The sender uses another medium to convey the security answer to the recipient. Again, this is done for safety.
- The recipient receives an SMS text, or an email informing them there’s a transfer operation requiring their attention. The SMS, or email, will provide instructions about fund retrieval and how to answer security questions.
- The recipient provides the answer to the security question correctly. If they fail more than a specified number of times, the money may be returned to the sender.
- If the recipient doesn’t claim the money after a fixed period, the transfer will not t be completed. This time varies between institutions.
One advantage of an EFT is having access to a bank account is not mandatory for either the sender or the recipient. Also, transfers can be completed between credit cards, or in cash, generally for higher fees.
Is EFT safe?
EFT fraud happens when a party, other than the recipient or the sender finds, its way into a person’s email account and discovers the answer to the security question. The stolen information allows the third party to claim the transfer, so it never reaches the intended recipient.
EFT scams usually start with somebody asking for money in exchange for a product or service or as a donation for a cause. The current trend is Coronavirus scams in which people are “given the opportunity” to commence an EFT that funds vaccines, PPE, and testing kits – which will never be delivered.
So are EFT safe? There is no definite answer to this question. Consider that there is no money exchange system, whether digital or traditional, which is 100 percent secure. With that thought in mind, EFTs are safer and quicker than conventional methods. And there are several security measures that ensure the integrity of each operation. Those include:
- Multiple data encryption layers. This means that one or several encryption algorithms are applied more than once to the data so that, if intercepted, it looks like gibberish to the interceptor
- Fraud prevention. The best services in the industry always require their clients to provide an answer to a security question, or a unique code, or some sort of identity verification. This helps ensure the transfer’s safety
- Identity verification. Sessions which expire after a given period or the requirement to provide a safe password may be bothersome, but it shows the service’s provider is taking precautions to keep you, and your money, safe during transfers
- Automated Clearing House (ACH). Every banking transaction carried out in the US is processed by the Automated Clearing House (ACH), an independent agency that offers security in transmitting financial data.
The protection level you can have in a given transfer depends on the service you hire. For example, you can have added security measures such as confirmation calls to both parties (who must verify their personal details), confirmation emails, and even insurance policies. Some providers will also set upper or lower limits on the amount of money that can be sent in a given period.
The industry is regulated, so governmental authorities grant licenses to the business who specialise in money transfers. So choosing a reputable, reliable and, above all, licensed money transfer service is not only about branding but security.
If you are going to send money to someone, as the sender, you have some responsibilities:
- Provide the correct email address for the recipient
- Choosing a security question correctly so a random person can’t easily guess the answer
- Protecting the password, or code, in the message which accompanies the transfer
- You must make sure the authentication information is something that only the recipient knows.
EFT and identity theft
A criminal can steal money from your bank accounts, or perform operations on your behalf if they come into possession of a few pieces of personal information.
These can include your social security or national insurance number, passwords to essential services, account numbers, personal financial history, or credit card details.
They can even go further and use your name to take out a loan or have a credit card issued in your name. That’s what is known as identity theft.
Identity theft has the potential to become a grievous situation. It can ruin your credit rating, credit history, and your financial reputation. Restoring your good name (and credit) can take years if enough damage is done.
So how can someone steal your identity? Some criminals use the old-fashioned technique of going through your dustbin. In there, they can find bills or other documents which may include your personal or financial information. This rubbish can provide your account numbers, health insurance details, or credit card details.
If they get their hands on your social security, or national insurance, number on top of that information, they can create a whole new identity based on you. While this could seem like an outdated strategy in these digital times, it remains an effective one. The good news is shredding any potentially relevant document before throwing it in the bin can go a long way to thwarting this method.
But that’s just the start. Criminals have grown resourceful over time, and they have found very sophisticated and technologically savvy ways to target the innocent. Here are some of their latest tricks:
The criminal sends you spam emails posing as a financial institution, a company, or a governmental agency. The mail directs you to a website in which you must provide several pieces of sensitive data, usually for a seemingly valid reason.
Hackers know several ways to force their software onto other people’s computers. Malware is a category that includes keyloggers, trojans, spyware, viruses, and any computer program which grants the hacker illegal access to your device, the information stored in it, or the information you produce as you use the internet.
In this scenario, the criminal completes a change of address form so that some, or all, of your mail arrives in a different physical location under the criminal’s control.
A “skimmer” is a little toy that looks and feels like a legitimate device for processing credit card payments. This gadget steals your credit or debit card information so the hacker can use it to their advantage. Some of these can even be found attached to cash machines which pose as the slot into which you insert your bank card.
Good old-fashioned stealing is not out of style among criminals. They still know how to get hold of your wallet, purse, mail, bank or credit card statements, credit card offers, among other things to obtain your personal information.
What are the banks doing about this?
The problem with fighting online banking theft is that it is not as flashy as traditional banking theft. The bank needs to know that something wrong has happened before investigating the facts and correcting them. A competent thief starts small because they know the victim possibly won’t notice small amounts of cash going missing. Indeed there are documented cases of fraudsters who hacked a card for years and were able to continue undetected because they kept the discipline of spending small amounts of money on goods that could be resold, like gift cards.
The scenario described in the previous paragraph shows why your monthly bank or your card statement should not be just thrown away (especially not without shredding it). However, you need to read it carefully to notice any anomalies that you should report to your bank. Once your bank knows there’s something fishy going on, it can act. But not before.
Your bank will ask you to provide details about the unauthorized charges and evidence that fraud is involved.
How the bank treats the situation varies depending on jurisdictions and institutions. That’s why you must know your consumer rights in your country and with your bank. Knowledge is power.
If you live in the US, you’ll be glad to learn that the Electronic Fund Transfer Act of 1978 limits your liability to 50 USD if the fraud is reported within two days of the statement. If you take longer than two days, but fewer than 60, your liability is still limited but to 500 USD. But if you wait any longer than those 60 days, you become liable for every penny of the fraudulent operations –which is why you must read your statements.
Once the bank is informed, it should answer your dispute within a month. Most often, it will have 90 days to do its due diligence and deal with the problem. But, again, this can vary depending on the institution and location.
Each bank has an internal credit fraud investigation unit trained to deal with fraud cases as a norm. Law enforcement can also be involved if the bank deems it necessary, depending on the nature and extent of the fraud.
Typically the bank will suggest the customer to ask for a fraud alert to be placed in their file in the major credit reporting agencies. The measure prevents the opening of new credit accounts unless the creditor and the consumer can speak face-to-face and stringent identity authentication protocols are followed.
Protecting yourself from e-transfer theft
Sending and receiving money safely requires caution. However, knowing internet security best practices can help protect you against theft. Below are some tips you can follow in this regard:
- Send money to people you know and trust only. You would never send cash to a stranger. So please don’t send them an electronic transfer either
- Communicate with the person requesting money for identity verification purposes. Ensure that you have the correct contact data
- The answer to your security question should never be obvious. Birthdays, names, hometowns, and general information about you that somebody can learn from your social media profile do not belong in security questions or answers
- Keep the security question separate from the e-transfer message
- Always choose a strong password. Good password practices can fill several articles. For now, just choose a good password for each online account you use. Every password must be unique, and you must never use it on public computers – even on your own computer over public WiFi services
- Beware of suspicious emails. If you receive a new message in your inbox inviting you to click on a link urgently, don’t do it. Never click on any link if you’re not sure that the sender is legitimate
- Do not call any phone numbers that are sending unsolicited messages. If the number claims to belong to an organization, search for its official number and call it. Otherwise, you’re doing the fraudster’s job for them
- Protect your email account. Always log out from your email service if you’re not reading or writing messages. Even if you go to get a cup of coffee, your account must not remain open
- Use e-transfers only when you need them. E-transfers resemble cash transactions very closely. It’s hard to dispute them successfully. Pay for your goods and services with your debit or credit cards so you can enjoy the system’s protections
- Trust but verify. Not everybody is who they say they are. Don’t be paranoid, but do some preliminary research before you commit your money to anything
- If they’re asking for money upfront, be suspicious. Whenever a person or an “organization” approaches you to sell you something you never requested, signed up for, or were already expecting, refuse as a matter of principle. Ask questions and make sure that the story makes sense. Again if a “company” is involved, find its phone number and call it yourself.
- Never surrender your PINs or passwords. There is no legitimate reason for anybody to ask you to give them your passwords or PINS. Banks do not do that; neither does the police nor any governmental agency. If somebody requests that from you, don’t trust them
- If your bank has a fraud alert system, sign up for it
- To securely store essential documents during important transfers, people also use physical (PDR) or virtual data rooms for banking (VDRs)
- Look for the “S.” When you’re directed to a website, look at your address bar carefully. If it starts with “HTTP” instead of “HTTPS,” the chances are that it’s a fraudulent web page
- Mind the spelling and the grammar. Legitimate organizations worthy of handing or receiving your money hire competent people who can proofread their work. Scammers are often sloppy about that.
- Always take your time. If the information you’re being offered comes with a sense of urgency, be wary. Urgency is a scammer’s strategy because the sooner they convince you to give them the money or the information they want, the better their chances of succeeding. So please don’t fall for it, don’t act on impulse. On the other hand, if the claim looks that good, then it’s worth it to spend a few minutes researching it.
I’ve fallen for ETF fraud of theft. What can I do now?
Your first priority is to contact your bank as soon as possible. Explain your situation in full and ask if you can have your money back after falling for the scam. Cancel any recurrent payments. Think about temporarily freezing any accounts which could have been affected.
Once you’ve noticed that something is wrong, change every password for every account you use.
If you suspect identity theft, tell the police and the relevant law enforcement agency in your country.
Law Enforcement Agencies by Country
The United States of America
TransUnion, Experian, and Equifax are the country’s major credit agencies. Contact all three and discuss with the experts if you should place a fraud alert on your file.
Every suspicious contact can be reported to the Federal Trade Commission.
IdentityTheft.gov can help you with a recovery plan tailored to your situation.
The United Kingdom
If you have not heard back from your bank within two months, go to the Financial Ombudsman Service website and fill out a form. If you have a rejection letter from your bank suggesting to use the Ombudsman, it can speed things up.
Also, be aware of the Citizens Advice Scams Action and Action Fraud (https://www.actionfraud.police.uk).
IDCARE (idcare.org) will work with you to develop a plan to control the possible damage from identity theft. It’s free.
Scamwatch (created by the Australian Competition and Consumer Commission) collects data about Australian scams. Your report will help it to alert the community.
The Canadian Anti-Fraud Center (just Google it) will provide you with support and assistance if you report your identity theft.