Early in 2020, Isaiah Jordan obtained an “arrow” key stolen from the U.S. Postal Service. Jordan passed the key to Brian Nevils, who used it to steal mail from blue collection boxes in and around Carbondale, Ill. Jordan used social media to recruit people (aka, money mules) willing to use their bank accounts in his check washing conspiracy; he also helped willing accomplices who didn’t have a bank account of their own open an online account at Discover Bank.
The mail stolen by Nevils and Jordan included checks drawn on The Bank of Carbondale, First Mid Bank & Trust, First Southern Bank, Legence Bank, Regions Bank and Wells Fargo — checks subsequently altered and deposited, funds hurriedly moved between banks, with the result being lots of peoples’ money surreptitiously vanished. During the three-month period leading up to the arrest of Jordan, Nevils and their associates, more than 100 checks were stolen and altered; losses totaled about $400,000.
That figure, however, should not be considered the true cost of this particular fraud case. “The cost of fraud mitigation is about four times the amount of the actual fraud” for banks, said Russell Taylor, president of Finovifi, a firm that offers tech-powered fraud protection solutions to financial institutions of all sizes. The higher cost is paid in time, increased insurance premiums, loss of resources, and eroding reputation. Banks pay the lion’s share of the rising preponderance of check fraud, which is traced to a rise in street crime, slackening USPS oversight, and the fundamental lack of security inherent in a “vintage” payment option.
Old habits die hard
Paper checks were supposed to be on hospice by now. In 2012, a study published by the Federal Reserve Bank of Philadelphia said the number of checks written each year was dropping by about 1.8 billion. Accelerating this decline was the rise of e-commerce, adoption by small businesses of payment apps, and the rise of P2P payment solutions. Looking at the trendline at the time, the prediction was clear: Paper checks would disappear entirely by 2026.
Yet what seems so last century is proving resilient. In 2023, the average daily volume of checks processed by the Fed was 12.6 million with a combined value of $33.8 billion.
“While the volume of checks written is going down, the value of the checks is going up,” said Paul Benda, executive vice president for risk, fraud and cybersecurity at the American Bankers Association.
And, while businesses are getting better at figuring out electronic funds transfers, they’re still using checks a lot, he added. “A lot of small business customers have built checks or Cash App or other P2P payment apps, using Zelle into their auditing processes,” Benda said. It’s a process designed with paper and supported with staples and paper clips and stiff beige folders: Bookkeepers receive a check in response to an invoice. There’s a stub or a photo copy affixed to that invoice, all of it tucked into a filing cabinet.
“They’ve structured their systems around that, and they still want to use checks even though there’s a lot of risk putting those checks in the mail,” Benda said.
Paying by check, and specifically mailing a check, is a habit bankers are advised to encourage their customers to break, Taylor said. Because it’s the bank that loses when the system breaks down. And it has, in a big way. In all of 2023, there were 1.96 million SARs filed by U.S. depository institutions, more than double the number from a decade earlier, according to FinCEN. And in a press release issued last fall, FinCEN said mail-theft related check fraud amounted to more than $688 million just between February and August of 2023.
Criminal intent
As was the case in Carbondale, the leak in the system is often the blue box on the street corner. Keeping mail secure has become a problem in the United States, with few solutions. Arrow keys are stolen. Checks are lifted enroute. Mail carriers are jumped and their bags taken. The postal eagle has a blackened eye and a bruised beak. Even the Internal Revenue Service is encouraging people who owe taxes to choose an electronic payment option instead of sending payment through the mail.
Frank Albergo, president of the Postal Police Officers Association, said there’s a postal crime wave in the United States. He places the blame squarely on the U.S. Postal Service itself, for its 2020 directive limiting its own police force to postal facilities. U.S. Postal Police can no longer patrol routes or protect carriers or mail in transit, he explained.
According to data from the U.S. Postal Inspection Service, mail theft complaints rose by 327 percent from 2018 to 2023. In 2018, there were 59,775 complaints. In 2023, that number was 255,183. Mail theft arrests reportedly dropped 44 percent during that same time period.
That opened the door to what Taylor called “an unprecedented surge” in sophisticated check washing and fraudulent endorsements. Exacerbating the problem is a dwindling force within postal police ranks. The U.S. Government Accountability Office says there were 600 reported cases of robbery against postal workers in 2023, up sevenfold from 2019. There were also 400 assaults.
“What makes this especially concerning is the direct link to systematic mail theft, where stolen checks are being expertly altered and deposited through fraudulently opened accounts,” Taylor said.
Ironically, one reason check fraud is so hot right now is because the industry has successfully beaten back other types of fraud. “Five years ago, cyber criminals could break into servers without human access,” said Kris St. Martin of CBIZ, which provides insurance to the industry. “But now the firewalls, especially, are so good.” Third party authentication has also brought down cyber crime, forcing criminals to adapt — and adopt new approaches.
“A lot of the check crimes have dwindled down to street gangs,” said Mike Burke, senior robbery and crisis management consultant for Johnston, Iowa- based Shazam, whose career includes years in law enforcement. “They’re migrating out of the narcotics trafficking and getting into financial crimes. It’s such an easy crime to commit.”
Crooks are networked and sophisticated, even deploying AI tools to wash and alter checks. Taylor’s firm tracks stolen checks for sale on the dark web through a tool called FraudXchange. [Author sidenote: Taylor demonstrated the tool by inviting me to name three banks at random. I named U.S. Bank, Alerius and Grand Rapids State Bank before he revealed checks from innumerable banks posted on the site for sale, including the ones I named.]
Bankers can dig through messaging apps that have groups organized for selling stolen checks. “You can go right into Telegram,” Taylor explained. “Search for checks for sale and you’ll come up with a whole lot of marketplaces … there’ll be images of checks … The service they’ll offer is to send me the check and I’ll alter it myself, or they’ll alter the check for me. People will make payments for those checks, usually using crypto. They will even give you a money back guarantee. This is big, big business.”
Yet the reliance on checks continues. At an industry meeting, Benda said he asked a room filled with bankers if any had considered no longer offering checks. Not a single hand went up. “We’d love to see continued decline in check use, to move toward more secure electronic payments,” Benda said.
Building a bulwark
Securing a house involves more than closing the front door. You also need to lock it. Close and lock the windows, too. Add a fence. Close the gate. Maybe buy a dog. Fingers crossed, that’s deterrent enough for the would-be thief to move along.
Bankers are encouraged toward a multi-pronged counter-offensive to stem check fraud that includes tech solutions, better and more frequent training — for staff and for customers — along with understanding where the bank’s own policies and tools might be considered gaps in the security system.
Training frontline staff is critical, especially when there’s been turnover or when adding younger staffers who can be unfamiliar with checks. “When I train our banks on different frauds and different scams going on, I’m really pushing the frontline staff to pump the brakes,” Burke said.
Sometimes mules will walk into banks with their fraudulent checks, understanding that a human presence is naturally disarming. Asking them to wait while the account or check is verified through a phone call might be enough to spook them out the door, Burke explained.
Bankers can likewise mitigate their risk by not deploying a one- size-fits-all process for checks, Benda said. ABA’s compliance hotline fielded a call where a banker asked about extending its hold time for a check believed to be fraudulent.
“Once you accept that check, it now falls under the hold times dictated by Reg CC, and you can’t extend them due to fraud,” Benda said. “But if they put that check into the collections process, they could have actually gone and made sure that was a valid check before it was funded, and those Reg CC hold times wouldn’t have applied.”
Because checks deposited through remote means are difficult to validate, and they aren’t subject to Reg CC, they can be held until reasonably validated, Benda explained, adding that process is difficult because “those images aren’t as good as they need to be.”
Education, paired with technology, especially education aimed at customers, will also help banks reduce their fraud losses, Taylor said. Talking to customers to set limits and alerts, and encouraging them to use Positive Pay, these are proactive steps that will build goodwill that might be needed when or if check fraud is encountered. Because even though a bank will end up taking the financial hit in check fraud cases, the customer suffers too.
“My bank is supposed to be protecting me, but by the time it takes the bank to sort it out, it could be four months, six months or longer,” Taylor said.
Gerard Leval, a Washington lawyer and fraud victim, put his anger — directed at the USPS, law enforcement and his bank — into an op-ed published by the Wall Street Journal in December. “Our bank agreed to investigate the matter, but only after months of demands and the threat of a lawsuit did it finally return our stolen money,” he wrote. “When your customer is out talking to newspapers and saying, ‘My bank said I’m on my own and they were no help at all,’ that is not a good look for your bank,” St. Martin said.
St. Martin often leads fraud training sessions using tabletop exercises designed to help bankers at all levels, including members of the board, to develop and practice action steps in response to all types of fraud. He encourages banks to hold seminars on fraud that include customers and non-customers alike.
“If you can prevent your clients from stepping in bad stuff, it’s much better for the bank,” he said. Training, however, must be supported by technology. “I think the industry was caught a little flat-footed with the rise we saw a couple of years ago,” Benda said. Artificial intelligence is now being deployed by criminals to create increasingly sophisticated check fraud, a trend Taylor dubbed “alarming.”
Banks, depending upon their size and fraud tolerance, can deploy a patchwork of tools, led by tech and supported by training. But until there’s a single, standardized payment system in the United States, winning the battle against fraudsters will be a challenge, Taylor opined.
Sophisticated technology can examine check images for signs of fraud (akin to biometric, or facial recognition technology), and also predict and understand a customer’s check writing behavior, Taylor explained.
Machine learning adapts to a customer’s check writing habits over time. When Finovifi takes on a bank as a client, Taylor explained, it feeds six months of data into its solution in order to learn and understand customers’ transactional history. Once it does that, it can identify in a manner of minutes which checks need closer examination. “The technology is out there,” Taylor said. “The sad thing is most banks are not using it, or they’re using a really old version of technology that doesn’t do a great job.”
Using the Treasury Check Verification System as its model (or its inspiration), the ABA has undertaken a feasibility study to look at establishing a national check verification system.
“You have Positive Pay vendors, you have bill pay, so the issuing bank has a lot of this information,” Benda explained. The question then becomes: Can the industry create data standards to allow banks and vendors to share information with a centralized database so that the “bank of first deposit” can validate the check in real time?
“We think these are the kinds of things that we really need to look at,” Benda said. The ABA plans to present the results of its feasibility study at its Financial Crimes Conference in October.
A dim light on the horizon
What of those USPS collection boxes secured by “arrow” keys? Benda said the USPS has planned an upgrade to 40,000 of them to use biometric keys. The problem is, there are nearly 140,000 of those blue collection boxes in service across the country. The USPS has also increased monetary rewards to catch those who assault their postal carriers. The USPS is “trying,” Benda said, but banks could do more, including incentivizing business customers to move toward automated payments.
“There’s never in our lifetime going to be a time when you look at [fraud] and go, ‘Okay, we conquered this,’” St. Martin said. There’s too much money at stake. “The criminals are not just going to give up.”
And because checks are an inherently insecure method of payment, the industry must continually ask itself: When is the end justified? Most expected the end of the check to already have arrived, obituary fully drafted.