ACH Fraud is on the Rise – Keep Your Business One Step Ahead

ACH fraud is a type of cybercrime that involves unauthorized transactions using the Automated Clearing House (ACH) network. While ACH transfers are convenient and cost-effective for businesses, that same efficiency makes them a target for scammers. 

All a scammer needs is your account number and routing number to initiate ACH transactions — transfers, withdrawals, and payments — as if they were their own account, all without your knowledge. It’s alarmingly simple for scammers to gain unauthorized access to your account. It could begin with a stolen check, a breach of your business’s network, or the installation of malware. 

Frequently, criminals begin ACH fraud with a phishing scam. They may target the accounting department or senior executives to trick them into sharing bank account information. It could be a fake email asking to verify account information for a vendor or a phishing website that imitates an online banking portal. If you provide your bank account or login credentials, the fraudster has what they need to funnel money from your account. 

Another common method fraudsters use for ACH fraud is Business Email Compromise. They hack into a company's email network to monitor communication patterns. Once they have enough information, they impersonate the company and contact their clients to provide a new (fraudulent) bank account for payments. If the client follows through, they unknowingly send funds to the scammer instead of the legitimate vendor. This often isn't discovered until the real vendor follows up on a past-due invoice, and by that time the money cannot be recovered. 

Preventing ACH fraud can be challenging. Since businesses have legitimate reasons to share their account information with vendors and others, they need to take precautions to reduce their risk of ACH fraud. 

Here are some ways to reduce your organization’s risk: 

• Check Your Accounts. Regularly review transactions and set up alerts for ACH activity. 
• Enroll in Positive Pay, our automated tool to help spot unauthorized checks and ACH transactions before they impact your account. It works by verifying checks presented for payout against a list of authorized transactions. 
• Keep up with cybersecurity. Keep your antivirus protection up to date on all computers and networks. Regularly update all software with the latest patches. Use strong passwords for all your accounts. Avoid using public or unsecured Wi-Fi.
• Enable multifactor authentication. Require additional verification beyond just username and password for all your organization’s sensitive accounts. This can reduce the risk of fraud even if login credentials are compromised. 
• Be cautious of unsolicited emails, phone calls, or texts asking for sensitive information, as it may be an imposter scam. Always verify the source using known contact details and avoid clicking on links or downloading attachments. 
• Create protocols for verifying payment changes. Before providing payment information or sending money with new payment details, you should always verify the legitimacy of the request. Train your staff to contact the requester directly using known contact details—preferably with a phone call to a verified contact. 
• Train your employees to always follow security procedures. 

What to do if you are targeted by ACH fraud? 

If you believe you were the victim of ACH fraud, take action immediately. 

• Report all unauthorized transactions to the bank. If your checks or debit card are missing or stolen, alert the bank right away. 
• Call the police or local law enforcement to report the incident. 
• Change all account login credentials and monitor future transactions closely. 
• You can also report these crimes to the FBI ic3.gov.