Automated Clearing House (ACH) payments make it easy for businesses and consumers to transfer money to accounts at different financial institutions. They’re simple, fast, and convenient electronic funds transfers (EFT). There’s no need for checks or cash, and the transaction costs are lower than for wire transfers.
The ACH system facilitates a large and growing range of transactions, including payroll, bill payments, and B2B payments. In 2020 alone, ACH payments increased by 8.2% in transaction volume and 10.8% in transaction value. In 2022, U.S. account holders transacted 30 billion ACH payments worth over $76 trillion.
Unfortunately, ACH payments are increasingly used for fraud. The system is based on trust and ease of use, making exploitation more straightforward than other types of EFT. ACH debit fraud is the second most common type of payment fraud after check fraud.
In this article, we explore how criminals commit ACH fraud and what businesses can do to reduce their risk exposure.
What Is ACH Payment Fraud?
ACH payments were introduced in the early 1970s to facilitate money movement between bank accounts at different financial institutions. In the U.S., the National Automated Clearing House Association (NACHA) oversees the ACH network.
ACH fraud is the unauthorized or fraudulent transfer of funds through the ACH network. Criminals engaging in this type of fraud need only two pieces of information: a bank account number and a bank routing number. With these details, they can illicitly transfer funds from a victim’s account.
Minimal credential requirements are not the only reason the ACH system attracts fraud. ACH payments are consolidated and processed in batches at specified times. Batch processing is efficient and cost-effective, but it introduces a time delay in transaction settlement, typically one to two business days.
During this period, the funds are in transit and not immediately debited or credited to the respective accounts, creating a window where unauthorized transfers may go undetected.
Same-day ACH payments, which were introduced in 2017, have become more prevalent in recent years. They are processed and settled on the day they are initiated. However, same-day payments are not available for all transaction types and have cutoff times and transaction limits.
While they offer enhanced speed and decreased risk of criminal activity going unnoticed, they do not eliminate the threat of fraud.
If you’d like to learn more about how the ACH payment system works and how it differs from wire transfer payments, read ACH vs. Wire Transfers.
How Do ACH Fraud Scams Work?
ACH scams focus on obtaining the two pieces of information needed to carry out an ACH payment: bank account and bank routing numbers. Criminals use a range of technological and psychological tactics to obtain these details.
- Phishing: One of the most common methods, phishing involves sending fake emails or texts that appear to be from legitimate organizations. These messages trick victims into revealing sensitive account details by mimicking the look and feel of communications from trusted sources.
- Malware: Botnets install malicious software on victims’ devices without their knowledge. The malware then steals account numbers and login credentials stored on the infected system.
- Data Breaches: When retailers or other businesses with large customer databases experience a data breach, account numbers can be compromised and sold on the dark web.
- Skimming: Skimmers are physical devices illicitly installed on ATMs, gas pumps, and other card readers. They copy card data, which can then be used to generate or access account numbers.
- Social Engineering: This method involves manipulating authorized users, like employees, into making unauthorized transfers, often by exploiting their trust and lack of awareness.
- Insiders: Sometimes, the threat comes from within. Dishonest insiders at banks or businesses may abuse their access to confidential information to steal account data.
ACH scams are often orchestrated by criminal networks, with teams responsible for stealing account details and executing fraudulent transactions. They may also use mules, individuals whose bank accounts receive fraudulent payments before the money is sent to accounts under the criminals’ direct control.
Who Are Victims of ACH Fraud?
Any business or consumer with a checking, savings, credit union, or peer-to-peer payment account may be at risk. ACH fraud impacts many victims, each with unique vulnerabilities and consequences.
The list of victims most at risk includes:
- Individuals: Particularly at risk are elderly individuals who may be more prone to falling for social engineering tactics. These tactics often involve manipulating the victim into divulging account information, either through confidence tricks or deceptive requests that seem legitimate.
- Small Businesses: Small companies frequently lack the advanced cybersecurity measures that larger corporations might have. This makes them more susceptible to phishing attacks and malware. Small business accounts often carry sufficient funds to be attractive targets for fraudsters.
- Non-Profits and Charities: The charitable nature of these organizations can make them targets for fraud. They may be tricked into making unauthorized transfers under the guise of genuine requests for donations or funding.
- Government Entities: Public sector bodies are not immune to ACH fraud. Those involved in collecting payments or distributing benefits, such as tax authorities or social welfare agencies, can be targeted for their substantial financial transactions.
- ACH Transfer Originators: This group includes banks, lenders, and merchants regularly initiating ACH transfers. They risk having their credentials compromised, often through malware.
Each of these groups faces unique risks in the context of ACH fraud. The consequences can range from financial loss to damage to reputation and trust, highlighting the importance of awareness, risk analysis, and preventative measures.
ACH Fraud Protection and Prevention
The widespread use of ACH payments and the sophistication of criminal tactics demand a robust approach to information security and fraud prevention. Here are several key technologies and strategies that can significantly reduce the risk of ACH fraud:
- Employee Education: Educate staff about phishing and social engineering tactics so they recognize and avoid schemes aimed at extracting sensitive account information.
- Transaction Monitoring: Use transaction monitoring and fraud detection tools to identify anomalies and unauthorized payments. Continuous monitoring helps in the early detection of suspicious activities.
- Data Encryption and Secure Transmission: Encrypt stored account details and ensure data is encrypted when sent over networks.
- Limited Access Control: Restrict account access to employees on a need-to-know basis. Limit privileges and monitor who has access to sensitive account information.
- ACH Risk Scoring: Use ACH risk scoring to predict and mitigate return risks. These platforms analyze transaction patterns and flag transactions with a high risk of failure or fraud, allowing businesses to take preemptive action.
- Periodic Risk Assessments: Conduct regular risk assessments to identify and address vulnerabilities in your ACH transaction and account security processes. By understanding where their systems might be susceptible to fraud, you can implement targeted strategies to strengthen those areas.
- Regular Security Updates: Keep security software, firewalls, and antivirus programs current. Regular updates help to protect businesses from malware infiltration and security compromises that leak account details.
Investing in fraud prevention allows businesses to create a multi-layered defense system against ACH fraud, protecting their financial assets, preserving their reputation, and maintaining the trust of customers and partners.
Alessa and ACH Fraud Detection and Prevention
Alessa is a modular AML compliance and fraud management solution. We can help your business to monitor electronic funds transfers effectively, including ACH transactions. We also offer a variety of risk assessment solutions to help businesses identify and eliminate compliance and fraud risks.
Contact our compliance experts today to learn how Alessa can help your business’s compliance and fraud prevention programs.