
What is ACH fraud and how to prevent it


The Automated Clearing House (ACH) network is a way of transferring money from one bank account to another. The network supports both credit and debit transfers: payments and withdrawals are sent to the clearing house, where they await authorization before arriving at their final banking destination. In the US, this network is overseen by the National Automated Clearing House Association (NACHA).

What is ACH fraud?

ACH fraud occurs when funds are stolen through the ACH network. A criminal needs two things to carry out ACH fraud: 

  • A bank account number
  • A bank routing number 

With this information, they can transfer money from the victim’s account, either as a lump sum or as recurring payments. They can also make unauthorized payments for goods or services. The time delay with ACH payments is a key vulnerability that financial criminals exploit. 

How common is ACH fraud? 

Although not the most widespread fraud method, ACH scams are increasing. In 2021, the Association For Finance Professionals found that the percentage of survey respondents reporting fraudulent activity via ACH debits increased from 34 percent in 2020 to 37 percent in 2021. 

Examples of ACH fraud

ACH fraud tends to affect medium-sized banks, businesses, and schools. In September 2022, the Federal Bureau of Investigation (FBI) Cyber Division issued a notification relating to cybercriminals increasingly targeting healthcare payment processors to redirect victim payments. In one case, a large healthcare company lost $840,000 in an ACH scam, where a hacker impersonated an employee and changed the ACH instructions.

In addition to “insider employee fraud”, typical examples of ACH scams include:

  • Data breaches: Criminals often gain access to customer credentials via a data breach. In this scenario, fraudsters log into bank accounts with bought or stolen information from the dark web before withdrawing funds through the ACH network. 
  • Email phishing ACH scams: A customer clicks a link in a phishing email that sends them to a malicious website, which infects their computer with malware. Fraudsters can then track the customer’s keystrokes and discover their banking credentials. This is also known as spear phishing.
  • Check kiting: In this type of ACH fraud, criminals move money back and forth between accounts at different banks. When the transfer is approved by the clearing house, it looks like the money is in the account, but it has already been moved.
  • Loss or theft of debit card: If the loss or theft of a debit card is not immediately reported, criminals can use this window of time to carry out an unauthorized ACH withdrawal.

Many of these methods reveal other information that can lead to identity fraud and/or account takeover fraud. In fact, the Financial Crimes Enforcement Network (FinCEN) has frequently highlighted the connection between ACH fraud and identity fraud, with money being illegally transferred via ACH transfer to accounts that were set up with stolen or fake identities. 

What is the impact of ACH fraud on businesses?

The impact of ACH fraud can be costly for organizations in terms of remediation time and money, both of which can negatively affect relationships with customers and prospects. Indeed, a 2020 merchant survey found that “avoiding organizations or services I don’t trust” was the top way consumers say they protect the privacy and security of their personal data online.

Furthermore, in our 2023 global compliance survey, more than one in three senior compliance professionals cited “reputational risk” as the factor most likely to drive change within their organization. This was a 6 percentage point rise from the previous year and was the only factor to see a year-on-year increase. And with global executives attributing 63 percent of their firm’s market value to its reputation, it’s easy to see why concern levels are so high. 

ACH fraud also increases the likelihood of chargeback fraud, which occurs when a consumer requests a refund (or chargeback) from the card issuer despite having received goods from a merchant. 

How to detect ACH scams

ACH fraud detection is essential for firms of all sizes across all sectors. Current trends in the ACH fraud detection space include: 

  • Secure API: Application programming interfaces (APIs) allow firms to detect fraud faster and more efficiently, as they enable two systems to communicate and integrate with one another. For example, with ComplyAdvantage’s RESTful API, firms can improve their operational efficiency and reduce false positives with access to real-time data.
  • Biometrics: Various biometric types, known as physical, linguistic, and behavioral modalities, can aid firms in detecting ACH fraud as they help identify the actual human being that is interacting with a device or service. 
  • Enhanced behavioral analytics: Behavioral analytics that utilize machine learning capabilities can help firms build an accurate picture of “expected” versus “unexpected” account behavior, so action can be taken to mitigate risk in near real time.

When employing any of the above fraud detection solutions, firms must ensure they are calibrated in such a way that reflects their organization’s risk appetite. When adopting a risk-based approach, firms should consider the level of threat ACH fraud poses to their business and deploy solutions accordingly. Transaction monitoring tools should also be fine-tuned to detect specific ACH red flags, including:

  • ACH transactions taking place across different geographic areas
  • Customers using a different device or account to their preferred choice
  • Employees who are found breaking security protocols
  • Customers showing signs of being phished
  • Customers with a high rate of ACH chargebacks
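
As an added illustration (not ComplyAdvantage's code or API), the sketch below replays a time-ordered transfer history and raises three of the red flags listed above: a new geographic area, a new device, and a high chargeback rate. The record fields, thresholds and sample data are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AchTxn:
    customer: str
    region: str         # coarse location the transfer was initiated from
    device: str         # device fingerprint (hypothetical identifier)
    charged_back: bool  # whether this debit was later charged back

CHARGEBACK_LIMIT = 0.4  # assumed threshold; calibrate to the firm's risk appetite
MIN_HISTORY = 3         # assumed: transfers needed before a baseline is trusted

def red_flags(txns, limit=CHARGEBACK_LIMIT, min_history=MIN_HISTORY):
    """Return (index, customer, flags) for each transfer that deviates from
    the customer's own earlier behaviour. txns must be in time order."""
    regions, devices = defaultdict(set), defaultdict(set)
    counts = defaultdict(lambda: [0, 0])  # customer -> [transfers, chargebacks]
    alerts = []
    for i, t in enumerate(txns):
        total, charged = counts[t.customer]
        flags = []
        if total >= min_history:  # skip new customers: no baseline yet
            if t.region not in regions[t.customer]:
                flags.append("new_region")
            if t.device not in devices[t.customer]:
                flags.append("new_device")
            if total and charged / total > limit:
                flags.append("high_chargeback_rate")
        if flags:
            alerts.append((i, t.customer, flags))
        # Update the baseline only after scoring, so a transfer never vouches for itself.
        regions[t.customer].add(t.region)
        devices[t.customer].add(t.device)
        counts[t.customer][0] += 1
        counts[t.customer][1] += int(t.charged_back)
    return alerts

# Constructed sample data, not real transactions.
SAMPLE = (
    [AchTxn("alice", "US-NY", "dev-a1", False)] * 3
    + [AchTxn("bob", "US-TX", "dev-b1", cb) for cb in (False, False, True, True)]
    + [AchTxn("alice", "RO", "dev-x9", False),     # new region and device
       AchTxn("bob", "US-TX", "dev-b1", False),    # 2 of 4 prior debits charged back
       AchTxn("carol", "US-CA", "dev-c1", False)]  # first transfer: no baseline
)

if __name__ == "__main__":
    for alert in red_flags(SAMPLE):
        print(alert)
```

Raising `MIN_HISTORY` or `CHARGEBACK_LIMIT` trades missed detections for fewer false positives, which is the calibration decision the risk-based approach above refers to.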

How can companies prevent ACH fraud?

ACH fraud prevention measures used by businesses may include:

  • ACH freeze barrier: This allows companies to block unauthorized transfers from a customer’s account.
  • ACH fraud filter: This allows companies to filter between authorized and unauthorized debits and credits.
  • Authorized user list: Customers can create a list of allowed regular transactions.
  • Multi-factor authentication (MFA): Requiring customers to use MFA when logging in and making transfers.
  • One-time payment (OTP) authorization: One payment is authorized at a time – this is also known as “positive pay”.

Company employees need to be fully trained in how to prevent ACH fraud. Compliance and fraud professionals must stay on top of new typologies and trends, as well as regulatory updates and in-house know your customer (KYC) policies.

Firms should also have strong security measures in place, for example using data encryption when storing and sending customer credentials – including credentials given over the telephone where calls are recorded. This information should never be stored locally.


Originally published 20 March 2023, updated 18 October 2024

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2024 IVXS UK Limited (trading as ComplyAdvantage).