Automated Clearing House, better known as ACH, offers an electronic way for consumers and businesses to make payments quickly and easily for goods and services. ACH uses bank routing and account numbers to move money between parties. Have you considered the risks associated with sharing such sensitive account details?
According to Nacha, the governing body over ACH, the number of ACH transactions increased to 6.6B in 2023. It is arguable that an increase in the number of transactions also leads to an increase in fraud cases against them.
The Association for Financial Professionals published a report stating that 37% of surveyed businesses had been targets of ACH fraud.
Accounts payable (AP) teams are no strangers to fraud. Because they often rely on paper checks to pay their vendors and suppliers, they have become sitting ducks for fraudsters. However, even as AP clerks start replacing paper checks with digital payment methods such as ACH, they still have a target on their backs.
Our blog will specifically explore the different types of ACH fraud and the tools you can use to protect your business against them.
What is ACH Fraud?
There are many tactics that fraudsters use to attack ACH transactions.
- Phishing – Cybercriminals send seemingly legitimate emails/texts/calls to collect sensitive information, such as payment data, login credentials, etc. Proofpoint states that phishing typically involves links to fake sites and downloads of malicious files to obtain the data.
- Fraudulent returns – Common for ACH transactions, fraudulent returns occur when a customer makes a purchase, files an ACH return for that purchase, and keeps the good/service, netting a loss to the business.
- Account takeover – When a bad actor gains unauthorized access to an account that doesn’t belong to them. Once in, they will change the login information, preventing the actual owner from getting in. I recently experienced this with a popular online shoe retailer.
- Cyberattacks – The National Institute of Standards and Technology defines a cyberattack as “any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.” These attacks can take many forms, including malware, ransomware, spyware and viruses.
- Invoice spoofs – Fraudsters will alter a legitimate invoice to get the business to send the funds to them instead of the vendor. They will often change the payment information (which can go undetected for a long period of time) or request an urgent update to their payment information to rush a clerk into sending the payment immediately, prior to performing the proper validations.
- Insider threats – As Gen Z says, sometimes “the call is coming from inside the house.” Rogue employees can wreak havoc when they have access to sensitive data within their company. They can alter the payment information to divert funds to themselves, create fake invoices, facilitate duplicate payments, the list goes on.
- Ghost funding – This method takes advantage of the longer ACH clearing and settlement times. When a fraudster initiates a transfer, the receiving bank may credit the funds immediately; the fraudster then withdraws the money before the bank can verify that the funds were good in the first place. Because ACH can take several days to settle, the fraudster will likely be long gone with the money before the problem is detected.
Why is ACH a Target?
Fraudsters and cybercriminals find ACH transactions to be attractive targets for many reasons.
In the previous section, we noted that ACH funds can take several days to settle, often 1-3 business days. Because ACH does not offer real-time verification, payments and transfers can be initiated without sufficient funds available.
ACH transactions are extremely complicated. The end-to-end lifecycle of these transactions involves numerous parties: processors, ODFIs, RDFIs, originators, and receivers. Multiple touchpoints can increase vulnerabilities, opening the door for attacks.
Additionally, the window for businesses to request a return on an ACH is very small: only 24 hours. Bad actors can slip away before the ACH clears and the business can react.
How to Protect Against ACH Fraud
Stopping ACH fraud requires due diligence and awareness throughout the entire transaction lifecycle and across your entire organization. Some payment processors can help.
Nacha requires payment processors to validate any web-initiated ACH transactions to protect against new threats within the ACH network. ACH validation looks at the following, and processors decline a transaction if any of these is true:
- Previous instances of fraud
- A history of insufficient funds (NSF)
- Returns for account closed or incorrect amount
Nacha’s ACH validation rules aim to stop fraudulent ACH transactions before they happen and:
- Reduce ACH return ratios
- Expedite failed payment responses
- Decrease fraud events
There are more measures businesses should utilize!
- Use and require strong passwords for platforms that house sensitive payment data, and require that they be changed at regular intervals.
- Regularly monitor bank accounts and processing activity.
- Enlist additional fraud detection solutions.
- Confirm the validity of vendor payment details prior to sending the funds.
- Train employees on what to look for and ensure those with clearance to sensitive data have been properly vetted.
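The decline rules above and the "confirm vendor payment details before sending funds" measure can be combined into a single pre-release check in an AP system. The example below is added here and is not REPAY's or Nacha's code; the account-history format, the NSF lookback window and limit, the return-reason labels, and the routing/account numbers are all constructed for illustration.

```python
from datetime import date, timedelta

NSF_LOOKBACK_DAYS = 180   # assumption: window in which NSF returns are counted
NSF_LIMIT = 2             # assumption: NSF returns in that window that trigger a decline
HARD_DECLINE_RETURNS = {"ACCOUNT_CLOSED", "INCORRECT_AMOUNT"}  # constructed labels

def validate_ach(acct_history, today):
    """Apply the three validation rules: prior fraud, NSF history, hard-decline returns.
    acct_history is {"fraud": bool, "returns": [(date, reason), ...]} (constructed format).
    Returns a list of decline reasons; an empty list means the account passes."""
    reasons = []
    if acct_history.get("fraud"):
        reasons.append("prior fraud on account")
    cutoff = today - timedelta(days=NSF_LOOKBACK_DAYS)
    nsf = sum(1 for d, r in acct_history.get("returns", []) if r == "NSF" and d >= cutoff)
    if nsf >= NSF_LIMIT:
        reasons.append(f"{nsf} NSF returns in last {NSF_LOOKBACK_DAYS} days")
    hard = {r for _, r in acct_history.get("returns", []) if r in HARD_DECLINE_RETURNS}
    if hard:
        reasons.append("returns: " + ", ".join(sorted(hard)))
    return reasons

def release_decision(invoice, vendor_master, history, today):
    """Decide RELEASE / HOLD / DECLINE for one vendor payment.
    invoice: {"vendor_id", "routing", "account", "urgent"}; vendor_master maps vendor_id to
    {"routing", "account", "verified_changes": set of (routing, account) confirmed out of band}."""
    on_file = vendor_master[invoice["vendor_id"]]
    dest = (invoice["routing"], invoice["account"])
    # Invoice-spoof check: bank details that differ from the vendor master are held
    # until someone confirms them by calling the vendor at a known-good number.
    if dest != (on_file["routing"], on_file["account"]) and dest not in on_file["verified_changes"]:
        why = "bank details differ from vendor master"
        if invoice.get("urgent"):
            why += "; urgent change request is a common spoof pattern"
        return "HOLD", [why]
    decline = validate_ach(history.get(dest, {}), today)   # unknown account: no history, passes
    return ("DECLINE", decline) if decline else ("RELEASE", [])

TODAY = date(2024, 6, 1)
HISTORY = {  # constructed receiving-account histories keyed by (routing, account)
    ("123456789", "4455667"): {"fraud": False, "returns": []},
    ("123456789", "9988776"): {"fraud": False,
                               "returns": [(date(2024, 3, 2), "NSF"), (date(2024, 5, 9), "NSF")]},
    ("123456789", "1122334"): {"fraud": True, "returns": [(date(2023, 11, 1), "ACCOUNT_CLOSED")]},
}
VENDORS = {  # constructed vendor master records
    "V100": {"routing": "123456789", "account": "4455667", "verified_changes": set()},
    "V200": {"routing": "123456789", "account": "1122334", "verified_changes": set()},
}
```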
Who is Responsible for ACH Fraud?
As previously mentioned, businesses have only 24 hours to report instances of ACH fraud to their financial institution, whereas consumers have 60 days.
ACH fraud responsibility falls on the business after this 24-hour window has closed.
Give Vendor Payment Protection to REPAY
Not every business has the resources or expertise to stop or mitigate payment fraud. Additionally, ACH validation can be expensive and technologically challenging.
REPAY’s vendor payment automation platform includes ACH validation at no additional cost. And ACH fraud isn’t all we protect against. Let’s schedule a call to discuss our no-cost, robust payment protection toolkit! We take on vendor payment security, so you don’t have to.