Use bookmarks or apps to access online banking, as Google searches can present fraudulent look-alike sites.

ACH fraud occurs when funds are stolen through the Automated Clearing House (ACH) Network. A fraudster needs two things to accomplish ACH fraud: a bank account number and your bank’s routing number. (A bank’s routing number is public information.) With this information, the fraudster can transfer money from the victim business’s account, in a lump sum or as recurring payments. They can also make unauthorized payments for goods or services via a website or phone. Payments to fraudsters can also be made unwittingly under false pretenses.

Fraud attempts and fraud transactions created under false pretenses and other schemes are on the rise. Be proactive and utilize best practices and tools to help mitigate your risk.

Be aware of common ACH Fraud Schemes:

Unauthorized Access or Account Takeover (ATO) Fraud

Account takeover fraud is a form of identity theft where fraudsters take over an online account and pose as real users. ATO can result from compromised credentials, social engineering or device takeover. Account information can be obtained when a user clicks on a link in a phishing email, which sends the user to a malicious website that infects their computer with malware. The victim’s keystrokes can then be tracked and their banking credentials discovered.

Fraud Committed under False Pretenses

Payments made under false pretenses are created when the business voluntarily sends payment to a fraudster’s account, believing it is to a known or legitimate recipient. Vendor impersonation, Business Email Compromise (BEC), payroll impersonation, payee impersonation and impersonation of personnel with authority to act on behalf of another person are all ways account information is obtained under false pretenses. Fraudulent invoices, fraudulent requests to change payment method and requests to update incoming ACH instructions by mail, fax or email can be generated.

Timely reporting is crucial:

Recovering funds lost to ACH fraud can be difficult. Electronic payments move fast, and oftentimes once they are deposited to the fraudster’s account, the funds are withdrawn and the account closed, leaving no funds to return to the sender. Consumers have 60 days to report ACH fraud. Businesses are not as fortunate. In most instances, businesses are provided only one day to catch fraudulent activity. Tens or even hundreds of thousands of dollars can be stolen and be unrecoverable, which can leave a business in financial distress.

In addition, transactions sent voluntarily under false pretenses are nearly impossible to recover. There are no regulations requiring another bank to cooperate with returning the funds in these instances once the transaction has processed.

Your goal should be to prevent a fraudulent transaction from processing.

Ways to help protect your business:

It is critical to have good fraud controls in place. Well-trained staff, daily banking reconciliation, dual control and dual authorization for any function that moves money out of the account, and safeguarding of user IDs, codes and passwords are recommended. Develop and implement policies that control how financial transactions are made. Review authorization procedures regularly.

It is essential to secure and maintain your computer system. Do not download or install software from an unknown source. Do not open an email or email attachments from an unknown source. Ensure you have up-to-date firewalls, anti-virus software and spyware prevention for all computers. Maintain the physical security of your computers and limit access to computers that are used for sensitive functions. If possible for your business, use a stand-alone, completely locked-down computer system solely for online banking, not for mail, browsing or file sharing.

Consider restricting access and rotating duties so that no one person is responsible for all financial tasks. Personally review your bank statements and restrict access to financial documents, checks, credit cards and cash. Disable former employee account access immediately.

Watch for red flags in communications: obvious spelling and grammar mistakes, and extra letters in hard-to-spot places such as a company name or email address. Additional red flags are urgent calls requesting payment, claims of only being able to correspond via email, or no callback number.

Call your vendor to confirm payment instructions and use previously known contacts and phone numbers. Do not make changes based on emails, texts, invoices or letters.

Make sure your payment amounts match a legitimate invoice.
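The three checks above (look-alike sender address, changed payment instructions, amount versus invoice) can be run automatically before a payment is released. The following is an added example, not part of the original advisory; the record layouts, flag names, the edit-distance threshold and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vendor:  # hypothetical vendor master record, confirmed by phone
    email_domain: str
    routing: str
    account: str

@dataclass(frozen=True)
class PaymentRequest:  # hypothetical shape of an incoming payment request
    sender_email: str
    routing: str
    account: str
    amount_cents: int
    invoice_cents: int  # amount on the approved invoice

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(req: PaymentRequest, vendor: Vendor) -> list[str]:
    """Return the reasons a request needs a callback before any money moves."""
    flags = []
    domain = req.sender_email.rsplit("@", 1)[-1].lower().rstrip(".")
    known = vendor.email_domain.lower()
    if domain != known:
        # Assumed threshold: one or two changed characters looks like an
        # "extra letter" spoof; anything further away is simply unknown.
        near = edit_distance(domain, known) <= 2
        flags.append("lookalike_domain" if near else "unknown_domain")
    if (req.routing, req.account) != (vendor.routing, vendor.account):
        flags.append("bank_details_changed")
    if req.amount_cents != req.invoice_cents:
        flags.append("amount_mismatch")
    return flags

# Constructed sample data: placeholder routing and account numbers.
VENDOR = Vendor("acmesupply.example", "000000000", "1234567890")
SPOOFED = PaymentRequest("ap@acmesuppply.example", "000000000",
                         "9999999999", 125000, 125000)

if __name__ == "__main__":
    print(red_flags(SPOOFED, VENDOR))
```

Any non-empty result should hold the payment until the vendor is reached at a previously known phone number. Plain edit distance does not catch visually similar Unicode characters.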

Utilize bank-provided fraud protection tools and mitigate your risk by enabling and actively using ACH Positive Pay (Check Positive Pay is also recommended). Positive Pay is intended to alert you to potentially fraudulent transactions and gives you the option to return fraudulent and unauthorized transactions automatically before they process and within the allowable return timeframe.

Consider using a ghost card or virtual pay credit card payment option when possible.

If you see anything suspicious, immediately call your Treasury Solutions Manager.

To discuss fraud mitigation services and credit card payment options please call Kelly Mueller at 414-235-5897 or Kathy Macht at 414-235-5306.