We all know the degree to which the COVID-19 pandemic has shifted the workplace landscape. In the early days of the pandemic, businesses changed their processes seemingly overnight to accommodate new work-from-home setups for their employees. Despite their best efforts, businesses subsequently suffered from new security challenges. This disruption created a perfect storm for fraudsters and bad actors to exploit new vulnerabilities, particularly within accounts payable (AP) teams, and many of those vulnerabilities still exist today.
ACH payment scams are a growing concern for businesses of all sizes, as cybercriminals increasingly exploit Automated Clearing House (ACH) networks to perpetrate fraudulent transactions. Every year, organizations lose millions of dollars in revenue due to these schemes. In order to prevent ACH payment scams, you must first understand the current state of ACH fraud and the most common scamming methods. Let’s take a closer look.
Key takeaways
- ACH fraud continues to rise, with more businesses falling victim to scams each year.
- BEC and malware attacks remain significant threats to ACH payments.
- Implementing AP automation, strong internal controls, and secure payment methods can reduce fraud risk.
What is ACH fraud?
Automated clearing house (ACH) fraud occurs when cybercriminals exploit ACH networks to fraudulently transfer funds. They typically use tactics like business email compromise (BEC) or account takeover to manipulate payment details and divert funds to fraudulent accounts. ACH fraud can lead to significant financial losses, reputational damage, and operational disruptions for organizations.
What are ACH payment scams?
ACH payment scams are a type of fraud committed by using Automated Clearing House (ACH) payments. ACH is an electronic system for transferring money between financial institutions via digital transactions. The security measures in place for ACH payments may not always be enough to protect against fraudulent activity, making them a prime target for cybercriminals. As an example, a fraudster may impersonate a vendor, often through BEC or account takeover, and contact the AP team to update payment information to a fraudulent account. The AP team then thinks that they’re paying the vendor. Unfortunately, by the time an AP team realizes they’ve initiated payment to a fraudster, the funds are often long gone.
The state of ACH fraud today: How common is ACH fraud?
In recent years, a significant majority of organizations have been targeted by payment fraud attempts, with 96% of businesses reporting at least one fraud attack in 2023. Checks and ACH debits were the payment methods most impacted by fraudulent activity. Additionally, cybercriminals are becoming increasingly sophisticated in their methods, using more advanced technologies such as malware and ransomware to steal confidential information and funds from victims. As a result, organizations must remain vigilant and take proactive measures to protect themselves against these threats.
What are the different types of ACH fraud techniques?
Bad actors are increasingly turning to ACH fraud because it’s relatively easy for them to do. They typically start by breaching internal systems, such as email, to get a foothold into the company, where they can gain access to – and manipulate – invoice and payment-related information. They prey on a weak link in security: people who may not be able to discern an actual request from a fraudulent one, especially as scammers continue to get more sophisticated. Here are some of the most common types of ACH fraud schemes used today:
- BEC emails
- Malware and ransomware attacks
- Check kiting scams
- Chargeback fraud
- ACH lapping
- Ghost funding
- ACH-specific scams
BEC emails
BEC (Business Email Compromise) emails are a type of phishing attack in which cybercriminals pose as legitimate businesses or organizations and send targeted emails requesting payment information or updates to their account payment information. These malicious actors use social engineering tactics, such as contacting an AP team and requesting that they change payment information to a fraudulent account, or manipulating victims into providing confidential data, such as bank account numbers and passwords.
According to the State of AP Report, 96% of organizations report that phishing is one of the most common types of fraud they face, with business email compromise being a rising concern. The Accounts Payable (AP) team is the department most susceptible to this attack, with 58% of those surveyed noting their AP teams were compromised. Moreover, 47% of organizations noted that ACH and wire transfer payments were targets of BEC scams in 2023.
Malware and ransomware attacks
Malware and ransomware attacks involve using malicious software to gain access to sensitive information or data. These attacks can be used to steal money from bank accounts, encrypt important files and hold them for ransom, or spy on confidential conversations. For example, in 2023, ransomware incidents saw a significant uptick, with over 2,825 complaints reported, an 18% increase from 2022. These attacks resulted in a 74% rise in reported losses, from $34 million to $59 million. Cybercriminals have adapted their tactics, deploying multiple ransomware variants against the same victim and using data-destruction methods to pressure victims into negotiations (FBI IC3 Report, 2023).
Check kiting scams
Check kiting scams involve fraudsters taking advantage of the way that banks process checks. When a bank receives a check, it usually waits until the funds are available before releasing them to the customer’s account. By taking advantage of this delay, cybercriminals can write a check on one account and deposit it into another to illegally inflate their account balances.
In addition to check kiting, fraudsters also use similar tactics with ACH payments, such as:
- ACH kiting: Moving money between accounts to make balances look higher, especially around year-end.
- Insider threats: Employees use their credentials to steal money or pass it to outsiders.
- Phishing: Tricking authorized users into giving up their login info, which is then used to steal funds.
Chargeback fraud
Chargeback fraud occurs when a customer disputes a legitimate ACH payment by claiming they did not authorize the transaction, despite having made the payment. The customer then requests a chargeback from their bank, which reverses the payment and refunds the amount. Fraudsters often use this type of fraud to retain both the goods and the funds.
ACH lapping
ACH lapping is a form of fraud where a fraudster manipulates ACH payments to cover up stolen funds. The fraudster typically uses incoming payments to “cover” previous fraudulent transactions, creating a continuous cycle of theft. For example, they may use funds from a new ACH payment to offset the amount stolen from an earlier transaction, which causes a “lapping” effect that hides the original theft. This fraud is often an inside job, with an employee or vendor taking advantage of their access to payment systems to manipulate the process and hide their theft.
Ghost funding
Ghost funding fraud occurs when fraudsters gain early access to funds that have not yet been fully processed through the ACH system. For example, a user may initiate an ACH transfer to an investment platform, which credits the user’s account before the payment clears, enhancing the user experience. However, the user then uses these credited funds to buy assets or transfer them elsewhere. Days later, the ACH transfer is returned due to insufficient funds, leaving the platform with no way to recover the money since the users have already spent it.
ACH-specific scams
Scams can also enter the ACH debit or ACH credit process. Credit scams involve criminals crediting payment requests through ACH with false or fraudulent account numbers to redirect payments to their own accounts. On the other hand, debit scams involve fraudsters using a stolen bank account number to request a transfer of funds from another victim’s bank account.
MineralTree is designed to protect customers from these kinds of scams. Our AP platform is set up to perform ACH credit, which provides more control over collecting, validating, and storing information compared to higher risk ACH debits.
What’s the impact of ACH fraud on an organization?
If a company is a victim of ACH fraud, it could potentially lose hundreds of thousands or millions of dollars and be susceptible to other types of damage. A delay in payment can negatively impact your relationship with your vendor, who may also feel uneasy about doing business with you after a breach. In addition to the time, cost, and effort needed to fix the problem, there are security issues when sensitive information, such as bank accounts, is compromised. Additionally, you could potentially face damage to your reputation if the breach becomes public.
Fortunately, most ACH payments go smoothly, and there are ways to reduce your exposure to fraud, including training employees to be vigilant, identify tell-tale signs of fraud, and confirm changes to payment details by phone.
Fifty years ago, when ACH payment was introduced, companies weren’t exposed to the type of ACH fraud we’re seeing today. As the industry changed and technology became more sophisticated, so did the fraudsters. The good news is that you have multiple payment options, as well as best practices you can implement, to reduce risk and help keep your finances safe.
How to detect ACH scams
Detecting ACH scams requires vigilance and the implementation of proactive measures. Organizations should regularly monitor ACH payments for suspicious behavior, verify vendor payment details before updating them, and implement fraud detection tools. Training employees to identify red flags such as urgent requests for payment changes or unfamiliar vendor details can also help spot scams early.
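The checks described above can be run automatically before funds are released. The following is an added example, not code from this article or from MineralTree: it holds a queued ACH credit when the vendor's bank details changed recently, when the change was not confirmed by phone, when the payment account does not match the vendor record, or when one person both queued and approved the payment. All records, field names and the 14-day hold window are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article); field names are assumptions.
BANK_CHANGES = [
    {"vendor": "Acme Supply", "changed_on": date(2024, 3, 1), "new_account": "****4821",
     "requested_via": "email", "verified_by_callback": False},
    {"vendor": "Northwind Freight", "changed_on": date(2024, 1, 10), "new_account": "****7730",
     "requested_via": "portal", "verified_by_callback": True},
]
PAYMENTS = [
    {"id": "P-1001", "vendor": "Acme Supply", "account": "****4821", "amount": 48200.00,
     "pay_on": date(2024, 3, 4), "created_by": "jlee", "approved_by": "jlee"},
    {"id": "P-1002", "vendor": "Northwind Freight", "account": "****7730", "amount": 3100.00,
     "pay_on": date(2024, 3, 4), "created_by": "jlee", "approved_by": "mkhan"},
    {"id": "P-1003", "vendor": "Acme Supply", "account": "****1190", "amount": 950.00,
     "pay_on": date(2024, 3, 5), "created_by": "mkhan", "approved_by": "jlee"},
]

def review_payment(payment, changes, hold_days=14):
    """Return the reasons a queued ACH credit should be held for manual review."""
    reasons = []
    # Most recent bank-detail change on file for this vendor, if any.
    vendor_changes = [c for c in changes if c["vendor"] == payment["vendor"]]
    latest = max(vendor_changes, key=lambda c: c["changed_on"], default=None)
    if latest:
        if payment["account"] != latest["new_account"]:
            # Payment is going somewhere other than the account on record.
            reasons.append("account_differs_from_vendor_record")
        else:
            age = payment["pay_on"] - latest["changed_on"]
            if not latest["verified_by_callback"]:
                reasons.append("bank_change_not_verified_by_phone")
            if timedelta(0) <= age <= timedelta(days=hold_days):
                reasons.append("paid_within_hold_window_after_bank_change")
    if payment["created_by"] == payment["approved_by"]:
        reasons.append("same_person_queued_and_approved")
    return reasons

def held_payments(payments, changes):
    """Map payment id -> reasons, only for payments with at least one flag."""
    flagged = {p["id"]: review_payment(p, changes) for p in payments}
    return {pid: r for pid, r in flagged.items() if r}

if __name__ == "__main__":
    for pid, reasons in held_payments(PAYMENTS, BANK_CHANGES).items():
        print(pid, ", ".join(reasons))
```

A held payment is a prompt for a phone call to a number already on file for the vendor, not to a number supplied in the change request.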
Best practices for preventing ACH fraud
To protect against ACH fraud scams, organizations should utilize a combination of prevention and detection strategies. Some methods include creating strong passwords for electronic banking accounts, verifying all transactions by multiple individuals, and creating a system for flagging suspicious activity.
Here are 9 key methods to combat ACH fraud schemes:
- Strong internal controls
- Implement segregation of duties
- Utilize dual-factor authentication
- Close monitoring
- Modern cybersecurity strategy
- Vendor verification
- Employee training
- Bank account validation
- Embrace more secure payment methods
1. Strong internal controls
Internal controls help reduce the risk of fraud by ensuring that only authorized personnel have access to financial information. Organizations should also implement procedures for approving transactions and monitoring accounts to detect any unusual activity.
2. Implement segregation of duties
The same principle of checks and balances that is the foundation of our nation’s government should also be a foundation of your accounts payable process. Segregation of duties means that one person is responsible for queueing up business payments, and one person is responsible for approving those payments before funds are released.
While invoice payments can be time-sensitive, and sometimes it is quicker and simpler for AP managers to manage an invoice payment from start to finish on their own, this leaves the door open for fraud. And while this payment control seems like a no-brainer, 31% of businesses still haven’t implemented it.
3. Utilize dual-factor authentication
Dual-factor authentication adds another layer of security by requiring employees who approve payments to enter a unique security code that they receive via text or email every time they release funds. This extra layer mitigates the risk of fraud by deterring fraudsters who are constantly on the lookout for businesses that lack vigilance around cybersecurity.
4. Close monitoring
Organizations should monitor ACH payments regularly to identify suspicious behavior or transactions. This can include reviewing payments for inconsistencies or out-of-the-ordinary activity.
5. Modern cybersecurity strategy
By staying up to date with the latest security measures and technologies, such as encryption and two-factor authentication, organizations can protect against unauthorized account access and maximize payment security.
6. Vendor verification
Organizations should ensure that all vendor information is accurate and up to date. This includes verifying the bank account numbers associated with each payment request, to ensure that payments are always sent to the correct recipient.
7. Employee training
Organizations should educate their employees on the potential risks associated with ACH payments and share tips on identifying suspicious activity or transactions.
8. Bank account validation
Organizations should perform regular bank account validation checks to ensure that the bank accounts associated with payments are valid. This helps prevent fraudulent transactions from being processed.
9. Embrace more secure payment methods
Making ACH payments more secure also involves shifting as much spend as possible to more secure payment methods. A great method for secure payments is virtual cards. Virtual cards are a randomly generated set of 16-digit numbers that work like credit cards but can only be charged one time for a specified amount. This not only leads to easier payments with improved accuracy, but also eliminates the risk of vendors accidentally re-using your business’s credit card information and the risk of fraudulent payments. As organizations increasingly embrace digital solutions, virtual cards are gaining popularity: 22% of organizations have already shifted to virtual cards, reflecting their growing comfort with these faster and more secure alternatives to traditional payment methods.
Utilizing AP automation technology solutions can further reduce the risk of ACH fraud. For example, MineralTree allows businesses to automate their accounts payable process, streamline invoice data entry, and verify payments before they’re sent out. This helps minimize the number of fraudulent or unauthorized transactions that take place. Additionally, MineralTree’s advanced reporting capabilities allow users to quickly identify fraudulent activity and take corrective action in a timely manner. With MineralTree’s AP automation solution, businesses can reduce the risk of ACH fraud and protect their bottom line.
The role of MineralTree’s AP automation solution in reducing fraud risk
Organizations that use MineralTree’s AP automation solution can reap multiple benefits, including enhanced fraud protection and greater control over financial transactions. The platform’s fraud protection measures include:
- The use of randomized, one-time use 16-digit virtual card numbers in transactions
- An exact match rule that prevents vendors from pulling a different amount than what was originally approved
- Automated checks that identify potential fraud as ACH transactions flow through the system
- Proactive notification when vendor bank account information is changed in the system
- Automatic cross-checking of vendor information
Final Thoughts
Fraudulent activity continues to be a major concern for organizations, and ACH payment scams are no exception. To help protect against these types of fraud schemes, organizations should implement a combination of prevention and detection strategies, such as strong internal controls, payment monitoring, and employee training.
Additionally, utilizing an AP automation solution like MineralTree can further reduce the risk of ACH fraud and help ensure that all payments are secure. With these measures in place, organizations can rest assured knowing their accounts payable processes are well-protected against ACH fraud.
Frequently asked questions about ACH fraud
TL;DR? If you’re short on time, the frequently asked questions below provide a quick snapshot of what you need to know about ACH payment fraud.
Can you recover ACH fraud?
Recovering from ACH fraud is challenging but not impossible, and some fraud may be reversible if detected quickly enough. Businesses should contact their bank immediately to initiate an investigation and potentially reverse the transaction. However, recovery often depends on the speed of reporting and the bank’s policies.
What are the risks of ACH payments?
The primary risks of ACH payments include fraud, data breaches, and payment errors. Fraudsters can intercept ACH transactions, update vendor payment details, or impersonate vendors to steal funds. In most cases, ACH payments can be reversed or disputed, but it’s important to note that cash flow can be temporarily disrupted until the issue is resolved.
What is an example of an ACH payment?
An Automated Clearing House (ACH) payment is an electronic transfer of funds between banks. A common example is a direct deposit for payroll, where an employer transfers wages directly into an employee’s bank account via the ACH network.