Risk Management · December 15, 2023

Protect Your Business Accounts From ACH Fraud

While digital payments have allowed businesses to facilitate transactions more easily, they've also opened the door to new forms of payment fraud. Learn about ACH fraud and how it typically occurs, plus explore several ACH fraud prevention strategies you can easily implement to safeguard your business.

The days of sending employees to the bank with deposit bags stuffed with cash and paper checks are largely in the past. The evolution of electronic bank-to-bank transfers through the automated clearing house, or ACH, has made it quicker and easier than ever for companies to pay vendors and employees, receive payments and transfer funds between commercial bank accounts.


How ACH fraud works

While checks remain the payment method most vulnerable to fraud, ACH fraud is on the rise. According to the Association for Financial Professionals' 2023 Payments Fraud and Control Survey Report, 30% of organizations experienced fraudulent ACH transfers during the previous year.

ACH fraud can occur in many forms and may be perpetrated by cybercriminals and familiar contacts alike. Some of the more common methods include direct hacking, phishing scams, business email compromise and internal fraud.

Direct hacking

Criminals may use a variety of methods to steal banking passwords, account information and routing numbers to commit ACH fraud. In some cases, sensitive data may be exposed in a data breach. Likewise, poorly chosen passwords may make it easier for hackers to access your bank accounts, company servers or sensitive information.

Phishing scams

Criminals may use phishing tactics to trick employees into clicking on malicious links and attachments—ultimately revealing sensitive data. While emails are typically the most familiar form of phishing, criminals may also target employees through text messages or phone calls, often relying on social engineering tactics to create a false sense of urgency or legitimacy.

Business email compromise

An increasing threat comes from business email compromise, or BEC. These schemes typically involve criminals impersonating a known contact, such as an executive, colleague or vendor. Criminals may use spoofing technology or extensively research their targets to be more convincing. Typically, the scammer will request money, a change in payment terms or sensitive information. Because the request appears legitimate, the employee may comply, giving the scammer exactly what they need to access funds.

Internal fraud

As the name suggests, internal fraud is carried out by an employee of an organization through unauthorized transactions, invoice manipulation or embezzlement. A 2022 fraud survey conducted by KPMG found that 17% of executives in North America had experienced internal fraud in 2021.

ACH fraud detection

Because employees are often the target in payment fraud attempts, employee education remains an essential ACH fraud prevention tactic. As part of your ongoing fraud and cybersecurity training efforts, educate your team on common red flags and warning signs. These include:

  • Invoices or requests featuring different payment instructions or unfamiliar banking details
  • Email addresses, physical addresses or phone numbers that don't match your records
  • Unexpected or urgent requests for a change to remittance information
  • Customers or vendors who have reported being phished
  • Transactions that occur at unusual times or come from unusual locations
  • A higher-than-normal number of ACH chargebacks
  • Employee complaints about payroll discrepancies
  • Requests for more frequent payments
  • An employee who disregards security protocols
  • An unsolicited request for account information—even if it appears to come from a financial institution or government agency

ACH fraud prevention strategies

While your employees may be a valuable first line of defense, implementing cybersecurity best practices is key to deterring various types of payment fraud. Take the time to establish company policies and procedures such as:

  • Installing and maintaining appropriate malware and antivirus software on all company computers
  • Limiting who has access to your accounts and who can initiate payments
  • Prohibiting browsers from saving usernames and passwords—particularly for online access to your commercial bank accounts
  • Requiring verbal verification through a known phone number for any changes to vendor account details or remittance information
  • Verifying internal payment requests by calling employees through a known phone number or speaking with them in person
  • Training employees to never respond to emails asking for sensitive information and to report these emails to the IT department
  • Setting limits and implementing a dual-authorization system for all ACH transactions
  • Creating a system for regular audits and reviews

Taking advantage of any advanced fraud monitoring tools offered through your bank is another way to deter ACH fraud. For example, some financial institutions offer built-in fraud prevention tools like ACH Positive Pay, which is designed to make it easier to detect fraudulent ACH transfers before they're processed.

Lastly, remember to establish clear protocols for reporting ACH fraud and other types of scams or threats. Employees should understand the reporting process for suspicious activity and the importance of acting quickly in these situations. You may also want to establish an anonymous reporting system to make it easier for employees to report instances of internal fraud and other threats.

Key takeaways

  • While ACH transfers may be less vulnerable to fraud than checks, it's important to remain vigilant and adopt ACH fraud prevention tactics.
  • ACH fraud protection training that teaches employees to spot the warning signs of potential fraud, combined with prevention and monitoring protocols, is an effective first line of defense.
  • Take advantage of any enhanced ACH fraud monitoring tools available through your commercial bank, such as Positive Pay.
  • Be sure to report instances of fraud to your bank and IT department immediately after detection—they can help you take steps to prevent any additional losses.

Third parties mentioned are not affiliated with First-Citizens Bank & Trust Company.