Open Banking
July 9, 2024

What Is ACH Fraud and How Can Your Business Prevent It?


In 2023, scams and bank fraud amounted to $485.6 billion of losses globally. In the Americas, businesses and consumers lost a total of $151.1 billion, with payments fraud contributing $102.6 billion (68%). According to the Federal Bureau of Investigation, phishing or spoofing was the most common fraud, followed by personal data breach. These trends demonstrate how cybercrimes are getting more costly (and sophisticated) for companies, especially in an increasingly digitized financial services industry.

Financial transactions flow fast like rivers in online banking and e-commerce. However, if they are not well-monitored, they can get murky. In particular, the constant stream of transactions via the Automated Clearing House (ACH) network is a prime target for fraud because most financial institutions and credit unions heavily use this payment rail to make daily direct deposits and debits.

In this guide, we'll discuss ACH fraud in detail, including:

  • What ACH fraud is
  • How it impacts businesses
  • 3 common scams
  • How businesses can implement fraud prevention, detection, and protection

What Is ACH Fraud?

ACH fraud involves making unauthorized transactions, such as deposits and payments, by illegally acquiring two pieces of financial information: a bank account number and a routing number. Unfortunately, while ACH has simplified payments, it’s also simplified fraudulent activity. With more businesses shifting to online operations, the volume of digital transactions and communications has surged, giving cybercriminals more opportunities to obtain financial data through network breaches, identity theft, and phishing.

One specific type of phishing, Business Email Compromise (BEC), is becoming more common. An example of BEC is when a fraudster mimics your vendor's official email branding (including logos and website links) to send you an “updated invoice” with a new bank account. According to a 2024 Association for Financial Professionals survey, ACH credit payments were the most vulnerable to BEC scams in 2023 (47%), followed by wire transfers (39%) and ACH debit (20%).

How Does ACH Fraud Impact Businesses?

ACH fraud events are costly. For one, financial institutions are always liable for this type of scam and must compensate account holders. Customers are not liable for unauthorized transfers provided they report the incident to their bank within 60 days of the bank statement’s release, according to the Federal Reserve Regulation E and the Operating Rules of the ACH network’s governing body, the National Automated Clearinghouse Association (Nacha). The bank can either reimburse the customer or return the transaction to the Originating Depository Financial Institution (ODFI).

Meanwhile, businesses are not covered under Regulation E protections and only have 24 hours to report. Beyond that time limit, they will be liable instead of the bank. Aside from immediate financial impact, a company can suffer reputational damage if cybercriminals hack their network and acquire bank customers' financial information. The aftermath can also lead to severe operational disruptions, including participating in extensive investigations, managing customer/client lawsuits, and high legal fees/fines and insurance premiums.

3 Examples of ACH Payment Scams

ACH scams target the vulnerabilities in a business’s transaction flow. Three of the most common scams to look for are listed below. Note how your company can address them through fraud prevention tactics and tools.

1. Phishing

What is it?

Phishing scams use complex social engineering. Hackers pose as vendors, government agencies, or any reputable company to trick targets into confirming their banking details or making ACH payments via malicious links embedded in emails and text messages. Once a link is clicked, malware is installed, and sensitive data is exposed to the fraudster.

How to beat the scam

To prevent these scams, companies should implement comprehensive employee training programs to identify tactics, such as spotting edited images or links. Multi-factor authentication (MFA) and secure email gateways can also filter out phishing emails automatically. In addition, many banks offer an ACH positive pay service, which allows businesses to submit a list of authorized vendors. This list gets cleared to receive automatic payments and can include filters like maximum transaction amounts.

2. CEO/CFO Fraud

What is it?

A form of identity theft, this scam involves fraudsters posing as the CEO/CFO to send an email or voicemail requesting unusually large electronic funds transfers (EFTs). This type of fraud has been increasingly made possible by generative artificial intelligence (AI). A more sophisticated version of this scam is deepfake video impersonation. In February 2024, a Hong Kong-based finance professional made headlines when they paid a staggering $25 million to scammers who used deepfake technology to pose as the employee’s CFO and colleagues during a video conference call.

How to beat the scam 

As a prevention measure, companies can establish a verification protocol for all financial requests, such as requiring a tokenized code for transactions over a specific amount. Another strategy is to require two people for verification — one to authorize the payment and another to release it.
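The two controls described so far, a positive-pay style vendor list with amount ceilings and two-person release above a threshold, can be expressed as a single pre-release check. The sketch below is an added example, not code from Trustly or any bank; the vendor records, the threshold value and all names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist in the spirit of ACH positive pay: each approved vendor
# is pinned to one routing/account pair and a per-payment ceiling.
APPROVED_VENDORS = {
    "acme-supplies": {"routing": "000000001", "account": "1111222233", "max_amount": 25_000},
    "north-freight": {"routing": "000000002", "account": "4444555566", "max_amount": 5_000},
}
DUAL_CONTROL_THRESHOLD = 10_000  # assumed policy value, not from the article


@dataclass
class PaymentRequest:
    vendor_id: str
    routing: str
    account: str
    amount: float
    authorized_by: str
    released_by: Optional[str] = None


def evaluate(req):
    """Return (decision, reasons); decision is 'release', 'hold' or 'reject'."""
    vendor = APPROVED_VENDORS.get(req.vendor_id)
    if vendor is None:
        return "reject", ["vendor not on approved list"]
    reasons = []
    # An "updated invoice" with new bank details fails here even if the
    # vendor name and branding look legitimate.
    if (req.routing, req.account) != (vendor["routing"], vendor["account"]):
        reasons.append("bank details differ from approved record")
    if req.amount > vendor["max_amount"]:
        reasons.append("amount exceeds vendor ceiling")
    if reasons:
        return "reject", reasons
    # Two-person rule: one person authorizes, a different person releases.
    if req.amount > DUAL_CONTROL_THRESHOLD:
        if req.released_by is None:
            return "hold", ["second person must release"]
        if req.released_by == req.authorized_by:
            return "hold", ["releaser must differ from authorizer"]
    return "release", []
```
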

3. ACH Kiting

What is it?

This scam involves exploiting the time delay in ACH transfers to move funds between different accounts and banks to withdraw money that is still in transit. This type of fraud is usually done by an insider who withdraws funds from the company at the end of the year. The employee then records the withdrawn money as in-transit and then records a decrease the following year to supposedly “reflect” this fund movement.

How to beat the scam

To address this, businesses can implement real-time analytics to monitor unusual transaction patterns. Additionally, setting up automated alerts for rapid movements of funds between accounts can flag kiting activities before they snowball. For example, Trustly’s risk mitigation solution uses machine learning (ML) models to identify suspicious activities across its merchant network and consumer data ecosystem in real time.
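As an added illustration of the alerting idea (not Trustly's model or any vendor's code), the sketch below replays a transfer ledger and flags outbound transfers that an account can only cover by counting inbound funds that have not yet settled. The two-day settlement delay, account names, balances and transfers are all constructed assumptions.

```python
from datetime import datetime, timedelta

SETTLEMENT_DELAY = timedelta(days=2)  # assumed settlement window

# Constructed sample ledger: (initiated_at, source, destination, amount)
TRANSFERS = [
    ("2024-07-01T09:00", "bankA:ops", "bankB:ops", 9000),
    ("2024-07-01T15:00", "bankB:ops", "bankC:ops", 8500),
    ("2024-07-02T10:00", "bankC:ops", "bankA:ops", 8000),
    ("2024-07-08T09:00", "bankA:ops", "bankD:payroll", 1200),
]
OPENING_BALANCES = {"bankA:ops": 10000, "bankB:ops": 500,
                    "bankC:ops": 300, "bankD:payroll": 0}


def find_float_dependent_transfers(transfers, opening, delay=SETTLEMENT_DELAY):
    """Flag outbound transfers that exceed the settled balance of the source
    account while inbound funds to that account are still in transit."""
    rows = sorted((datetime.fromisoformat(t), s, d, a) for t, s, d, a in transfers)
    alerts = []
    for i, (when, src, dst, amount) in enumerate(rows):
        settled = opening.get(src, 0)
        in_transit = 0
        for prev_when, p_src, p_dst, p_amt in rows[:i]:
            if p_src == src:
                settled -= p_amt          # earlier debits leave immediately
            elif p_dst == src:
                if prev_when + delay <= when:
                    settled += p_amt      # inbound credit has settled
                else:
                    in_transit += p_amt   # inbound credit still in flight
        if amount > settled and in_transit > 0:
            alerts.append({"at": when.isoformat(), "account": src,
                           "amount": amount, "settled": settled,
                           "in_transit": in_transit})
    return alerts


if __name__ == "__main__":
    for alert in find_float_dependent_transfers(TRANSFERS, OPENING_BALANCES):
        print(alert)
```
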

How Are Nacha and Banks Implementing ACH Fraud Prevention?

Because of these scams’ increasing sophistication (and financial damages), Nacha and its member institutions have been implementing the following strategies:

  • Enhanced detection systems. Banks have been exploring advanced anomaly detection systems that use ML and behavioral analytics for real-time fraud detection.
  • Stronger authentication protocols. Adopting next-level cybersecurity for initiating ACH transactions, such as tokenized account authentication (using encrypted codes), MFA, and biometrics, has significantly increased fraud protection by making identity verification more difficult to fake.
  • Education and awareness programs. Banks and Nacha are actively educating their employees, clients, and members about the latest fraud tactics (particularly social engineering methods) and collating resources for best fraud prevention practices, such as setting up strong passwords and cybersecurity protocols.
  • Improved rules for the ACH network. In response to growing BEC-related fraud, Nacha members approved a new set of rules in March 2024. The rules allow the ODFI to request the return of payment as soon as fraud is detected. Meanwhile, the receiving depository financial institution (RDFI) can delay fund availability to investigate further and proactively return flagged transfers even without a customer request or claim.

Trustly Makes ACH Fraud Prevention Easy

ACH fraud incidents are rising, and businesses must be vigilant and proactive by establishing robust prevention strategies. As EFTs become the preferred payment method, you need a system that protects financial transactions at every step of the process. Trustly can help your business stay ahead of fraudsters through our AI-driven risk engine that continuously monitors transactions (and learns from them). In addition, Trustly Pay can seamlessly integrate with ACH payments to maximize approval rates and mitigate risks without sacrificing data security.

Schedule a meeting with an expert to learn how our solutions can give you peace of mind when making banking transactions.
