ACH fraud 101: How these scams work and how to prevent them

Payments
Payments

Accept payments online, in person, and around the world with a payments solution built for any business – from scaling startups to global enterprises.

Learn more 
  1. Introduction
  2. Types of ACH fraud
    1. Types of fraudulent ACH transactions
    2. Common ACH fraud tactics
  3. How to trace ACH payments
    1. Gather information
    2. Contact bank
    3. Initiate trace
    4. Review results
  4. Liability in ACH fraud
    1. Unauthorised debits
    2. Business email compromise (BEC)
    3. Account takeover
    4. Data theft
    5. Phishing scams
    6. Insider threats
    7. ACH kiting
    8. Fake payments
  5. ACH fraud detection
    1. Transaction monitoring
    2. Review procedures
    3. Know Your Customer (KYC) practices
    4. Information sharing
    5. Fraud response plan
  6. ACH fraud prevention

ACH (Automated Clearing House) payments are electronic payments that move funds between bank accounts using the ACH network in the United States. This system is managed by Nacha and facilitates a variety of payment types including direct deposits from employers, payments to contractors, automatic bill payments, and peer-to-peer transfers.

Like other types of electronic payments, ACH transfers are vulnerable to fraud. Thirty percent of organisations reported facing this type of fraudulent activity in 2022, up from 24% in 2021. This guide explains what you need to know about ACH fraud, including common fraud methods, liability in the event of ACH fraud, and how to prevent and detect ACH fraud.

What’s in this article?

  • Types of ACH fraud
  • How to trace ACH payments
  • Liability in ACH fraud
  • ACH fraud detection
  • ACH fraud prevention

Types of ACH fraud

ACH fraud includes a variety of tactics that exploit the process of electronic funds transfers within the ACH network. Here are the different types of ACH fraud and common methods used to perpetrate ACH fraud.

Types of fraudulent ACH transactions

Most types of ACH fraud occur when fraudulent actors use ACH debits to transfer funds to accounts they control or can access. They do this by gaining unauthorised access to the victim’s banking data or by manipulating existing payment systems to send unauthorised funds to their own accounts. Fraudulent actors might also employ long-term tactics to avoid detection, slowly embedding themselves into financial workflows or systems.

Unauthorised debits

Fraudulent actors can initiate unauthorised debits when they obtain a victim’s bank account number and bank routing number, which they can use to withdraw funds from that account. They can acquire these details through phishing attacks, data breaches, or by intercepting physical documents such as checks.

  • Execution: Once they have the account details, fraudulent actors can initiate ACH debits by pretending to be the account holder or other legitimate entities authorised to withdraw funds. These transactions might be small to avoid detection.

  • Detection and prevention: Customers and banks can use tools such as ACH filters and blocks that allow account holders to specify which individuals and entities are authorised to make debits. Customers should regularly monitor accounts for any unauthorised transactions.

Account takeover

Account takeover occurs when fraudulent actors gain unauthorised access to a bank account’s digital platforms. Cybercriminals might use malware, phishing, or keylogging to steal login credentials.

  • Execution: Using login credentials, the fraudulent actor can log in to a bank account and initiate ACH transfers to other accounts they control.

  • Detection and prevention: Minimise the risk of account takeovers by implementing multi-factor authentication (MFA) for accessing banking platforms and advanced security measures such as behavioural biometrics, as well as training employees about cybersecurity practices.

ACH kiting

ACH kiting is when fraudulent actors exploit the lag between the initiation of the ACH transfer and when the funds are debited or credited, effectively creating a false balance.

  • Execution: Fraudulent actors transfer funds between accounts they control at different banks to artificially inflate the balance before the transactions clear, allowing them to withdraw or spend money that does not exist.

  • Detection and prevention: Banks can use tools to analyse patterns that might indicate kiting, such as frequent cross-bank transfers of round sums. They can also implement enhanced verification for the release of funds.

Fake payments

This scheme involves sending fraudulent invoices to companies or manipulating existing payment instructions to divert payments to accounts that fraudulent actors control.

  • Execution: By posing as legitimate vendors or creating entirely fictitious orders, fraudulent actors convince businesses to make ACH payments to the wrong accounts.

  • Detection and prevention: Businesses should verify changes in payment details with known contacts via a secure and separate communication channel. Regular training for employees on scrutinising invoices and payment requests can prevent such fraud.

Common ACH fraud tactics

Fraudulent actors can use the following methods to gain access to the data required to commit fraud or convince authorised parties to initiate debits to their accounts. Fraudulent actors might also exploit weaknesses across different systems (banking, email, data storage) to orchestrate a multi-pronged attack, making it more difficult for businesses and banks to track and prevent fraud.

Data theft

A fraudulent actor intercepts or steals customer information that they can use to initiate fraudulent transactions. This might involve hacking into a company’s databases, physical theft such as stealing documents, or social engineering techniques to gather sensitive data.

  • Execution: Once fraudulent actors have enough data, they can use it to initiate fraudulent ACH transactions or sell the data on the black market.

  • Detection and prevention: Businesses can guard against data theft by encrypting sensitive data, maintaining strict IT security practices, and regularly performing security audits. Businesses should ensure that physical documents are stored and disposed of securely.

Phishing scams

Phishing is when fraudulent actors deceive the target into revealing sensitive information such as login credentials and account numbers, usually through fake emails or websites that mimic legitimate entities.

  • Execution: Once the information is obtained, fraudulent actors can use it for unauthorised access and transactions, including ACH debits.

  • Detection and prevention: Educating users to recognise phishing attempts and verify the authenticity of requests for sensitive information can reduce the risk. Businesses should also consider implementing email filters and security protocols to detect and block phishing emails.

Business email compromise (BEC)

In this sophisticated scam, fraudulent actors use phishing tactics to impersonate company executives or vendors.

  • Execution: Fraudulent actors might forge or intercept emails that direct finance personnel to change account information for ACH payments, redirecting these payments to accounts the fraudulent actors control, or directing them to initiate transfers to fraudulent accounts.

  • Detection and prevention: Verification procedures such as secondary sign-offs by another employee can help prevent this type of fraud. Employees should be able to recognise phishing and to be sceptical of changes to payment details that are communicated via email alone.

Insider threats

Sometimes, individuals within an organisation such as employees or contractors might misuse their privileges for personal gain.

  • Execution: Insiders might initiate unauthorised transactions or alter account information to divert funds.

  • Detection and prevention: Regular audits, segregation of duties, and monitoring unusual activity can help mitigate this risk. It’s also important to establish a culture of security and ethical behaviour.

How to trace ACH payments

Tracing ACH payments can help resolve issues such as non receipt of funds, errors, or suspected fraud. The sooner you initiate a trace, the easier it is to track the details accurately.

Gather information

To trace an ACH payment, start by collecting all relevant information about the ACH transaction, including transaction amount, date, transaction ID or reference number, and the originating and receiving account numbers and bank names.

Contact bank

Contact the bank where the transaction was initiated (if you are the sender) or the bank where the funds were sent (if you are the recipient). Phone calls can be more effective than emails for urgent issues. Provide the bank with all transaction details.

Initiate trace

Your bank will probably require you to fill out a form to formally request a trace. They will send this form through the ACH network to the other bank involved in the transaction and verify whether the transaction was processed correctly by each bank, the current status of the transaction, and where any discrepancies or errors occurred. Some banks might charge fees for tracing services.

ACH traces can take several business days to complete. Follow up regularly to check on the progress of the trace.

Review results

Once the trace is complete, the banks involved will provide a report detailing the path of the transaction and any issues that arose. If there was an error, banks can correct the error by reprocessing the transaction or making necessary adjustments to account balances. Document all communications and the results of the trace. This documentation can help resolve disputes and serve as evidence if legal action becomes necessary.

Liability in ACH fraud

The question of liability in ACH fraud will depend on the specifics of each case, although laws are generally favourable towards consumers and have stricter requirements on businesses and banks. Laws such as the Electronic Fund Transfer Act (EFTA) in the US greatly limit consumer liability for unauthorised electronic transactions, as long as account holders act within the stipulated time frames. Businesses might be required to bear the cost of fraud if they cannot demonstrate that they had adequate controls in place, and banks might be liable if their security procedures are deemed inadequate or if they fail to follow agreed-upon protocols.

In many cases, the resolution of liability in ACH fraud scenarios can involve negotiations between the affected parties and might require legal intervention to determine fault. Implementing strong preventive measures and maintaining clear, documented procedures for handling electronic transactions can help organisations mitigate risks and clarify liability in the event of fraud.

Here’s how liability is typically assigned in common scenarios such as unauthorised debits, BEC, or account takeover.

Unauthorised debits

Regulations such as the US EFTA require the customer’s bank to reimburse the customer for unauthorised debits, provided the customer reports the unauthorised transaction within 60 days of the statement showing the debit.

Business email compromise (BEC)

In cases of BEC, liability often falls on the business whose employee authorised the fraudulent transfer, especially if the employee was negligent and failed to follow internal security procedures.

Account takeover

Customers are typically not liable for fraudulent transactions resulting from an account takeover if they notify the bank in a timely manner. Banks might bear the liability if they failed to implement reasonable security measures.

Data theft

When a company’s data is breached, the company can be held liable if they were negligent in how they secured their data. Negligence might include failing to comply with industry security standards or not taking adequate preventive measures.

Phishing scams

If a customer falls victim to a phishing scam and reports unauthorised transactions in a timely manner, the bank will typically cover the losses. If the customer was grossly negligent (e.g. sharing PINs or passwords), they might bear some or all of the loss.

Insider threats

The organisation where the insider operates typically bears the liability for these losses, especially if inadequate controls or oversight facilitated the fraud. In some cases, banks might pursue action against the individual perpetrator.

ACH kiting

The perpetrator of ACH kiting can be held liable for fraud. Banks might also face liability if they failed to detect and stop the suspicious activity because of a lack of proper monitoring systems.

Fake payments

Liability might fall on the entity that failed to verify the authenticity of the payment request or invoice, particularly if they did not perform due diligence. Banks are generally not liable if they processed the transaction in accordance with the instructions received.

ACH fraud detection

Detecting ACH fraud requires diligent monitoring, reviewing, and sharing information. Here’s what you should know.

Transaction monitoring

Implement specialised software that continuously analyses your ACH transactions against established baselines and historical patterns. Machine learning and artificial intelligence can learn your business’s typical payment behaviour and flag potentially suspicious transactions based on complex patterns that humans might miss. The following might be signs of potential fraud.

  • Unusual IP addresses or devices associated with transactions

  • Deviations in transaction volume or amounts compared to historical averages

  • Payments to new beneficiaries, especially those in high-risk geographic locations

  • Irregular transaction times (outside of standard business hours)

  • Urgent requests (e.g. emails or calls demanding immediate action) pressuring businesses to expedite payments or send money to unfamiliar accounts

  • Inconsistencies in names, account numbers, or other details within a payment request

Review procedures

  • Manual scrutiny of high-risk transactions: Carefully examine the transactions that your monitoring tools flag. Dedicated staff should check for irregularities in beneficiary details, payment history, and any associated communications.

  • Spot audits: Conduct random audits on a subset of ACH transactions. Even if you do not discover any fraud, some fraudulent actors might be deterred if they know a business is scrutinising transactions closely at any time.

  • ACH return analysis: Monitor ACH returns closely. High return rates can point to unauthorised debits or fraudulent beneficiary information. Analyse reasons for returns and look for patterns.

Know Your Customer (KYC) practices

  • Customer verification: Before initiating recurring payments or adding new beneficiaries, conduct due diligence. Verify addresses and business legitimacy and check against sanctions lists and fraud databases.

  • Relationship monitoring: Check regularly for changes in recipient behaviour, communication style, or updated bank account information that could indicate an account has been compromised.

Information sharing

  • Bank collaboration: Maintain open communication with your bank’s fraud prevention department. They can alert you to emerging fraud patterns and collaborate on investigations.

  • Industry networks: Join industry associations and fraud prevention networks. Sharing threat intelligence and best practices helps everyone stay a step ahead of fraudulent actors.

Fraud response plan

Don’t wait until an incident happens to decide what to do. Proactively create a plan that includes the following steps.

  • Who to contact at your bank

  • Internal reporting and investigation protocols

  • Steps to mitigate further damage (e.g. freezing accounts, changing credentials)

  • Requirements for law enforcement involvement

ACH fraud prevention

ACH fraud poses a significant threat to businesses, including lost funds and reputational damage. Here’s how to fortify your defences and prevent ACH fraud attempts.

  • Multi-factor authentication (MFA): Enforce MFA for all logins and financial transactions. Require an additional verification step beyond just a username and password. This reduces the risk of unauthorised access even if login credentials are compromised.

  • Pre-authorised payments: This ACH debit verification system allows businesses to pre-authorise legitimate recipients and amounts for ACH debits. Any deviations trigger alerts for review before processing, preventing fraudulent withdrawals.

  • Staff training: Train staff to recognise phishing attempts, social engineering tactics, and red flags associated with ACH fraud. Educate them on proper procedures for handling ACH transactions and reporting suspicious activity.

  • Segregation of duties: Implement a system in which different employees handle tasks such as initiating payments, approving transactions, and reconciling accounts. This reduces the risk that a single employee will manipulate the system for fraudulent purposes.

  • Real-time monitoring: Use real-time transaction monitoring tools to identify anomalies and suspicious activity and stop them before they’re processed.

  • Reconciliation procedures: Establish thorough reconciliation procedures to compare expected payments against actual debits and credits. Regularly review bank statements and identify any discrepancies that could indicate fraudulent activity.

  • Data encryption: Ensure all sensitive data, including account information and financial records, is encrypted at rest and in transit. This makes it much harder for fraudulent actors to steal valuable information even if they breach your systems.

  • Access controls: Implement strict access controls for financial data and ACH processing systems. Only grant access on a need-to-know basis and use strong password policies with regular password changes.

  • Fraud prevention services: Consider partnering with fraud prevention specialists that offer advanced threat intelligence and monitoring services. These services can provide additional layers of security and expertise in detecting sophisticated fraud attempts.

  • ACH network participation: Participate in ACH network risk mitigation initiatives. These initiatives offer resources and tools to identify emerging threats and best practices for combating ACH fraud.

The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.

Ready to get started?

Create an account and start accepting payments – no contracts or banking details required. Or, contact us to design a custom package for your business.
Payments

Payments

Accept payments online, in person, and around the world with a payments solution built for any business.

Payments docs

Find a guide to integrate Stripe's payments APIs.