Hackers and ACH Fraud


Over the last 15-20 years, Automated Clearing House (ACH) transactions have become standard payment methods for things like payroll, accounts receivable, and most other transfers to and from an organization’s bank account.

ACH solutions have been relatively low risk and affordable, which is why most businesses utilize them. However, ACH fraud is on the rise—increasing 6% since 2021—thanks to mobile banking and payment systems (Zelle, Venmo, CashApp, etc.), and businesses need to protect against it.

What Is ACH Fraud?

Automated Clearing House fraud involves unauthorized transactions through the ACH network—which processes large volumes of credit and debit transactions daily—including direct deposits, payroll, and vendor payments.

Typically—and simply put—a bad actor needs two things to accomplish ACH fraud: 

  • A bank account number 
  • A bank routing number

Once a hacker has those two numbers, one of two things happens: they initiate a fraudulent transfer, or a legitimate transaction is made via ACH and they then claim the payment was fraudulent and request a refund.

Because the process of these transactions is partially automated, and because ACH fraud is fairly easy to commit, the risk of losing money is significant.

It should be noted that the overall amount of ACH fraud is a small percentage of the total fraudulent transactions in the payment system environment. Credit or debit card fraud far outpaces it in terms of total losses. However, the single loss expectancy of a fraudulent ACH transaction is much higher since most credit cards have predetermined spending limits, which are usually much lower than most ACH transactions.


How Does ACH Fraud Happen?

 

ACH fraud can take several different forms and often targets small to medium-sized businesses, healthcare providers, and educational institutions.  

Common ACH Fraud Methods:

  • Insider Employee Fraud: Employees with access to sensitive data can commit fraud by approving fake invoices or redirecting payments to personal accounts. Example: A large healthcare company lost $840,000 when a hacker impersonated an employee and altered ACH instructions.
  • Data Breaches: Criminals often use stolen customer credentials from data breaches to access bank accounts and withdraw funds through the ACH network.
  • Loss or Theft of Debit Cards: If a lost or stolen debit card is not reported immediately, criminals can use it to perform unauthorized ACH withdrawals.
  • Phishing Attacks: Threat actors trick individuals into revealing sensitive bank information through deceptive emails or texts, sometimes using QR codes or malicious links asking victims to “reset” their password, and then use that information to initiate unauthorized ACH payments.
  • Ghost Funding: Fraudsters exploit immediate access to funds credited by investment apps before ACH payments settle, spending or transferring the money, which later results in insufficient funds.
  • Account Takeover Fraud: Using social engineering, the bad guys gain access to bank accounts to make unauthorized transfers or use the accounts for further fraudulent activities.

Fraudulent ACH Returns

ACH returns can also be exploited by criminals, either through bank-initiated or customer-initiated returns.

  • Bank-Initiated Returns: These usually happen due to insufficient funds. Cybercriminals may take advantage by transferring money to an investment account, purchasing crypto, and then having the transaction return for insufficient funds, leaving the bank unable to recover the money.
  • Customer-Initiated Returns: Hackers may claim they did not authorize a legitimate transaction to get their money back while keeping the purchased product. Alternatively, they might use stolen account information to authorize a payment, leading the real account owner to dispute the transaction and receive a refund.

How to Prevent ACH Fraud

We advocate for a holistic approach to cybersecurity and will continue to do so. One of the best first steps is to have an educated and vigilant human firewall. Since 90% of all cybercrime stems from human error or behavior, your most important resource (yourself and your people) should be one of your best lines of defense.

Additional defenses against ACH fraud are:

  • Multi-factor authentication: One of the easiest ways to prevent unauthorized ACH transactions is to use two-factor authentication to initiate transfers. This means something you know—like a password—and something you have—like a one-time token generator—are both required before a transaction can be approved. This helps ensure that the person initiating the transaction is truly authorized and not an imposter.
  • Transaction limits: Strong procedures around push transactions—individual transaction limits, limits on total transaction amounts, volumes per day or week, etc.—can also help thwart attacks. While they may not stop a hacker from getting funds, they may limit the amount.
  • Strict IP address restrictions: This, admittedly, may be a bridge too far for some, but limiting the ability to create new users or initiate transactions based on a pre-approved location would force a hacker to impersonate someone on your network. This increases the complexity of the attack and improves your chances of detecting malicious activity through the rest of your security tools.
  • Tightly control new ACH user creation: Two levels of approval should always be required to ensure that one compromised account can’t be used to create another account. If this is not prevented, those two accounts could be used to provide dual control authorizations for large transfers.
  • Vendor verification: Verify the authenticity of new vendors before processing any ACH payments.
  • Set up alerts: Configure your banking system to send real-time alerts for all ACH activities.
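
As an added illustration (not from the original article or any banking product), the sketch below combines three of the controls above: transaction limits, IP restrictions, and a dual-control check that rejects an approver whose account the initiator could have created alone. All names, limits, and the address range are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy values; real limits come from your own risk appetite.
PER_TXN_LIMIT = 25_000                          # dollars per push transaction
DAILY_LIMIT = 60_000                            # dollars released per day
ALLOWED_NETS = [ip_network("203.0.113.0/24")]   # pre-approved range (documentation block)

@dataclass
class User:
    name: str
    created_by: str
    creation_approved_by: Optional[str]   # second approver of the account creation

@dataclass
class Transfer:
    amount: int
    initiator: str
    approver: str
    source_ip: str

def controller(u: User) -> Optional[str]:
    """Who single-handedly controls this account, if its creation lacked a second approver."""
    return u.created_by if u.creation_approved_by in (None, u.created_by) else None

def linked(a: User, b: User) -> bool:
    """True if one actor could hold both accounts: one minted the other, or a third minted both."""
    ca, cb = controller(a), controller(b)
    return ca == b.name or cb == a.name or (ca is not None and ca == cb)

def review(t: Transfer, users: dict, released_today: int) -> list:
    """Return the reasons to hold a transfer; an empty list means it may be released."""
    reasons = []
    if t.amount > PER_TXN_LIMIT:
        reasons.append("per-transaction limit")
    if released_today + t.amount > DAILY_LIMIT:
        reasons.append("daily limit")
    if not any(ip_address(t.source_ip) in net for net in ALLOWED_NETS):
        reasons.append("source IP not pre-approved")
    if t.initiator == t.approver or linked(users[t.initiator], users[t.approver]):
        reasons.append("approver not independent of initiator")
    return reasons

# Constructed sample accounts: temp7 was created by alice with no second approval.
USERS = {
    "alice": User("alice", "root_admin", "cfo"),
    "bob": User("bob", "root_admin", "cfo"),
    "temp7": User("temp7", "alice", None),
}
```

A transfer initiated by alice and approved by temp7 is held even though two distinct logins signed off, because both trace back to a single actor.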


These steps will severely limit your vulnerability to ACH fraud, but despite your best efforts, fraud may still occur. Having a response plan is crucial.

ACH Fraud Recovery and Response

  • Contact your bank: Notify your bank immediately to freeze the account and prevent further unauthorized transactions. Depending on your financial institution, you may only have 24-48 hours to attempt to reverse the transaction and recover funds.
  • Investigate: Work with your bank and possibly law enforcement to trace the fraudulent transaction(s) and identify the perpetrator.

Recovering stolen funds depends on the type of ACH fraud, how it was perpetrated, and the different parties involved. Unfortunately, in some cases, you or your organization could bear the monetary loss from ACH fraud, and legal steps might be needed to resolve disputes and attempt to recover any funds.

Automated Clearing House fraud threatens businesses and individuals, but with the right strategies and tools, you can protect your assets.