Understanding the Basics of ACH Fraud

ACH or Automated Clearing House payments are payments made through the electronic payments network known as the ACH Network in the United States. While there are many benefits to these largely automated ACH payments, there are still ways that ACH fraud can occur.

Ultimately, ACH fraud is relatively rare. A 2018 study that looked at the Federal Reserve Payments found that payment fraud represented only a fraction of 1% of the total value of payments; among all payments, ACH fraud is extremely low at 0.08 basis points, or 8 cents for every $10,000 in payments. However, this does not necessarily mean that it is uncommon or might not occur for your business.

If you provide ACH payment processing for your business or clients, it’s important to recognize that your company is liable for ACH payment fraud so you need to be prepared to mitigate it or prevent it from happening in the first place.

In this article, we want to provide a breakdown of ACH fraud and what you need to be looking for.

What is ACH fraud?

ACH fraud is unauthorized ACH transactions or the fraudulent transfer of funds through the ACH Network. ACH fraud typically targets a specific bank account and takes advantage of the time delay that occurs in ACH processing.

While rare, ACH fraud is easy to execute. All that is needed in order to execute ACH fraud is an account number and a bank routing number. Therefore when someone obtains this information, that is all they need to initiate a payment.

ACH fraud is mitigated by the ACH network. An ACH transfer, which will transfer from one bank account to another, must go through the ACH Network. The ACH Network comprises a number of actors (automated and human) that are in place to ensure that money transfers are secured and successfully processed.

Those in the ACH Network include the Originating Depository Financial Institution (ODFIs) and Receiving Depository Financial Institution (RDFIs), the Clearing House, the National Automated Clearing House Association (NACHA), and the Federal Reserve. Based on the NACHA Operating Rules, each ACH entity must adhere to a set of guidelines in order to ensure that the ACH file that is being processed is checked to ensure that the file submitted adheres to the guidelines set out.

Common ways hackers commit ACH fraud

Obtaining the bank account and routing number is obviously the hardest part of the ACH fraud process, but there are ways that hackers can obtain this information and then execute ACH fraud.

Here are some common ways that hackers can obtain a bank account and routing number information and proceed with ACH fraud:

  • A data breach in commercial credentials: When a criminal gains access to customer credentials, they are able to submit an unauthorized ACH transaction in the originator’s name and quickly withdraw the funds through an ACH debit. In this type of credential theft, there is usually a massive data breach where a group of criminals is able to gain backdoor entrance into sensitive customer credentials.
  • Insider threat scenario: An insider threat is someone who has access to sensitive banking information or credentials. While companies use certain techniques in order to prevent insider attacks, there are some scenarios that can’t be avoided. This is because companies still rely on humans, who are susceptible to being lazy from time to time or choose to perform a criminal act with the information that they have access to.
  • Check kiting scam: Check kiting for ACH is a check fraud scheme where the criminal takes advantage of the lag time when processing ACH transfers. It is commonly referred to as check kiting because this type of action originated when checks were a primary way to move money. In ACH check kiting, a criminal will juggle money bank and forth between accounts at separate banks so that the ACH is registered as valid when it is checked, but then the money is gone by the time the transfer goes through.
  • Spear phishing scam: A spear-phishing scam is when an email is sent to an individual and by clicking on that email the individual is redirected to a website infected with malware. That site will then install a keylogger software that can record all the keystrokes typed on a keyboard. Once the keylogger is installed, the fraudster can monitor the keystrokes and identify when a password is being punched in.
  • Debit card fraud: If you lose a debit card, you are encouraged to report it to the bank so that the bank account can be deactivated. Unfortunately, this does not always happen right away so sometimes a scammer will be able to place an unauthorized transaction with the debit card.

There are a few main ways that criminals can gain access to sensitive banking information. Usually, it is obtained through a malicious attack either by means of an external data breach or an insider threat. And in many cases, the malicious attack will also expose other vulnerable information like a social security number and potentially lead to identity theft.

With the authorization credentials in hand, the thief can access authorized information and use it to send themselves an ACH transfer, pay a bill by means of ACH transfer, or set up recurring billing through an online banking portal.

How to protect and account from ACH fraud

ACH fraud is rare because of the preventative measures that are inherent in the banking and fintech industry as well as multi-factor authentication (MFA), encryption, and secure file transfers.

If your business will be facilitating the transfer of ACH funds, you must ensure that you set up all of these preventative measures.

Here are some ACH fraud prevention measures that your financial institution (such as the bank, credit union, or ACH API that you use) should adhere to:

  • Abide by the NACHA Operating Rules to avoid attacks
  • Make sure to wait the appropriate amount of time (48 hours) after the ACH entry request has been submitted in order to process a return code
  • Practice Know Your Customer (KYC) standards
  • Refer regularly to Office of Foreign Assets Control (OFAC) guidelines
  • Set up ACH fraud mitigation guidelines under NIST cybersecurity maturity levels and other financial cybersecurity protections
  • Set up multi-factor authentication (MFA) for client logins
  • Submit all sensitive personal information over an encrypted and secure network (HTTPs)
  • Practice a risk-based authentication so that the identity of the receiver is confirmed
  • Set up authorization blocks such as an ACH block, which will request authorization for every ACH transfer being passed on a checking account
  • Set up an ACH filter to block a fraudulent transaction

In addition to these security best practices during the ACH transaction period, make sure that the payment data collected is stored securely using PCI approved hardware and software and by using PCI DSS Validated Entity service providers.

Security numbers or electronic track data should not be stored locally or unencrypted and phone recordings containing credit card accounting information need to be encrypted if stored. It is recommended that an ACH alert is set up for each customer so that the customer can monitor and stop an unauthorized ACH debit and stop ACH debit fraud early on.

Technology to prevent ACH fraud

There are additional fraud protection measures to be taken in order to protect your business and clients against ACH payments fraud. You can consider useful technologies such as secure APIs and cryptocurrency as a form of performing ACH transfers securely.

Both of these technologies are built with security in mind, so you know that by investing in an ACH API that the payment data will be kept or transferred securely.

ACH APIs, which are Automated Programming Interfaces dedicated to the sole task of transferring funds over the ACH Network, is a robust yet concise code that requires API authentication in order to access any of the information provided, making the technology virtually hack-proof.

The same goes for cryptocurrency, which encrypts data through a public and private key that publishes transactions through a public accessing blockchain, thereby verifying that the transaction went through while simultaneously keeping the transaction details secret.

An ACH API is the best way to send money as it can be embedded into a financial service and it can use secure third-party service providers in order to ensure authentication and client authorization. An ACH API that uses cryptocurrency will also improve the security of the ACH transfer as the transfer is then confirmed on the blockchain and forever protected.  

If you facilitate ACH transactions then you will have to stay on top of current fraud threats and keep up with trends and fraud regulations around providing secure ACH transactions.
Additionally, providing ACH transactions through a secure ACH API like Sila can nearly guarantee that compliance and security measures are always followed.