An ACH payment is a secure way to send money from one bank account to another. However, every day, millions of dollars are compromised due to ACH fraud.
While the ACH Network is secure, and there are measures in place that ensure that it is continually secured, all parties play a role in maintaining security requirements.
If you are an ACH operator, you need to maintain the level of security required by the National Automated Clearing House Association (NACHA). Additionally, stopping fraud is up to the business and the Originating or Receiving Depository Financial Institution (ODFI or RDFI).
Here’s what you need to know to prevent fraud on ACH systems:
Where ACH Fraud Comes From
According to the Federal Reserve, ACH fraud is very rare and ACH payments have the lowest rates of fraud by value. According to their 2018 survey, the Federal Reserve found that ACH payments fraud is only represented in a fraction of 1 percent of the total value of ACH payments sent, equating to 8 cents for every $10,000 in payments.
This low number is most likely due to the security measures in place for authorizing ACH payments combined with the fact that the ACH system is nearly one hundred percent automated.
While ACH fraud rates are low, they still occur. So where does ACH fraud come from?
ACH fraud mostly occurs when a transaction is sent by a third party without the authorization, agreement, or voluntary assistance of the authorized user (usually the cardholder or the account holder). ACH fraud almost always has the intent for personal financial gain.
ACH fraud is typically carried out by a third party and it takes advantage of vulnerabilities in a security system, security failure with payment, or another security failure in an initiated payment method or system.
How ACH Fraud Might Affect Your Business
ACH processing is usually initiated and performed through online payment methods. This presents an inherent and elevated risk for malicious attackers to compromise ACH transactions. Current ACH users are threatened by cyberattacks, email phishing, account takeovers, vendor impersonation, and much more.
It is up to the bank to set up security measures to protect their accounts and customers against fraud on ACH systems. This means that all sensitive data must be passed through an encrypted network, stored behind authentication measures, and be authorized by the bank account owner.
In 2018, thanks to the Federal Reserve’s Working Group “Fraud Definitions Work Group,”, the FraudClassifier model was developed. The FraudClassifier model is a set of tools and materials that help financial institutions to classify and understand the magnitude of fraudulent activity as well as understand how fraud occurs across the payments industry.
Train your staff using the FraudClassifier model so that they are aware of the types of fraud that could be occurring as well as its severity and prevalence. It may help to prevent widespread and devastating fraud before it does any serious damage.
How to Spot Suspected ACH Fraud Activity
There are generally five types of ACH fraud activity: ACH credit risk, ACH debit risk, ACH operational risk, ACH fraud risk, and ACH systemic risk. These types of ACH fraud activities merely describe how the fraud transpired.
For example, a bank account holder might be the victim of an ACH debit fraud when their ACH transaction was stolen from under them. However, if the transaction is part of an account takeover, then it may be a sign of a larger ACH systemic fraud.
There are specific ACH fraud activities that are also easier to spot. Here some common fraudulent ACH activities:
- ACH kiting: ACH kiting is when funds move back and forth between separate bank accounts at different banks. This is to take advantage of the lag time associated with ACH transactions. Kiting will continue to occur during the estimated wait period (which can range from one business day to four business days). This type of fraud usually happens in a company and the person committing the fraud will be stealing from a company right before the year-end. In this instance, the employee would record the release of funds as in-transit in year one and then records a decrease in the account in year two.
- ACH lapping: ACH lapping is a type of fraud that occurs when a payment from one bank account is diverted elsewhere and manually marked as received to cover up the original theft. The theft from the first customer account is covered up by a payment from a second customer account, and that payment is covered by a third, and so on.
- Insider threat: An insider threat is an individual on the inside of a company who has credentials allowing them access to sensitive banking information and maliciously uses those credentials. This might mean that the insider gains access to a privileged area to steal sensitive information, to steal money, or to pass on that money to another malicious actor. Potential insider threats include employees, contractors, third-party vendors, departing employees, or employees that are negligent with their security.
- Spear phishing (email): In a spear phishing scam, an employee with authorization for ACH transactions receives an email that leads him to an infected site, which installs a keylogger to access authentication information. The thief can then impersonate the company’s authorized representative and withdraw funds.
- Criminal access through customer credentials: Similar to that of an insider threat, someone obtaining criminal access of a customer credential will be a malicious actor who hacks into a consumer’s computer and can record the keystrokes of the user to obtain their banking credentials.
- Criminal obtainment of checking account number and bank routing number: The account number and bank routing number are two sensitive pieces of banking information that people keep hidden. If a criminal actor obtains this information, they have illegally gained full control over someone else’s bank account and can request or authorize an ACH transaction.
Other forms of fraud are meant to be deterred by the ACH system in place. For example, ACH credit risk will occur when an ACH file arrives at an RDFI and it is requesting that money is deposited into a bank account. The fraud occurs when the transaction is made but there are not enough funds in the originating bank account to make the transaction.
If the RDFI does not have the holding period in place, the RDFI would have deposited the funds into the receiver’s account before the holding period. Then, the funds would be pulled from the originating bank account and the RDFI loses the money in the transaction.
While a simple procedure, this type of fraud is easily avoided with return codes. NACHA requires that all RDFIs wait at least 48 hours for a return code before processing the transaction.
This processing time can be expedited in same day ACH transactions, so it is up to the RDFI and ODFI to practice Know Your Customer (KYC) rules so that they verify that the bank account owner can be trusted. This ensures that same day ACH transactions are only occurring with long-time banking customers or customers who can absolutely verify their identity.
Best Practices for ACH Payment Fraud Prevention
Since targeted ACH fraud attacks can be so devastating, financial institutions typically set up protective measures to limit unauthorized ACH transactions and identity theft. These are the two most common safety measures that could protect an account from ACH fraud.
Here are other ways to prevent ACH fraud:
- Set up an ACH debit block, which auto-returns ACH debits and/or credits directed at a specific bank account.
- Set up an ACH debit filter, which auto-returns all ACH items for a designated account unless the ACH item was pre-authorized. This type of ACH fraud protection will not allow any unauthorized transaction to occur.
- Set up an ACH alert and activity monitoring for all electronic transactions
- Set authorization limits at both the company and individual levels
- Return unauthorized ACH debits to your account within 24 hours
- Limit who has privileged access to recipient information and monitor changes to these fields
- Run background and credit checks on all new employees or anyone who will have access to the account
- Get changes to vendor payment accounts in writing with a phone call to verify
- Keep account authorizations up-to-date and notify the bank of any changes
- Verify that other types of fraud activities can’t cross over into the ACH system
To operate as an ODFI or RDFI on the ACH network, the bank must ensure that they are always compliant under NACHA guidelines. Therefore, it is in the best interest of the financial institution to protect customers against all measures of ACH risk.
How to Prevent Fraud on ACH Systems
To protect ACH systems against hacking risk, consider the following:
- Comply with all PCI and NACHA protocols for storing sensitive banking data, including using PCI approved hardware and software, NACHA approved service providers and encrypting the storage of all financial data, including credit card, debit card, and banking information
- Be FDIC insured
- Regularly perform internal and external cybersecurity audits, seek an appropriate NIST maturity level, and perform regular ACH risk assessments
- Test for return codes and proper authorization procedures is a requirement for being approved.
It is also important that your customers are educated about the best practices to protect against ACH fraud. Customers should be encouraged to:
- Avoid sharing their account information over the internet unless the server is verified to be secure and/or encrypted
- Carefully consider how VOID checks are sent out; if sending electronically, they should be sent as an encrypted PDF or password-protected file, or sent by fax or mail
- Detect and avoiding phishing emails
- Set up two-factor authentication when signing on to online banking
ACH payments can be made more secure with a secure API, like the Sila ACH API. ACH APIs provide each user with secure account linking, encrypted data sharing, and can offer flexibility in ACH payments through implementation into a digital wallet.
If you suspect that a fraudulent transaction has occurred at your financial institution, it is imperative to fight back and immediately stop the transaction from continuing. ACH fraud settling can be done in-house or through a third party to minimize the losses.