To commit ACH payment fraud and move money out of your account, criminals only need your account and routing numbers. And once they get hold of that information, it stings: one undisclosed healthcare company was robbed of more than $840,000 in April 2022. Implementing specific ACH fraud prevention and detection strategies is key to blocking this type of scam. In this piece, you’ll learn exactly how to combat fraudsters’ attempts.
Trustpair blocks ACH fraud by continuously auditing supplier data and blocking suspicious payments. Contact an expert to learn more!
What is the best protection against ACH fraud?
Preventing fraudulent ACH transactions matters, because reports of this specific type of fraud grew by 6% between 2021 and 2023. So, how exactly should B2B organizations plan their protection against this growing threat?
- Set internal control policies (and stick to them)
- Segregate duties
- Use strong data storage methods
Internal control policies
Internal controls help companies to standardize how they act and operate, even when more than one team member is responsible for the same job.
For example, a policy on how to submit expenses helps employees determine which purchases the company will approve and which it won’t. The same policy combats expense fraud, because workers have a specific guideline to follow and can’t use the company card without justification.
In this way, internal policies hold team members accountable for their actions.
For fraud prevention, internal policies could include:
- How to use the right payment method (maybe you’d prefer to pay online via the company credit card rather than check)
- How to store financial information (such as bank account number or routing numbers)
- How to request approval for a large transfer (over a specific amount)
Segregate duties
Segregation of duties refers to splitting up tasks so that no single person has complete responsibility for a process. Like internal controls, this concept ensures that employees take accountability for their actions, because their work will be seen and possibly scrutinized by another person.
Segregation of duties protects against fraud thanks to the four-eyes principle. Whether an employee has deliberately attempted to commit fraud, or has been duped by a phishing email, the second set of eyes exists to double check.
Once suspicious activity is discovered, the team can work to prevent any loss of money and investigate what happened. This is made much easier with multiple team members involved, as multiple statements are likely to be more reliable and therefore more trustworthy.
Strong data storage and secure APIs
One of the most common enablers of ACH fraud is leaked data. So it’s important to protect your company’s financial information in a way that holds up even if attackers succeed in breaching your systems.
Strong data storage methods and secure APIs are two ways to stop ACH fraudsters from obtaining the details they need. Bank account and routing numbers belong in a purpose-built (often cloud-based) system with access controls, encryption at rest and an audit trail of who viewed or changed them. That’s compared to keeping confidential details in Excel spreadsheets on individual workstations, which any user or malware with access to the device can copy.
Similarly, attackers may target the third parties connected to your organization in order to find a weak link. That’s why API security is paramount: the technology that integrates your business with others must be secure, not just stable, meaning every caller is authenticated, each partner sees only the data it needs, and access is logged. While you can’t control how secure any third party is, you can make sure that a compromise on their side stops at your boundary. Read all about third-party monitoring in this article.
Download our latest fraud report to learn how to block all types of payment fraud!
How to detect ACH fraud?
Fraud prevention and detection go hand in hand. So, setting up measures to detect ACH fraud can be done through:
- Compliance with KYC (and KYB)
- Transaction monitoring
- Multi-factor authentication
Compliance with KYC and KYB
Know Your Customer (KYC) is a regulatory requirement that applies only to a select set of companies, chiefly financial services and banking. It requires them to verify the identity of their customers and perform ongoing due diligence checks to ensure that accounts are not compromised or defrauded.
But it’s become clear that validating customer transactions isn’t enough. 98% of organizations worldwide are connected to at least one third party that has been breached by fraudsters.
It’s therefore clear that organizations in every industry could benefit from the principles of KYC, and not only apply it to customers, but partners and third parties too. Know Your Business (KYB) is therefore an essential part of due diligence to validate and perform ongoing monitoring on any suppliers, vendors and collaborators.
KYB was initially introduced for anti-money laundering and to prevent terrorist financing. But it’s also effective in detecting ACH fraud, because it helps businesses confirm that their partners operate legitimately. Organizational leaders can take it one step further by risk-assessing a partner’s systems, checking for vulnerabilities and requiring that anything exploitable be fixed.
Transaction monitoring
Like the due diligence required for KYC and KYB, companies can monitor transactions continuously. This establishes what “normal” looks like for each counterparty (payment volume, frequency, beneficiary bank, geographic location, device and amount), so that a suspicious payment attempt stands out later.
For example, if your organization pays ‘supplier A’ once per month for $1,000 to a bank in Dallas, Texas, an unexpected invoice for $6,000 payable to a different institution in Washington should raise suspicion.
Ongoing transaction monitoring is time-intensive, but it doesn’t have to be manual. By working with a platform like Trustpair, companies benefit from automatic and continuous auditing of supplier data. This means every payment is controlled before it’s executed, so even a fast-settling ACH payment doesn’t go through to a fraudster.
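The two controls described above, four-eyes approval from the segregation of duties section and a per-supplier baseline from this section, can be combined into one pre-payment check. The example below is an added illustration written for this article, not Trustpair’s product or any code from the original page. The supplier records, payment requests, approver names and the 3x-median threshold are constructed assumptions; the routing-number check is the standard ABA check-digit rule (weights 3, 7, 1, sum divisible by 10).

```python
"""Pre-payment controls for outgoing ACH credits.

Added illustration: enforces four-eyes approval, validates the routing
number's ABA check digit, and compares the request against the supplier's
verified bank details and payment history. All data below is constructed.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List, Optional


def valid_aba_routing(rtn: str) -> bool:
    """ABA routing number check digit: weights 3,7,1 repeated; sum mod 10 == 0."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(rtn, weights)) % 10 == 0


@dataclass
class Supplier:
    name: str
    routing: str                # verified out-of-band with the supplier
    account: str
    history: List[float] = field(default_factory=list)   # past approved amounts, USD


@dataclass
class PaymentRequest:
    supplier: str
    routing: str
    account: str
    amount: float
    requested_by: str
    approved_by: Optional[str] = None


def review_payment(req: PaymentRequest, suppliers: Dict[str, Supplier],
                   amount_factor: float = 3.0) -> List[str]:
    """Return the findings that block release; an empty list means 'release'."""
    findings: List[str] = []
    sup = suppliers.get(req.supplier)
    if sup is None:
        return ["unknown supplier: " + req.supplier]

    # Four-eyes: a second, distinct person must approve.
    if not req.approved_by:
        findings.append("missing second approver")
    elif req.approved_by == req.requested_by:
        findings.append("requester cannot approve their own payment")

    # Bank details must be well-formed and match the verified record.
    if not valid_aba_routing(req.routing):
        findings.append("routing number fails ABA check digit")
    if (req.routing, req.account) != (sup.routing, sup.account):
        findings.append("bank details differ from verified supplier record")

    # Amount baseline: flag anything far above the supplier's median.
    if sup.history:
        base = median(sup.history)
        if req.amount > amount_factor * base:
            findings.append(f"amount {req.amount:.2f} exceeds "
                            f"{amount_factor:g}x median {base:.2f}")
    return findings


# Constructed sample data (assumption): one supplier paid $1,000 monthly.
SUPPLIERS = {
    "supplier A": Supplier("supplier A", "111000025", "000123456789",
                           history=[1000.0] * 6),
}

NORMAL = PaymentRequest("supplier A", "111000025", "000123456789", 1000.0,
                        requested_by="alice", approved_by="bob")
# Mirrors the scenario in the text: new bank, much larger amount, self-approved.
SUSPICIOUS = PaymentRequest("supplier A", "021000021", "998877665544", 6000.0,
                            requested_by="alice", approved_by="alice")
BAD_CHECKSUM = PaymentRequest("supplier A", "021000022", "000123456789", 1000.0,
                              requested_by="alice", approved_by="bob")


def run_demo() -> Dict[str, List[str]]:
    """Review the three constructed requests and return findings per request."""
    return {name: review_payment(req, SUPPLIERS)
            for name, req in (("normal", NORMAL), ("suspicious", SUSPICIOUS),
                              ("bad_checksum", BAD_CHECKSUM))}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", "RELEASE" if not findings else "HOLD: " + "; ".join(findings))
```

The point of returning findings rather than a boolean is that the accounts team sees why a payment was held; a changed beneficiary bank on a long-standing supplier is exactly the signal that would have caught both case studies described later on this page.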
Multi-factor authentication
Multi-factor authentication (MFA) helps prevent ACH fraud by verifying the identity of the person approving a payment, and it can be applied automatically to ongoing account management.
Two-factor authentication is the most common form. The account holder must present a second piece of evidence on top of their password before a payment can be approved, such as a code from an authenticator app or a hardware token.
Multi-factor authentication is effective in blocking ACH fraud in two ways:
- It verifies that there is a real human on the end of the payment request
- It ensures that the human matches the identity of the account holder
A one-time passcode (OTP) is one such second factor. Each code is valid for a single use and a short time window, so a code that a fraudster has phished or intercepted can’t be replayed to approve a further transaction. OTPs are commonly used to confirm online debit card purchases.
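To show what “one-time” means in practice for a payment approval, here is an added example (written for this article, not code from Trustpair or the original page) of a time-based OTP generator following RFC 6238 together with a verifier that accepts each code once. The secret is the published RFC 4226/6238 test key; the approval window (one 30-second step of clock drift either side) and the replay cache are assumptions of this example, not any vendor’s implementation.

```python
"""TOTP (RFC 6238) generation plus a single-use verifier for payment approval.

Added example. The secret below is the RFC 4226 / RFC 6238 test key
(ASCII "12345678901234567890"); the PaymentApprover policy is an assumption.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional, Set, Tuple

TEST_SECRET = b"12345678901234567890"   # RFC test vector key, not a real secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the current time step (RFC 6238)."""
    return hotp(secret, unix_time // step, digits)


class PaymentApprover:
    """Checks an OTP submitted to approve a payment.

    A code is accepted only if it matches the current time step or one step
    either side (clock drift), and only once: a replayed code is refused even
    while it is still inside its time window.
    """

    def __init__(self, secret: bytes, step: int = 30, drift: int = 1) -> None:
        self.secret, self.step, self.drift = secret, step, drift
        self._used: Set[Tuple[int, str]] = set()   # (counter, code) already consumed

    def approve(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        counter = now // self.step
        for c in range(counter - self.drift, counter + self.drift + 1):
            # Constant-time compare so the check does not leak matching digits.
            if hmac.compare_digest(hotp(self.secret, c), code):
                if (c, code) in self._used:
                    return False            # replay inside the window: refuse
                self._used.add((c, code))
                return True
        return False


if __name__ == "__main__":
    approver = PaymentApprover(TEST_SECRET)
    t = 59                                  # RFC 6238 test time
    code = totp(TEST_SECRET, t)
    print("code at t=59:", code)            # 287082 per the RFC test vectors
    print("first approval:", approver.approve(code, t))
    print("replayed code:", approver.approve(code, t))
```

In a real deployment the secret is provisioned per user and stored server-side (ideally in an HSM or secrets manager), the replay cache is shared across application instances, and a code from a phished session still only buys the attacker one approval within the window rather than standing access.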
What is ACH fraud?
The Automated Clearing House (ACH) is a network that facilitates the transfer of funds from one bank account to another. ACH payments are very popular with US businesses. Unfortunately, fraudsters only need to see the bank account number and routing number to initiate a transfer of their own.
ACH fraud is therefore a type of financial scam targeting those who make bank transfers. It is a particular threat to businesses, as most organizations pay their suppliers through ACH.
$5.94 billion was transferred in B2B transactions through the automated clearing house.
The perpetrators might purchase goods or services, or make regular or one-off payments from the victim’s account to their own. Because an ACH transfer takes a few days to settle, fraudsters often get away with the theft before it is detected or the transfer can be stopped.
What are examples of ACH fraud?
Two of the most common ways that ACH fraud is performed are through phishing emails and data breaches.
Healthcare business loses $840,000
In April 2022, an undisclosed healthcare company was attacked by ACH fraudsters, as reported by the FBI.
The perpetrators impersonated a senior employee through phishing emails. In a case of CEO fraud, the con artist successfully mimicked the employee and requested a change of ACH details for one particular supplier.
Unfortunately, the company’s accounts team fell for this ruse, and changed the ACH information to the fraudster’s. What’s worse, a second transaction was made before the fraud was found out – because this supplier provided regular shipments of products to the company.
This recent case of ACH fraud led to the loss of $840,000 as well as significant and ongoing reputational damage, because this provider partnered with 175 other medical providers who were also at risk of being compromised.
Hospital loses $3.1 million
In a similar incident, this time in February 2022, another healthcare company was targeted by ACH fraudsters. Instead of phishing emails, though, the perpetrators broke directly into systems, causing a data breach.
The fraudster gained direct access to the internal systems of the hospital’s partner and changed its ACH payment details to a personal account. When the hospital paid its partner, the funds went straight into the criminal’s bank account, totalling $3.1 million in losses.
The frustrating part is that this ACH fraud case could have been prevented with an automated transaction monitoring platform like Trustpair. With continuous auditing, vendor data is checked on an ongoing basis against data sources and identity verification information. This automatically blocks payments to fraudsters before the money even leaves your business bank account.
In Summary
Just as you protect debit and credit card numbers from falling into the wrong hands, your ACH bank account and routing numbers should be carefully shielded. Implement strong internal controls and secure APIs to prevent unauthorized access. Monitor transactions with Trustpair to automate and control payment requests before they ever leave your account. In the current economic context, fraud protection is more important than ever!