ACH Payments: A New Front in the Fraud Wars

Data breaches and cyberattacks continue to receive a lot of media attention, while another technology-enabled crime — Automated Clearing House (ACH) fraud — is going relatively unnoticed. Your clients likely use the ACH network every day to make debit and credit purchases, and their account information may be more vulnerable than they realize.

What It Is

The surging popularity of the ACH is understandable. Consumers can use it to make electronic payments directly from their checking or savings accounts to other parties’ accounts, eliminating the need to pay bills with paper checks or physical credit cards. Likewise, companies use the ACH for business-to-business transactions and to pay their employees, contractors and vendors.

Businesses of all sizes can become ACH fraud victims, but small to mid-sized businesses may be most vulnerable. Even when they have substantial financial assets, these companies typically have fewer up-to-date information security measures in place.

How It Is Done

To commit ACH fraud, perpetrators need to obtain only an account number and bank routing number. This can be accomplished through phishing (using email to trick recipients into divulging personal data), malware, account hijacking and legitimate websites that have been hacked.

For example, a thief might launch phishing attacks against a bank’s customers. When recipients click on the link in the fake email, they are taken to a phony bank website and prompted to enter their login information. The thief captures that information, uses it to access online banking accounts and then initiates ACH payments to his or her own account at a different bank. Finally, the funds are transferred by wire to a third (in most cases offshore) bank.

Alternatively, account holders might click on a link and unknowingly download malware that collects data they enter into web forms, including those on banking sites. These individuals subsequently receive personalized emails that appear to be from companies with which they already have a relationship, asking them to reset their security code or personal identification number (PIN). By doing so, consumers install a virus on their computers. The next time they log into their bank’s site, the virus executes commands that initiate fraudulent ACH transactions.

Steps to Take

No single defense will provide complete protection for every individual and business that uses the ACH. But some simple steps can reduce the risk of fraud. Perhaps the most important defense is installing firewalls and anti-virus, anti-spyware and anti-malware software on computers and keeping these programs updated. Your clients also need to ensure that every computer, smartphone and network they use requires a complex password that must be changed frequently.

Other preventive measures include:

  • Ignore unsolicited emails with attachments, links contained in the body of the message and popups that request personal information;
  • Use a separate browser for online banking purposes;
  • Check bank accounts daily for unauthorized activity; and
  • Access financial websites only by entering the URL, as opposed to using links in an email.

Finally, consumers and employees need to monitor the performance of computers and devices. Slower processing, changing interfaces or repeated rebooting can indicate the presence of malware or a virus.

Technology at a Price

Faster and easier ACH transactions appear to have doomed paper-based payments. As the millions of victims of electronic fraud can attest, technology comes with certain risks. Help your clients avoid the risk posed by ACH payments.