ACH fraud is the theft of funds through the US Department of the Treasury's Automated Clearing House financial transaction network. The ACH network acts as the central clearing facility for all electronic fund transfer (EFT) transactions in the United States, representing a crucial link in the national banking system.
The ACH is a program of the Treasury Department's Bureau of the Fiscal Service. This system, established in the mid-1970s facilitates online payments and electronic funds deposits for financial institutions.
In the U.S., financial institutions, government agencies, businesses, and the general public use the ACH as the primary system for EFTs such as direct deposit payments for payrolls. Electronic-only payment processors, including PayPal and Venmo, also use the ACH to facilitate payments.
Steps used by the ACH to process and validate financial transactions generally include the following:
Cybercriminals have found ways to steal funds through the ACH network, perpetrating ACH fraud. If they can obtain a victim's bank account (checking or savings account) number and a bank routing number (printed on the bottom left corner of checks), they can take unauthorized actions such as the following:
Such criminal actions are lumped under the definition of ACH fraud.
ACH transactions often involve some element of time delay, which provides criminals a small window to engage in ACH fraud.
Here are a few examples of ACH fraud:
While ACH fraud can impact anyone making EFTs (i.e., using the ACH network), the impact of such events on businesses and financial institutions is much larger than it is on individuals.
If a receiving bank is the victim of multiple incidents of ACH fraud, its fraud losses can add up quickly. This is because receiving institutions are held financially liable for chargebacks if they allow their customers to use the received funds before they are completely cleared.
The institution sending an ACH transaction can also suffer financially in the event of ACH fraud. If they allowed a transaction to leave a customer's account even though the customer did not authorize the transaction, which represents an unauthorized transaction, and they might be required to compensate the customer for the loss of funds.
In addition to financial losses, the institution might suffer reputational damage, which can affect its existing customer relationships. The bank might also find it harder to attract new business if it suffers a large-scale ACH fraud scam.
Companies that experience ACH fraud might have to pay regulatory fines due to compliance violations. Depending on the scale of the fraud, they might also find themselves on the wrong end of a legal battle with affected customers.
The frequency and scale of ACH fraud scams are on the rise. Considering the potential impact of even a single such event, businesses and financial institutions must take steps to protect themselves from ACH fraud.
It's crucial to keep an eye on account balances and reconcile accounts frequently.
Other important practices that can help to prevent ACH fraud include:
Organizations can also block unauthorized transfers from a customer's account and use secure application programming interfaces (APIs) to detect fraud. Additionally, they can implement behavioral or biometric analytics systems that differentiate between expected and unexpected (e.g., fraudulent or malicious) account behaviors. Both technologies enable institutions to mitigate risk as soon as it arises (in near real time) and minimize instances of ACH fraud.
Increasingly, many institutions also implement fraud detection solutions, including those powered by artificial intelligence (AI) and machine learning that verify identities, screen payments, and monitor transaction data. These solutions provide added protection that helps mitigate ACH fraud risk and protects the institution and its customers from losses.
Learn about the future of cybersecurity and why companies should use AI for fraud management and detection. Read about 13 common types of cyber attacks and how to prevent them.
16 Nov 2023