

Electronic banking transactions via the Automated Clearing House (ACH) network are commonplace for even the smallest businesses. As the volume of ACH transactions increases, so does the likelihood of fraud.

Fraud schemes involving electronic payments are often very complicated. Once an ACH fraud scheme is discovered, fraudsters often disappear into cyberspace, leaving behind few, if any, tracks to follow. These attacks are commonly called "account takeovers".

While some ACH fraud is committed from external sources (hackers, phishing emails, etc.), other fraud may be the result of information obtained from a paper check. The bank account and routing numbers on the bottom of a paper check may be all a fraudster needs to buy goods from online merchants that offer "electronic debit" or "e-check" payment options. An ill-placed sticky note on someone's desk or computer with passwords or other confidential data can be the "keys to the vault" for an ACH fraudster.

What can a business do to protect itself? Don't try to reinvent the wheel; many banks offer security tools to prevent unauthorized ACH transactions. One popular tool is commonly called "positive pay". A business using positive pay provides the bank with a register of authorized ACH debits; the bank will only clear preauthorized payments from the list. There is also a "reverse positive pay" program, where the bank allows the business to review and make decisions about ACH debits posted to its account the previous day.

Another simple method for combating ACH fraud is to segregate business bank accounts by the nature of the disbursements (general checking, payroll and ACH). ACH transactions can then be confined to a single account where only enough funds are held to cover the planned daily transactions.

Also, ACH "blocks" can be used to filter out unauthorized business transactions. A business selects the criteria to block certain ACH debits (e.g., amounts over set limits or from unauthorized companies) and the bank won't process transactions that do not comply with the criteria. ACH blocks are easy to implement and they don't require ongoing monitoring by the business.

Other suggested controls include:

  • Bolster online security measures. Use dedicated computers for online banking; disconnect them from internal networks. Block access to social networking sites and other risky web sites that may contain malware (malicious software) designed to capture login and password information.
  • Use strong passwords (multiple letters, numbers, characters and capitalization) that are different from the user's other passwords. Ensure that secure passwords and ID tokens are changed periodically. Always make changes after an employee is terminated.
  • Require segregation of duties for ACH transactions; don't let one individual have free rein over electronic disbursements. Ideally, one person creates the ACH payment file, which another person reviews and approves before transmitting it to the bank. Each day, have an independent person monitor and reconcile ACH activity posted to the bank.
  • Review online banking information about any failed login attempts since the prior successful login.

These simple practices may allow your business to remain outside the reach of an ACH fraudster.

"Those who don't find time for prevention, will have to find time for unwelcome outcomes."

The Earl of Derby (paraphrased).

To learn more about how your company can better protect itself against ACH fraud and other fraudulent activities, please contact your local fraud and forensic accounting professional at UHY LLP.