Electronic banking transactions via the Automated Clearing House (ACH) network are commonplace for even the smallest businesses. As the volume of ACH transactions increases, so does the likelihood of fraud.
Fraud schemes involving electronic payments are often very complicated. Once an ACH fraud scheme is discovered, fraudsters often disappear into cyberspace, leaving behind few, if any, tracks to follow. These attacks are commonly called "account takeovers".
While some ACH fraud is committed from external sources (hackers, phishing emails, etc.), other fraud may be the result of information obtained from a paper check. The bank account and routing numbers on the bottom of a paper check may be all a fraudster needs to buy goods from online merchants that offer "electronic debit" or "e-check" payment options. An ill-placed sticky note on someone's desk or computer with passwords or other confidential data can be the "keys to the vault" for an ACH fraudster.
What can a business do to protect itself? Don't try to reinvent the wheel; many banks offer security tools to prevent unauthorized ACH transactions. One popular tool is commonly called "positive pay". A business using positive pay provides the bank with a register of authorized ACH debits; the bank will only clear preauthorized payments from the list. There is also a "reverse positive pay" program, where the bank allows the business to review and make decisions about ACH debits posted to its account the previous day.
Another simple method for combating ACH fraud is to segregate business bank accounts by the nature of the disbursements (general checking, payroll and ACH). ACH transactions can then be confined to a single account where only enough funds are held to cover the planned daily transactions.
Also, ACH "blocks" can be used to filter out unauthorized business transactions. A business selects the criteria to block certain ACH debits (e.g. amounts over set limits or from unauthorized companies) and the bank won't process transactions that do not comply with the criteria. ACH blocks are easy to implement and they don't require ongoing monitoring by the business.
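The screening logic behind positive pay and ACH blocks, as described above, can be sketched in a few lines. This is an added illustration, not any bank's actual implementation; the function name, field names, company identifiers, amounts and limit are all constructed for the example.

```python
from collections import Counter
from decimal import Decimal
from typing import NamedTuple

class Debit(NamedTuple):
    company_id: str   # originator identifier (constructed sample values)
    amount: Decimal

def screen_debits(debits, register, allowed_companies, max_amount):
    """Apply ACH block criteria, then positive-pay matching.

    Returns (cleared, rejected); rejected holds (debit, reason) pairs.
    """
    # Each register entry authorizes exactly one debit, so a duplicated
    # debit cannot clear a second time against the same entry.
    remaining = Counter(register)
    cleared, rejected = [], []
    for d in debits:
        if d.company_id not in allowed_companies:
            rejected.append((d, "block: unauthorized company"))
        elif d.amount > max_amount:
            rejected.append((d, "block: amount over limit"))
        elif remaining[d] == 0:
            rejected.append((d, "positive pay: not in register"))
        else:
            remaining[d] -= 1
            cleared.append(d)
    return cleared, rejected

# Constructed sample data: the register the business gave the bank,
# the block criteria, and the debits presented against the account.
REGISTER = [Debit("UTILCO001", Decimal("412.60")),
            Debit("PAYROLL01", Decimal("9800.00"))]
ALLOWED = {"UTILCO001", "PAYROLL01"}
LIMIT = Decimal("10000.00")
INCOMING = [
    Debit("UTILCO001", Decimal("412.60")),    # matches a register entry
    Debit("UTILCO001", Decimal("412.60")),    # duplicate of a cleared entry
    Debit("PAYROLL01", Decimal("9800.01")),   # amount differs from register
    Debit("PAYROLL01", Decimal("25000.00")),  # exceeds the block limit
    Debit("ESHOP9999", Decimal("59.99")),     # originator not on the list
]

if __name__ == "__main__":
    cleared, rejected = screen_debits(INCOMING, REGISTER, ALLOWED, LIMIT)
    for d in cleared:
        print("CLEAR ", d.company_id, d.amount)
    for d, reason in rejected:
        print("REJECT", d.company_id, d.amount, "-", reason)
```

Matching on the exact amount and consuming each register entry once is what stops a duplicated or slightly altered debit from clearing.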
Other suggested controls include:
These simple practices may allow your business to remain outside the reach of an ACH fraudster.
"Those who don't find time for prevention, will have to find time for unwelcome outcomes."
The Earl of Derby (paraphrased).