What is ACH Fraud and How to Combat It

We all know the degree to which the COVID-19 pandemic has shifted the workplace landscape. Back in the early days of the pandemic, businesses quickly evolved their processes seemingly overnight to accommodate new work-from-home set ups for their employees. Despite their best efforts, businesses subsequently suffered from new security challenges. This disruption created a perfect storm for fraudsters and bad actors to exploit new vulnerabilities, particularly those within AP teams, many of which still exist today.

ACH payment scams are a growing concern for businesses of all sizes, as cybercriminals increasingly exploit Automated Clearing House (ACH) networks to perpetrate fraudulent transactions. Every year, organizations lose millions of dollars in revenue due to these schemes. In order to prevent ACH payment scams, you must first understand the current state of ACH fraud and the most common scamming methods. Let’s take a closer look.

hacker at computer

What are ACH Payment Scams?

ACH payment scams are a type of fraud committed by using Automated Clearing House (ACH) payments. ACH is an electronic system for transferring money between financial institutions via digital transactions. The security measures in place for ACH payments may not always be enough to protect against fraudulent activity, making them a prime target for cybercriminals. As an example, a fraudster may impersonate a vendor — often through BEC or account takeover — and contact the AP team to update payment information to a fraudulent account. In doing so, the AP team thinks that they’re paying the vendor. Unfortunately, often times once an AP team realizes they’ve initiated payment to a fraudster, the funds are long gone.

The State of ACH Fraud Today

71% of organizations were victims of payment fraud attacks or attempts in 2021. Checks and ACH debits were the payment methods most impacted by fraudulent activity. Additionally, cybercriminals are becoming increasingly sophisticated in their methods, using more advanced technologies such as malware and ransomware to steal confidential information and funds from victims. As a result, organizations must remain vigilant and take proactive measures to protect themselves against these threats.

What are the Different Types of ACH Fraud Techniques?

Bad actors are increasingly turning to ACH fraud because it’s relatively easy for them to do. They typically start by breaching internal systems, such as email, to get a foothold into the company, where they can gain access to – and manipulate – invoice and payment-related information. They prey on a weak link in security: people who may not be able to discern an actual request from a fraudulent one, especially as scammers continue to get more sophisticated. Here are some of the most common types of ACH fraud schemes used today.


BEC Emails

BEC (Business Email Compromise) emails are a type of phishing attack in which cybercriminals pose as legitimate businesses or organizations and send targeted emails requesting payment information or updates to their account payment information. These malicious actors use social engineering tactics such as contacting an AP team and requesting them to update payment information into a fraudulent account or by manipulating victims into providing confidential data, such as bank account numbers and passwords.

In 2021, 68% of organizations were targeted with a BEC scam. The Accounts Payable (AP) team is the most susceptible department in terms of this attack, with 58% of those surveyed noting their AP teams were compromised. Moreover, 41% of organizations noted that ACH and wire transfer payments were targets of BEC scams in 2021.

Malware & Ransomware Attacks

Malware and ransomware attacks involve using malicious software to gain access to sensitive information or data. These attacks can be used to steal money from bank accounts, encrypt important files and hold them for ransom, or to spy on confidential conversations. For example, the Zeus Trojan virus was used to gain victims’ personal data and financial information. In 2010 cyber thieves acquired $70 Million using Zeus by attaching the malware into emails. Although the code for ZeuS was exposed in 2011, other versions of this virus began to spread. Its successor, Gameover, infected between an estimated 500,000 to 1 million computers worldwide with the goal of extracting personal and financial data.

Check Kiting Scams

Check kiting scams involve fraudsters taking advantage of the way that banks process checks. When a bank receives a check, they usually wait until the funds are available before releasing them to the customer’s account. By taking advantage of this delay, cybercriminals can write a check on one account and deposit it into another in order to illegally inflate their account balances.

ACH Specific Scams

Scams can also enter into the ACH debit or ACH credit process. Credit scams involve criminals crediting payment requests through ACH with false or fraudulent account numbers to have payments redirected to their own accounts. On the other hand, debit scams involve fraudsters using a stolen bank account number to request a transfer of funds from another victim’s bank account.

MineralTree is designed to protect customers from these kinds of scams. Our AP platform is set up to perform ACH credit, which provides more control over collecting, validating, and storing information compared to higher risk ACH debits.

What’s the Impact of ACH Fraud on an Organization?

If a company is a victim of ACH fraud, it could potentially lose hundreds of thousands or millions of dollars and be susceptible to other types of damage. A delay in payment can negatively impact your relationship with your vendor, who may also feel uneasy about doing business with you after a breach. In addition to the time, cost and effort needed to fix the problem, there are security issues when sensitive information, such as bank accounts, is compromised. Additionally, you could potentially face damage to your reputation if the breach becomes public.

Fortunately, most ACH payments go off without a hitch, and there are ways you can reduce your exposure to fraud, including training employees to be vigilant, to identify tell-tale signs of fraud, and to confirm changes to payment details by phone.

Fifty years ago when ACH payment was introduced, companies weren’t exposed to the type of ACH fraud we’re seeing today. And, as the industry changed and technology became more sophisticated, so did the fraudsters. The good news is that you have multiple payment options, as well as best practices you can implement, to reduce risk and help keep your finances safe.

How to Prevent ACH Fraud

To protect against ACH fraud scams, organizations should utilize a combination of prevention and detection strategies. Some methods include creating strong passwords for electronic banking accounts, verifying all transactions by multiple individuals, and creating a system for flagging suspicious activity.

Here are 9 key methods to combat ACH fraud schemes:

Strong internal controls

Internal controls help reduce the risk of fraud by ensuring that only authorized personnel have access to financial information. Additionally, organizations should also implement procedures for approving transactions and monitoring accounts to detect any unusual activity.

Implement Segregation of Duties

The same principle of checks and balances that is the foundation of our nation’s government should also be a foundation of your accounts payable process. Segregation of duties means that one person is responsible for queueing up business payments, and one person is responsible for approving those payments before funds are released.

While invoice payments can be time sensitive, and sometimes it is both quicker and simpler for AP managers to carry an invoice payment from start to finish on their own, this leaves the door open for fraud. And while this payment control seems like a no-brainer, 31% of businesses still haven’t implemented it.

Utilize Dual-Factor Authentication

Dual-Factor Authentication adds another layer of security by requiring employees who approve payments to enter a unique security code that they receive via text or email every time they release funds. This extra layer of security mitigates the risk of fraud by discouraging fraudsters that are constantly on the lookout for businesses that lack vigilance around cybersecurity.

Close monitoring

Organizations should monitor ACH payments on a regular basis to identify suspicious behavior or transactions. This can include reviewing payments for any inconsistencies or out-of-the-ordinary activity.

Modern cybersecurity strategy

By staying up to date with the latest security measures and technologies, such as encryption and two-factor authentication, organizations can protect against unauthorized account access and maximize payment security.

Vendor verification

Organizations should ensure that all vendor information is accurate and up to date. This includes verifying the bank account numbers associated with each payment request, to ensure that payments are always sent to the correct recipient.

Employee training

It is important for organizations to educate their employees on the potential risks associated with ACH payments. They should also share tips to identify suspicious activity or transactions.

Bank account validation

Organizations should perform regular bank account validation checks to ensure that the bank accounts associated with payments are valid. This helps prevent fraudulent transactions from being processed.

Embrace more secure payment methods

Making ACH payments more secure also involves shifting as much spend as possible to more secure payment methods. A great method for secure payments are virtual cards. Virtual cards are a randomly generated set of 16-digit numbers that work like credit cards but can only be charged one time for a specified amount. This not only leads to easier payments with improved accuracy, but eliminates the risk of vendors re-using your business’ credit card information by accident and the risk of fraudulent payments.

Utilizing technology solutions such as MineralTree’s AP automation solution can further reduce the risk of ACH fraud. MineralTree allows businesses to automate their accounts payable process, streamline invoice data entry, and verify payments before they’re sent out. This helps minimize the number of fraudulent or unauthorized transactions that take place. Additionally, MineralTree’s advanced reporting capabilities allow users to quickly identify fraudulent activity and take corrective action in a timely manner. With MineralTree’s AP automation solution, businesses can reduce the risk of ACH fraud and protect their bottom line.

The Role of AP Automation in Reducing Fraud Risk

Organizations that use MineralTree’s AP automation solution can reap multiple benefits, including enhanced fraud protection and greater control over financial transactions. The platform’s fraud protection measures include:

  • The use of randomized, one-time use 16-digit virtual card numbers in transactions
  • An exact match rule that prevents vendors from pulling a different amount than what was originally approved
  • Automated checks in place to identify potential fraud as ACH transactions flow through the system
  • Proactive notification when vendor bank account information is changed in the system
  • Automatic cross-checking of vendor information

Final Thoughts

Fraudulent activity continues to be a major concern for organizations, and ACH payment scams are no exception. To help protect against these types of fraud schemes, organizations should implement a combination of prevention and detection strategies, such as strong internal controls, monitoring of payments, and employee training.

Additionally, utilizing an AP automation solution like MineralTree can further reduce the risk of ACH fraud and help ensure that all payments are secure. With these measures in place, organizations can rest assured knowing their accounts payable processes are well-protected against ACH fraud. Request a free demo today to learn more.


hacker at computer

Brian Chase

As a Payment Optimization Manager at MineralTree, Brian Chase advises clients on how to align their payments with their greater business strategy. Prior to joining MineralTree in 2022, Brian served in Client Success roles and as a Senior Solution Consultant at Bottomline Technologies. He also served as a Staff Sergeant in the U.S. Army.