What is ACH Fraud and How to Combat It

We all know the degree to which the COVID-19 pandemic has shifted the workplace landscape. Back in the early days of the pandemic, businesses evolved their processes seemingly overnight to accommodate new work-from-home setups for their employees. Despite their best efforts, businesses subsequently suffered from new security challenges. This disruption created a perfect storm for fraudsters and bad actors to exploit new vulnerabilities, particularly those within AP teams, many of which still exist today.

ACH payment scams are a growing concern for businesses of all sizes, as cybercriminals increasingly exploit Automated Clearing House (ACH) networks to perpetrate fraudulent transactions. Every year, organizations lose millions of dollars in revenue due to these schemes. In order to prevent ACH payment scams, you must first understand the current state of ACH fraud and the most common scamming methods. Let’s take a closer look.

What are ACH Payment Scams?

ACH payment scams are a type of fraud committed by using Automated Clearing House (ACH) payments. ACH is an electronic system for transferring money between financial institutions via digital transactions. The security measures in place for ACH payments may not always be enough to protect against fraudulent activity, making them a prime target for cybercriminals. As an example, a fraudster may impersonate a vendor (often through BEC or account takeover) and contact the AP team to update payment information to a fraudulent account. The AP team then thinks it is paying the vendor. Unfortunately, by the time an AP team realizes it has initiated payment to a fraudster, the funds are often long gone.

The State of ACH Fraud Today

71% of organizations were victims of payment fraud attacks or attempts in 2021. Checks and ACH debits were the payment methods most impacted by fraudulent activity. Additionally, cybercriminals are becoming increasingly sophisticated in their methods, using more advanced technologies such as malware and ransomware to steal confidential information and funds from victims. As a result, organizations must remain vigilant and take proactive measures to protect themselves against these threats.

BEC Emails

BEC (Business Email Compromise) emails are a type of phishing attack in which cybercriminals pose as legitimate businesses or organizations and send targeted emails requesting payment information or updates to account payment information. These malicious actors use social engineering tactics, such as contacting an AP team and asking it to change payment information to a fraudulent account, or manipulating victims into providing confidential data such as bank account numbers and passwords.

In 2021, 68% of organizations were targeted with a BEC scam. The Accounts Payable (AP) team is the department most susceptible to this attack, with 58% of those surveyed noting their AP teams were compromised. Moreover, 41% of organizations noted that ACH and wire transfer payments were targets of BEC scams in 2021.

Malware & Ransomware Attacks

Malware and ransomware attacks involve using malicious software to gain access to sensitive information or data. These attacks can be used to steal money from bank accounts, encrypt important files and hold them for ransom, or spy on confidential conversations. For example, the Zeus Trojan was used to capture victims' personal data and financial information. In 2010, cyber thieves acquired $70 million using Zeus by attaching the malware to emails. Although the code for Zeus was exposed in 2011, other versions of the malware began to spread. Its successor, Gameover, infected an estimated 500,000 to 1 million computers worldwide with the goal of extracting personal and financial data.

Check Kiting Scams

Check kiting scams involve fraudsters taking advantage of the way that banks process checks. When a bank receives a check, it usually waits until the funds are available before releasing them to the customer's account. By taking advantage of this delay, cybercriminals can write a check on one account and deposit it into another in order to illegally inflate their account balances.

ACH Specific Scams

Scams can also target the ACH debit or ACH credit process itself. In credit scams, criminals submit payment requests through ACH with false or fraudulent account numbers so that payments are redirected to their own accounts. In debit scams, fraudsters use a stolen bank account number to request a transfer of funds from a victim's bank account.

MineralTree is designed to protect customers from these kinds of scams. Our AP platform is set up to perform ACH credit, which provides more control over collecting, validating, and storing information compared to higher risk ACH debits.

Methods for Combatting ACH Fraud Schemes

To protect against ACH fraud scams, organizations should utilize a combination of prevention and detection strategies. Some methods include creating strong passwords for electronic banking accounts, verifying all transactions by multiple individuals, and creating a system for flagging suspicious activity.

Here are 7 key methods to combat ACH fraud schemes:

Strong internal controls:

Internal controls help reduce the risk of fraud by ensuring that only authorized personnel have access to financial information. Organizations should also implement procedures for approving transactions and monitoring accounts to detect any unusual activity.

Close monitoring:

Organizations should monitor ACH payments on a regular basis to identify suspicious behavior or transactions. This can include reviewing payments for any inconsistencies or out-of-the-ordinary activity.

Modern cybersecurity strategy:

By staying up to date with the latest security measures and technologies, such as encryption and two-factor authentication, organizations can protect against unauthorized account access and maximize payment security.

Vendor verification:

Organizations should ensure that all vendor information is accurate and up to date. This includes verifying the bank account numbers associated with each payment request, to ensure that payments are always sent to the correct recipient.

Employee training:

It is important for organizations to educate their employees on the potential risks associated with ACH payments. They should also share tips to identify suspicious activity or transactions.

Bank account validation:

Organizations should perform regular bank account validation checks to ensure that the bank accounts associated with payments are valid. This helps prevent fraudulent transactions from being processed.

Embrace more secure payment methods:

Making ACH payments more secure also involves shifting as much spend as possible to more secure payment methods. Virtual cards are a great option for secure payments. A virtual card is a randomly generated 16-digit number that works like a credit card but can only be charged one time for a specified amount. This not only leads to easier payments with improved accuracy, but also eliminates the risk of vendors accidentally re-using your business's credit card information and the risk of fraudulent payments.
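
The vendor verification and bank account validation methods above can be combined into a pre-payment screen, sketched here as an added example (not MineralTree's code). The record layout, flag names, and the 7-day hold after a bank-detail change are assumptions; the routing-number check is the standard ABA 3-7-1 checksum.

```python
from dataclasses import dataclass
from datetime import date, timedelta

HOLD_DAYS = 7  # assumed cooling-off period after a bank-detail change

@dataclass
class Vendor:  # hypothetical vendor master record
    routing: str
    account: str
    changed_on: date   # date the bank details were last changed
    verified: bool     # change confirmed by call-back to a contact already on file

@dataclass
class Payment:  # hypothetical outgoing ACH credit
    vendor_id: str
    routing: str
    account: str
    pay_date: date

def aba_checksum_ok(routing: str) -> bool:
    """ABA routing number: 9 digits, weighted 3-7-1 sum divisible by 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(routing, (3, 7, 1) * 3)) % 10 == 0

def screen_payment(p: Payment, master: dict) -> list:
    """Return the reasons a payment should be held for manual review."""
    flags = []
    if not aba_checksum_ok(p.routing):
        flags.append("invalid_routing_checksum")
    v = master.get(p.vendor_id)
    if v is None:
        return flags + ["unknown_vendor"]
    if (p.routing, p.account) != (v.routing, v.account):
        flags.append("bank_details_differ_from_master")
    if not v.verified:
        flags.append("bank_change_not_verified")
    elif p.pay_date - v.changed_on < timedelta(days=HOLD_DAYS):
        flags.append("bank_change_within_hold_period")
    return flags

# Constructed sample data: routing/account numbers are test values, not real accounts.
MASTER = {
    "V-100": Vendor("123456780", "000111222", date(2023, 1, 10), True),
    "V-200": Vendor("987654320", "555000111", date(2023, 2, 27), True),
    "V-300": Vendor("123456780", "777000333", date(2023, 2, 1), False),
}

if __name__ == "__main__":
    redirected = Payment("V-100", "987654320", "999888777", date(2023, 3, 1))
    print(screen_payment(redirected, MASTER))
```

A payment that returns an empty list proceeds; any flag routes it to a second approver, which matches the advice above to have transactions verified by multiple individuals.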

Utilizing technology solutions such as MineralTree’s AP automation solution can further reduce the risk of ACH fraud. MineralTree allows businesses to automate their accounts payable process, streamline invoice data entry, and verify payments before they’re sent out. This helps minimize the number of fraudulent or unauthorized transactions that take place. Additionally, MineralTree’s advanced reporting capabilities allow users to quickly identify fraudulent activity and take corrective action in a timely manner. With MineralTree’s AP automation solution, businesses can reduce the risk of ACH fraud and protect their bottom line.

The Role of AP Automation in Reducing Fraud Risk

Organizations that use MineralTree’s AP automation solution can reap multiple benefits, including enhanced fraud protection and greater control over financial transactions. The platform’s fraud protection measures include:

  • The use of randomized, one-time use 16-digit virtual card numbers in transactions
  • An exact match rule that prevents vendors from pulling a different amount than what was originally approved
  • Automated checks in place to identify potential fraud as ACH transactions flow through the system
  • Validation of vendor information before any transaction is initiated
  • Use of white-glove payment services to ensure additional human oversight
  • Automatic cross-checking of vendor information

Final Thoughts

Fraudulent activity continues to be a major concern for organizations, and ACH payment scams are no exception. To help protect against these types of fraud schemes, organizations should implement a combination of prevention and detection strategies, such as strong internal controls, monitoring of payments, and employee training.

Additionally, utilizing an AP automation solution like MineralTree can further reduce the risk of ACH fraud and help ensure that all payments are secure. With these measures in place, organizations can rest assured knowing their accounts payable processes are well-protected against ACH fraud. Request a free demo today to learn more.


Brian Chase

As a Payment Optimization Manager at MineralTree, Brian Chase advises clients on how to align their payments with their greater business strategy. Prior to joining MineralTree in 2022, Brian served in Client Success roles and as a Senior Solution Consultant at Bottomline Technologies. He also served as a Staff Sergeant in the U.S. Army.