Introduced in the early 1970s to help businesses reduce paper and speed up payment, Automated Clearing House (ACH) payment has been a popular and convenient way for accounts payable teams to pay their vendors for quite some time. In fact, B2B ACH payments were up 12% last year, accounting for 4 billion transactions, according to the National Automated Clearing House Association (NACHA). But like many technologies that are 50 years old, ACH is coming under pressure from 21st-century business needs.
A key consideration with ACH payments is their vulnerability to fraud, and unfortunately, this payment method is increasingly attracting the attention of bad actors. In 2019, 81% of companies experienced actual or attempted fraud, according to the Association for Payments Professionals’ (AFP) Fraud Survey 2020, and 55% of companies were victims of actual or attempted ACH fraud. In fact, ACH fraud was the only category that increased from the previous year.
Fraudsters use modern techniques to exploit ACH vulnerabilities
One reason that bad actors are increasingly turning to ACH fraud is that it’s relatively easy for them to do. They typically start by breaching internal systems, such as email, to get a foothold in the company, where they can gain access to – and manipulate – invoice and payment-related information. They prey on a weak link in security: people who may not be able to discern an actual request from a fraudulent one, especially as scammers continue to get more sophisticated.
Of particular concern to AP and finance teams is a fraud technique known as vendor email compromise. With this technique, fraudsters aim to impersonate a vendor by: creating a fake but plausible email address; registering a look-alike domain; or gaining control of someone’s actual email through phishing. Once bad actors infiltrate email, there are a few scams that they can run. In one, the scammer poses as the vendor and requests that the AP department update the payment method on file with fraudulent ACH details. In another, the fraudster uses a compromised email account belonging to a vendor employee to monitor the vendor’s email communications. Once the scammer sees an opportunity to strike, they use the legitimate account to jump into an existing email thread and send an invoice with fraudulent ACH details.
These fraudulent email practices – part of the overarching category known as Business Email Compromise (BEC) – represented the largest form of corporate fraud last year, accounting for $1.7 billion in losses.
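An AP-side screening check for the three impersonation routes described above, given as an added example that is not from the original article. The vendor master entries, the freemail list, the 0.85 similarity threshold and all function names are assumptions made for illustration.

```python
from difflib import SequenceMatcher

# Constructed vendor master file (assumption): vendor name -> e-mail domain on record.
VENDOR_DOMAINS = {"Acme Supply": "acmesupply.example",
                  "Northwind Parts": "northwind.example"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
DIGIT_SWAPS = str.maketrans("0135", "oles")   # 0->o, 1->l, 3->e, 5->s
LOOKALIKE_THRESHOLD = 0.85                    # assumed cut-off; tune on your own mail


def skeleton(text):
    """Fold common visual substitutions so look-alikes compare equal."""
    folded = text.lower().translate(DIGIT_SWAPS)
    return folded.replace("rn", "m").replace("vv", "w").replace("-", "")


def classify_sender(address):
    """Compare a sender address with the domains held in the vendor master file."""
    local, _, domain = address.lower().rpartition("@")
    if domain in VENDOR_DOMAINS.values():
        return "known-domain"
    for known in VENDOR_DOMAINS.values():
        ratio = SequenceMatcher(None, skeleton(domain), skeleton(known)).ratio()
        if ratio >= LOOKALIKE_THRESHOLD:
            return "lookalike-domain"
    if domain in FREEMAIL:
        for known in VENDOR_DOMAINS.values():
            if skeleton(known.split(".")[0]) in skeleton(local):
                return "vendor-name-on-freemail"
    return "unknown-domain"


def review_request(address, changes_bank_details):
    """Decide how AP should handle an invoice or payment-update e-mail."""
    verdict = classify_sender(address)
    if verdict in ("lookalike-domain", "vendor-name-on-freemail"):
        return verdict, "block-and-report"
    if changes_bank_details:
        # A phished real mailbox passes every domain check, so any change of
        # ACH details is held until it has been confirmed by phone.
        return verdict, "hold-for-callback"
    if verdict == "unknown-domain":
        return verdict, "manual-review"
    return verdict, "process"
```

The domain comparison catches only the first two routes; the hold on every bank-detail change is what covers a message sent from the vendor's genuine but compromised account.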
Another reason that ACH fraud is attractive to bad actors is that they can receive the money relatively quickly. With same-day ACH payment, the money is transferred even more quickly. Last year there were over 50 million B2B same-day ACH payments.
COVID-19 adds fuel to the fire
Unfortunately, these bad practices are on the rise during COVID-19. The number of BEC payment fraud attacks rose over 80% in the third quarter of this year, according to a survey reported by Tech Republic.
There are several factors contributing to this increase. Some organizations have changed business processes or let controls lapse as they adapt to a changing environment, making it easier for fraudsters to penetrate the organization. Additionally, with the disruptions to the supply chain caused by COVID-19 and the need for companies to look elsewhere for goods and materials, it may not seem unusual for AP to receive invoices from new vendors, immediate requests that need to be processed, updates to payment methods, or other changes that might raise suspicions during other times. Then there are the distractions that employees working from home face, making them more susceptible to phishing and other email attacks, which in turn, makes AP teams more vulnerable to fraud. And, of course, the home environment lacks the same type of technology and security infrastructure that companies institute to help prevent hacks and fraud in the first place.
The impact of ACH fraud on an organization
If a company is a victim of ACH fraud, it might not only potentially lose hundreds of thousands or millions of dollars, but it is also open to other types of damage. A delay in payment can negatively impact your relationship with your vendor, who may also feel uneasy about doing business with you after a breach. In addition to the time, cost and effort needed to fix the problem, there are security issues when sensitive information, such as bank accounts, is compromised. Additionally, you could potentially face damage to your reputation if the breach becomes public.
Fortunately, most ACH payments go off without a hitch, and there are ways you can reduce your exposure to fraud, including training employees to be vigilant, to identify tell-tale signs of fraud, and to confirm changes to payment details by phone, among other best practices.
Fifty years ago, when ACH payment was introduced, companies weren’t exposed to the type of ACH fraud we’re seeing today. And, as the industry changed and technology became more sophisticated, so did the fraudsters. In response, more modern and secure payment methods have been introduced to the market. Virtual cards, for example – with unique, randomly generated 16-digit numbers designated for one-time usage – offer much greater protection, with only 3% of organizations reporting that type of actual or attempted fraud in AFP’s 2020 survey.
The good news is that you have multiple payment options, as well as best practices you can implement, to reduce risk and help keep your finances safe – even during the time of COVID-19.