What is ACH Fraud – and How to Prevent It

An employee receives paychecks through direct deposit. One day at work, she receives an email prompting her to visit a website that looks like it belongs to her bank—except, it’s an infected website that exists for the sole purpose of collecting credentials for malicious reasons. The employee doesn’t know that, however, and proceeds to enter her information—an account number and routing number—which the fraudster can now use to impersonate the employee and withdraw funds via ACH.
That’s why you need ACH fraud protection!

What Is ACH Payment Fraud?

ACH fraud is any unauthorized transfer from a bank account using the Automated Clearing House network. The ACH is a financial transaction network and central clearing facility for all electronic fund transfer (EFT) transactions that occur in the U.S. New digital payment methods such as Venmo, PayPal, Zelle and others leverage the ACH network to complete payments between individuals and businesses, and cybercriminals know how to exploit it. ACH fraud is fairly easy to commit—fraudsters only need two pieces of sensitive data: the victim’s bank account number and bank routing number.

How Common is ACH Fraud?

ACH fraud is on the rise as more businesses and individuals rely on electronic funds transfers, making it a growing concern in the digital payment landscape. Today, 93% of U.S. employees receive payment from their employers via ACH. Additionally, the use of digital payment apps that use ACH for transferring funds between accounts is also increasing. As the number of people who receive ACH payments increases, so does the number of criminals scamming people using this network.

The adoption of digital payment systems, combined with sophisticated cybercrime techniques, has contributed to the increasing frequency of ACH fraud incidents. According to the Association for Financial Professionals (AFP), ACH fraud is now one of the most common forms of payment fraud, with a 2022 survey revealing that 37% of organizations experienced ACH debit fraud, and 32% reported ACH credit fraud.

A significant portion of ACH fraud is linked to Business Email Compromise (BEC) schemes, where cybercriminals hack legitimate email accounts to alter ACH payment instructions, often resulting in large financial losses. The FBI reports that BEC-related attacks have cost billions, much of which involves ACH transfers.
Vulnerable sectors include industries that frequently process large-scale payments, such as payroll, vendor payments, and real estate transactions, where fraudsters exploit the lack of visibility in electronic transfers.

What Is ACH Fraud Protection?

Businesses and individuals increasingly depend on ACH fraud protection tools to safeguard against the rising threat of ACH fraud. With electronic transfers becoming a central part of financial transactions, it’s critical to have systems in place that can detect and prevent fraudulent activities. ACH fraud protection solutions are designed to monitor suspicious behaviors, analyze patterns, and quickly identify potential fraud before it results in financial losses. These systems work by continuously scanning transactions, cross-referencing them with known indicators of fraud, and flagging any unusual or unauthorized activities for further investigation. This proactive approach helps businesses maintain security and trust in their payment processes.

Key technologies, such as transaction monitoring and device fingerprinting, play a vital role in preventing ACH fraud. Transaction monitoring tracks all incoming and outgoing payments in real time, looking for inconsistencies or red flags that signal fraud attempts. Device fingerprinting adds another layer of protection by analyzing the devices used to initiate payments, identifying any discrepancies or anomalies that could indicate unauthorized access.

Advanced technologies, including unsupervised machine learning, further enhance ACH fraud protection by detecting new and evolving fraud patterns that traditional rule-based systems might miss. By continuously learning from new data and adapting to emerging threats, these systems provide robust protection against the ever-changing landscape of ACH fraud.

How Do ACH Scams Work?
Fraudsters may commit imposter scams built on authorized push payments (APPs), tricking customers into making fraudulent transactions through phishing emails or business email compromise. Or they can use a real customer’s credentials to check account balances and perform an account takeover. Then they may submit unauthorized ACH transactions in the customer’s name and make withdrawals via ACH debit.

There are several methods available to fraudsters, and their tactics have become increasingly sneaky and sophisticated. Here are some ways that scammers commit ACH fraud:

ACH kiting: Moving funds back and forth between accounts and financial institutions. Usually, ACH kiting happens within a company, often right before the year’s end.
ACH lapping: A payment from a bank account is diverted or marked as received. Subsequent payments from other accounts are made to cover up the fraud.
Insider threats: Someone on the inside of a company uses legitimate credentials to steal money via ACH or pass it to another fraudster.
Phishing: An employee or authorized individual is tricked into providing their credentials, and a fraudster uses them to impersonate the individual and withdraw funds.

Can I dispute ACH fraud transactions?

Consumers have a specific window of time to dispute a fraudulent ACH transaction, typically within 60 days of either receiving a statement from their financial institution that includes the unauthorized transaction or within 60 days of the settlement date of the transaction itself. This timeframe is set to ensure that consumers carefully monitor their accounts and report any discrepancies promptly. By acting within this 60-day period, consumers increase their chances of being reimbursed by their bank or credit union for any unauthorized or fraudulent transfers. It’s important for consumers to regularly review their account statements and online banking activity to identify any irregularities as soon as possible.
Failing to report fraudulent ACH transactions within the 60-day window can limit the consumer’s ability to recover lost funds. Financial institutions are bound by regulations to investigate and, in many cases, reimburse fraudulent ACH transactions, but only if they are notified in a timely manner. This deadline serves as a safeguard for both the consumer and the bank, ensuring that fraud is caught and addressed swiftly.

Who is liable for ACH fraud?

Financial institutions are liable for ACH fraud and must compensate consumers for fraudulent ACH transactions. That’s because consumer electronic transactions are governed by the Federal Reserve Regulation E and the National ACH Association (NACHA), both of which state that consumers are not liable for unauthorized ACH transfers unless they fail to report them within 60 days of the bank providing a statement showing the transaction. NACHA specifies that if the consumer reports the ACH fraud within 60 days of the settlement date, the bank must credit the consumer the amount of the transaction. The bank can also return the transaction to the institution it originated from.

ACH fraud on business accounts

A personal account holder has up to 60 days to report ACH fraud to their bank, while businesses have just 24 hours. That’s because businesses aren’t protected under Regulation E. Rather, ACH fraud protection for businesses falls under the Uniform Commercial Code (UCC). After 24 hours, the business is liable for the transaction, not the bank. It’s important for businesses to reconcile accounts promptly and review online activity regularly, in order to catch ACH fraud early and reduce the risk of fraud losses.

Can ACH payments be traced?

ACH payments can be traced, and banks can investigate suspected ACH fraud by reviewing the transaction data and looking for any anomalies or suspicious activity that may indicate potential fraud.
Data to review can include timestamps, location information, IP address and more—anything that would provide evidence that the actual cardholder wasn’t involved in completing the transaction. Additionally, ACH transactions have two “Trace IDs”—the destination and source IDs. These are listed on the consumer’s bank statement under “transaction details.”

How do you ensure ACH fraud protection?

ACH fraud prevention is sometimes achieved by applying ACH blocks—putting blocks on your accounts that require the consumer to manually review and approve a transaction before it can be completed. This safeguards against fraudulent activity such as social engineering, phishing scams, and any other type of ACH fraud that might result in unauthorized transactions.

No matter the type of fraud, strong passwords and multi-factor authentication are also important cybersecurity measures for protecting account information. These should be applied to your credit card, debit card, and other accounts to protect against any vulnerabilities.

In the absence of ACH blocks, fraud platforms like DataVisor can help detect ACH fraud early by leveraging a combination of rules and machine learning models and analyzing events and account-level data holistically.

Learn more about how DataVisor helps with ACH fraud prevention, as well as preventing other types of transaction fraud, without adding friction to the customer experience.
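
The ACH kiting pattern listed under "How Do ACH Scams Work?" (funds moving back and forth between accounts and institutions) can be expressed as a simple transaction-monitoring rule. The sketch below is an added example, not DataVisor's code or part of the original article; the record layout, account labels, sample transfers and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample ACH transfers: (settlement date, source, destination, amount).
TRANSFERS = [
    (date(2024, 12, 20), "BANK_A:1001", "BANK_B:2002", 48000.00),
    (date(2024, 12, 22), "BANK_B:2002", "BANK_A:1001", 47500.00),
    (date(2024, 12, 24), "BANK_A:1001", "BANK_B:2002", 48200.00),
    (date(2024, 12, 27), "BANK_B:2002", "BANK_A:1001", 47900.00),
    (date(2024, 12, 23), "BANK_A:1001", "BANK_C:3003", 1200.00),  # one-way payment
    (date(2024, 12, 5), "BANK_C:3003", "BANK_D:4004", 900.00),
    (date(2025, 1, 20), "BANK_D:4004", "BANK_C:3003", 880.00),    # reversal, weeks apart
]


def find_kiting_pairs(transfers, window_days=10, min_legs=3, tolerance=0.05):
    """Return {(account, account): longest back-and-forth run} for suspicious pairs.

    A leg extends a run when it reverses the previous leg's direction, settles
    within window_days of it, and its amount is within `tolerance` (a fraction)
    of the previous amount. Thresholds are illustrative assumptions.
    """
    by_pair = defaultdict(list)
    for when, src, dst, amount in transfers:
        # Group by unordered pair so both directions land in the same bucket.
        by_pair[frozenset((src, dst))].append((when, src, amount))

    flagged = {}
    for pair, legs in by_pair.items():
        legs.sort()  # chronological order
        best = run = 1
        for (d0, s0, a0), (d1, s1, a1) in zip(legs, legs[1:]):
            reversed_dir = s1 != s0
            close_in_time = (d1 - d0) <= timedelta(days=window_days)
            similar_amount = abs(a1 - a0) <= tolerance * max(a0, a1)
            run = run + 1 if (reversed_dir and close_in_time and similar_amount) else 1
            best = max(best, run)
        if best >= min_legs:
            flagged[tuple(sorted(pair))] = best
    return flagged


if __name__ == "__main__":
    for pair, legs in find_kiting_pairs(TRANSFERS).items():
        print(f"review {pair[0]} <-> {pair[1]}: {legs} alternating legs")
```

A flagged pair is a lead for manual review rather than proof of fraud, since legitimate treasury sweeps can produce the same shape.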