Digital Fraud Wiki

What is ACH Fraud – and How to Prevent It

An employee receives paychecks through direct deposit. One day at work, she receives an email prompting her to visit a website that looks like it belongs to her bank. In fact, it is a malicious website that exists solely to collect credentials. The employee doesn’t know that, and she enters her information (an account number and routing number), which the fraudster can now use to impersonate her and withdraw funds via ACH. That’s why you need ACH fraud protection!

What is ACH Fraud?

ACH fraud is any unauthorized transfer from a bank account using the Automated Clearing House network. The ACH is a financial transaction network and central clearing facility for all electronic fund transfer (EFT) transactions that occur in the U.S. New digital payment methods such as Venmo, PayPal, Zelle and others leverage ACH to complete payments between individuals and businesses.

Unfortunately, ACH fraud is fairly easy to commit: fraudsters need only two pieces of stolen information, a checking account number and a bank routing number.

ACH Fraud Protection

Businesses and individuals rely on ACH fraud protection to find ACH fraud and prevent it. ACH fraud protection can detect ACH scams through transaction monitoring, device fingerprinting, and advanced technology like unsupervised machine learning.

Common ways hackers commit ACH fraud

Fraudsters may commit imposter scams by using Authorized Push Payments (APPs) that trick customers into making ACH transactions. Or they can use a real customer’s credentials to submit unauthorized ACH transactions in the customer’s name and take out funds via ACH debit. There are several tools available to fraudsters – and their tactics have become increasingly sneaky and sophisticated.

Here are some ways that fraudsters commit ACH fraud:

  • ACH kiting: Moving funds back and forth between accounts and financial institutions. Usually, ACH kiting happens within a company, often right before the year’s end.
  • ACH lapping: A payment from a bank account is diverted or marked as received. Subsequent payments from other accounts are made to cover up the fraud.
  • Insider threats: Someone on the inside of a company uses legitimate credentials to steal money via ACH or pass it to another fraudster.
  • Phishing: An employee or authorized individual is tricked into providing their credentials, and a fraudster uses them to impersonate the individual and withdraw funds.
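A transaction-monitoring rule for the ACH kiting pattern in the list above, as an added example that is not from the original page or any vendor product: it flags account pairs whose transfers keep reversing direction for similar amounts within a few days. The record layout, account labels, and all thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date
from typing import NamedTuple

class Transfer(NamedTuple):
    settled: date
    src: str
    dst: str
    amount: float  # USD

# Constructed sample data; account labels are placeholders, not real identifiers.
TRANSFERS = [
    Transfer(date(2023, 12, 18), "BANK_A:1001", "BANK_B:2002", 48000.00),
    Transfer(date(2023, 12, 20), "BANK_B:2002", "BANK_A:1001", 47500.00),
    Transfer(date(2023, 12, 22), "BANK_A:1001", "BANK_B:2002", 49000.00),
    Transfer(date(2023, 12, 27), "BANK_B:2002", "BANK_A:1001", 48800.00),
    Transfer(date(2023, 12, 19), "BANK_A:1001", "BANK_C:3003", 1200.00),  # vendor payment
    Transfer(date(2023, 12, 5), "BANK_C:3003", "BANK_A:1001", 300.00),    # unrelated refund
]

def find_kiting_pairs(transfers, window_days=5, tolerance=0.05, min_reversals=2):
    """Return {(acct_x, acct_y): [(leg, return_leg), ...]} for suspicious pairs.

    A reversal is a transfer followed, within window_days, by a transfer in the
    opposite direction between the same two accounts for a similar amount.
    All thresholds are illustrative assumptions to be tuned on real data.
    """
    by_pair = defaultdict(list)
    for t in sorted(transfers):  # chronological order
        by_pair[frozenset((t.src, t.dst))].append(t)

    flagged = {}
    for pair, legs in by_pair.items():
        reversals = []
        for prev, cur in zip(legs, legs[1:]):
            opposite = (prev.src, prev.dst) == (cur.dst, cur.src)
            close = (cur.settled - prev.settled).days <= window_days
            similar = abs(cur.amount - prev.amount) <= tolerance * prev.amount
            if opposite and close and similar:
                reversals.append((prev, cur))
        if len(reversals) >= min_reversals:
            flagged[tuple(sorted(pair))] = reversals
    return flagged

if __name__ == "__main__":
    for pair, reversals in find_kiting_pairs(TRANSFERS).items():
        print(pair, "reversals:", len(reversals))
```

The one-off refund and vendor payment between the same two accounts are not flagged because they fall outside the time window and differ in amount.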

How Common is ACH Fraud?

Today, 93% of U.S. employees receive payment from their employers via ACH. The use of digital payment apps that rely on ACH to transfer funds between accounts is also increasing. As the number of people who receive ACH payments increases, so does the number of criminals scamming people using this network.

Can I dispute ACH fraud transactions?

Consumers may dispute a fraudulent ACH transaction within 60 days of receiving a statement from the financial institution listing the transaction or within 60 days of the settlement date. In other words, the consumer must report the fraud in a reasonable timeframe to be reimbursed by the bank.

Who is liable for ACH fraud?

Financial institutions are liable for ACH fraud and must compensate consumers for fraudulent ACH transactions. That’s because consumer electronic transactions are governed by the Federal Reserve Regulation E and the National ACH Association (NACHA), both of which state that consumers are not liable for unauthorized ACH transfers unless they fail to report them within 60 days of the bank providing a statement showing the transaction. NACHA specifies that if the consumer reports the ACH fraud within 60 days of the settlement date, the bank must credit the consumer the amount of the transaction. The bank can also return the transaction to the institution it originated from.

ACH fraud on business accounts

A personal account holder has up to 60 days to report ACH fraud to their bank, while businesses have just 24 hours. That’s because businesses aren’t protected under Regulation E. Rather, ACH fraud protection for businesses falls under the Uniform Commercial Code (UCC). After 24 hours, the business is liable for the transaction, not the bank. It’s important for businesses to reconcile accounts promptly and review online activity regularly, in order to catch ACH fraud early and reduce the risk of fraud losses.
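A daily reconciliation check built around the 24-hour window described above, as an added example that is not from the original page: it matches posted ACH debits against the debits the business has authorized and reports the rest with the time left to notify the bank. Originator names, trace IDs, and the record layout are constructed, and counting the 24 hours from the posting time is an assumption.

```python
from datetime import datetime, timedelta

REPORT_WINDOW = timedelta(hours=24)  # business reporting window stated in the text

# Constructed sample data. Originator names and trace IDs are placeholders.
EXPECTED = [  # debits the business has authorized: (originator, amount in cents)
    ("PAYROLL-CO", 1525000),
    ("UTILITY-CO", 41237),
]
POSTED = [  # debits taken from the bank's account activity report
    {"trace_id": "TRACE-0001", "originator": "PAYROLL-CO", "cents": 1525000,
     "posted": datetime(2024, 3, 4, 6, 0)},
    {"trace_id": "TRACE-0002", "originator": "UTILITY-CO", "cents": 41237,
     "posted": datetime(2024, 3, 4, 6, 5)},
    {"trace_id": "TRACE-0003", "originator": "UTILITY-CO", "cents": 41237,
     "posted": datetime(2024, 3, 4, 9, 30)},   # second pull of the same bill
    {"trace_id": "TRACE-0004", "originator": "UNKNOWN-LLC", "cents": 980000,
     "posted": datetime(2024, 3, 3, 8, 0)},    # originator never authorized
]
NOW = datetime(2024, 3, 4, 14, 0)  # constructed "current time" for the demo

def unmatched_debits(posted, expected, now):
    """Return debits with no matching authorization, most urgent first.

    Each expected entry can match only one posted debit, so a duplicate pull
    by a known originator is still reported. The deadline is assumed to run
    from the posting time.
    """
    open_items = list(expected)
    exceptions = []
    for debit in sorted(posted, key=lambda d: d["posted"]):
        key = (debit["originator"], debit["cents"])
        if key in open_items:
            open_items.remove(key)  # consume the authorization
            continue
        deadline = debit["posted"] + REPORT_WINDOW
        hours_left = (deadline - now).total_seconds() / 3600
        exceptions.append({"trace_id": debit["trace_id"], "deadline": deadline,
                           "hours_left": hours_left, "overdue": hours_left < 0})
    return sorted(exceptions, key=lambda e: e["deadline"])

if __name__ == "__main__":
    for item in unmatched_debits(POSTED, EXPECTED, NOW):
        print(item["trace_id"], "overdue" if item["overdue"]
              else f"{item['hours_left']:.1f} hours left to report")
```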

Can ACH payments be traced?

ACH payments can be traced, and banks can investigate suspected ACH fraud by reviewing the transaction data and looking for any anomalies or indications of potential fraud. Data to review can include timestamps, location information, IP address and more: anything that would provide evidence that the actual account holder wasn’t involved in completing the transaction. Additionally, ACH transactions have two “Trace IDs”: the destination and source IDs. These are listed on the consumer’s bank statement under “transaction details.”

How do you ensure ACH fraud protection?

ACH fraud prevention is sometimes achieved by applying ACH blocks—putting blocks on your accounts that require the consumer to manually review and approve a transaction before it can be completed.

In the absence of ACH blocks, fraud platforms like DataVisor can help detect ACH fraud early by combining rules and machine learning models and by analyzing events and account-level data holistically. Learn more about how DataVisor helps with ACH fraud prevention, as well as preventing other types of transaction fraud, without adding friction to the customer experience.