Securing ACH Payments: Understanding Best Practices and Alternative Options

Understanding ACH Fraud

What is ACH Fraud?

ACH fraud involves unauthorized transactions made through the Automated Clearing House network. Fraudsters use various means of gaining access to victims' accounts or tricking businesses into initiating fraudulent payments.

ACH fraud poses a significant threat to businesses. In 2024, 38% of organizations reported fraud attacks on ACH debits and 20% reported attacks involving ACH credits. The costs of these crimes include financial losses, reputational damage and the loss of consumer trust.

Types of ACH Fraud

Criminals use a variety of methods to steal funds using the ACH network. Some common types of fraud include:

Unauthorized Debits

The fraudulent actor obtains a victim’s bank account and routing number and uses this information to initiate an ACH debit without authorization.

Account Takeover Fraud

In this case, the fraudster obtains login credentials to gain control of a victim’s account and initiate unauthorized transactions.

Fake Payments

Criminals use tactics such as phishing and social engineering to convince an individual or business representative to authorize a payment. For example, the fraudster could pose as a trusted vendor and send a fake invoice to an unsuspecting employee.  

ACH Kiting

Kiting is the process of quickly transferring funds between different bank accounts, artificially inflating the account balances before the transactions clear. This technique takes advantage of the lag between when the ACH transfer is initiated and when the funds are debited or credited—usually about one to two business days. During this lag time, criminals attempt to withdraw or spend money that doesn't exist.

ACH Fraud Schemes

Watch for common schemes fraudulent actors may use to gain access to financial systems and sensitive data. These tactics can often be prevented through education and enhanced security measures.

Common Tactics

• Phishing attempts: Fraudulent actors may use deceptive emails or websites to capture sensitive information such as a customer's account details. This information can then be used to initiate fraudulent ACH payments.
• Business email compromise (BEC): Fraudulent actors use email phishing techniques to impersonate trusted contacts and trick businesses into initiating unauthorized ACH transactions or changing account information so the criminal can gain control.
• Identity theft: Criminals obtain victims' personal information through data breaches, social engineering or physical theft of personal documents. They use this information to make fraudulent transactions over the ACH network.
• Insider threats: Employers or contractors may abuse their role within an organization by initiating fraudulent ACH payments or changing account information to divert funds.

Best Practices for ACH Fraud Detection, Prevention & Risk Management

Secure ACH Transactions

Businesses can partner with secure ACH operators and financial institutions to ensure payments are made securely and compliantly. Look for payment solutions providers that maintain robust security protocols, including encryption and multi-factor authentication, and monitor ACH transactions for suspicious activity.

By using a payout gateway such as Onbe, businesses can offload the risk of making payouts at scale while providing a smoother experience for recipients. Onbe uses innovative tools, processes and industry best practices, from proactive trend identification to Know Your Customer (KYC) practices, to protect payment programs from everyday attacks. We minimize friction for your customers and workforce, so they can focus on enjoying their payouts—not worrying about fraud. Learn more about how we keep your ACH payments safe.

Pre-Transaction Controls

Know Your Customer (KYC) practices are key to preventing unauthorized ACH payments. Have processes in place to verify the identity of each payee and check this information against fraud databases. Monitor for activity such as the recipient updating their bank account information, which could indicate fraudulent activity.

Data Encryption

Financial records and sensitive data, including account information such as bank routing numbers and account numbers, should be encrypted in transit and at rest. This makes stealing information significantly harder for fraudulent actors if they breach your systems.

Transaction Monitoring

Payout providers may use specialized software to analyze ACH transactions, comparing this activity to established baselines and historical transaction patterns. Real-time monitoring and alert systems can help to detect fraud and stop criminals in their tracks.

Regular Security Audits

Reviewing transactions and conducting random spot audits of ACH payments can help businesses catch fraudulent activity as well as deter employee fraud.

Artificial intelligence and machine learning have simplified the process of analyzing electronic transfers and checking these payments against historic transaction patterns. However, payers are advised to manually check the details of high-risk transactions flagged by their monitoring systems.

Using Alternative Payment Methods

Every payment method has pros and cons. Compared to checks, ACH transactions are faster and more cost-efficient and can enable improved cash flow management.

Businesses and financial institutions can reduce their risk by choosing alternative ways to make financial transactions. For example, virtual cards offer enhanced security and don't require recipients to share their bank account details.

Responding to ACH Fraud

Fraud Response Plan

Along with implementing fraud prevention measures, it's important to have a comprehensive fraud response plan in place. That includes procedures for reporting and responding to ACH fraud.

Employees should be trained on the fraud response plan to ensure they understand their responsibilities and next steps, including:

• Contacting law enforcement and the business's bank
• Conducting internal investigations and completing reporting requirements
• Performing risk mitigation protocols, including freezing accounts

Understanding Your Business Liability

Laws related to ACH fraud and who is responsible for the financial losses are often favorable to consumers. Laws such as the Electronic Fund Transfer Act (EFTA) limit consumer liability for unauthorized ACH payments if account holders report the fraud within the specified timeframe. If businesses or banks do not have the necessary fraud controls and security procedures in place or adhere to regulations governing ACH transactions, they might be liable for the cost of fraud. Not following agreed-upon protocols can also lead to banks and businesses being held responsible.

Resolving ACH fraud often requires negotiation between the affected parties, and sometimes legal action is needed to determine fault. Organizations can reduce their risk and prepare for the worst-case scenario by implementing strong preventative measures and maintaining clear, documented procedures for electronic transactions.

Alternatives to Traditional ACH Payments

Some payment methods may carry more risk than others. Businesses can reduce ACH fraud by choosing alternative ways to issue payouts, such as virtual cards or push payments.

Onbe's platform offers disbursements with a variety of secure, digital payment options that meet every preference. With our white-labeled solution, you can meet a diverse range of payment needs, improving reach, transparency and payment delivery rates. Our industry-leading fraud prevention, detection and risk management tools help to protect your business and recipients. Learn more about our security capabilities.