Mary Schaeffer
Mary Schaeffer

ACH Fraud

How you can prevent it at your firm.

December 3, 2009
by Mary Schaeffer

Does your organization have a bank account? Of course it does. Then you need to be concerned about ACH (Automated Clearing House) fraud. Some executives believe that because they don’t make electronic payments they need not be concerned about electronic payment fraud. Unfortunately, this is just not true. Every organization is at risk and this type of fraud is skyrocketing. But don’t take my word for it. The FBI recently issued an alert about the problem.

Here’s a look at what’s going on and what you can do to protect yourself.

Emerging Problem #1

Most organizations use positive pay today. With this fraud deterrent, companies submit a file to the bank every time they do a check run. It contains a listing of all checks issued. The data provided is the dollar amount and check number. When a check is presented for payment, the bank checks its files and if the check is not on the listing, it is rejected. Similarly, if the check has been paid, it is also rejected.

The criminal elements have been changing the payee name, leaving the dollar amount and check number the same. This has caused some banks to develop a new product called “payee-name positive pay” that includes this vital piece of information.

So what the fraudsters have been doing is taking the positive pay rejects and resubmitting them as ACH debits. Since positive pay only works with checks, the ACH debits are getting through.

Emerging Problem #2

This fraud typically starts with targeted phishing e-mail, aimed at the person in charge of the company's checkbook and the one doing the online transactions. For most companies this is either the accounts payable manager or accounts payable staff. The fraudster tricks the victim into running software, opening a harmful attachment or visiting a malicious Web site.

The criminals then install key-logging software and once the software has been downloaded, the fraudster simply waits for the computer owner to log into the bank site and “catches” the keystrokes, getting the accounts number and passwords. With that information, the crook is good to go. If two people are needed to sign off for the transaction, the schemer has a little more work to do but is often still able to get the needed information. They then add new payees and transfers money to themselves.

Experts believe the only reason it has exploded is that the crooks are having trouble finding legitimate accounts to which they transfer the money. They are currently recruiting unwitting recipients, referred to as money mules on sites like Monster.com. Many don’t know fraud is involved and are victims as well.

What You Can Do

ACH blocks will protect your accounts from any ACH debit, while an ACH filters against unauthorized debits. This will protect you against the first type of fraud but not the second.

Organizations are being advised to set up a separate computer to use for online banking activity — only. This machine should not be used for e-mail or surfing the Internet ever.

Daily bank account reconciliation will help identify unauthorized transactions. Waiting longer will put your organization in a bad place when it comes to trying to reverse transactions and get your money back. It will have left the banking system.


Constant vigilance not only of your accounts but also about what is going on in the banking world is everyone’s responsibility. It is imperative that everyone keep their staff updated to the latest frauds and protections available. They continually change. Don’t wait until your organization is hit. Over half those who experienced this type of fraud reported to the Association of Financial Executives that they could have prevented the fraud if they had put ACH blocks in place. That was the biggest oversight but there were others. What have you done to protect your organization and to make sure your payment staff is kept in the loop?

Additional Resource: Managing the Business Risk of Fraud.

Rate this article 5 (excellent) to 1 (poor). Send your responses here.

Mary S. Schaeffer is the author of over a dozen business books including The Controller & CFO’s Guide to Accounts Payable (2007 John Wiley & Sons) and Fraud in Accounts Payable: How to Prevent It (2008 John Wiley & Sons). She is the publisher of the CFO & Controllers Accounts Payable Management Journal, a quarterly electronic journal for senior executives concerned about internal controls and cost control in their payment function, writes a monthly newsletter, a free weekly ezine e-AP News, speaks at accounts payable webinars, seminars and conferences and directs the organization’s consulting practice.