How to keep ACH fraud away from your bank

Outsmarting the cybercriminals starts with understanding their ever-evolving approach to fraud.

By Colleen Morrison

Payments fraud reached a record high in 2017. While the ACH Network continues to boast the lowest attempted and confirmed fraud of any payments system, it, too, has experienced an uptick.

“What we’ve seen [in fraud] is an increase,” indicates Peter Hohenstein, senior director, NACHA—The Electronic Payments Association, the steward of the ACH Network. “When you talk about ACH risk threats, the threats are not really in the ACH Network. It’s those input points in front of the network that tend to be compromised.”

These “point-of-entry” attacks drive growth in ACH fraud. With increasingly sophisticated threats, how can community banks protect themselves? It starts with understanding a fraudster’s approach.

Today’s top ACH fraud threats have one thing in common: Each relies on the manipulation of individuals. The three main types of ACH fraud today are business email compromise, vendor impersonation fraud and payroll impersonation fraud (see sidebar, bottom of article). All three personalize the attack and take advantage of a customer’s trust.

Quick stat


Percentage of U.S. organizations that were targets of payments fraud in 2017

“The clients or the customers of the bank are sometimes the weakest link,” notes Peter McVey, senior vice president and director of treasury services at Lead Bank, a $260 million-asset community bank in Kansas City, Mo. “Even as a receiving bank, customers could ultimately open the door to some potential loss or fraud.”

These targeted customer attacks may intensify as payments speed up. NACHA reports that no financial institutions have experienced an increase in fraud attempts since the inception of Same Day ACH, but faster payments shrink the window in which fraud can be caught.

“I’m a big believer in Same Day, but when you speed up that transaction, the risk increases,” says Chris Doyle, president and CEO of $1.07 billion-asset Texas First Bank in Texas City, Texas. “We haven’t seen an increase in losses, but we have stepped up monitoring because of it.”

Mitigation techniques

Transaction monitoring, both manual and automated, plays a widespread and vital role in mitigating fraud. In fact, a study from the Federal Reserve Bank of Minneapolis concluded that manual review processes are used by more than 80 percent of financial institutions, and 74 percent of those $1 billion or more in size report use of anomalous behavior screening.

“First and foremost, you have to have data analytics; fraud prevention through AI [artificial intelligence] is the biggest safeguard,” advises Doyle. “So when activity on an account is unusual, these types of transactions will kick out a red flag. We also monitor our accounts through our operations department on a more manual basis for large-ticket items.”

In addition to screening, setting strict policies helps fend off attacks. For example, bank procedures may require strong authentication, dual controls and out-of-band verification. Yet these policies are only as strong as the staff who adhere to them.

“Bad guys try to create a sense of urgency,” cautions Hohenstein. “If they can get you out of your normal procedure, you could fall into the trap of sending a payment to a fraudulent destination.”

That’s why both staff and customer education are critical to thwarting threats. In nearly every case of an ACH attack, the “human component” opens the door to the fraud.

“Staff training is absolutely the key inside the financial institution, and customer education is key at the customer level. It’s hard to stress how important those really are,” Hohenstein concludes.

More education may feel like another pull on limited resources, but training does not need to be a drain. Tools are available to arm staff and customers with key information (see sidebar, below).

And, as McVey points out, banks are often better prepared than they recognize. “In most cases, banks already have the people and the systems in place. It’s just a matter of taking individuals and giving them some additional education.”

What are the primary types of ACH fraud?

  • Business email compromise. Occurs when a legitimate business email is commandeered and used to give fraudulent payment instructions.
  • Vendor impersonation fraud. Takes place when a valid contractor’s, vendor’s or business partner’s name is used to institute a change of payment instructions.
  • Payroll impersonation fraud. Ensues when a payroll provider is impersonated with a request for employees to confirm or update information.

Where to learn more about fraud prevention tools for financial institutions

Colleen Morrison is a writer in Virginia.