The Automated Clearing House (ACH) network has become a backbone of banking and peer-to-peer transfers. Every day, a massive volume of ACH transfers is securely processed on the network, moving funds seamlessly from one bank account to another.
Despite being a tried and tested system for sending money, the ACH network is not without its vulnerabilities. Through tactics like social engineering, stolen credentials, and phishing scams, cybercriminals can take hard-earned money from businesses without them knowing.
Your business may be at risk if you don’t know what to look out for. Read on to learn the basics of ACH fraud, the warning signs to look for, and how to protect your business from fraud attempts.
What is ACH fraud?
ACH fraud refers to any unauthorized or deceitful transactions that use the ACH network. The ACH network is managed by Nacha and is used to provide peer-to-peer transfers for payments like paychecks, online bill payments, and contractor payments.
In 2024, 33.56 billion payments were processed using the ACH network with a total value of $86.2 trillion. Cybercriminals know that with this volume, it’s possible to push through fraudulent transactions without the business noticing.
How ACH fraud occurs
There’s a wide array of tactics cybercriminals use to commit ACH fraud. Some use stolen banking information to create fraudulent transactions, while others rely on human error to get a payment sent that was never warranted.
The most common ACH fraud techniques include:
- Social engineering attacks: Scammers impersonate a vendor or financial institution to trick the payer into authorizing fraudulent ACH payments
- Compromised credentials: Login credentials are stolen through a data breach, phishing email, or malware to gain access to a business bank account and create ACH payments
- Weak internal controls: Vendors take advantage of businesses with poor internal controls to obtain unauthorized transactions like duplicate payments
- Insider threats: Someone within the business uses their access to the financial systems to manipulate ACH payments for their own gain
What’s important to remember with ACH fraud is that it can happen on two fronts: the cybercriminal may be exploiting the system, or they may be exploiting the people who process payments. A business needs to consider both angles when reviewing for ACH fraud or protecting itself against future attempts.
Types of ACH fraud and examples
While ACH fraud can take multiple forms, these eight types of ACH fraud are the most common to look out for.
Fake ACH payments
Fraudsters create altered invoices or fake payment requests to prompt the business to send an ACH payment. They may imitate a legitimate vendor, but the payment instructions will differ from the usual process as funds are directed to the fraudster’s account.
Example: A business receives an invoice from their usual cleaning company for their monthly services, but the payment instructions are requesting an ACH payment to a different bank account.
Unauthorized debits
A fraudster submits a request for an ACH debit to a business bank account using the bank account number and routing number. Funds are then withdrawn from the bank account without the account holder’s consent.
Example: A business’s bank information is obtained through illicit means. Once the information is in the hands of the fraudster, they initiate ACH debits to withdraw funds from the bank account.
Account takeover
When bank account login information falls into the hands of a fraudster, they gain access to the account through the bank’s online portal. They use this to initiate payments from the business bank account to their own.
Example: After a cyberattack, the business’s bank login information is sold to a fraudster. They log into the account and create ACH transfers to deposit funds in their own account.
Phishing scams
Phishing scams occur mostly over email. Using tactics like impersonation, creating urgency, and mimicking genuine websites or emails, the fraudster tries to get sensitive information like login credentials and banking information. With this information, they can start creating fraudulent ACH payments.
Example: An email comes in from what appears at first glance to be a genuine vendor regarding a refund. The email requests the banking information to deposit the money directly, but this information will actually be used to create ACH payments.
Data theft
Sensitive information is stolen through data breaches, malware, phishing scams, or insider leaks. This information is used to gain access to the business’s bank accounts and create fraudulent ACH transactions.
Example: Someone in the business opens an email attachment that contains malware, which scrapes the business’s bank login information. With access to the bank account, the fraudster creates fraudulent ACH transfers to their own account.
Insider threats
An employee with access to an ACH payment system or bank account manipulates the system to create new transactions or redirect existing transactions to their own bank account. They may take extra steps to try and hide their tracks and avoid detection.
Example: Someone within the organization with payment authorization submits fake invoices, posing as a contractor. Using their payment authorization, they approve each invoice with payments directed to their own bank account.
Business email compromise
By gaining access to someone’s email account, the fraudster poses as an executive or vendor. They submit requests for payment or instruct employees to process fraudulent ACH transactions.
Example: Someone gains access to the payroll administrator’s email account. They then send an email to the finance team regarding a non-existent payment to an employee that bounced, requesting that it be reattempted to their own bank account.
ACH kiting
ACH kiting is unlikely to affect businesses, because committing it requires the fraudster to control every bank account involved in the transactions. They exploit the time lag of transactions through the following steps:
- A payment is initiated from bank account A to bank account B, increasing the balance of bank account B
- Funds are withdrawn from bank account B before the payment clears
- The payment is cancelled, but the funds the reversal tries to pull back have already been withdrawn
Example: A fraudster opens up a new bank account with a $0 balance. They transfer $10,000 into the new account, quickly withdraw the full amount, then cancel the payment. The $10,000 can’t be pulled back from the new account.
Who is liable for ACH fraud?
Generally speaking, ACH fraud has fewer consumer protections than something like credit card fraud.
In most cases, the ACH fraud liability falls on the account holder unless they can prove they had sufficient security measures in place. If a business is a victim of ACH fraud and the bank finds it didn’t take sufficient precautions, the business is on the hook for the lost money.
This makes it even more valuable to put ACH payment security measures in place, to reduce liability risk in the event of ACH fraud.
How to prevent ACH fraud
Preventing ACH fraud requires businesses to look at their systems, tools, workflows, and people with authorization. Each facet has potential vulnerabilities that are avoidable with the right precautions.
The key steps a business should take to prevent ACH fraud are:
- Use multi-factor authentication (MFA): MFA adds an extra layer of security so someone can’t access the bank account with the login information alone. MFA could be attached to a phone number, email, or authentication software.
- Restrict account access: Only give account access to those who absolutely need it. In the case of accounts receivable and accounts payable, look for software with role-based permissions (like BILL) so users have access to the features they need, but nothing more.
- Implement vendor verification: As part of the payment approval workflow, add a touchpoint with the vendor that confirms the payment was requested, which order it pertains to, and the account the payment is being sent to.
- Train employees on fraud attempts: Make sure everyone is aware of the signs of attempted fraud and the process for flagging it to someone internally. Improve cybersecurity awareness with our tips and training.
- Have all payments require multiple authorizations: Requiring multiple authorizations means a payment can’t be sent unless approved by more than one person. This ensures a payment is reviewed multiple times before being approved.
- Regularly monitor account activity: It’s always best practice to take time to review bank statements and transaction logs for any unusual or unexpected activity.
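As an added example (not BILL’s code, and not a description of how the BILL platform works), here is a Python sketch of the release checks that the controls above translate into: compare the invoice’s bank details with a vendor record verified by call-back, require two distinct approvers who are not the requester, hold duplicates of a recent payment to the same vendor, and flag ACH debits on the statement from originators the business never authorized. It also applies the ABA routing-number check-digit formula, which catches typos and malformed instructions but not a fraudster’s genuinely valid account. Vendor IDs, bank details, approvers and statement entries are constructed sample data, and the thresholds (two approvers, a 30-day duplicate window) are assumptions.

```python
"""Added example, not BILL's code: pre-release checks for an outbound ACH payment
modelled on the controls listed above (vendor verification, dual authorization,
duplicate detection, statement review). All data below is constructed."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class BankDetails:
    routing: str  # 9-digit ABA routing number
    account: str


@dataclass
class Payment:
    payment_id: str
    vendor_id: str
    invoice_no: str
    amount: Decimal
    requested_by: str
    approved_by: list
    bank: BankDetails
    requested_on: date


def routing_checksum_ok(routing):
    """ABA check digit: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be 0 mod 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    d = [int(c) for c in routing]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


# Constructed registry (assumed sample values): bank details confirmed by calling the
# vendor on a number already on file, never on a number taken from the invoice being paid.
VERIFIED_VENDORS = {
    "V-100": BankDetails("123456780", "000111222"),
    "V-200": BankDetails("987654320", "000333444"),
}


def review_payment(p, registry, history, dual_auth_min=2, duplicate_window_days=30):
    """Return the findings that block release; an empty list means the payment may go out."""
    findings = []
    verified = registry.get(p.vendor_id)
    if verified is None:
        findings.append("vendor not verified: complete vendor verification before paying")
    elif verified != p.bank:
        findings.append("bank details differ from the verified record: confirm the change by call-back")
    if not routing_checksum_ok(p.bank.routing):
        findings.append("routing number fails the check-digit test: payment instructions are malformed")
    approvers = set(p.approved_by)
    if len(approvers) < dual_auth_min:
        findings.append(f"needs {dual_auth_min} distinct approvers, has {len(approvers)}")
    if p.requested_by in approvers:
        findings.append("requester may not approve their own payment")
    for prior in history:  # duplicate-payment check against what was already released
        if prior.vendor_id != p.vendor_id:
            continue
        if prior.invoice_no == p.invoice_no:
            findings.append(f"duplicate of {prior.payment_id}: same vendor and invoice number")
        elif prior.amount == p.amount and abs((p.requested_on - prior.requested_on).days) <= duplicate_window_days:
            findings.append(f"possible duplicate of {prior.payment_id}: same vendor and amount within {duplicate_window_days} days")
    return findings


def unexpected_debits(statement, authorized_originators):
    """Statement review: ACH debits whose originator was never authorized to pull from the account."""
    return [e for e in statement if e["type"] == "ACH_DEBIT" and e["originator"] not in authorized_originators]


# Constructed sample data: a released payment, then the same invoice resubmitted to a
# changed account and "approved" only by the person who requested it.
SAMPLE_HISTORY = [Payment("P-1", "V-100", "INV-2041", Decimal("4800.00"), "alice", ["bob", "carol"],
                          VERIFIED_VENDORS["V-100"], date(2024, 5, 2))]
SAMPLE_SUSPECT = Payment("P-2", "V-100", "INV-2041", Decimal("4800.00"), "alice", ["alice"],
                         BankDetails("123456780", "555666777"), date(2024, 5, 9))
SAMPLE_STATEMENT = [
    {"type": "ACH_DEBIT", "originator": "PAYROLL CO", "amount": "12000.00"},
    {"type": "ACH_DEBIT", "originator": "UNKNOWN LLC", "amount": "2450.00"},
    {"type": "ACH_CREDIT", "originator": "CUSTOMER A", "amount": "900.00"},
]

if __name__ == "__main__":
    for finding in review_payment(SAMPLE_SUSPECT, VERIFIED_VENDORS, SAMPLE_HISTORY):
        print("HOLD:", finding)
    for entry in unexpected_debits(SAMPLE_STATEMENT, {"PAYROLL CO", "UTILITY CORP"}):
        print("REVIEW:", entry)
```

Run as a script, the suspect payment is held for four reasons (changed bank details, a single approver, self-approval, and a duplicate invoice), and the debit from UNKNOWN LLC is listed for review. The point of the structure is that every finding is a hard stop that a second person must clear, which is what “multiple authorizations” means in practice; a bank-side ACH debit block or filter can enforce the originator allow-list directly on the account rather than only at review time.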
What to do if you become a victim of ACH fraud
The moment you recognize ACH fraud may be overwhelming, but immediate action is critical to protecting the business from any damages.
If you identify a payment as ACH fraud, take the following steps:
- Contact the bank: Report the unauthorized transaction and request a reversal (if possible) as soon as possible. If the payment was caught soon enough, the bank may be able to void the transaction and retrieve the funds.
- Notify law enforcement: Fraud should be reported to the Federal Trade Commission (FTC) via reportfraud.ftc.gov.
- Secure all accounts: Change passwords and login information for bank accounts and payment platforms. Review the permissions on all accounts and remove anyone who is non-essential.
- Inform all affected parties: Notify any vendors, customers, or employees who may have been compromised or otherwise affected by the fraud attempt.
- Conduct an investigation: Get to the bottom of how the fraud occurred and where your controls may have failed.
- Implement changes: If there are any vulnerabilities in the ACH payment process, look for ways to patch them up and make your ACH payments more secure.
See for yourself why 98% of customers feel their AP is more secure with BILL by booking a free demo.
Frequently Asked Questions
Can you dispute ACH fraud transactions?
You can dispute an ACH fraud transaction, but you’re not guaranteed to recover the funds from the transaction. It’s best to dispute an ACH fraud transaction as soon as it’s identified.
Can you recover ACH fraud payments?
Yes, an ACH fraud transaction can be recovered, but time is of the essence. There will be a short period of time where the transaction hasn’t cleared and the bank may be able to reverse the transfer.
Even if the ACH fraud happened long ago, you should notify the bank and the authorities. If there are any vulnerabilities, they’ll want to know about them so they can improve their security protections.
How common is ACH fraud?
According to the 2024 AFP Payments Fraud and Control Survey Report, 80% of organizations were victims of payment fraud attacks or attempts in 2023. ACH fraud is a focus for businesses given the increasing prevalence of electronic and peer-to-peer payments.
Given the high percentage, it’s best to be aware and put the security measures in place to minimize the risk when sending money.
What’s the impact of ACH fraud?
The main impact of ACH fraud is on your cash balance and cash flow. Even if the money is recovered, it could be days or weeks until it’s back in the bank account and usable in operations.
But beyond the financial impact, ACH fraud can damage a business’s reputation and hurt the relationships with vendors or customers who may have also been affected by the fraud attempt.
Safer ACH payments with automation
Increasing the security of your ACH payments doesn’t have to mean extra effort. With BILL’s accounts payable platform, you save time, simplify your processes, and have greater control over payments.
Documents and transactions are matched with our automatic 2-way sync, using integrations with the leading accounting systems. And with approval workflows seamlessly flowing from one user to the next, invoices are approved faster and without communication breakdown.
