
ACH payment fraud: How SMBs can prevent and mitigate risks

Regardless of industry, stage, or size, a major part of running a business is sending and receiving payments. Unfortunately, wherever money is involved, criminals see a potential for scams and fraud.

While most financial fraud attempts are still focused on checks, ACH payment fraud is on the rise. According to a recent report by the Association for Financial Professionals, in 2022, 30% of companies reported they were targets of ACH payment fraud.

Small and medium-sized businesses (SMBs) are especially vulnerable to financial fraud. That’s because they often lack both the resources to monitor and prevent it and the cash reserves to stay afloat despite the losses incurred. But that doesn’t mean you should avoid ACH, one of the most popular and cost-effective money transfer methods.

Instead, we suggest you educate yourself about the potential threats and how to protect your small business, starting with this article. Here, we’ll cover some basic definitions regarding ACH fraud and explore vulnerabilities and prevention measures for SMBs.

First, what’s an ACH payment?

An ACH (automated clearing house) payment (or ACH bank transfer) is an electronic funds transfer (EFT) made through a network of financial institutions (also known as clearing houses).

The ACH network allows for the secure electronic transfer of money between bank accounts in the U.S. and around the globe. To transfer money through the network, member institutions must abide by the rules and regulations enforced by its governing organization, Nacha.

The ACH network moved 7.7 billion payments worth a total of $19.7 trillion in Q1 2023. Its popularity can be partly explained by relatively low fees, ranging from a few dollars through most banks to free on some digital accounts payable (AP) tools like Melio.

Common types of ACH payment fraud that affect small businesses

Any theft of funds via an unauthorized or fraudulent ACH payment is considered ACH fraud. In most cases, once the offender has illegally obtained the money, they will quickly withdraw the funds to a debit card or another account before a dispute can be opened.

Here are the most common ways fraudsters target SMBs for ACH payment fraud.

Stolen credentials

The simplicity of ACH payments is also what makes life so easy for some fraudsters. All they need to do is retrieve your bank account number and routing number. They then use your bank information to send money to an account they control or set up payments for services and goods that you never bought.

These are some of the ways scammers get their hands on private banking information:

  • Data breach. Your bank information is likely logged not just in your systems but in those of your vendors, service providers, and customers. If any one of those is breached, this could make you vulnerable to an attack.
    What we’re trying to say is, never keep your bank details out in the open for everyone to see.
    By the way, a data breach doesn’t have to be the result of hacking (more on that later). For example, if you keep a sticky note with your bank info on your screen for easy access, then anyone passing through your office could immediately gain access to your funds. Another scenario is accidentally capturing the note in an unfortunate selfie, then posting it online for all to see.
  • Insider threat. Trust is an important component in every team but sometimes employees may be tempted to stick a hand in the cookie jar and become offenders. They may then steal your credentials and use them to transfer funds themselves or trick another employee into unwittingly sending them money from your account.
  • Hacking. Some cyberattacks involve tricking legitimate users into installing spyware on the company’s computers. This type of malware includes keyloggers that record every key you press on your keyboard, including your user names, passwords, and, of course, banking information.
  • Phishing attacks. In a phishing attack, you or your team receive an email or text message containing a link that leads to a website controlled by the attacker. The website may look exactly like your bank’s site or another service that requires a login. Once you fill in your username and password, you will either be redirected to the right website or receive an error message. Either way, your attacker will already have your credentials and can start accessing your data and performing actions on your behalf.
  • Mail theft. What is a check in the mail if not just your bank info in an envelope traveling alone across the country?

Social engineering

    In this scenario, an attacker will impersonate one of your employees or vendors to get you to transfer money to the wrong account. Identity theft often involves the use of some genuine stolen information to increase credibility and make it more likely for you to take the bait.

    For identity theft-based ACH fraud, an attacker may use:

    • A legitimate but hacked email owned by the person they’re impersonating.
    • A fake email with an address that looks similar enough for you to mistake it for genuine.
    • Fake invoices with some of your vendor’s real details but the fraudster’s own bank information on them.
    • SMS spoofing, which refers to text messages that appear to originate from the person being impersonated.
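
One way to catch the look-alike sender address described in the list above before an invoice is acted on. This is an added example, not part of the original article; the function names, the small character-swap table and the `.example` vendor domains are assumptions made for illustration.

```python
def edit_distance(a, b):
    """Levenshtein distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Character swaps that read alike at a glance; a small illustrative set.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "5": "s"})


def skeleton(domain):
    """Collapse visually similar characters so 'acme1umber' equals 'acmelumber'."""
    return domain.lower().translate(LOOKALIKES).replace("rn", "m")


def classify_sender(address, known_domains, max_distance=2):
    """Return ('known' | 'lookalike' | 'unknown', matched vendor domain or None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in known_domains:
        return "known", domain
    for good in sorted(known_domains):
        # Near miss of a vendor you already pay: treat as suspicious, not as new.
        if skeleton(domain) == skeleton(good):
            return "lookalike", good
        if edit_distance(domain, good) <= max_distance:
            return "lookalike", good
    return "unknown", None


# Constructed vendor list and sender addresses (reserved .example domains).
KNOWN = {"acmelumber.example", "northside-supply.example"}

if __name__ == "__main__":
    for sender in ("billing@acmelumber.example", "billing@acme1umber.example",
                   "ap@northside-suply.example", "hello@unrelated-shop.example"):
        print(sender, classify_sender(sender, KNOWN))
```

A "known" result only says the domain matches; a legitimate but hacked mailbox passes this check, so a change of bank details still needs confirming by phone.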


    The illegal activity in which the criminal utilizes the time it takes banks to process transactions to fraudulently gain credit or steal additional money is known as kiting.

    In essence, they are using non-existent funds to artificially inflate their cash reserves by moving them around between accounts. This cycle may repeat until the offender is caught or gets enough cash to no longer have to kite. If you’re caught in the middle of the cycle, you may never notice the transgression, but if your payment is caught at the end of it, you’ll be in for a loss.

    Kiting was originally done with paper checks but can also be implemented with ACH transactions that typically take a few days to process.

    Here are two scenarios to explain how ACH kiting may affect your small business.

    Scenario 1: The fraudster uses ACH to pay from one account with insufficient funds. Before the money is deducted, they use a second account with insufficient funds to send another ACH transfer to cover the first one.

    By doing so, they convert the ACH payment into short-term credit without the necessary financial backing.

    Scenario 2: A customer makes a purchase and pays using an ACH bank transfer. They then claim there’s an issue with the product, requesting a full or partial refund in cash, via debit or any other immediate method while the ACH transaction is still being processed.

    The unsuspecting business issues the refund only to discover a few days later that the original payment was rejected due to insufficient funds, as the scammer already drained the account.

    8 ACH payment fraud prevention strategies for small businesses

    SMBs don’t typically have a lot of resources to fight fraud attempts but not everything costs money. By being more aware of the risks, keeping a close eye on details, and implementing a few extra security measures, you can significantly reduce your business’s exposure to ACH fraud.

    Below are 8 tips to mitigate risks without breaking the bank (or letting anyone break in).

    1. Keep bank details on a need-to-know basis

    security risk, allowing criminals to pull funds from your account. So, it’s important to minimize the number of people who are exposed to this sensitive information.

    Your bookkeeper obviously needs to have them, but not every employee that comes through the door should have this access. Use your good judgment to decide who really needs this information to do their day-to-day job. If an employee is only sending an occasional payment once every few weeks, it might be better to handle it yourself or send it to your accountant than to risk exposure.

    2. Use 3-way matching

    One way to fend off invoice-based ACH fraud is to perform 3-way matching to make sure you’re paying the right person for the right thing. This process includes comparing the contents of the invoice you received against your purchase order and order receipt. The most important details that need to be matched are the sum, the goods provided, and the vendor’s payment information.
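
The 3-way match described above, written out as a check that returns every discrepancy it finds. This is an added example, not part of the original article; the `Document` fields and the sample vendor, SKUs and account numbers are constructed, and it assumes the purchase order records the vendor's bank details as they were when the order was placed.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Document:
    """One side of the match. Field names are assumptions for this example."""
    vendor: str
    items: dict          # SKU -> quantity
    total: Decimal       # zero for a receipt, which carries no price
    routing: str = ""    # vendor bank routing number, where the document has one
    account: str = ""    # vendor bank account number


def three_way_match(po, receipt, invoice, tolerance=Decimal("0.00")):
    """Return a list of discrepancies; an empty list means the invoice may be paid."""
    problems = []
    if invoice.vendor != po.vendor:
        problems.append("vendor name differs from purchase order")
    # Goods: what was billed must be what was ordered AND what arrived.
    for sku in sorted(set(po.items) | set(receipt.items) | set(invoice.items)):
        ordered, got, billed = (d.items.get(sku, 0) for d in (po, receipt, invoice))
        if billed > ordered:
            problems.append(f"{sku}: billed {billed}, ordered {ordered}")
        if billed > got:
            problems.append(f"{sku}: billed {billed}, received {got}")
    # Sum: the invoice total must equal the agreed PO total within tolerance.
    if abs(invoice.total - po.total) > tolerance:
        problems.append(f"total {invoice.total} differs from PO total {po.total}")
    # Payment information: bank details on the invoice must be the ones on the PO.
    if (invoice.routing, invoice.account) != (po.routing, po.account):
        problems.append("bank details differ from purchase order: verify by phone")
    return problems


# Constructed sample documents (not real vendors or account numbers).
PO = Document("Acme Lumber", {"OAK-2x4": 40, "GLUE-1L": 5}, Decimal("612.50"),
              "000000001", "111122223333")
RECEIPT = Document("Acme Lumber", {"OAK-2x4": 40, "GLUE-1L": 5}, Decimal("0"))
GOOD_INVOICE = Document("Acme Lumber", {"OAK-2x4": 40, "GLUE-1L": 5},
                        Decimal("612.50"), "000000001", "111122223333")
# Same goods and sum, but the bank account was swapped for another one.
ALTERED_INVOICE = Document("Acme Lumber", {"OAK-2x4": 40, "GLUE-1L": 5},
                           Decimal("612.50"), "000000002", "999988887777")

if __name__ == "__main__":
    print(three_way_match(PO, RECEIPT, GOOD_INVOICE))
    print(three_way_match(PO, RECEIPT, ALTERED_INVOICE))
```

The altered invoice matches on goods and sum and fails only on payment information, which is why all three details have to be compared rather than the amount alone.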

    This cybersecurity best practice isn’t limited to preventing financial fraud. Malicious links are one of the most common ways hackers infect your devices with malware and spyware. These malicious programs can be used by an attacker to cause substantial damage to your business through fraud.

    So, always be wary of links and only click them when you’re 100% sure you know who sent them and why, and that they are reliable.

    4. When in doubt, call

    Whenever anything looks suspicious, for example, an email riddled with typos or just an out-of-the-blue request to update the payment details, pick up the phone to double-check with your vendor or employee before sending a payment.

    Don’t be tempted to simply text back as you could find yourself conversing with your attacker. With a call, you’ll have a much better chance of knowing you’re talking to the right person. Also, make sure the number you’re calling is the one in your files, not in the suspect invoice or message.

    5. Educate yourself (and your team)

    As technology advances, attackers are constantly getting more sophisticated so it’s important to stay up to date on the threats relevant to your industry. It’s also crucial to periodically train your team on potential threats and ways to detect them.

    6. Make sure you’re covered

    If you do fall victim to ACH fraud from an insider threat, having fidelity insurance can help significantly cut your losses. This type of insurance covers your company against monetary and physical damage caused by fraudulent or otherwise dishonest activity by someone on your team.

    7. Keep an eye on your money

    While Nacha and the bank offer protection against unauthorized and fraudulent ACH payments, it’s your responsibility to monitor the movements in your account and promptly report anything suspicious. So, it’s very important you know exactly what’s going on in your account at all times.

    Check with your bank to see if it offers notifications via email or text whenever a transaction is made. This can help make sure no transaction goes unnoticed without requiring daily logins to your account.

    8. Use digital payment platforms

    A digital payment platform like Melio allows you to manage incoming and outgoing payments for your business while keeping your payment information safe. You no longer have to give out your details to customers in order to get paid or to your employees to allow them to pay.

    When you input your payment and bank details, they are kept hidden and encrypted to ensure your money stays yours.

    These platforms also allow you to establish payment approval workflows so you get the final say on every payment before it goes out.

    Keep your business safe and in business

    Where there’s money, there are fraudsters, and no business is 100% safe from an attack. But taking the measures outlined above can go a long way in preventing ACH fraud.

    Start by taking a few moments to sign up for Melio today to manage your payments in a secure and transparent way. The best part? There are no subscription fees or strings attached.

    *This blog post is intended for informational purposes only and is not intended as financial advice.
    **Melio does not provide legal, tax or accounting advice, and you should consult with a professional advisor before making any financial decisions.