Fight the Fraud: 5 Ways Your Business Can Secure Electronic Payments.

By Kim Bartsch – Treasury Management Consultant

What’s the 411 on the ACH?

Established in 1974, the Automated Clearing House (ACH) is a U.S.-based digital network used by member banks to process transactions and transfer funds electronically. It was designed to get ahead of fraud as banks began to see larger dollar amounts moving daily, especially with businesses.

Fast-forward to today, fraudsters have become more clever with their social engineering tactics and hacking skills, often getting their greedy hands on sensitive banking information by targeting small- to medium-sized businesses, simply because those businesses tend to have fewer security measures. All fraudsters typically need is an account number and routing number – then they’re off with your money.

But there’s good news! The ACH network remains widely considered as one of the fastest, easiest and safest ways for businesses to move funds between bank accounts. Regardless, it’s still important to stay vigilant when it comes to processing direct deposits, direct payments, loan withdrawals, electronic checks and other transactions. Indeed, it quite literally pays to have the right best practices in place.

5 Tips to Prevent ACH Payment Fraud:

1. 'Nacha' typical protection

   Let’s start with the basics: ACH origination. When someone initiates a one-time electronic payment to or from multiple third parties (or “batches”), the money is then directly deposited to or withdrawn from those accounts. This process is often secure, but fraud can still take place.

   When it comes to payment fraud, it could be that a third-party originator’s account was compromised. It could also be that they were tricked into initiating the transaction. On the other hand, the originator may actually be the culprit! They could intentionally be trying to move money through illegal means.

   There are multiple scenarios to consider when it comes to ACH wire fraud. That’s where the National Automated Clearing House Association (Nacha) comes in. Nacha is a not-for-profit organization that governs the ACH network, overseeing every transfer in an effort to secure sensitive financial information. Visit their website to stay up to date with the latest and greatest in terms of their rules and regulations.

2. Keep up on scams

   You and your employees are the first line of defense when it comes to your business’s digital and physical security. Therefore, it’s important to make sure everyone follows basic security best practices. Strong passwords, secure Wi-Fi, closed-out devices – you’ve heard the mantra. However, it’s especially crucial to be on the lookout for these greatest hits from the ACH fraudster playbook:

   The Phisherman
   Phishing is a classic social engineering technique for fraudsters. They’ll commonly reach out via email, pretending to be someone you’re familiar with, like an executive. They’ll try to trick you into taking a specific action, such as clicking a malicious link or sharing an account number, all to gain access to your system. Once they’ve breached your infrastructure, they’ll maybe sit tight and monitor things for a while.

   Then they’ll make their move. For example, a criminal may initiate a wire transfer once they get a sense of who in the business would normally handle such a transaction. You’ll have fallen for their phishing shenanigans hook, line and sinker. Don’t take the bait! Watch for strange links and behavior, and always verify requests verbally if something doesn’t feel right.

   The Urgent Insurgent
   Scammers will often create a sense of urgency to get you to act fast without thinking, especially with ACH payments. Take a step back and don’t give in to the rush.

   The Pretender Vendor
   Since business ACH transactions often involve third-party organizations, scammers love to pose as vendors. They’ll usually call you up or email you requesting a change in payment instructions. Make no mistake, they’re really good at mimicking the types of vendor requests you’d typically receive.

   The moral of the story: Vet your venders. Again, if there’s ever any doubt, verbally verify before you send funds.​ It also doesn’t hurt to research new venders. Check their financial history, see if they have solid references, scan public reviews and read contracts closely.

   The ‘Oops, I Overpaid!’
   A close cousin of the Pretender Vendor, this tactic involves a fraudster not only posing as someone you know, but sending you an expected check that’s made out for too much. They’ll request that the overage be wired back, and when the check bounces later, they’ll be long gone – and you’ll be out some change.

   The Fake Invoice
   If you suddenly notice any unusual invoices, accounts or payment information, it’s a red flag. When moving money electronically, be sure to always match the requested amount to a legitimate source.

   The third time’s a charm: If you’re ever in doubt about a strange request involving ACH transfers, verbally verify it before taking next steps. This will save you both time and headaches!

3. Set up the right processes and procedures

   In addition to making sure you and your employees are privy to the plague of present-day scams, it’s also important to put strong controls in place. There’s a lot to unpack here, so let’s take things point by point.

   Automation
   In a perfect world, it helps to manually review as many ACH payments as possible. However, if you’re a business that processes hundreds or even thousands of transactions at any given time, this is a bit of a lift. That’s why it’s important to implement a system that automates ACH approvals whenever possible, allowing you to control dollar amounts, date ranges and other details, saving time and stress.

   Verification
   Set up ACH payment voucher forms to make sure recipients are who they say they are, and set withdrawal limits for certain accounts. Make time for regular procedure audits, and implement an automatic block feature on accounts for when scammers strike. Additionally, add an extra layer of security with two-factor authentication. The name of the game – verify, verify, verify.

   Reconciliation
   However your processes are organized, it’s crucial that you do everything in your power to reconcile your accounts daily. After all, if you don’t spot scams now, what’s stopping the fraudster from keeping the party going? Nipping fraud in the bud is paramount to preventing future criminal activity.

   Anticipation
   Let’s face it – fraud is a part of life, and it’s likely going to come knocking at some point. You should be ready to shut the door in its face with physical security measures. Whether it’s locking sensitive storage areas, wearing identity badges, installing a reliable security system or anything in between, think ahead about what threats could present themselves, and enact physical security measures accordingly.

   Digital security should be on your mind, too. Encrypt your ACH data and back up hard drives. Make sure you have strong firewalls and anti-malware software in place. It also helps to keep operating systems up-to-date, as well as have a remote-clean protocol in place in the event devices become lost or stolen.

4. Restrict access to only those with a need to know

   ACH transactions are usually handled by supervisors and upper management. It’s important to limit who can facilitate transactions, as well as how many they can facilitate. Simply put, if someone doesn’t have a job directly related to ACH transactions, they shouldn’t have access to that side of the business.

5. Choose a bank that has your back

   It helps to work with a financial institution that not only offers strong ACH origination and other robust cash management services, but is also capable of detecting wire fraud in real time. If a transaction occurs outside certain parameters you’ve established with the bank, it should trigger an immediate alert, allowing you to confirm or reject the transaction quickly.