While electronic funds transfers have long been considered safe and reliable, wire fraud is steadily on the rise, which is why it’s crucial for businesses to have the right tools in place to secure their ACH payments.
Established in 1974, the Automated Clearing House (ACH) is a U.S.-based digital network used by member banks to process transactions and transfer funds electronically. It was designed to get ahead of fraud as banks began to see larger dollar amounts moving daily, especially with businesses.
Fast-forward to today, fraudsters have become more clever with their social engineering tactics and hacking skills, often getting their greedy hands on sensitive banking information by targeting small- to medium-sized businesses, simply because those businesses tend to have fewer security measures. All fraudsters typically need is an account number and routing number – then they’re off with your money.
But there’s good news! The ACH network remains widely considered as one of the fastest, easiest and safest ways for businesses to move funds between bank accounts. Regardless, it’s still important to stay vigilant when it comes to processing direct deposits, direct payments, loan withdrawals, electronic checks and other transactions. Indeed, it quite literally pays to have the right best practices in place.
Let’s start with the basics: ACH origination. When someone initiates a one-time electronic payment to or from multiple third parties (or “batches”), the money is then directly deposited to or withdrawn from those accounts. This process is often secure, but fraud can still take place.
When it comes to payment fraud, it could be that a third-party originator’s account was compromised. It could also be that they were tricked into initiating the transaction. On the other hand, the originator may actually be the culprit! They could intentionally be trying to move money through illegal means.
There are multiple scenarios to consider when it comes to ACH wire fraud. That’s where the National Automated Clearing House Association (Nacha) comes in. Nacha is a not-for-profit organization that governs the ACH network, overseeing every transfer in an effort to secure sensitive financial information. Visit their website to stay up to date with the latest and greatest in terms of their rules and regulations.
You and your employees are the first line of defense when it comes to your business’s digital and physical security. Therefore, it’s important to make sure everyone follows basic security best practices. Strong passwords, secure Wi-Fi, closed-out devices – you’ve heard the mantra. However, it’s especially crucial to be on the lookout for these greatest hits from the ACH fraudster playbook:
Phishing is a classic social engineering technique for fraudsters. They’ll commonly reach out via email, pretending to be someone you’re familiar with, like an executive. They’ll try to trick you into taking a specific action, such as clicking a malicious link or sharing an account number, all to gain access to your system. Once they’ve breached your infrastructure, they’ll maybe sit tight and monitor things for a while.
Then they’ll make their move. For example, a criminal may initiate a wire transfer once they get a sense of who in the business would normally handle such a transaction. You’ll have fallen for their phishing shenanigans hook, line and sinker. Don’t take the bait! Watch for strange links and behavior, and always verify requests verbally if something doesn’t feel right.
The Urgent Insurgent
Scammers will often create a sense of urgency to get you to act fast without thinking, especially with ACH payments. Take a step back and don’t give in to the rush.
The Pretender Vendor
Since business ACH transactions often involve third-party organizations, scammers love to pose as vendors. They’ll usually call you up or email you requesting a change in payment instructions. Make no mistake, they’re really good at mimicking the types of vendor requests you’d typically receive.
The moral of the story: Vet your venders. Again, if there’s ever any doubt, verbally verify before you send funds. It also doesn’t hurt to research new venders. Check their financial history, see if they have solid references, scan public reviews and read contracts closely.
The ‘Oops, I Overpaid!’
A close cousin of the Pretender Vendor, this tactic involves a fraudster not only posing as someone you know, but sending you an expected check that’s made out for too much. They’ll request that the overage be wired back, and when the check bounces later, they’ll be long gone – and you’ll be out some change.
The Fake Invoice
If you suddenly notice any unusual invoices, accounts or payment information, it’s a red flag. When moving money electronically, be sure to always match the requested amount to a legitimate source.
The third time’s a charm: If you’re ever in doubt about a strange request involving ACH transfers, verbally verify it before taking next steps. This will save you both time and headaches!
In addition to making sure you and your employees are privy to the plague of present-day scams, it’s also important to put strong controls in place. There’s a lot to unpack here, so let’s take things point by point.
In a perfect world, it helps to manually review as many ACH payments as possible. However, if you’re a business that processes hundreds or even thousands of transactions at any given time, this is a bit of a lift. That’s why it’s important to implement a system that automates ACH approvals whenever possible, allowing you to control dollar amounts, date ranges and other details, saving time and stress.
Set up ACH payment voucher forms to make sure recipients are who they say they are, and set withdrawal limits for certain accounts. Make time for regular procedure audits, and implement an automatic block feature on accounts for when scammers strike. Additionally, add an extra layer of security with two-factor authentication. The name of the game – verify, verify, verify.
However your processes are organized, it’s crucial that you do everything in your power to reconcile your accounts daily. After all, if you don’t spot scams now, what’s stopping the fraudster from keeping the party going? Nipping fraud in the bud is paramount to preventing future criminal activity.
Let’s face it – fraud is a part of life, and it’s likely going to come knocking at some point. You should be ready to shut the door in its face with physical security measures. Whether it’s locking sensitive storage areas, wearing identity badges, installing a reliable security system or anything in between, think ahead about what threats could present themselves, and enact physical security measures accordingly.
Digital security should be on your mind, too. Encrypt your ACH data and back up hard drives. Make sure you have strong firewalls and anti-malware software in place. It also helps to keep operating systems up-to-date, as well as have a remote-clean protocol in place in the event devices become lost or stolen.
ACH transactions are usually handled by supervisors and upper management. It’s important to limit who can facilitate transactions, as well as how many they can facilitate. Simply put, if someone doesn’t have a job directly related to ACH transactions, they shouldn’t have access to that side of the business.
It helps to work with a financial institution that not only offers strong ACH origination and other robust cash management services, but is also capable of detecting wire fraud in real time. If a transaction occurs outside certain parameters you’ve established with the bank, it should trigger an immediate alert, allowing you to confirm or reject the transaction quickly.
At Gate City Bank, we get that unauthorized ACH transactions are the worst. They’re hard to dispute, and they take valuable time away from your business, which ultimately affects your bottom line.
Fraudsters may be more brazen today than they were 50 years ago, but if you follow the best practices we’ve outlined above, you’ll be setting yourself – and your business – up for a secure future. We’re here to partner with you every step of the way, making sure your hard-earned money stays protected.
Protect yourself against fraud by following these six security best practices!
If an email, text or phone call requesting sensitive personal information ever feels off, it’s important to follow that gut feeling. It could be a phishing attempt! Check out our four tips for avoiding this common type of fraud.
Some criminals would love nothing more than to get ahold of your personal financial information. Scams and identity theft are on the rise, so check out these six ways to protect yourself against fraud!