Elizabeth Whalen
While the data are mixed about ACH fraud, what banks and companies can do to keep it under control is quite clear.
Recent data give mixed signals about automated clearing house fraud as the number of ACH transactions and the number and types of ACH originators grow. A widely watched survey from the Association for Financial Professionals (AFP) suggests ACH fraud is growing, albeit slightly. But recent data from NACHA, the governing body of the ACH network, suggest it remains on a downward trajectory.
The results of the 2013 Payments Fraud and Control Survey by the AFP, released in March, show overall payments fraud declined. Sixty-one percent of the 625 respondents in corporate financial offices indicated they had experienced attempted or actual payments fraud of any type in 2012. In 2011, 68% of respondents indicated they’d experienced attempted or actual payments fraud, and in 2010, 71% indicated the same.
“Seeing a decline of ten percentage points in the last two years is a pretty dramatic change, especially when you think of the number of organizations that respond,” says David Beckoff, manager of survey research for the Bethesda, Md.-based AFP. Those responses come from individuals who are on the front lines to observe payments fraud: corporate cash managers, analysts, and other treasury managers, Beckoff says.
While the overall share of affected organizations declined, 27% of them indicated the number of fraud incidents had increased compared to 16% that indicated the number had decreased and 58% that reported no change.
“When you take the net of that, the overall is down, but those who were hit seemed to have been hit harder,” Beckoff says.
That general trend holds true for ACH fraud in particular, though to a smaller degree.
“We saw a small uptick in ACH debit fraud: among those who were affected by fraud, 27% were affected by ACH debit fraud, which is up from 23% last year,” Beckoff says. “ACH credit [fraud] went from 5% to 8%.”
Checks remain the payment type most susceptible to fraud, Beckoff says, with 87% of affected organizations hit by check fraud. However, he expects fraudsters will keep up with the higher prevalence of electronic payments and increase attacks on those payment types, including ACH.
While the AFP numbers point to an increase in ACH fraud, NACHA in April said the unauthorized debit rate, a measure of fraud as well as returns for other reasons such as administrative errors, declined in 2012 for the 10th straight year to 0.0298% of debit transaction volume from 0.0300% in 2011.
Mike Herd, director of ACH network rules at Herndon, Va.-based NACHA, would not venture to estimate how much of the unauthorized debit rate is fraud versus mistakes such as incorrect amounts, dates or other data in the transaction message. But he says the decline is the result of a concerted effort NACHA began about a decade ago to cut returns.
Referring to the AFP’s results, Herd notes that corporate treasury managers oversee many check payments. Checks present risks to the ACH network since even bad checks can be converted into ACH transactions.
“The data on checks is inherently insecure,” he says. “It’s printed on the document.”
New Fraud Opportunities
At least some of the growth in ACH fraud spotted by the AFP is due to increased usage of the ACH network by consumers, adds Nancy Atkinson, senior analyst at Boston-based Aite Group LLC.
“When ACH was pretty much a business-to-business payment or a business-to-consumer payment method, it had virtually no fraud,” she says.
As consumer ACH usage has grown, so have opportunities for ACH fraud. Fraudsters often collect bank-account information from consumers by sending e-mails requesting account details to resolve fictional account problems.
Fraudsters use this and similar tactics on companies, according to the AFP survey, but only 2% of respondents said attempts at corporate account takeover had resulted in compromised banking credentials or unauthorized transactions.
Fraudsters, however, are continually coming up with new attack methods.
“We’ve seen more and more focus on fraudsters going after employees of companies,” Atkinson says. “As it was described to me at one conference, if you go on LinkedIn, you can pretty much find out who’s the controller or treasurer of almost any company. It’s generally possible to even find out home addresses, especially if they’re senior-level board members.
“One expert in the field even described people throwing a flash drive in the driveway of a senior person,” she continues. “If they pick that up and say, ‘Oh, my kid’s friend must have dropped this,’ and then plug it into the laptop they’ve brought home from work, there’s now a Trojan on that laptop that can pick up any passwords as well as any financial information.”
Another potential attack method could be to overwhelm either a bank’s or a company’s Web site with traffic so that the site slows or even shuts down in a so-called distributed denial-of-service (DDoS) attack. Although such attacks are not, in and of themselves, fraud, they do divert information-technology and security resources and could hide fraud attempts, Atkinson says.
“While all these resources are focused on the denial of service, somebody could also be trying to take funds from an account, and they’ve just distracted people from it,” she says. “At this point, it’s more a concern that it might occur, but it’s also very possible that it actually has occurred and no one knows that it did.”
Overall, Atkinson has noticed coordinated attacks becoming more common. A number of big banks in recent months have been hit with DDoS attacks.
“It seems like organized crime and even nation-states are becoming more and more active in the fraud space,” she says. “We’re seeing that it tends not to be the single person in the back office necessarily. And we do see quite a bit from employees of companies. You can’t just look to external sources of fraud.”
While ACH fraud has increased, financial losses remain contained, according to the AFP survey. It indicates 12% of respondents that experienced at least one ACH fraud attempt actually suffered a financial loss. The typical loss due to any type of payments fraud was $20,300, but the survey does not indicate the size of the typical loss due to ACH fraud in particular.
Organizations with less than $1 billion in revenues were slightly more likely to suffer a financial loss from ACH fraud than organizations with more than $1 billion in revenues.
The increased ACH usage among small and medium-sized businesses may be contributing to that difference, says John Mills, who performs audits on community banks as part of his role as supervising consultant for Springfield, Mo.-based BKD, an accounting and advisory firm.
“Three or four years ago, of the community banks that I perform audits for, maybe one or two—just a small percentage—had experienced any kind of ACH fraud losses,” he says. “At this point, it’s probably in the 20% to 40% range.”
These banks’ employees often are responsible for a wide range of job functions, and therefore may lack the specialized ACH knowledge their counterparts at larger banks have, Mills says. The banks’ clients, which often include school districts, municipalities and small businesses, don’t realize how easily fraudsters can install malware that tracks their keystrokes and obtains their online-banking credentials.
Compounding the problem is that bankers may not want to inconvenience ACH transaction originators by asking them to use out-of-band authentication methods, such as phone- or text-message-based account log-in confirmations.
Such methods are effective, however.
“I haven’t seen any of the banks that I do audits for that have implemented any form of out-of-band authentication getting hacked,” Mills says.
Mills emphasizes that the IT systems of the banks he audits aren’t infected; the systems of their clients are.
“For a lot of the banks I go to, their originators might be small-to-medium-sized businesses that may not have much of an IT background or budget. Banks in general have a stronger IT infrastructure,” he says. “And in general, hackers are going to try and find the easiest way in.”
‘The Law of Large Numbers’
That approach is probably one of the reasons that, of those organizations hit by at least one attempt at ACH fraud, organizations with more than $1 billion in revenues and more than 100 payment accounts were most likely to suffer financial loss, says Tom Hunt, the AFP’s director of treasury services. Organizations with more than $1 billion in revenues and fewer than 26 payment accounts were least likely to suffer a financial loss in connection with ACH fraud.
“It’s the law of large numbers. When people go out and perpetrate fraud, they might get their hands on 10 accounts, and they’ll try it on 10. If it passes on one, for them, that’s success.”
In addition to banks requiring originators to do out-of-band log-in authentication, originators can prevent financial losses from ACH fraud by setting up separate accounts for different transaction types: for example, blocking ACH debits from accounts designated for wires, says Gareth Lodge, senior analyst in the London office of research and consulting firm Celent LLC.
The AFP’s survey indicated that while 77% of respondents reconcile accounts daily to identify and return unauthorized ACH debits, only 41% have set up a separate single account for ACH debits. Doing so is relatively simple, Lodge says, and can be very effective.
“I suspect that, once the majority of businesses start doing this, we’ll see fraud move away to another payment type. The chances of finding a loophole diminish rapidly,” he says.
Lodge, who used to work at a United Kingdom-based ACH network and has studied ACH systems in about 70 countries, notes that ACH usage is more popular outside the U.S. and also subject to less fraud.
“The only country where ACH fraud has come up as an issue is the U.S.,” he says. “I’m not saying it doesn’t exist in other countries. Having worked on the inside at an ACH, I know that degrees of fraud have taken place in the U.K. system, for example, but we are talking relatively rare.”
An anti-fraud practice that’s growing more popular among large European corporations is the creation of so-called payment factories, Lodge says. These units are dedicated to handling all the payments of a business and all its subsidiaries, he says. The focus on payments makes it easier to establish and enforce anti-fraud best practices.
Customer Participation
U.S. businesses could also reduce their susceptibility to ACH fraud by increasing their usage of daily account reconciliations and so-called positive-pay methodologies, Lodge says. Positive pay checks a business’ requested ACH transactions against existing ACH transaction filters. If the requested transactions don’t match the filters’ criteria, the bank alerts the business and gives it a chance to approve or reject those transactions.
Both these practices involve greater customer participation than traditional ACH filters and blocks, and that participation is important as the ACH grows in popularity and fraudsters grow more sophisticated, says Debbie Peace, chief executive of ACH Alert, a fraud-control services provider based in Ooltewah, Tenn., near Chattanooga.
“Banking is changing,” she says. “The financial institutions as a whole still have not addressed the interactive component with their customers, making them part of the process. They’re still trying to manage it strictly through technology for locking down the online-banking system where these transfers are occurring and trying to monitor themselves in the back room and make those judgment calls.”
Involving customers is the only way financial institutions will be able to scale their anti-fraud measures to match the scale of potential attacks, she says.
“At the same time, if you make your customer part of the process, they also share in some of the responsibility. That’s key. You can’t hold people responsible for something they have no visibility into.”
For financial institutions to effectively encourage customer participation, they will need to consider the frequency of and criteria for alerts.
“Don’t make that customer jump through extra hoops unless the money is going somewhere it hasn’t gone before,” Peace says. “Make the alerts relevant. Make the interactions happen when it’s required and not every single time they try to do something.”
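The three controls described above (blocking ACH debits on accounts designated for wires, positive-pay filters that route non-matching debits to the customer for approval, and alerting only when money goes somewhere it has not gone before) can be sketched as one screening routine. This is an added illustration, not code from any bank, vendor or person quoted in the article; the account identifiers, originator IDs and amounts are constructed, and the rule structure is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class AccountRules:
    """Bank-side positive-pay rules for one customer account (assumed structure)."""
    block_ach_debits: bool = False               # wire-only account: return every ACH debit
    filters: dict = field(default_factory=dict)  # originator id -> max debit amount approved

@dataclass
class AchDebit:
    account: str
    originator_id: str
    amount: float

def screen_debit(rules_by_account, debit):
    """Screen one incoming ACH debit. Returns (decision, reason): 'post', 'return' or 'review'."""
    rules = rules_by_account.get(debit.account)
    if rules is None:
        return "review", "no positive-pay rules on file for this account"
    if rules.block_ach_debits:
        return "return", "ACH debits are blocked on this account (wires only)"
    cap = rules.filters.get(debit.originator_id)
    if cap is None:
        return "review", "originator has not debited this account before"
    if debit.amount > cap:
        return "review", f"amount {debit.amount:.2f} exceeds filter cap {cap:.2f}"
    return "post", "matches an existing positive-pay filter"

def record_customer_decision(rules_by_account, debit, approved):
    """Customer answers an alert; approval extends the filter so the same originator is not alerted again."""
    if not approved:
        return "return"
    rules = rules_by_account.setdefault(debit.account, AccountRules())
    rules.filters[debit.originator_id] = max(rules.filters.get(debit.originator_id, 0.0), debit.amount)
    return "post"

SAMPLE_RULES = {  # constructed sample: one operating account, one wire-only account
    "OPS-001": AccountRules(filters={"PAYROLLCO": 50000.00, "UTILITY": 2500.00}),
    "WIRE-001": AccountRules(block_ach_debits=True),
}
SAMPLE_DEBITS = [  # constructed sample debits presented to the bank
    AchDebit("OPS-001", "PAYROLLCO", 42000.00),   # known originator, under cap -> post
    AchDebit("OPS-001", "UTILITY", 3100.00),      # known originator, over cap  -> review
    AchDebit("OPS-001", "NEWVENDOR", 980.00),     # never seen on this account -> review
    AchDebit("WIRE-001", "NEWVENDOR", 980.00),    # debit-blocked account       -> return
]

def run_sample():
    return [screen_debit(SAMPLE_RULES, d)[0] for d in SAMPLE_DEBITS]
```

Only the exceptions reach the customer; once a payee is approved, later debits from it at or below the approved amount post without another alert, which is the relevance Peace asks for.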
Hunt, who worked in various corporate treasury roles before joining the AFP, suggests companies that rely on ACH transactions regularly discuss fraud control with their banks.
“Talk to your bank officer. We used to meet with our banks quarterly, to talk about the markets, treasury management, new products coming down the line. We’d always want to make sure our accounts were protected … Ask the question: What don’t we know?”