It’s become more common and harder to detect. Here are some measures that can help cut it down to size.
Forced to work from home during Covid-19, accounts-payable departments have accelerated plans to move away from paper checks and pay more of their suppliers through the automated clearing house. That, in turn, accelerated another trend: fraud. Fraud attacks on ACH credits that rely on social engineering are most commonly known as Business Email Compromises, or BECs.
According to the 2020 AFP Payments and Fraud Control Survey Report, for the first time, in 2019, BEC schemes were the most common type of fraud attack experienced, with 75% of organizations experiencing an attack and 54% of those reporting financial losses. ACH credits—outgoing payments from buyer to supplier—were targeted in 37% of BEC schemes.
The problem only got worse in 2020. In the September edition of its Fraud in the Wake of COVID-19 Benchmarking Report, the ACFE reports that 90% of respondents saw an increase in cyber fraud frequency from July through August. This included BECs.
Three-quarters of respondents said that preventing and detecting fraud has become more difficult in the current environment, and more than 90% expect attacks to increase. Organizations are under siege, and nearly one-third have received no guidance from banking partners about mitigating ACH credit risks.
Reducing Risk
What can organizations do?
Defeating BECs requires a multi-pronged approach. Ongoing anti-fraud training is important because these emails are getting more convincing every day. Fraudsters have become experts in user data and A/B testing, which helps them strip out the cues that would alert victims to illegitimate changes to their accounts. Strong internal controls are also important, along with network security that prevents unauthorized parties from gaining access to internal systems.
Here are four ways to reduce your ACH credit fraud risk:
- Handle with Care
Thwarting ACH credit fraud is all about handling supplier banking data securely; accounts payable must have this data on hand to transmit its payment file to the bank. It is often stored in the enterprise resource planning (ERP) system, or sometimes in an Excel spreadsheet, where AP staff recorded it during supplier onboarding. Sometimes it's stored when a supplier updates its information. Fraudulent change requests are one of the most frequent avenues of attack.
Let’s say you’ve got a new person in accounts payable who isn’t fully trained yet. This person gets an email from a supplier, asking to update their bank-account information. Your new hire, eager to please, fulfills the request, inputting a new routing number and bank account, unaware that a million-dollar payment to that supplier is going out the next day. Nobody realizes what’s happened until two weeks later, when the real supplier calls asking for payment.
By then, it’s too late to reel ACH payments back in. You can call the FBI and the bank. They may try to help you, but if the thieves are sophisticated enough, they’ve already moved the money to offshore accounts, and it’s completely gone.
- Secure Information
You should never use an unsecured email for banking information updates, although a surprising number of companies still do. It’s too easy for a hacker to intercept one of those emails and use the information in it. If they get contact or bank-account information, they can pose as legitimate suppliers and circumvent internal controls. Some businesses even keep information in spreadsheets or their ERP systems, but systems like these aren’t designed to store data securely.
Some companies allow suppliers to update their own information in supplier portals. That might work, provided that companies manage secure portal access and verify all updates. However, if suppliers can log in and update information, it’s likely that hackers can access the same information with very little resistance.
The most sophisticated approach I’ve seen so far includes a trained procurement team that verifies and validates all changes that come through. But there are a couple of drawbacks to this approach. It’s a big IT investment with plenty of labor asks. Even then, it’s still prone to internal fraud. At the end of the day, even the best systems will still have their risks. The goal is to minimize them.
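As an added illustration (not Corpay's code or any vendor's product), here is a pre-release check an AP team could run over its outgoing payment file, implementing the control the two sections above call for: a payment is held when its bank details differ from the supplier master, or when the master's bank details changed recently and nobody verified the change out-of-band. The supplier and payment schema, the 14-day window and the sample records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Supplier:  # supplier master record (hypothetical schema)
    supplier_id: str
    routing_number: str
    account_number: str
    bank_changed_on: Optional[date] = None  # when bank details last changed
    verified_out_of_band: bool = False      # confirmed by callback to a number already on file

@dataclass
class Payment:  # one ACH credit in the outgoing payment file
    supplier_id: str
    amount: float
    routing_number: str
    account_number: str

COOLING_OFF = timedelta(days=14)  # assumed hold window for unverified changes
RUN_DATE = date(2020, 9, 15)      # constructed payment-run date

def payment_holds(payments, suppliers, run_date=RUN_DATE, cooling_off=COOLING_OFF):
    """Return [(supplier_id, amount, reason)] for payments that must not be released."""
    holds = []
    for p in payments:
        s = suppliers.get(p.supplier_id)
        if s is None:
            holds.append((p.supplier_id, p.amount, "supplier not in master"))
        elif (p.routing_number, p.account_number) != (s.routing_number, s.account_number):
            holds.append((p.supplier_id, p.amount, "bank details differ from supplier master"))
        elif (s.bank_changed_on is not None
              and run_date - s.bank_changed_on <= cooling_off
              and not s.verified_out_of_band):
            holds.append((p.supplier_id, p.amount, "recent bank change not verified out-of-band"))
    return holds

# Constructed sample data: ACME's account was changed yesterday by an emailed request and
# never verified; BOLT's change was confirmed by callback; CORE's payment carries an
# account number that does not match the supplier master at all.
SUPPLIERS = {
    "ACME": Supplier("ACME", "000000001", "9988776655", date(2020, 9, 14), False),
    "BOLT": Supplier("BOLT", "000000002", "1122334455", date(2020, 9, 1), True),
    "CORE": Supplier("CORE", "000000003", "5566778899"),
}
PAYMENTS = [
    Payment("ACME", 1_000_000.00, "000000001", "9988776655"),
    Payment("BOLT", 42_000.00, "000000002", "1122334455"),
    Payment("CORE", 500.00, "000000003", "0000000001"),
]
```

A hold should be cleared only by a callback to a phone number already on file for the supplier, never to contact details supplied in the change request itself.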
- Look at Fees
Companies often try to shift the risk and time burden to others, with some success. For example, they may choose to pay their suppliers by card, which puts the risk on credit card networks. In cases of card fraud, it’s more likely that payments can be canceled or refunded.
Virtual cards offer even more security because they provide unique numbers, which can only be used by a specified supplier for a specified amount. The big drawback is that not all suppliers accept cards—there are fees to consider.
An organization I’m familiar with pays many of its suppliers with PayPal. Its suppliers—most of them small businesses—are located around the world. AP doesn’t have the time or staff to verify payment information, validate bank accounts, and deal with ongoing updates. As the intermediary, PayPal handles all that and guarantees that the funds go to the right place. But, here again, suppliers pay a hefty fee—in the neighborhood of 3%.
- Shift the Risk
There really is no perfect system in place, which is why we’re seeing ACH credit fraud rise in tandem with the rise in ACH payments. But there is a perfect way to shift the risk to companies that are built to withstand the verification and validation burdens.
Sophisticated Attacks
Today’s payment-automation providers manage supplier information, so individual companies no longer have to spend valuable time on it. It’s similar to handing the reins to IT and procurement departments to lock down the database and institute controls. The difference is that working with a provider removes the time investment and liability.
Think of payment-automation providers as a means to outsource risk. Their sole focus is to ensure secure, on-time payments to your suppliers without causing costly overhead. They have perfected the systems and processes for hundreds of thousands of AP departments across the United States, and in ways that businesses would be hard-pressed to replicate.
Businesses used to worry about check fraud above all else. While they still have to pay attention to that threat, it’s become a low-tech form of fraud that’s easy to understand and plan for. As companies shift to electronic payment methods, they’re increasingly experiencing sophisticated cyberattacks, which target much larger sums and are harder to defend against. With such attacks growing, businesses may find that outsourcing to professionals is the best defense.
—Jeremiah Bennet is director of information security at Corpay.