Bad Actors And the Automated Clearing House

While ACH fraud is persistent, so too are efforts to thwart criminals intending to disrupt legitimate payments.

Imposters, account takeovers, and phishing cause a lot of payments headaches, and in this respect the automated clearing house channel is no different. Criminals even adapt familiar check-kiting schemes—which rely on float to reap ill-gotten gains—to take advantage of the  transaction time when moving funds from one account to another with a conventional ACH payment.

ACH fraud may not garner tons of attention. as do some other fraud categories, but that doesn’t mean there isn’t plenty of it. Criminals have shown themselves to be intent on manipulating ACH transactions to their advantage.

In 2023, according to the 2024 AFP Payments Fraud and Control Survey Report, 33% of organizations said ACH fraud was a problem, up from 30% in 2022, based on 521 responses to the Association for Financial Professionals survey.

To put that in context, the same report found 65% of organizations were affected by check fraud in 2023.

“Every payment system has to deal with fraud,” says Michael Herd, executive vice president of ACH network administration at Nacha, the automated clearing house rulemaker. He points to a 2023 Federal Reserve  survey of financial-institution risk officers that showed 22% were experiencing attempted ACH fraud, compared with 52% that sustained check fraud.

‘Sophisticated Tactics’

Still, ACH fraud is an issue. Fraud types involve creating new, fraudulent accounts online, says Yinglian Xie, chief executive and founder of Datavisor Inc., a Mountain View, Calif.-based fraud and risk platform.

“Fraudsters use a variety of sophisticated tactics to commit ACH fraud, exploiting the system in increasingly sneaky and complex ways,” Xie says. “One trend we’ve observed is a notable increase in ACH kiting, where fraudsters employ interconnected and intertwined attack tactics. These perpetrators use multiple strategies simultaneously to execute their fraudulent schemes”

“One rising tactic involves creating new, fraudulent accounts online,” Xie continues. “Fraudsters enroll in online banking and transfer funds from external accounts to these newly opened accounts. They then exploit the time delay in ACH transactions, swiftly withdrawing the funds before any unpaid ACH debits are detected.”

“Additionally, fraudsters leverage compromised accounts to conduct similar fraudulent activities,” she says. “By accessing these accounts, they transfer funds from external sources into the compromised accounts and withdraw the funds before any unpaid ACH debits are identified.”

Other types of ACH fraud involve payroll. The latest Nacha data show second-quarter 2024 direct-deposit transactions at 2.1 billion, though not all may be payroll transactions—one of the largest uses of the ACH network, says Tom Randklev, head of product at London-based CellPoint Digital, a payments-orchestration provider. Phishing and data breaches are other significant factors affecting ACH fraud, Randklev says.

Fraudulent ACH return fraud is yet another concern, says Nathan Hilt, managing director at Protiviti Inc., a Menlo Park, Calif.-based consulting firm. In these instances, consumer debits have an extended return timeframe of 60 calendar days from settlement and can be returned as unauthorized by the consumer, he says.

“In the case of legitimate fraud, the consumer is granted this protection as an added benefit, but we also see bad actors knowingly return the entry as unauthorized,” Hilt says.

There’s also ghost funding, which “typically occurs when the customer is granted immediate access to funds which have not yet settled fully across the ACH network,” Hilt says.

“Typically,” he says, “we see this used with investment accounts where funds are immediately credited. When the funds come back [insufficient funds] there is no ability to recover the funds because the fraudster has either transferred the money to another account or used it to purchase an unrecoverable asset like crypto.”

Staying in Contact

Business email compromise can be yet another gateway to ACH fraud. In 2023, according to the AFP report, 38% of organizations said they experienced this fraud. Generally, these email compromises can appear to be from a known source, making the request look more legitimate, the FBI says in a post about the fraud.

A scammer might spoof an email account or Web site. They could use malware or send a spearphishing email, which appears to be from a trusted sender, to trick victims into revealing confidential information.

Nacha, as the chief rulemaker for the ACH network, is well aware of how criminals could use the system to capitalize on opportunities.

Herndon, Va.-based Nacha says it has new rules to address credit-push fraud. “The rules will require all participants in the ACH Network to conduct base-level monitoring of their ACH payment activity,” Herd says. “This requirement covers the financial institutions receiving the payments, acknowledging that these institutions might be in the best position to identify questionable payments being received to accounts within their institutions.”

Under these new rules, “all participants in the ACH network, except consumers, will conduct a base-level of fraud monitoring on ACH payments, including ACH credits,” Jane Larimer, Nacha president and chief executive, wrote when the rules were announced in March.

Herd says Nacha puts its network to use to help members contact one another, a service called the ACH Contact Registry, to help financial institutions connect with other participants in instances of fraud or questionable payments.

“Interestingly, the ACH Contact Registry is also the industry’s largest source of contact information for personnel responsible for check payments, so it is helpful to institutions in addressing instances of check fraud,” Herd says.

‘Really Difficult’

Even beyond rules already in place, organizations can do a lot to stymie ACH fraud. Xie suggests prioritizing three elements. “First, they must closely monitor customer and ACH transaction behaviors,” she says. “Vigilance in detecting irregularities in transaction patterns, such as out-of-pattern behavior or the addition of new, previously unassociated recipients with significant amounts, is crucial.

“By taking a customer-centric approach and analyzing all customer behaviors and transactions, not just ACH transactions, organizations can enhance their ability to identify potential risks,” she adds.

Another element is to incorporate technology that can illuminate the social relationships between ACH transfer senders and recipients, Xie says. “Implementing intelligent methods to identify connections, such as name and address similarities, and leveraging historical transfer activities and other payment histories, can uncover potential fraud,” she says.

“Lastly, prioritizing a comprehensive identity-verification process is essential. Robust identity-verification protocols help establish a solid foundation for detecting and mitigating fraudulent ACH transactions,” says Xie.

A key component to reducing ACH fraud is educating users, whether they are businesses or consumers. Both sets of users can fall victim to nefarious schemes, such as phishing. “With phishing fraud, you have to rely [on the idea] that your customers are educated,” Siva Narendra, chief executive and founder of Tyfone Inc., a digital banking and payments provider, tells Digital Transactions. “That’s really difficult.”

That’s because, in part, large language models, often used in artificial intelligence, are being used by criminals. “You no longer get this ‘prince of Nigeria’ email, it’s highly sophisticated emails,” Narendra says. The “prince of Nigeria” phishing emails are a type of advance-fee fraud.

Education is part of a multilayered approach and should include employee education, too, says Kimberly Sutherland, LexisNexis Risk Solutions vice president of fraud and identity management strategy.

“Because people are seeing this activity at work, they carry these learned behaviors on how to avoid phishing scams and increase their awareness of the need for authentication,” Sutherland tells Digital Transactions.

Even with measures in place and updated rules to ensure sending and receiving institutions are equipped to counter ACH fraud, criminals are still going to target ACH transfers until these transactions are no longer profitable for them.

“ACH fraud will exist as long as ACH transactions occur,” Sutherland says. Because ACH is a popular payment option, and because it’s very affordable for businesses to use, ACH transfers will increase. That may only change when alternatives that offer the same level of affordability and relatively low risk emerge. Still, criminals are going to following the activity, Sutherland says, adding, “Fraud is something that is going to be around.”