ACH Fraud Awareness: How to Protect Your Business

At Osgood Bank, we aim to keep you informed on all things related to ACH transactions—from how ACH works and its benefits, to fraud prevention and how businesses can integrate ACH into their financial processes.

For those who may be unfamiliar, ACH (Automated Clearing House) is a secure network that facilitates electronic payments and money transfers between banks. Businesses commonly use ACH for payroll, vendor payments, and other recurring transactions, making it a fast, reliable, and cost-effective way to handle financial transactions.

In this article, we’ll focus on ACH fraud awareness to help you safeguard your business and keep your financial transactions secure.

The Scenario: A Common ACH Fraud Scheme

Let’s walk through an example: You’re an originator, sending out payments and payroll via direct deposit. One day, you receive an email asking you to update ABC Company’s ACH details. The email looks legitimate, and you proceed to update the account number and routing information. Unfortunately, the email wasn’t from ABC Company at all—it was a phishing scam designed to steal your funds.

This type of fraud is just one example of the many ACH fraud schemes out there. That’s why it's so important to carefully verify all communications containing ACH information, especially when requests for changes are involved.

ACH Fraud on Business Accounts

Did you know that businesses have as little as 24 hours to report ACH fraud to their bank? This is in contrast to personal account holders, who have up to 60 days. The difference stems from the fact that businesses are not covered under Regulation E. Instead, ACH fraud protection for businesses falls under the Uniform Commercial Code (UCC). After the 24-hour window, businesses are held liable for any unauthorized transactions.

To reduce the risk of fraud, it’s critical that businesses reconcile accounts promptly, review online activity regularly, and verify all ACH information. Catching fraud early can prevent significant financial losses.

How to Ensure ACH Fraud Protection

There are several ways to prevent ACH fraud, including:

• ACH blocks: These require manual review and approval for each transaction, adding an extra layer of security.
• Multi-factor authentication (MFA): Implementing MFA for ACH transactions can make it harder for fraudsters to gain access.
• Call backs: When ACH information changes, always verify the details by calling a trusted number on file.

Taking these steps can help protect your business from fraudulent ACH transactions.

Common Ways Hackers Commit ACH Fraud

Fraudsters have become increasingly sophisticated in their methods, and there are several ways they may attempt to commit ACH fraud:

• ACH Kiting: Fraudsters move funds between accounts and financial institutions, typically within a company, often around the end of the year.
• ACH Lapping: Fraudsters divert payments and mark them as received, then use subsequent payments from other accounts to cover up the fraud.
• Insider Threats: Employees with access to company accounts use legitimate credentials to steal funds or pass them to external fraudsters.
• Phishing: Fraudsters trick employees or authorized individuals into providing their login credentials or changing ACH information to redirect funds.

Unfortunately, ACH fraud can be alarmingly easy to commit. Fraudsters need only two pieces of information: a checking account and a bank routing number.

How Osgood Bank is Partnering with You to Combat ACH Fraud

At Osgood Bank, we’ve been working hard to enhance security measures for ACH submissions. Here’s how we’re helping you stay protected:

• Daily Limits and Agreements: We establish clear limits and agreements for ACH transactions.
• Secure Login Requirements: Submitting ACH batches requires a secure login along with a PIN and soft token for extra security.
• Callback Verification: For transactions over $25,000, we perform a callback with an authorized originator contact to verify details.
• Annual Visits and Routine Audits: We conduct annual visits and audits to ensure compliance with security procedures.

When working with our originators, we require that each user has their own login credentials, including a separate PIN and soft token. A signed authorization form, including a voided check or a letter from the financial institution, is required for every business or individual receiving an ACH transaction. This process helps prevent transactions being sent to incorrect accounts and protects against disputes.

Additionally, we recommend that businesses implement a secondary method of validating ACH information changes, such as a call back or text verification. Monitoring your accounts daily and keeping your systems updated with the latest security features are also crucial steps in preventing fraud.

How to Stay Up to Date

To stay informed about payment trends, ACH rules, and regulations, be sure to visit NACHA's website for the latest news. You can also subscribe to Osgood Bank’s "Good News" newsletter at for updates on ACH and other important financial topics.