ACH Fraud: 7 Steps to Fighting This New Front in the Fraud Wars– January 20, 2016

Data breaches and cyberattacks continue to receive a lot of media attention, while another technology-enabled crime — Automated Clearing House (ACH) fraud — is going relatively unnoticed. You likely use the ACH network every day to make debit and credit purchases, and your account information may be more vulnerable than you realize.

What It Is

The surging popularity of ACH is understandable. Consumers can use it to make electronic payments directly from their checking or savings accounts to other parties’ accounts, eliminating the need to pay bills with paper checks or physical credit cards. Likewise, companies use ACH for business-to-business transactions and to pay their employees, contractors and vendors.

Businesses of all sizes can become ACH fraud victims, but small to midsize businesses may be most vulnerable. Even when they have substantial financial assets, these companies typically have fewer up-to-date information security measures in place.

How They Do It

To commit ACH fraud, perpetrators need to obtain only an account number and bank routing number. This can be accomplished through phishing (using email to trick recipients into divulging personal data), legitimate, but hacked, websites, malware and account hijacking.

For example, a thief might launch phishing attacks against a bank’s customers. When recipients click on the link in the fake email, they’re taken to a phony bank website and prompted to enter their login information. The thief captures that information and uses it to access online banking accounts, and then initiates ACH payments to his or her own account at a different bank. Finally, the funds are transferred by wire to a third (in most cases, offshore) bank.

Alternatively, account holders might click on a link and unknowingly download malware that collects data they enter into Web forms, including those on banking sites. These individuals subsequently receive personalized emails that appear to be from companies with which they already have a relationship, asking them to reset their security code or personal identification number (PIN). By doing so, consumers install a virus on their computers. The next time they log into their bank’s site, the virus executes commands that initiate fraudulent ACH transactions.

7 Steps of Defense

No single defense will provide complete fraud protection for every individual and business that uses the ACH. But below are 7 simple steps to help reduce the risk.

  1. Install firewalls and antivirus, antispyware and antimalware software on computers and keeping these programs updated. This is perhaps the most important line of defense.
  2. Ensure that every computer, smartphone and network they use requires a complex password that must be changed frequently.
  3. Ignore unsolicited emails with attachments, links contained in the body of the message and popups that request personal information.
  4. Use a separate browser for online banking purposes.
  5. Check bank accounts daily for unauthorized activity.
  6. Access financial websites only by entering the URL, as opposed to using links in an email.
  7. Finally, consumers and employees need to monitor the performance of computers and devices. Slower processing, changing interfaces or repeated rebooting can indicate the presence of malware or a virus.

Technology at a Price

Faster and easier ACH transactions appear to have doomed paper-based payments. But as the millions of victims of electronic fraud can attest, technology comes with certain risks. Remaining vigilant about implementing the security steps listed above and monitoring your accounts is a good start to a safer technology environment.

Cohen & Company is not rendering legal, accounting or other professional advice. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts and circumstances.