How to Help Your Clients Combat ACH Fraud


The Automated Clearing House (ACH) Network is an electronic funds transfer process between bank accounts. ACH is most commonly used for direct deposit of payroll and Social Security payments, although an increasing number of companies make accounts payable and tax payments via ACH. Electronic transactions are governed by the National Automated Clearing House Association (NACHA).

How Does ACH Fraud Take Place? All that is needed to commit ACH fraud is the account number and the bank routing number taken directly from an unsuspecting victim’s check. The most common form of ACH fraud occurs when a cyber thief using banking customers’ account data initiates payments over the phone for products or to pay off credit card debt. Another often-used ACH fraud scheme is to gain access to the banking system by posing as a retailer to establish a relationship with a credit card processor or a financial institution.

Banks set up retail merchant accounts that include the hardware and software to process credit cards and convert paper checks into electronic ACH debits. Because paperless transactions pose substantial financial risk, most banks are careful to thoroughly screen any company that wants to send ACH debits. However, fraudsters still occasionally get through the screening process and victimize others. Banks have liability for allowing these network lapses.

Once cyber thieves are able to establish a credit card or check conversion account, they create bogus checks using inexpensive check writing software and run the phony checks through an automated check-to-ACH converter. The company submits the ACH debits to its bank, the bank sends the file through the Federal Reserve System, and the ACH debits post against the designated accounts. Forgers have learned that most Positive Pay systems do not monitor ACH debits.

While a consumer has 60 days to return an unauthorized ACH debit, commercial organizations have only two days. For this reason, commercial organizations must change their internal procedures to make it easier to reconcile ACH debits on a very timely basis.

Keystroke Logger Virus and ACH Fraud. Recently, a Midwestern company’s computer system became infected with a virus that tracked keystrokes. The hacker was able to decipher the log-on keystrokes to the company’s bank, logged on and sent $160,000 in ACH credits to various bank accounts the thief controlled. The money was sent overseas the following day. The company was shocked when its bank denied liability for the loss because the log-on was authentic. A bank is not responsible for the integrity of a customer’s computer.

How to Avoid ACH Fraud

Shielding commercial and retail accounts from unauthorized ACH charges is a simple three-step process:

  1. Ask your bank to place ACH debit blocks on accounts that should not have ACH withdrawals. For example, a trust account or refund account should not have withdrawals via ACH. Such accounts should have ACH blocks. An ACH block rejects all ACH debits.
  2. Bank accounts should be structured so that authorized ACH debits occur in only a few designated accounts. Ask your bank to place an ACH filter on those accounts. An ACH filter allows debits only from companies that have been preauthorized, or in preauthorized dollar amounts. If your bank does not offer an ACH filter, open up a new account exclusively for authorized ACH debits, and restrict who has knowledge of that account number.
  3. Monitor all unblocked accounts daily to catch unauthorized activity. Companies have two business days to reject an unauthorized debit and recover their money. If an unauthorized debit is not questioned for more than two days, it will be much more difficult to recover lost funds. Because all fraudulent ACH transactions originate in real bank accounts, unwinding them is quite straightforward if caught in a timely fashion.
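The three steps above can be mirrored in a daily reconciliation script run against the bank's posted-debit export. The sketch below is an added example, not part of the original article: the account names, originator IDs, limits and sample debits are constructed, and counting the two business days from the posting date (weekends skipped, bank holidays ignored) is an assumption.

```python
from collections import namedtuple
from datetime import date, timedelta

# Constructed policy. None = ACH block (reject every debit);
# dict = ACH filter {originator company ID: max amount in cents}.
POLICY = {
    "TRUST-001": None,
    "OPS-002": {"1234567890": 500_000, "9876543210": 25_000},
}
Debit = namedtuple("Debit", "account company_id cents posted")

def add_business_days(start, n):
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Mon-Fri only; bank holidays are not modelled
            n -= 1
    return d

def review(debit, policy=POLICY):
    if debit.account not in policy:
        return "REVIEW", "account has no block or filter"
    allowed = policy[debit.account]
    if allowed is None:
        return "REJECT", "ACH block on account"
    limit = allowed.get(debit.company_id)
    if limit is None:
        return "REJECT", "originator not preauthorized"
    if debit.cents > limit:
        return "REJECT", "amount exceeds preauthorized limit"
    return "OK", "preauthorized"

def daily_exceptions(debits, today, policy=POLICY):
    """Return (debit, verdict, reason, return_by, overdue) for each non-OK debit."""
    out = []
    for d in debits:
        verdict, reason = review(d, policy)
        if verdict != "OK":
            return_by = add_business_days(d.posted, 2)  # assumed: counted from posting date
            out.append((d, verdict, reason, return_by, today > return_by))
    return out

# Constructed sample of one day's posted ACH debits (Friday 2024-03-01).
SAMPLE = [
    Debit("TRUST-001", "1234567890", 10_000, date(2024, 3, 1)),
    Debit("OPS-002", "1234567890", 450_000, date(2024, 3, 1)),
    Debit("OPS-002", "5555555555", 19_900, date(2024, 3, 1)),
    Debit("OPS-002", "9876543210", 30_000, date(2024, 3, 1)),
]
```

Running `daily_exceptions(SAMPLE, date.today())` each morning gives the list of debits to dispute, with the date by which each must be returned.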

External Threats. Guard against hackers by using a firewall device, anti-spyware and anti-virus software. When evaluating products, read the technical reviews in PC Magazine and CNET Networks. It is important to reference both periodicals because they often critique differently.

Small companies might consider the Cisco Pix 501, with a retail price of approximately $250, or Barracuda firewalls, and Webroot.com anti-spyware for home or office. For virus protection, Norton and McAfee are highly rated programs, but tend to be resource hogs and can slow down an older computer. A viable alternative is Kaspersky, which is highly rated but is not a resource hog. Anti-spyware and anti-virus software definitions should be updated for new threats on a weekly basis.

Internal Threats. According to the Association of Certified Fraud Examiners, more than 85 percent of intellectual property theft is committed by insiders. For this reason, it is important that you know your employees. Moreover, it is important to complete background checks on information technology, finance, mailroom and temporary employees, as well as the cleaning crew. Facebook.com, MySpace.com, Zabasearch.com, and Zoominfo.com are great online resources for background information about potential employees. Other internal fraud prevention ideas include the following:

  • Put into writing an internet usage policy, and follow up by monitoring employees’ network traffic. Legally, employees must be told that their computer activities are being monitored.
  • Disable an employee’s remote access to the computer system during vacation so that internal scams cannot be perpetrated.
  • Disable a terminated employee’s computer access and voicemail immediately.
  • Sanitize internal data. Delete the first five or six digits of any SSNs in the system.
  • Allow customer and company data to be viewed but not copied.
  • Configure the computer system activity log to capture all transactions, including those allowed by permission, not just failed log-on attempts.
  • Change the firewall and all system passwords from the factory defaults.
  • Seal over plug-in slots for USB jump drives to prevent data from being copied and removed.

Finally, restrict the use of free wireless access sites which are located in airports, cafes, and libraries. These free wireless access sites often have overlapping sniffer networks set up nearby specifically to capture unsuspecting users’ passwords.

Editor’s Note: Eva Velasquez of the Identity Theft Resource Center recently wrote, “Dangers of Connecting to Public WiFi Network.” Read the article for more information on Frank’s last comment.