BankInfoSecurity.com - Information Security News, Regulations, & Education


Top Trends in ACH Fraud

What You Need to Know About Payroll Fraud, ACH Kiting and Solutions to Fight These Threats
May 18, 2009 - Linda McGlasson, Managing Editor

Payroll fraud, kiting - these are among the latest threats to Automated Clearing House (ACH) payments, which are gaining extra attention from fraudsters.

There will be 25 billion ACH transactions occurring annually by 2010, estimates NACHA, the electronic payments association. Many of these transactions will be check conversions at merchants, including Wal-Mart, Target and large supermarket chains.

With these numbers growing every year, ACH fraud is also growing, says Michael Thomas, Executive with the Financial Institution Group at Crowe Horwath. Criminals are finding it more enticing "to follow the money," Thomas says.

This article reviews the latest ACH fraud trends - and what institutions should be doing to protect themselves.

How ACH Fraud Happens

Before ACH did check conversion, there was very little fraud, because most transactions were driven by relationship, notes Nancy Atkinson, wholesale banking senior analyst at the Aite Group. "So when a corporation had to get an individual's permission to credit, much less debit their account, the banks knew the corporation, and they knew they could depend on the corporation to stand behind its transactions if a debit or credit came into question by a consumer."

On the business side, the companies using ACH set up accounts that would either only accept ACH credits or issue them. As ACH has expanded past the payroll, Social Security payment or repetitive bill-pay solution, moving into mainstream transactions that can be used for almost any kind of payment and check replacement truncation, fraud risk has grown. "This includes at point of sale or on the web or over the phone," Atkinson says. "You've lost the controls that used to exist, and those direct relationships that used to exist. Banks used to have controls on how big a transaction a business can make and how much coverage it has to have over the two-day period it takes for that transaction to settle."


One way ACH fraud can occur: Companies can get hooked into a legitimate bank ACH network and then send out fictitious changes, like telling checking accounts they've agreed to pay a small amount to a charity. "By the time the customers get a copy of these transactions and they protest the withdrawal, by that point the bank is stuck with all the returns, because the sham operator of the fraud has withdrawn all the money and left," Thomas says.

The good news is that this type of ACH fraud, which had been the most common over the years, has slowed down a lot: NACHA and a number of financial institutions have been doing a much better job up front of determining who they will let become an ACH customer. It is still occurring, Thomas notes, but far less often.

Other fraud threats, alas, have grown.

ACH Risk #1: Payroll Fraud

The new type of ACH fraud that Thomas and other fraud experts are seeing is a combination of ACH fraud and what he calls "social engineering and computer hacking." This is the threat with which Thomas sees a lot of his customers getting hit.

Traditionally in the ACH process, a bank would set up a business to do its payroll through ACH, say, on the 13th and 28th of the month. The institution would bring over the tape, and the bank would run it on its machine and check that the nature and amount of the check was proper. The bank would call back and verify the amounts with the company before it released the payroll. Everything was a chain-of-command, procedures, and the parties knew it was going to happen on a specific date for a specific amount.

"The fraud we're seeing today is because financial institutions are doing all of this over the Internet," Thomas notes. "Typically, the bank does not have controls over these processes. It assumes that because you were able to access the account, you (the business) know your password and account information."

What he is now seeing are conmen or criminals who can't break into a bank through its firewalls, so "they're actually going to manufacturing companies, businesses, and social engineering their way to someone's laptop," Thomas says. "They're coming in through a firewall, with a stolen account and password and are pretending to be that customer."

The hacker/conman comes in through the ACH account and cleans it out. "So instead of paying out the payroll, the payroll goes to the conman."

Thomas' advice to institutions on handling payroll ACH fraud: "Go ahead, go back to the old way. Even though it is coming through the Internet, pick up the phone to verify, and this way you're covered. Or by fax, 'We see you're processing the payroll, just wanted to verify the amount,'" he says.

ACH Risk #2: Kiting






Question: How great a concern is ACH fraud for your institution? What are you doing about it?

"There's another way of fraud by ACH. Fraudsters are using other people's accounts to generate payments for different big vendors. Payments can be as high as $5,000.00 or as low as $20.00. Apparently they are targeting high balance low movement accounts. Owners of this type of account usually do not review their statements regularly causing some of the transactions to be out-of-date. Some of the payments are not easily recognized by customers since they belong to commonly used vendors (cellular companies, utilities, big mega stores, etc.)