ACH Fraud Isn't New, But It Remains a Threat. Here's How to Protect Yourself.
It seems like there's a new type of financial fraud to worry about every time you turn around. Yet that doesn't mean longer-standing cybercrimes are in the rearview mirror. Take automated clearing house (ACH) fraud. The ACH network that allows banks to transfer money to other banks has been around since the 1960s, and the FBI has been warning the public about ACH scams for decades.[1,2] But even so, ACH debit fraud has been on the rise in recent years, even as other forms of payment fraud fell.[3]
While financial institutions do have ACH fraud protections in place, the cost of this crime can make its way to individuals and businesses. Just ask Mike Mitchell, a Winter Park, Florida, business owner who told a local news station that he lost $3,700 to ACH fraud after missing the 24-hour window to report suspicious activity to his bank.[4]
Here's what both consumer and business bank account holders should know about ACH fraud.
What Is ACH Fraud?
ACH fraud is when a criminal uses someone else's bank account and routing numbers to initiate a payment that the account holder did not authorize. Because it can be a fairly simple crime — all you need are the account and routing numbers that sit at the bottom of every check — it can be very appealing to scammers.
While anyone with a bank account can be a victim of ACH fraud, businesses and other large organizations are more often targeted. For example, a 2022 FBI warning to healthcare organizations reported one incident in which a fraudster redirected $3.1 million in patient payments made to the hospital to their own account.[5]
How Do ACH Scams Work?
To accomplish ACH fraud, a criminal only needs a victim's bank account and routing numbers. Criminals can obtain these in various ways, from stealing a physical check or debit card to tricking someone into sharing the info.
Frequently, criminals use phishing scams — communications intended to trick recipients into sharing bank account information — to target the accounting department or senior executives at an organization.[6] Other cybercrime methods can help scammers steal this information as well, including malware or hacking into a home's or business's network or devices.
Once the fraudster has the account information, they can simply initiate a payment from the breached account into their own. This can be a one-off transaction or a more complex scheme.
How To Protect Yourself From ACH Fraud
Banks themselves have some ACH fraud protections in place. Some banks offer "positive pay" ACH fraud protection, for example, which allows the bank to compare electronic account transactions against previously authorized payments and suspend unmatched items.[7]
In 2021, Nacha, the organization that enables ACH payments, put new fraud protections in place as well.[8] The new policy raises the bar for banks' fraud detection systems.
Account holders can also report unauthorized transactions to their bank. As in the case of the Florida businessman, though, reporting the fraud within a tight timeframe is critical to ensure the transaction can be canceled.
Preventing ACH fraud entirely can be challenging, especially for businesses and consumers who have legitimate reasons for sharing their bank account information with vendors or other entities in the course of business or their lives. To lower the risk of banking scams, account holders can:
- Check all bank accounts regularly for unauthorized transactions or see if your bank offers banking alerts for ACH transactions.
- Don't respond to any unexpected emails, texts, or phone calls asking for bank account information.
- Don't click on any links from unknown senders.
- Create strong passwords for all accounts and devices and update them regularly.
- Use multi-factor authentication for logging into all financial accounts.
- Businesses should train all employees to identify potential phishing emails, texts, or calls, as well as spoofed websites that mirror a bank's.
What To Do If You're a Victim of ACH Fraud?
Report all unauthorized transactions to your bank. Consumers have 60 days to report fraudulent transactions, but businesses can have a window as short as 24 hours.[9] According to the U.S. Consumer Financial Protection Bureau, the bank generally has 10 business days to investigate. If it discovers an error, it must then correct it within one business day.
ACH fraud victims can also report the incident to the FBI's Internet Crime Complaint Center (IC3).[10]
As with all financial or identity fraud cases, victims should always change their account login credentials immediately and closely watch all financial statements and credit reporting for signs of additional fraud.
As financial fraudsters evolve their methods, they both test out new, innovative cybercrime methods and circle back to the old standards. ACH fraud may not be new, but all bank account holders should treat it like a fresh threat to avoid falling victim to it.
Consider Signing Up for Credit Monitoring
Does remembering to regularly scan your credit report sound exhausting? Another option: Choose a service that will do the credit monitoring for you.
For example, as a Synovus Plus, Synovus Inspire, or Synovus Private Wealth customer, you can enroll in complimentary Financial Protection Services through Carefull. Depending on the level of protection you have, Carefull will monitor your credit reports and notify you whenever changes are made. Carefull will also scan the web to make sure your personal information hasn't been compromised by checking websites, blogs, and peer-to-peer networks. Carefull also offers full-service identity restoration if you become a victim of identity theft.
Learn more about how you can achieve peace of mind as a Synovus customer with Carefull.
Important disclosure information
This content is general in nature and does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.
1. Nacha, "History of Nacha and the ACH Network," accessed November 17, 2023.
2. FBI National Press Office, "Fraudulent Automated Clearing House (ACH) Transfers Connected to Malware and Work-at-Home Scams," Federal Bureau of Investigation, published November 3, 2009, accessed November 17, 2023.
3. Association for Financial Professionals, "2023 AFP Payments Fraud and Control Survey Report," accessed November 17, 2023.
4. Mike Holfeld, "Wells Fargo customer loses funds in mystery business account transaction," News 6 Orlando, published November 1, 2023, accessed November 17, 2023.
5. Federal Bureau of Investigation Cyber Division, "Cyber Criminals Targeting Healthcare Payment Processors, Costing Victims Millions in Losses," published September 14, 2022, accessed November 17, 2023.
6. CSO, "ACH Fraud: Why Criminals Love This Con," published August 16, 2010, accessed November 17, 2023.
7. Synovus, "Account Protection & Reconciliation Services," accessed November 17, 2023.
8. TJ Horan, "ACH Fraud Is Rising - And New NACHA Measure Leaves Gap," published July 28, 2021, accessed November 17, 2023.
9. Consumer Financial Protection Bureau, "How do I get my money back after I discover an unauthorized transaction or money missing from my bank account?" published August 28, 2023, accessed November 17, 2023.
10. Federal Bureau of Investigation, "Internet Crime Complaint Center (IC3)," accessed November 17, 2023.