Automated clearinghouse (ACH) transactions are often considered safer and more difficult to compromise than paper checks and wire transfers, but that reputation might not last.
In 2018, 33% of organizations were subject to ACH debit fraud and 20% were subject to ACH credit fraud, each up several percentage points from 2017, according to the Association for Financial Professionals’ Payments Fraud and Control Survey, released on Tuesday. What’s more, ACH was the only payment method that experienced a year-over-year increase in the percentage of companies that experienced instances of fraud.
“This new development indicates that fraudsters are now trying to use ACH transactions as vehicles for their scams as they move away from checks and wires,” according to the AFP report. ACH transactions, of course, are increasingly popular and are cheaper than wire transfers.
How are fraudsters committing ACH fraud? In many instances, “it is usually not the payment method itself that is compromised but the processes leading up to payment initiation,” the AFP explained.
For example, fraudsters can compromise a business’s internal systems through phishing attacks or recruit insiders at the target organization to help facilitate ACH transaction initiation.
Overall payments fraud using account takeovers — in which a scammer illegally gets access to a bank or online e-commerce account — is up, which could also partly explain the increase in ACH frauds, said the AFP.
“By gaining access to internal systems, fraudsters may successfully be able to generate ACH files,” according to the AFP. Most accounting systems just require a routing number and an account number to initiate a payment.
In 2018, 33% of respondents said business email compromise (BEC) schemes, which target individuals responsible for payments through social engineering and other methods, were how fraudsters accessed ACH credits (a direct payment pushing funds into an account), up from 12% in 2017.
What measures are companies taking to combat such fraud? Reconciling accounts daily to identify and return unauthorized ACH debits (a direct payment that pulls funds from an account) is the most commonly used measure, cited by 65% of respondents. About 63% block all ACH debits except on a single account set up with ACH debit filter/ACH positive pay, and 37% block ACH debits on all accounts.
To cut down on ACH fraud, of course, organizations also have to cut down on successful BEC attempts. Over three-fourths (76%) of all survey respondents said their companies were adopting stronger internal controls that prohibit initiation of payments based on emails or “other, less secure messaging systems.”
Given that ACH payments are under attack, it would make sense for companies to put additional protections around same-day ACH transactions, since they happen much faster than normal ACH payments. But 56% of organizations surveyed said they were not actively taking steps to mitigate additional risks from same-day ACH. One-quarter (25%) of respondents said they had not received any advice on the matter from their banks.
Same-day ACH payments are booming, with 178 million same-day transactions taking place last year, an increase of 137% over 2017, according to NACHA.
Good news on the fraud front came from a decline in corporate/commercial credit/debit card fraud in 2018.
Three-in-ten (29%) treasury and finance professionals reported their organizations were subject to card fraud last year, continuing a three-year decline. Travel and entertainment cards and purchasing cards were most prone to fraud, and the most popular causes were fraudulent credit card charges made by a third-party vendor and employee theft.
The AFP attributed the decline in part to the switch in the U.S. from magnetic stripe cards to smart-chip cards, which are more difficult to counterfeit, as well as banks’ use of algorithms and machine learning to track anomalies in card spend patterns.
Overall, more than three-fourths (82%) of companies surveyed were targets of payments fraud last year, according to AFP. However, losses were limited. More than half (57%) of financial professionals reported that their organizations did not incur a direct financial loss as a result of fraudulent activity, and 19% reported a financial loss of less than $25,000.
More than 600 treasury and finance professionals responded to the survey, which was conducted in January.