Automated Clearing House (ACH) transactions are often considered safer and harder to compromise than paper checks and wire transfers, but that reputation might not last.
In 2018, 33% of organizations were victims of ACH debit fraud and 20% were victims of ACH credit fraud, each up several percentage points from 2017, according to the survey on fraud and payment control from the Association of Financial Professionals, published on Tuesday. Additionally, ACH was the only payment method that saw a year-over-year increase in the percentage of businesses that experienced instances of fraud.
“This new development indicates that fraudsters are now trying to use ACH transactions as vehicles for their scams as they move away from checks and transfers,” according to the AFP report. ACH transactions, of course, are increasingly popular and are cheaper than bank transfers.
How do fraudsters commit ACH fraud? In many cases, “it is usually not the payment method itself that is compromised, but the processes leading to the initiation of the payment”, explained AFP.
For example, fraudsters can compromise a company’s internal systems through phishing attacks or recruit the help of insiders from target organizations to help facilitate the initiation of ACH transactions.
Overall, account takeover payment fraud – in which a scammer illegally gains access to a bank or e-commerce account online – is on the rise, which could also partly explain the increase in ACH fraud. , said AFP.
“By accessing internal systems, fraudsters can successfully generate ACH files,” according to AFP. Most accounting systems simply require a routing number and an account number to initiate a payment.
Business Email Compromise (BEC) schemes that target people responsible for payments through social engineering and other methods were the method by which 33% of respondents said fraudsters accessed ACH credits (a direct payment funds in an account) in 2018, compared to 12% previously. in 2017.
What measures are companies taking to combat these frauds? Daily account reconciliation to identify and return unauthorized ACH debits (a direct payment that draws funds from an account) is most commonly used, by 65% of respondents. Approximately 63% block all ACH debits except on a single account configured with an ACH debit/ACH positive payment filter, and 37% block ACH debits on all accounts.
To reduce ACH fraud, of course, organizations must also reduce successful BEC attempts. More than three-quarters (76%) of all survey respondents said their companies were adopting stricter internal controls that prohibit the initiation of payments based on email or “other less secure messaging systems “.
Since ACH payments are under attack, it would make sense for businesses to put additional protections in place around same-day ACH transactions, as they happen much faster than normal ACH payments. But 56% of organizations surveyed said they were not actively taking steps to mitigate additional ACH-related risks on the day. A quarter (25%) of respondents said they had received no advice on this from their bank.
Same-day ACH payments are booming, with 178 million same-day transactions last year, a 137% increase from 2017, according to NACHA.
The good news on the fraud front came from a drop in corporate/commercial credit/debit card fraud in 2018.
Three in ten (29%) treasury and finance professionals said their organization had experienced card fraud in the past year, continuing a three-year decline. Travel and entertainment cards and purchasing cards were the most prone to fraud, and the most common causes were fraudulent credit card charges made by a third-party vendor and employee theft.
AFP attributed the decline in part to the U.S. shift from magnetic stripe cards to smart cards, which are harder to counterfeit, as well as banks’ use of algorithms and machine learning to track anomalies in card spending patterns.
Overall, more than three-quarters (82%) of businesses surveyed had been the target of payment fraud in the past year, according to AFP. However, the losses were limited. More than half (57%) of finance professionals said their organization had suffered no direct financial loss as a result of fraudulent activity, and 19% reported a financial loss of less than $25,000.
More than 600 treasury and finance professionals responded to the survey, which was conducted in January.