An Association of Financial Professionals (AFP) survey on payment fraud shows 80 percent of organizations experienced attempted or actual payment fraud in 202. Payment fraud remains at that high level, having jumped up in 2015 to 73 percent of organizations and subsequently rising further.
What are the targets? Checks are targeted at 75 percent of organizations, followed by wire transfer (40 percent of organizations), commercial credit card (34 percent), ACH Debit (33 percent), and ACH Credit (22 percent). As the AFP report states, “ACH payment methods appear to be of interest to fraudsters.”
Business email compromise or “BEC” has boomed, the study says. It is the first year that BEC has taken the lead spot among the sources of payment fraud. Fraudsters are becoming more sophisticated in their BEC technique.
The National Automated Clearing House Association’s (NACHA) Michael Heard, SVP ACH Network Administration, points out that checks “not only have the highest level of reported fraud, but also an increasing rate of fraud during a period when check use has dropped substantially.” At the same time, he says, “The report also shows that fraud rates remained nearly flat for ACH during a period when the use of ACH is increasing robustly.”
That’s the good news for ACH payments. The bad news is that a flat rate is not the same as a flat total number, and even if it were, if you were in that number, you still got attacked and maybe stung.
Same day ACH, together with an increase in the use of ACH for business payments over the last several years, has made ACH a more attractive target. Remember why Willie Sutton robbed banks: “That’s where the money is.”
Frank McKenna is co-founder of PointPredictive and writer of the blog FrankonFraud.com. He says, “Hackers and fraudsters have learned that infiltrating and taking over corporate and business accounts is extremely lucrative. Business and corporate deposit accounts can result in multi-million-dollar fraud schemes while personal accounts may only net the fraudsters a few thousand dollars.”
Financial Operations Networks (FON) conducted a survey looking at ACH in the context of vendor information management. One of the findings is that 71 percent of organizations collect vendor bank account information via email. What is significant about that? It is not a secure way to collect sensitive financial information. “Business email compromise has become a favorite tool of fraud perpetrators,” says FON CEO Phil Binkow.
There are two problems with using email. One is that a fraudster could intercept the vendor’s email and alter the account information, leading to a misdirection of payments. The other is that a fraudster could capture the vendor’s account information, whether in transit or through a data breach of your server, then rob the vendor’s account. (As vendors become more aware of the risks, expect them to balk at sending ACH information this way.)
These possibilities point to the critical importance of controls such as account validation processes and the use of ACH debit blocks. But they also point to the need to transmit account information securely, not through email.
So, while companies are focused on new, safe ways of operating from a health standpoint, payment fraud continues to be a threat. Companies must not drop their guard but must sustain the processes and procedural controls that address fraud.