ACH Origination fraud is not new. The widespread use of the internet and web-based ACH origination systems has created this vulnerability. It is of utmost importance to stay vigilant when it comes to fraud. Putting effective fraud prevention measures in place and proper employee education is crucial for any size business to combat fraud! Border Bank is your partner in keeping your money safe and secure. 

In the final part of this three-part ACH blog series, we discuss ACH fraud risks, risk mitigations, and the ACH Rules Security Requirements. Read on to learn about common fraud schemes and how you can protect your business from potential loss. 

What is ACH Origination Fraud? 

ACH Origination fraud occurs when an originator or third party generates invalid transactions using the name of the true originator (your company). Origination fraud could be committed by someone unfamiliar to you, or by an employee within the organization who is submitting unapproved ACH transactions. 

What are the fraud risks? 

Corporate Account Takeover is a type of business identity theft where cybercriminals gain control of a business’ bank account by stealing employee passwords and other valid credentials. Cybercriminals can then initiate fraudulent ACH transactions to accounts controlled by the thieves.

Business Email Compromise is a cyberattack involving hacking, spoofing, or impersonation of a business email address. Victims receive an email from what appears to be a trusted source. These emails typically contain a phishing link, malicious attachment, or request to transfer money into a cybercriminal bank account. If you receive an email with an urgent message prompting your business to respond immediately, consider the following: 

• Is this a person who normally sends these requests?
• Are you usually the person who would receive these requests? 
• Is the dollar amount within the normal range for this type of request? 
• Is the request during a time that is normally utilized for such request?
• Can you use an alternate phone number (not one within the request) to call the person and verify the request? 
• Does the written request have spelling errors? 

In the above examples, if the fraud is not caught before the payments enter the ACH network, the true originator’s account (your account) is debited for the fraudulent transactions. The credits are usually irretrievable by the time the fraud is detected and reported. As an ACH Originator, there is no recourse for entries that are originated in accordance with the ACH Agreement. 

What types of controls are in place to help combat ACH Origination Fraud? 

Border Bank’s ACH Origination utilizes multifactor authentication. While this may stop a hacker from completing an unauthorized ACH transaction, the risk still exists for internal fraud by one of your employees. 

Exposure limits are a required control every ODFI must have in place for each ACH Originator. Border Bank establishes your exposure limit based on your companies needs and risk assessment. ACH files over the established exposure limit will be flagged for review. This protects your account from being drained by unauthorized parties. 

In your ACH Agreement, you will define a file frequency schedule. Files originated outside of the defined frequency will be flagged for review. This allows the bank and your company to be notified of atypical activity. 

Border Bank’s ACH Origination allows for dual control – where one employee user enters the ACH transfer information, and a second employee user approves the transfer. Security measures such as this go a long way in preventing ACH Origination Fraud! 

It is also extremely important for your company to make it a practice of monitoring your accounts online daily. Checking both your general account history and ACH Origination history daily within Online Banking will ensure that you are aware of all transactions, even when they have not yet been processed or posted to your account. To help with this, the bank offers a separate Positive Pay product!

Due to the risk of ACH Origination fraud, it is essential that all computer equipment used by your company to operate Border Bank’s Online Banking is regularly updated and patched for security including: use of and updating of firewalls, virus protection, malware protection, and anti-spam protection. Additionally, your company should ensure that all User IDs, Passwords, Multifactor Authentication Methods, and any other applicable security procedure issued to your employees are protected and kept confidential, and not shared among staff. If an employee no longer needs access to Online Banking and/or ACH, you should notify Border Bank immediately to have the employee’s access removed. All staff should understand the need for proper user security, password controls, and separation of duties. 

ACH Rules Security Requirements

The ACH Rules require that each Originator implement a written security policy that governs processes, procedures, and systems related to the initiation, processing, and storage of Protected Information. 

The Rules define Protected Information as the non-public personal information, including financial information, of a natural person used to create, or contained within, an entry and any related addenda record. The definition of Protected Information not only covers financial information, but also includes sensitive non-financial information (such as non-financial account information contained in addenda records for bill payments) that may be incorporated into an ACH entry or any related addenda record. 

Your written security policy must: 

• Protect the confidentiality and integrity of Protected Information
• Protect against anticipated threats or hazards to the security or integrity of Protected Information
• Protect against unauthorized use of Protected Information that could result in substantial harm to a natural person

Additional tips to protect your business from fraud

• Implement multifactor authentication whenever possible
• Implement segregation of duties and dual control whenever possible
• Never give anyone else your multifactor codes or usernames and passwords 
• Enable security alerts through Online Banking
• Review and limit employee access to Online Banking and Cash Management systems
• Educate and train employees how to recognize scam/fraud activity
• Do not call back phone numbers in emails or text messages, instead use your trusted contact information to verbally authenticate requested changes