ACH (Automated Clearing House) is a popular payment option due to its relatively low risk and affordability. However, lower risk doesn't mean no risk—and many businesses are finding the rise in ACH payment usage is increasing their liability. Reducing ACH fraud risk starts with understanding what ACH fraud is and how it happens.
ACH usage is on the rise. However, the increase in usage has also increased the risk of ACH fraud. The share of businesses reporting ACH credit fraud has increased by 6 percent since 2021 and more than half of organizations with revenue less than $1B were unable to recover funds lost from payments fraud attacks. With 30 billion in payments processed annually by the ACH network, that represents a huge risk for businesses.
What is ACH fraud?
ACH fraud is the manipulation of or unauthorized initiation of electronic fund transfers through the Automated Clearing House. The ACH network is widely used to process a wide variety of electronic payments, including direct deposits, bill payments, and transfers between two accounts owned by the same person or company.
ACH fraud typically occurs when bad actors gain access to a company or person's bank account information and initiate a fraudulent transfer. Another common ACH fraud occurs when customers make a legitimate purchase, then claim the ACH payment was fraudulent, and request a return.
Several factors contribute to the risk of ACH fraud. ACH payments typically take several days to process, which makes it difficult to verify account balances beforehand. For example, a customer might initiate an ACH payment when they do have money in an account, and then move the funds. By the time the ACH payment is processed, there’s no money in the account.
The ability to initiate returns is another risk factor. Unlike real-time payments, which cannot be reversed, ACH payments can be returned at the user's request up to 60 days after the payment is processed. When those returns are requested in bad faith, the result is fraud.
How does ACH fraud happen?
Understanding how ACH fraud occurs is the first step in limiting risk. Like other types of fraud, ACH payment fraud can occur in several ways.
Fraudulent ACH returns
One of the more common types of ACH fraud occurs due to the ability to request a return for an ACH payment. There are two main types of ACH returns—bank-initiated returns and customer-initiated returns.
Bank returns can occur for a benign reason; for example, the user isn't aware they have insufficient funds in the account. But fraudsters can also exploit NSF (non-sufficient funds) returns for profit. For example, the fraudster transfers money to an investment account, which fronts the money to improve user experience while the ACH process finalizes. The fraudster then purchases crypto, which can't be recovered. By the time the ACH payment processes and comes back with an insufficient funds return code, the money is gone.
With customer-initiated returns, fraudsters may commit fraud by making a legitimate purchase and then claiming they never authorized the transaction. The money is returned to their account, while they keep the product they purchased. Or, a user's account information may be used by a fraudster to authorize a payment. When the user realizes the transaction occurred, they can dispute it with their bank and receive the funds back. The risk of these returns can be predicted and limited using Plaid's ACH risk product. We'll discuss limiting ACH fraud risk in the next section.
Phishing attacks
Phishing attacks occur when a bad actor sends an email or text message that tricks people or organizations into revealing sensitive bank information that is then used to initiate unauthorized ACH payments.
For example, a fraudster might send a message that appears to come from the user's or organization's bank. The messages often contain urgent language or warnings about suspicious account activity. When the user clicks the link in the email, they are redirected to a legitimate-looking site and prompted to log in. The attackers capture these credentials and use them to gain access to the real account and initiate fraudulent ACH payments or commit other types of payment fraud.
Ghost funding
Ghost funding fraud occurs when users are given immediate access to funds that have not yet settled through ACH, and fraudsters exploit that window for profit. For example, say a user creates an account with an investment app. They initiate an ACH transfer from their bank to the investment app. To improve user experience, the app credits the user's investment account while the ACH payment is processed (which can take several business days).
The user then purchases crypto or transfers the money to another account. Several days later, the ACH payment is returned for insufficient funds. The user has already spent the money they were fronted, and the investment app is unable to recover the funds.
Insider threats
Sometimes, the fraudsters are within your own company. Employees or contractors with access to sensitive information can potentially perpetrate ACH fraud. For example, they may approve invoices they know are fake and pocket the money. In some cases, employees may process the same payment twice, alter the payment amount before processing, or redirect payments to accounts they control.
Account takeover fraud
Though less common, account takeover fraud is still a risk for ACH payments. Using social engineering, for example, a fraudster may gain access to an account. Once they control the account, they can make fraudulent transactions by transferring funds to an account they control, or even use the account to perpetrate other types of fraud, such as ghost funding.
Who bears the loss for ACH fraud?
Who bears the loss for ACH fraud varies depending on the circumstances, how the fraud is perpetrated, and the parties involved. In many cases, your company may be left holding the proverbial bag for ACH fraud committed against you.
Fraudulent ACH returns: When a user purchases an item, and then fraudulently makes a return while keeping the item, the selling company takes the loss.
Phishing attacks: Depending on what action is taken as a result of the attack, the company or person who fell victim to the attack may be liable for losses (for example, if a person authorized a payment to a fraudster).
Ghost funding: In a situation where a user funds an account and then disappears with the fronted money, the app or company that fronted the money to the account is generally left with the loss.
Insider threats: Liability for fraud committed by someone inside a company may vary. The immediate liability falls to the organization that was defrauded; however, the funds may be recovered from the fraudster through legal channels.
Account takeover fraud: Generally, the person whose account was accessed is liable for the losses, although recovery may be possible, and in some cases the financial institution may absorb the loss for the user.
Legal steps may need to be taken to resolve disputes and attempt to recover funds after fraud has occurred. Who perpetrated the fraud and the amount of time it takes to discover the fraud may impact the chances of recovery.
How to prevent ACH payment fraud
Preventing ACH payment fraud requires a multi-pronged approach. Implementing robust training, risk detection, and security measures throughout the payment process is essential to safeguarding financial transactions and sensitive data. Here are five ways to limit ACH fraud risk.
1. Educate customers and employees about phishing scams
Phishing scams work by tricking individuals into clicking on malicious links or entering their login information into fake websites. Fraudsters then use this information to gain access to accounts and process fraudulent ACH transfers.
Training employees and users is crucial to preventing phishing attacks. Conduct awareness sessions that explain how common phishing scams work and the warning signs of phishing scams, such as overly urgent-sounding emails. Encourage employees and users to be skeptical of emails they receive and to verify sending addresses and URLs before clicking or sharing personal data.
2. Use modern identity verification solutions
Digital tools play a crucial role in limiting ACH fraud by enhancing the identity verification process. Plaid IDV quickly verifies identity information by comparing it to regulated data sources. It also checks global ID documents to ensure they are valid and uses selfie verification to ensure a real person is submitting the information and their face matches the image on the ID presented.
This helps limit the risk of third-party fraud, where fraudsters use someone else's identity to send fraudulent ACH transactions. Using digital identity verification can also increase conversions, as the process is user-friendly.
3. Predict ACH return risk
Similar to credit cards that use data to flag suspicious purchases, ACH risk-scoring solutions look at a range of factors to determine whether an ACH transaction is high or low risk. Plaid Signal looks at a variety of data points to optimize payment flows while limiting ACH fraud and return risk.
Signal creates two transaction risk assessment scores—one for customer-initiated returns and another for bank-initiated returns. This allows companies to predict the likelihood of the ACH payment being returned and take steps to limit risk.
For example, if an account funding payment is flagged as likely to have a bank-initiated return, a company might choose to front only a small portion of the deposit to prevent ghost funding. If the customer-initiated return risk is high, the payment may be blocked or require additional information, such as re-verifying user identity information or triggering knowledge-based authentication (KBA) if applicable, before processing. Alongside the two scores, Signal provides nearly 80 attributes that detail the risk factors behind the scores, enabling companies to take more targeted actions like those described above.
By predicting risk before a payment is completed, organizations can avoid putting funds from every payment on hold to reduce the risk of fraud. Using Signal, fintech company Uphold was able to reduce ACH return losses by 73% while improving customer satisfaction and preventing long hold times for ACH payments.
Uphold's return losses have decreased by 73%.
The number of customer complaints dropped by 77%.
83% of transactions don't need a 65-day withdrawal hold.
4. Verify bank balances
There is no instant balance check inherently built into the ACH payment process, which can result in returns for insufficient funds and increase the risk of ghost funding. Plaid can help mitigate this risk by verifying bank account balances and ensuring sufficient funds. For example, if a payment has a high risk of bank-initiated returns, the customer can undergo an instant balance check via Plaid to verify there are enough funds before proceeding.
Processing times for ACH debit requests vary, but typically they are processed in 1-2 business days. Therefore, the account balance obtained before submitting the ACH debit request may have changed by the time of processing, which can result in false positives or negatives. This is why it’s important to use more robust anti-fraud and risk solutions like Plaid Signal, and not rely on balance checks alone.
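As an added example (not Plaid's code or API), the funding policy described in sections 3 and 4 in code: the two return-risk scores decide whether to step up, block, or front only part of a deposit, and a balance check only widens the front when it is fresh and covers the debit with a buffer. The 0-99 score scale, thresholds, fractions and freshness window are all assumed policy values.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed layout: both return-risk scores on a 0-99 scale, higher = riskier.
# Thresholds and fractions below are illustrative policy choices, not Plaid's.
BANK_RETURN_HIGH = 70        # likely bank-initiated (e.g. NSF) return
CUSTOMER_RETURN_HIGH = 70    # likely customer-initiated (unauthorized) return
FRONT_FRACTION_RISKY = 0.10  # front 10% of a risky deposit without a balance check
FRONT_FRACTION_VERIFIED = 0.50  # front 50% when a fresh balance covers the debit
BALANCE_BUFFER = 1.25        # require balance >= 125% of the debit amount
BALANCE_MAX_AGE_S = 10 * 60  # a balance older than 10 minutes is treated as stale

@dataclass
class Decision:
    action: str          # "approve", "step_up" or "block"
    fronted: float       # amount released to the user immediately
    hold_amount: float   # amount withheld until the ACH debit settles
    reason: str

def funding_decision(amount: float, bank_return_risk: int, customer_return_risk: int,
                     balance: Optional[float] = None,
                     balance_age_s: Optional[int] = None) -> Decision:
    """Decide how much of an account-funding ACH debit to make available now."""
    if customer_return_risk >= CUSTOMER_RETURN_HIGH:
        # Unauthorized-return risk: release nothing and ask for re-verification.
        return Decision("step_up", 0.0, amount, "high customer-initiated return risk")
    if bank_return_risk < BANK_RETURN_HIGH:
        return Decision("approve", amount, 0.0, "low return risk")
    # High NSF risk. A fresh balance check can justify a larger front, but the
    # balance can move before the debit settles, so never front the full amount
    # on the balance alone (this is the staleness caveat from section 4).
    fresh = (balance is not None and balance_age_s is not None
             and balance_age_s <= BALANCE_MAX_AGE_S)
    if fresh and balance >= amount * BALANCE_BUFFER:
        fronted = round(amount * FRONT_FRACTION_VERIFIED, 2)
        reason = "high bank-return risk, fresh balance covers debit"
    elif fresh:
        return Decision("block", 0.0, amount, "fresh balance insufficient for debit")
    else:
        fronted = round(amount * FRONT_FRACTION_RISKY, 2)
        reason = "high bank-return risk, no fresh balance"
    return Decision("approve", fronted, round(amount - fronted, 2), reason)

if __name__ == "__main__":
    # Constructed ghost-funding scenario: a $5,000 deposit scored as likely NSF.
    for d in (funding_decision(5000.0, 85, 20),
              funding_decision(5000.0, 85, 20, balance=7000.0, balance_age_s=60),
              funding_decision(5000.0, 85, 20, balance=7000.0, balance_age_s=3600)):
        print(f"{d.action}: front ${d.fronted:,.2f}, hold ${d.hold_amount:,.2f} ({d.reason})")
```

The exposure on the risky deposit is capped at the fronted amount rather than the full $5,000, and a stale balance is deliberately ignored.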
5. Leverage anti-fraud networks
Fraud rarely occurs in a vacuum. Most fraudsters have attempted, and sometimes succeeded in, committing fraud multiple times. Beacon, Plaid's anti-fraud network, leverages the power of shared data by allowing companies to share identities that have been associated with third-party and synthetic fraud in the past. Using Beacon, companies can report fraud and query third-party and synthetic fraud reports made to Beacon by other companies, reducing the use of fraudulent accounts and identities across the ecosystem.
Prevent ACH fraud and protect the user experience
Preventing ACH fraud is crucial to protect the financial stability of an organization. However, it's equally important to protect conversions by preserving the user experience. In the face of fraud, many organizations enact stringent security protocols that create a frustrating experience for users, many of whom may choose to find other solutions for their financial needs.
Using data and solutions from Plaid, organizations can create a multi-layered approach that limits the risk of fraud, and of returns for other reasons, while maintaining a user-friendly, dynamic interface. By prioritizing both fraud prevention and user experience, organizations can protect their bottom line and sensitive data without compromising customer satisfaction, creating a win-win scenario.