Fraud involving the Automated Clearing House (ACH—hence the term ACH fraud) Network, which is used by financial institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals, is becoming an increasingly popular way for hackers to siphon money out of the bank accounts of unsuspecting victims.
Fraudsters only need two pieces of information to pull off ACH fraud; a checking account number and a bank routing number. They typically obtain the information with a targeted phishing email that tricks the victim into running malicious software which then allows criminals to install keylogging software and steal bank account passwords.
How pervasive is this crime? According to a report late last year from the FBI, there has been approximately $100 million in attempted losses due to ACH fraud as of October 2009. The FBI reports it is seeing several new victim complaints and cases opened every week.
What is involved in ACH fraud? How is this crime perpetrated and how can businesses and individuals protect their information? CSO spoke with Deb Geister, director of fraud prevention and compliance solutions at LexisNexis, for more information about this growing problem.
CSO: What exactly is ACH fraud and how does ACH fraud happen? ACH, of course, stands for Automated Clearing House network. An ACH transaction is an electronic funds transfer between bank accounts using a batch processing system. Simply defined, ACH fraud is any unauthorized funds transfer that occurs in a bank account. ACH fraud, unfortunately, is very easy to execute. All the fraudster needs is an account number and a bank routing number to execute the fraud. In the simplest form, the fraudster uses your bank account and routing numbers to initiate payments for purchases or to pay debt by giving these numbers to the desired vendor.
This type of fraud can occur over the phone or through web transactions. More complex ACH fraud, perpetrated by rings, begins with a computer Trojan that fraudsters seek to place on a computer, usually through some type of "phishing" attack launched through email or through an infected website. Once the Trojan is in place, the fraudsters then log keystrokes, looking for logins for bank accounts. They use this information to create their own login and transfer funds out of the accounts or apply payments through the accounts. Many larger schemes use "mules," which are hired accomplices, usually through work-at-home schemes to either knowingly or unknowingly move funds on their behalf, to move the funds to their overseas accounts.
Is ACH fraud a growing trend in crime?
ACH fraud has been a growing trend, most likely because it is fairly easy to accomplish and can go undetected. Both the FBI and the FDIC warned of the increase of these types of frauds late in 2009. Many fraud rings have focused on ACH frauds that are targeted at the US. These fraudsters have discovered that they can now do with ACH transactions what they used to do with checks. Only with electronic transfers it is infinitely easier.
Who is at risk?
Last November, the FBI issued a press release that estimated a recent surge totaling over $100 million in ACH fraud. The press release issued by the Internet Crime Complaint Center (IC3) stated: "FBI analysis has found in most cases, the victims' accounts are held at local community banks and credit unions, some of which use third-party service providers to process ACH transactions. The bank account holders are often small- to medium-sized businesses across the United States, in addition to court systems, school districts, and other public institutions." Beyond the FBI warning, any bank account can be at risk from this type of fraud.
Can you provide an example of a common scam used by criminals to achieve ACH fraud?
There are many types of scams seen in ACH fraud but the most common seem to revolve around email or other types of phishing schemes. One such scheme targeted at businesses appears to be an email from the IRS with the subject line "Notice of Underreported Income." Once the recipient opens the email, a Trojan is placed on their system. In this case it is the Zeus Trojan. This type of malware is exceptionally good at stealing sensitive data, and it is especially interested in online banking credentials. Once it has obtained the desired credentials, ACH transfers are initiated, typically multiple to "mules" that have been recruited through work-at-home schemes. These mules typically are paid to take payments and move them along to the fraudsters while keeping a percentage of the transfer. Many of these losses can mount quickly to six figures.
What are some best practices organizations can use to avoid ACH fraud?
Detection is really the key with ACH fraud, especially around business accounts. Consumers need to alert their institution within 60 days in order to recover funds. Businesses, however, only have as little as one business day. Therefore, monitoring becomes critical. Daily review of the credits and debits of the business is essential in detecting fraudulent activity. In addition, there are some services that businesses should look at from their banks such as ACH Blocks or ACH Filters and positive pay type services.
[Also see Fraudsters bank on business accounts: How to protect your funds online by Craig Priess of Guardian Analytics]
ACH products typically take two forms:
- ACH Debit Block: This service automatically returns all ACH debits and/or credits that are directed to a particular bank account. No customer intervention is necessary once the service is set up.
- ACH Debit "Filter": Automatically returns all ACH items for a designated account, except those that are pre-authorized. Authorized ACH Originators are identified by providing the bank with specific identifier information, e.g. originating company ID, individual ID number, etc. Some banks offer the flexibility of allowing customers to further fine-tune their payment criteria based on maximum dollar amounts, exact dollar amounts, and maximum number of occurrences.
There is also a service similar to "Positive Pay" that allows review of ACH debits before they are posted, with the customer making the decision to accept or return the items individually. The determination of which service to use is a function of what type of activity an account is used for and what specific debit block services are available from the bank holding the account. For example, it might be reasonable to block debits completely for a depository account, where a debit filter might be needed for a disbursement account. Another method of fraud prevention is reverse positive pay, which allows business owners to review the incoming ACH debits and decide whether to accept or reject them. This decision, however, must be made the following day or the debits will be rejected.
Failing to monitor the ACH activity on a business account can be costly. There are many court cases that are pending regarding banks suing their customers and corporate customers suing banks to recapture their lost funds. Under current law, business recovery is much more difficult than it is for consumers. The current court cases — such as Hillary Machinery vs. PlainsCapital Bank — the landmark case of a bank suing its own customer, Experi-Metal Inc. vs. Comerica Bank — a case of a customer suing its bank over fraud losses and PATCO vs. Ocean Bank — one of the more recent cases to emerge nationwide —impacting banks and businesses of all sizes illustrate the increase in the rise of ACH fraud.