Why ACH Fraud Is a Growing Concern
ACH fraud encompasses a range of schemes — from unauthorized debits pulled from a business account to fraudulent credit redirections and business email compromise (BEC) attacks that manipulate payment instructions. As ACH volumes grow, so does the attention of bad actors who see the network as a lucrative target.
Unlike credit card fraud, where chargebacks are relatively straightforward, ACH fraud can be more difficult to reverse and recover from, particularly for business accounts where consumer protections are more limited. Prevention is far less costly than recovery.
8 Best Practices to Protect Your Business
1. Use ACH Debit Blocks and Filters
Most banks offer ACH debit blocks (which block all ACH debits to an account) or ACH debit filters (which only allow pre-approved originators to debit the account). If your business account doesn't need to receive third-party ACH debits, a full block is the simplest protection. For accounts that do receive debits, filters restrict access to known, trusted originators only.
2. Reconcile Accounts Daily
The window to return an unauthorized ACH debit is limited — typically two business days for business accounts. Daily reconciliation is not just good accounting practice; it's a fraud detection requirement. The sooner you spot an unauthorized transaction, the better your chances of recovery.
3. Secure Banking Credentials Rigorously
Many ACH fraud incidents begin with compromised online banking credentials. Require strong, unique passwords for all banking portals, enforce multi-factor authentication (MFA) on every banking login, and restrict banking access to dedicated, hardened devices where feasible.
4. Implement Dual Controls for Payment Initiation
No single employee should be able to both create and approve an ACH payment file. Dual control — where one person creates the payment and a separate person approves it — is a foundational internal control that dramatically reduces the risk of both external fraud and insider threats.
5. Verify Payment Instruction Changes Out-of-Band
Business Email Compromise (BEC) attacks frequently involve fraudsters impersonating vendors or employees and requesting changes to ACH payment details. Always verify bank account change requests through a separate, pre-established communication channel — a phone call to a known number, not a reply to the email making the request.
6. Monitor for Unusual Transaction Patterns
Work with your financial institution to set up transaction monitoring alerts. Flag transactions above certain thresholds, payments to new beneficiaries, and activity outside normal business hours. Many banks offer configurable alert systems — use them.
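As an added example (not code from the original article), the alert rules described here, together with the debit-filter allowlist from practice 1, applied in Python to a day's constructed ACH entries; the threshold, business hours, originator IDs and beneficiary names are assumed values chosen for illustration.

```python
from datetime import datetime

# Assumed configuration (constructed for this example, not real values):
APPROVED_DEBIT_ORIGINATORS = {"1234567890"}              # ACH debit filter allowlist (originator company IDs)
KNOWN_BENEFICIARIES = {"ACME SUPPLY", "CITY UTILITIES"}  # payees this business has paid before
ALERT_THRESHOLD = 25_000.00                              # dollars; flag anything larger
BUSINESS_HOURS = (8, 18)                                 # 08:00-18:00 local, Monday to Friday


def review_entry(entry):
    """Return the list of alert reasons for one ACH entry (empty list = nothing to flag).

    'debit' means a third party pulled funds from our account (checked against the
    debit filter); 'credit' means we pushed funds out to a beneficiary.
    """
    reasons = []
    when = datetime.fromisoformat(entry["timestamp"])  # naive timestamp, assumed local time
    if entry["type"] == "debit" and entry["originator_id"] not in APPROVED_DEBIT_ORIGINATORS:
        reasons.append("debit from originator not on filter allowlist")
    if entry["type"] == "credit" and entry["beneficiary"] not in KNOWN_BENEFICIARIES:
        reasons.append("credit to new beneficiary")
    if entry["amount"] > ALERT_THRESHOLD:
        reasons.append(f"amount exceeds {ALERT_THRESHOLD:,.2f}")
    outside_hours = not (BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1])
    if outside_hours or when.weekday() >= 5:  # weekday() 5 and 6 are Saturday and Sunday
        reasons.append("initiated outside business hours")
    return reasons


def review_batch(entries):
    """Review one day's entries; returns {entry_id: reasons} for flagged entries only."""
    flagged = {}
    for entry in entries:
        reasons = review_entry(entry)
        if reasons:
            flagged[entry["id"]] = reasons
    return flagged


# Constructed sample: one day's posted entries for the business account.
SAMPLE_ENTRIES = [
    {"id": "E1", "type": "debit", "originator_id": "1234567890",
     "beneficiary": None, "amount": 1_200.00, "timestamp": "2024-03-05T10:15:00"},
    {"id": "E2", "type": "debit", "originator_id": "9999999999",
     "beneficiary": None, "amount": 4_300.00, "timestamp": "2024-03-05T11:00:00"},
    {"id": "E3", "type": "credit", "originator_id": None,
     "beneficiary": "NEW VENDOR LLC", "amount": 48_500.00, "timestamp": "2024-03-05T23:40:00"},
    {"id": "E4", "type": "credit", "originator_id": None,
     "beneficiary": "ACME SUPPLY", "amount": 9_800.00, "timestamp": "2024-03-09T09:00:00"},
]

if __name__ == "__main__":
    for entry_id, reasons in review_batch(SAMPLE_ENTRIES).items():
        print(entry_id, "->", "; ".join(reasons))
```

E1 passes every rule; E2 trips the debit filter, E3 trips three rules at once, and E4 is flagged only because it was initiated on a Saturday.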
7. Review Third-Party Access Regularly
If you use payroll processors, accounting platforms, or payment service providers that have access to your ACH origination, audit those relationships periodically. Remove access for vendors you no longer use, and confirm that each integration uses appropriate security protocols.
8. Train Staff on Social Engineering and Fraud Awareness
Technology controls are only part of the solution. Employees who handle payments are frequent targets for phishing, pretexting, and social engineering. Regular training on recognizing and responding to fraud attempts is one of the highest-return investments a business can make in payment security.
What to Do If ACH Fraud Occurs
- Contact your bank immediately — time is critical for ACH returns.
- Document everything: transaction details, how the fraud occurred, communications involved.
- File a report with the FBI's Internet Crime Complaint Center (IC3) if BEC or cybercrime is involved.
- Review and strengthen controls to prevent recurrence.
No security program eliminates risk entirely, but businesses that implement layered controls make themselves far harder targets and are better positioned to detect and respond when incidents do occur.