Both ACH (automated clearing house) transactions and wire transfers are forms of electronic fund transfers (EFTs). Wire transfers typically involve larger sums of money and are transferred between banks. ACH transfers are scheduled transactions, like online bill payments, that typically involve smaller amounts of money.
ACH (automated clearing house)
ACH fraud is the theft of funds through the Automated Clearing House financial transaction network. The ACH network acts as the central clearing facility for all Electronic Fund Transfer (EFT) transactions in the United States, representing a crucial link in the national banking system. Payments linger in the ACH network awaiting clearance for their final banking destination.
Here are a few examples of ACH fraud:
- The criminal accesses a commercial customer's credentials, generates an ACH file in the originator's name, and quickly withdraws funds before the victim discovers the fraud.
- The criminal accesses a retail customer's credentials and sets himself up as an automatic bill pay recipient.
- In an insider threat scenario, an employee of the target company or a bank modifies ACH files to steal money.
- In a variation on check kiting -- a scam in which funds are juggled back and forth between bank accounts at separate banks -- a criminal takes advantage of the time lag in transactions.
- In a spear phishing scam, an employee with authorization for ACH transactions receives an email that leads him to an infected site, which installs a keylogger to access authentication information. The thief can then impersonate the company's authorized representative and withdraw funds.
ACH fraud prevention tips:
- Reconciliation of all banking transactions on a daily basis.
- Initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer.
- If possible, and in particular for customers that do high value or large numbers of online transactions, carry out all online banking activities from a stand-alone, hardened and completely locked down computer system from which e-mail and Web browsing are not possible.
- Be suspicious of e-mails purporting to be from a financial institution, government department or other agency requesting account information, account verification or banking access credentials such as usernames, passwords, PIN codes and similar information. Opening file attachments or clicking on web links in suspicious emails could expose the system to malicious code that could hijack their computer.
- Install a dedicated, actively managed firewall, especially if they have a broadband or dedicated connection to the Internet, such as DSL or cable. A firewall limits the potential for unauthorized access to a network and computers.
- Create a strong password with at least 10 characters that includes a combination of mixed case letters, numbers and special characters.
- Prohibit the use of "shared" usernames and passwords for online banking systems.
- Use a different password for each website that is accessed.
- Change the password a few times each year.
- Never share username and password information for Online Services with third-party providers.
- Limit administrative rights on users' workstations to help prevent the inadvertent downloading of malware or other viruses.
- Install commercial anti-virus and desktop firewall software on all computer systems. Free software may not provide protection against the latest threats compared with an industry standard product.
- Ensure virus protection and security software are updated regularly.
- Ensure computers are patched regularly particularly operating system and key application with security patches. It may be possible to sign up for automatic updates for the operating system and many applications.
- Clear the browser cache before starting an Online Banking session in order to eliminate copies of web pages that have been stored on the hard drive. How the cache is cleared will depend on the browser and version. This function is generally found in the browser's preferences menu.
- Verify use of a secure session (https not http) in the browser for all online banking.
- Avoid using an automatic login features that save usernames and passwords for online banking.
- Never leave a computer unattended while using any online banking or investing service.
- Never access bank, brokerage or other financial services information at Internet cafes, public libraries, etc. Unauthorized software may have been installed to trap account number and sign on information leaving the customer vulnerable to possible fraud.
- Stay in touch with other businesses to share information regarding suspected fraud activity.
- Immediately escalate any suspicious transactions to the financial institution particularly, ACH or wire transfers. There is a limited recovery window for these transactions and immediate escalation may prevent further loss by the customer.
Here is an example of wire fraud:
- The organization’s legitimate email domain is @company.com.
- The attacker registers domain names deceptively similar to the organization’s (for instance, @conpany.com, @cornpany.com, @cmpany.com).
- The attacker learns the names of the Designated Executive and Designated Employee through social engineering or online research.
- The attacker sends an email purporting to be from the Designated Executive, using a deceptively similar email domain.
- The Designated Employee receives this email and sees that it is from “Designated Executive” <Designated.Executive@conpany.com> directing the Designated Employee to have $1 million wired to account number 123456789.
- The Designated Employee, following procedure, checks to see that the email came from “Designated Executive.”
- But the Designated Employee fails to notice the misspelling in the email domain @conpany.com, mistaking it for a legitimate company email address.
- The Designated Employee logs into the online banking portal account and requests an outbound wire transfer for $1 million to account number 123456789.
- The bank, following procedure, checks to confirm that the request for the wire transfer did come from the Designated Employee’s account on the online banking portal.
- The bank wires $1 million to account number 123456789.
- Meanwhile, the actual Designated Executive has no knowledge of this wire transfer.
Wire fraud prevention tips:
- Never wire money to people you don't know, regardless of how convincing or enticing their story may be. Scammers often win their victims' confidence with some "bait," such as a work-at-home offer, a great deal on a product for sale, or news that you have won some kind of lottery. Be especially careful with transactions over the Internet, where the other person's true identity can remain anonymous. A stranger asking you to wire money is a huge red flag that it is a scam. Don't fall for it.
But even if you get a request to send a wire transfer and it's supposedly from someone you do know, confirm that's the case some other way, such as through a separate phone call.
- If you're being pressed to make a decision or send money fast, it's probably a sign of a scam.
- Walk away from any offer from a stranger who asks you to deposit a check into your bank account and instructs you to wire any of that money to someone else, perhaps in another country. Let's say you receive a check, cashier's check or money order for an item you are selling or to cover so-called processing fees, shipping costs or other expenses. But then you notice that the check is for more money - perhaps far more - than what you were expecting. The other party instructs you to deposit the check and wire a portion back to an associate in another country. Later you find out that the check was fake and you are out all of the money you wired. In this type of scam, victims may end up owing thousands of dollars to the financial institution that wired the money.
Likewise, if you are selling something online, be wary of a request by a "buyer" to wire you the money because that may be a ruse to get your bank account information. Or, this person may plan to send you the money illegally using someone else's bank account number, and ultimately you'd be without your merchandise as well any payment. Always remember that wiring money is like sending cash, and because you voluntarily sent the money, you have fewer protections in terms of getting it back.
- Never give out your bank account or credit card numbers in response to an advertisement or an unsolicited call, text message or e-mail. That information could enable someone to steal money out of your account by a wire transfer, before you have time to realize that the interaction was fabricated by a swindler.