ACH & Wire Fraud Prevention - For Businesses

   read

Both ACH (automated clearing house) transactions and wire transfers are forms of electronic fund transfers (EFTs). Wire transfers typically involve larger sums of money and are transferred between banks. ACH transfers are scheduled transactions, like online bill payments, that typically involve smaller amounts of money.

ACH (automated clearing house)

ACH fraud is the theft of funds through the Automated Clearing House financial transaction network. The ACH network acts as the central clearing facility for all Electronic Fund Transfer (EFT) transactions in the United States, representing a crucial link in the national banking system. Payments linger in the ACH network awaiting clearance for their final banking destination.

Here are a few examples of ACH fraud:

  1. The criminal accesses a commercial customer's credentials, generates an ACH file in the originator's name, and quickly withdraws funds before the victim discovers the fraud. 
  2. The criminal accesses a retail customer's credentials and sets himself up as an automatic bill pay recipient. 
  3. In an insider threat scenario, an employee of the target company or a bank modifies ACH files to steal money.
  4. In a variation on check kiting -- a scam in which funds are juggled back and forth between bank accounts at separate banks -- a criminal takes advantage of the time lag in transactions.
  5. In a spear phishing scam, an employee with authorization for ACH transactions receives an email that leads him to an infected site, which installs a keylogger to access authentication information. The thief can then impersonate the company's authorized representative and withdraw funds. 
ACH fraud prevention tips:

  1. Reconciliation of all banking transactions on a daily basis.
  2. Initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer.
  3. If possible, and in particular for customers that do high value or large numbers of online transactions, carry out all online banking activities from a stand-alone, hardened and completely locked down computer system from which e-mail and Web browsing are not possible.
  4. Be suspicious of e-mails purporting to be from a financial institution, government department or other agency requesting account information, account verification or banking access credentials such as usernames, passwords, PIN codes and similar information. Opening file attachments or clicking on web links in suspicious emails could expose the system to malicious code that could hijack their computer.
  5. Install a dedicated, actively managed firewall, especially if they have a broadband or dedicated connection to the Internet, such as DSL or cable. A firewall limits the potential for unauthorized access to a network and computers.
  6. Create a strong password with at least 10 characters that includes a combination of mixed case letters, numbers and special characters.
  7. Prohibit the use of "shared" usernames and passwords for online banking systems.
  8. Use a different password for each website that is accessed.
  9. Change the password a few times each year.
  10. Never share username and password information for Online Services with third-party providers.
  11. Limit administrative rights on users' workstations to help prevent the inadvertent downloading of malware or other viruses.
  12. Install commercial anti-virus and desktop firewall software on all computer systems. Free software may not provide protection against the latest threats compared with an industry standard product.
  13. Ensure virus protection and security software are updated regularly.
  14. Ensure computers are patched regularly particularly operating system and key application with security patches. It may be possible to sign up for automatic updates for the operating system and many applications.
  15. Clear the browser cache before starting an Online Banking session in order to eliminate copies of web pages that have been stored on the hard drive. How the cache is cleared will depend on the browser and version. This function is generally found in the browser's preferences menu.
  16. Verify use of a secure session (https not http) in the browser for all online banking.
  17. Avoid using an automatic login features that save usernames and passwords for online banking.
  18. Never leave a computer unattended while using any online banking or investing service.
  19. Never access bank, brokerage or other financial services information at Internet cafes, public libraries, etc. Unauthorized software may have been installed to trap account number and sign on information leaving the customer vulnerable to possible fraud.
  20. Stay in touch with other businesses to share information regarding suspected fraud activity.
  21. Immediately escalate any suspicious transactions to the financial institution particularly, ACH or wire transfers. There is a limited recovery window for these transactions and immediate escalation may prevent further loss by the customer.
Here is an example of wire fraud:

  1. The organization’s legitimate email domain is @company.com.
  2. The attacker registers domain names deceptively similar to the organization’s (for instance, @conpany.com, @cornpany.com, @cmpany.com).
  3. The attacker learns the names of the Designated Executive and Designated Employee through social engineering or online research.
  4. The attacker sends an email purporting to be from the Designated Executive, using a deceptively similar email domain.
  5. The Designated Employee receives this email and sees that it is from “Designated Executive” <Designated.Executive@conpany.com> directing the Designated Employee to have $1 million wired to account number 123456789.
  6. The Designated Employee, following procedure, checks to see that the email came from “Designated Executive.”
  7. But the Designated Employee fails to notice the misspelling in the email domain @conpany.com, mistaking it for a legitimate company email address.
  8. The Designated Employee logs into the online banking portal account and requests an outbound wire transfer for $1 million to account number 123456789.
  9. The bank, following procedure, checks to confirm that the request for the wire transfer did come from the Designated Employee’s account on the online banking portal.  
  10. The bank wires $1 million to account number 123456789.
  11. Meanwhile, the actual Designated Executive has no knowledge of this wire transfer.

Stop large international wire transfers

For international wire transfers over $50,000, call you regional FBI office (https://www.fbi.gov/contact-us/field-offices) and local police.  The FBI offers a Financial Fraud Kill Chain (FFKC) process to help recover large international wire transfers stolen from the United States.  The FFKC is intended to be utilized as another potential avenue for U.S. financial institutions to get victim funds returned. 

The FFKC can only be implemented if the fraudulent wire transfer meets the following criteria:

  • the wire transfer is $50,000 or above
  • the wire transfer is international
  • a SWIFT recall notice has been initiated by your financial institution
  • the wire transfer has occurred within the last 72 hours.
If this criteria is met, the following information will be needed:

  • Summary of the incident
  • Name of victim
  • Location of victim (City and state)
  • Originating bank name
  • Originating bank account number
  • Beneficiary name
  • Beneficiary bank
  • Beneficiary account number
  • Beneficiary bank location (if known)
  • Intermediary bank name (if known)
  • SWIFT number
  • Date
  • Amount of transaction
  • Any additional information that may be available, such as “for further credit,” or “in favor of”

Any wire transfers that occur outside of these thresholds should still be reported to law enforcement (http://www.ic3.gov/) but the FFKC cannot be utilized to return the fraudulent funds.