4 Tips to Prevent ACH Credit Fraud
By Jeremiah Bennett.
Forced to work from home during COVID-19, Accounts Payable departments have accelerated their plans to move away from paper checks and pay more suppliers through ACH. This, in turn, has accelerated another trend: fraud. Fraudulent attacks on ACH credits carried out through social engineering are more commonly known as business email compromise, or BEC.
According to the 2020 AFP survey report on payments fraud, 2019 was the first year in which BEC schemes were the most common type of fraudulent attack, with 75% of organizations experiencing an attack and 54% of those reporting financial loss. ACH credits (outbound payments from buyer to supplier) were targeted in 37% of BEC schemes.
The problem has only gotten worse in 2020. In the September edition of its COVID-19 Fraud Benchmarking Report, the ACFE reports that 90% of respondents saw an increase in the frequency of cyber fraud from July to August. This included BECs.
Three-quarters of respondents said preventing and detecting fraud has become more difficult in the current environment, and more than 90% expect attacks to increase. Organizations are under siege and almost a third have not received any guidance from banking partners on mitigating ACH credit risk.
What can organizations do?
Defeating BECs requires a multi-pronged approach. Ongoing anti-fraud training is important, as these emails become more persuasive every day. Fraudsters have become experts at using victim data and A/B testing to remove the cues that would alert their targets to an illegitimate change request. Strong internal controls are also important, as is network security, which keeps unauthorized parties out of internal systems.
Here are four ways to reduce your risk of ACH credit fraud.
1. Handle with care
Countering ACH credit fraud starts with securely managing supplier bank details, which Accounts Payable must have on hand to transmit its payment file to the bank. This data is often stored in the ERP system, or sometimes in an Excel spreadsheet, where AP personnel recorded it during supplier onboarding. It is also updated whenever a supplier changes its information, and fraudulent change requests are one of the most common avenues of attack.
Let’s say you have a new person in Accounts Payable who is not yet fully trained. This person receives an email from a vendor asking them to update their bank account information.
Your new employee, eager to please, responds to the request, entering a new routing number and bank account, unaware that a million dollar payment to this vendor is being made the next day. Nobody realizes what happened until two weeks later when the real supplier calls, asking for payment.
At that point, it’s too late to recover the ACH payment. You can call the FBI and the bank. They may try to help you, but if the thieves are sophisticated enough, they’ve already transferred the money to offshore accounts, and it’s completely gone.
2. Secure Information
You should never use unsecured email for banking information updates, although a surprising number of companies still do. It’s all too easy for a hacker to intercept one of these emails and use the information it contains for their own purposes. If they obtain contact or bank account information, they can impersonate legitimate vendors and circumvent internal controls. Some companies even keep information in spreadsheets or their ERPs, but systems like these are not designed to store data securely.
Some companies allow suppliers to update their own information in supplier portals. This might work, provided companies manage access to the secure portal and check every update. However, if suppliers can log in and update information, attackers are likely to be able to reach the same information with very little resistance.
The most sophisticated approach I’ve seen so far includes a trained procurement team, which checks and validates all changes made.
There are a few drawbacks to this approach. It’s a big IT investment with a lot of labor demands. Even then, it is still prone to internal fraud. In the end, even the best systems will always have their risks. The goal is to minimize them.
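As an added example (not from the article or from Corpay), here is a small Python model of the change control the previous two sections call for: a bank-detail change request is recorded but never applied until AP verifies it by calling the phone number captured at onboarding (not one supplied in the request), two distinct people approve it, and payments are held during a cooling-off window afterwards. The cooling-off period, the supplier record layout and the sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

COOLING_OFF_DAYS = 3   # assumed policy: no payment for 3 days after details change

@dataclass
class Supplier:
    name: str
    routing: str
    account: str
    callback_phone: str                  # captured at onboarding, never from a request
    pending: Optional[dict] = None       # proposed details awaiting controls
    changed_on: Optional[date] = None    # date the last change reached the master file

def request_change(s: Supplier, routing: str, account: str, channel: str, today: date) -> None:
    """Record the request without applying it, whatever channel it arrived on."""
    s.pending = {"routing": routing, "account": account, "channel": channel,
                 "requested": today, "verified": False, "approvers": set()}

def verify_callback(s: Supplier, phone_dialed: str) -> bool:
    """Out-of-band check: AP must dial the number on file, not one in the email."""
    if s.pending is None or phone_dialed != s.callback_phone:
        return False
    s.pending["verified"] = True
    return True

def approve(s: Supplier, approver: str) -> int:
    """Second-person sign-off; returns the number of distinct approvers so far."""
    if s.pending is None:
        return 0
    s.pending["approvers"].add(approver)
    return len(s.pending["approvers"])

def apply_change(s: Supplier, today: date) -> bool:
    """Only a verified change with two distinct approvers reaches the master file."""
    p = s.pending
    if p is None or not p["verified"] or len(p["approvers"]) < 2:
        return False
    s.routing, s.account, s.changed_on, s.pending = p["routing"], p["account"], today, None
    return True

def payment_decision(s: Supplier, today: date) -> str:
    """Hold any payment while a change is pending or inside the cooling-off window."""
    if s.pending is not None:
        return "HOLD: unverified bank-detail change pending"
    if s.changed_on and today - s.changed_on < timedelta(days=COOLING_OFF_DAYS):
        return "HOLD: inside cooling-off window after bank-detail change"
    return "RELEASE"
```

In the article's scenario the emailed request would sit in `pending`, so the next-day million-dollar run is held rather than sent to the new account.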
3. Look at the fees
Companies often try to shift the burden of risk and time to others, with some success. For example, they may choose to pay their suppliers by card, which puts the risk on credit card networks. In the event of card fraud, it is more likely that payments can be reversed or refunded.
Virtual cards offer even more security, as they provide unique numbers that can only be used by a specified supplier for a specified amount. The big downside is that not all suppliers accept cards, because there are fees to consider.
One organization I know pays many of its vendors with PayPal. Their suppliers, mostly small businesses, are located all over the world. AP does not have the time or staff to verify payment information, validate bank accounts, and manage ongoing updates. As an intermediary, PayPal manages all of this and ensures that the funds go to the right place. But, again, suppliers pay high fees, on the order of three percent.
4. Move the risk
There really is no perfect system in place, which is why we are seeing an increase in ACH credit fraud alongside an increase in ACH payments. But there is an ideal way to transfer the risk to companies designed to bear the verification and validation burdens. Today’s payment automation vendors manage vendor information, so individual businesses no longer have to spend valuable time on it. It is like handing over the reins to IT and procurement to lock down the database and institute controls, except that working with a vendor removes the time investment and the responsibility.
Consider payment automation vendors as a way to outsource risk. Their sole purpose is to ensure secure and timely payments to your vendors without incurring costly overhead. They have perfected the systems and processes of hundreds of thousands of AP departments across the United States, and in ways companies would struggle to replicate.
Historically, businesses were most concerned about check fraud. Although they still have to pay attention to it, it is a rudimentary form of fraud that is easy to understand and plan for. As companies turn to electronic means of payment, they are increasingly confronted with sophisticated cyberattacks, which target much larger sums and are more difficult to defend against. With these attacks on the rise, companies may find that outsourcing to professionals is the best defense.
Jeremiah Bennett is the Chief Information Security Officer for Corpay, a FLEETCOR company that helps businesses of all sizes simplify how they pay suppliers, facilitate cash payments and reduce risk.