ACH Fraud: How It Happens, Warning Signs, and How to Protect Your Business
Finance for Founders


Brian from Cash Flow Desk

February 25, 2026

You wire a vendor payment on Tuesday, and by Thursday the real vendor calls asking where their money is. The email you responded to looked identical to every previous invoice thread, down to the signature block and formatting. That payment went to a criminal's account, and your bank has no obligation to give it back.

This guide covers how ACH fraud attacks work, how to spot them, what your liability looks like, and the prevention controls you can put in place today.

What is ACH fraud?

ACH fraud is the unauthorized manipulation of electronic transfers through the Automated Clearing House network to steal money from business bank accounts. Criminals trick companies into sending payments to fraudulent accounts or use stolen credentials to pull funds out directly.

Regulation E requires banks to reimburse unauthorized transactions on consumer accounts, but business accounts fall under UCC Article 4A, which places the monitoring and reporting burden on the company. Businesses face a 24-hour window to report unauthorized transactions, and even prompt reporting doesn't guarantee reimbursement.

Common ACH fraud methods

ACH fraud exploits weaknesses in how companies handle payments and account access.

Business email compromise

Business email compromise (BEC) is the most common and costly form of ACH fraud. The 2025 AFP Payments Fraud Survey found that 63% of organizations experienced BEC in 2024, making it the top fraud vector by a wide margin. Criminals intercept legitimate vendor email threads and send updated banking information that looks routine, then move funds through multiple accounts before anyone notices.

BEC attacks succeed because fraudulent emails arrive inside existing conversation threads, using the same formatting and tone the vendor has always used. Attackers gain access through compromised email accounts rather than spoofed addresses, so standard email filtering won't catch them. Strong disbursement controls and multi-step verification reduce this exposure, as do controls against broader vendor fraud schemes.

Account takeover and phishing

Account takeover happens when criminals gain access to online banking credentials through phishing sites that replicate legitimate bank portals. The attacks start with urgent emails claiming suspicious account activity. When employees enter their credentials, criminals capture everything in real time, including multi-factor authentication codes.

MFA provides incomplete protection when attackers manipulate account holders into revealing one-time passcodes. This tactic is also growing in wire fraud schemes, where criminals use similar phishing techniques to intercept wire transfer approvals.

Unauthorized ACH debits

Criminals use stolen account and routing numbers to pull money directly from business accounts. Data breaches or phishing campaigns typically provide the numbers needed to initiate a debit.

By the time unauthorized transactions surface during review, funds may already be moving through multiple accounts. ACH debit blocks and positive pay services provide the strongest defense, and many banks offer these controls at no additional cost. Companies processing eCheck payments face similar exposure since those transactions also run through the ACH network.

Warning signs of ACH fraud

Catching fraud early often determines whether you recover funds or lose them permanently.

Suspicious vendor requests

Any unsolicited banking information update request should trigger immediate verification. Four patterns appear repeatedly in fraudulent requests:

  • Bypassed approval steps: Demands for banking changes that skip your standard authorization workflow. Legitimate vendors know your process.
  • Artificial urgency: Threats of service interruption or legal action unless payment processes immediately.
  • Generic greetings: Communications using "Dear Valued Partner" instead of actual names, indicating mass phishing.
  • Secrecy requests: Any message suggesting that verification through normal channels isn't necessary.

When any of these patterns appear, verify through a separate channel using contact information from your vendor master file.

Account activity anomalies

Daily account reconciliation is the foundation of ACH fraud detection. Watch for unauthorized ACH debits from unfamiliar company names, which often indicate vendor impersonation. Unrecognized changes to account settings or authorized users point to account takeover in progress. Recovery rates drop sharply after 24 hours, which makes daily review essential for any business processing ACH or EFT payments.

Who is liable for ACH fraud?

Liability rules for ACH fraud heavily favor banks over businesses. Knowing how the framework works puts you in a stronger position if fraud does occur.

Business liability

Regulation E protects individual consumers, but business accounts fall under UCC Article 4A. Banks can deny fraud claims if the business failed to maintain "commercially reasonable" security procedures or missed the reporting window.

What counts as commercially reasonable depends on business size, transaction volume, and the security tools the bank offered. If your bank provides ACH debit blocks and positive pay at no cost and you chose not to activate them, that weakens your position in a dispute. With no federal reimbursement mandate, prevention consistently costs less than a single successful attack.

Bank responsibility

Banks can bear liability under narrow circumstances. The fraud must be reported within the agreement's time window, and the bank must have demonstrably failed to maintain reasonable security measures. Courts have held banks liable when they ignored their own fraud detection alerts, but these outcomes are rare.

ACH fraud prevention strategies

New NACHA rules taking effect in 2026 mandate fraud monitoring for the first time, so many of these controls are also becoming compliance requirements.

Multi-factor authentication

MFA is a critical defense against account takeover, but it won't stop every attack on its own. Criminals now manipulate account holders into revealing codes during phishing calls, so businesses need MFA paired with employee training on how attackers circumvent this control. Legitimate institutions never request authentication codes via email or phone.

Segregation of duties

Two separate employees should review and approve ACH payment batches above defined dollar thresholds. The person who initiates a payment cannot be the person who approves it, creating a control that requires collusion to defeat. Approval workflows need written documentation specifying dollar thresholds and required approvers, and most payment platforms can route transactions to the right approver automatically.

ACH filters and positive pay

ACH filters and positive pay prevent unauthorized debits, and many banks offer them at no extra cost. Anything outside the approved list gets flagged or blocked automatically:

  • ACH debit blocks: Stop all incoming ACH debit transactions or allow only pre-approved companies to debit the account.
  • Positive pay matching: The bank compares incoming ACH transactions against a file your team uploads and flags mismatches for manual review before processing.

Start with a full debit block if your account has few legitimate incoming ACH debits, then create exceptions as needed.
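The matching logic a positive pay file drives, as an added example that is not part of the original article and not any bank's implementation: incoming ACH debits are matched on the originator's ACH company ID (not its display name, which an impersonator can choose freely) against an approved list with per-entry ceilings, and a `full_block` flag models the "block everything, add exceptions later" starting point. All IDs, names and amounts are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Debit:
    """One incoming ACH debit as it would appear on the bank's pending-items report."""
    company_id: str      # ACH company identification of the originator
    company_name: str    # originator's display name (chosen by the originator)
    amount: Decimal
    trace: str           # trace number quoted when disputing the entry

# Constructed positive-pay file: originators approved to debit the account,
# each with a per-entry ceiling. IDs and amounts are made up for this example.
APPROVED_ORIGINATORS = {
    "1234567890": Decimal("5000.00"),   # payroll processor
    "9876543210": Decimal("250.00"),    # hosting subscription
}

# Constructed day's activity. T003 reuses a trusted display name but comes from
# an unlisted originator; T004 is a known originator debiting far over its ceiling.
SAMPLE_DEBITS = [
    Debit("1234567890", "ACME PAYROLL SVC", Decimal("4200.00"), "T001"),
    Debit("9876543210", "CLOUD HOSTING CO", Decimal("249.99"), "T002"),
    Debit("5550001111", "ACME PAYROLL SVC", Decimal("980.00"), "T003"),
    Debit("9876543210", "CLOUD HOSTING CO", Decimal("2500.00"), "T004"),
]

def review_debits(debits, approved, full_block=False):
    """Split debits into (post, hold). Matching is on company_id only, never on
    the display name. full_block=True models an ACH debit block with no exceptions."""
    post, hold = [], []
    for d in debits:
        if full_block:
            hold.append((d, "debit block: all incoming ACH debits held for review"))
            continue
        ceiling = approved.get(d.company_id)
        if ceiling is None:
            hold.append((d, "originator not on positive pay list"))
        elif d.amount > ceiling:
            hold.append((d, f"amount {d.amount} exceeds approved ceiling {ceiling}"))
        else:
            post.append(d)
    return post, hold

if __name__ == "__main__":
    _, held = review_debits(SAMPLE_DEBITS, APPROVED_ORIGINATORS)
    for d, why in held:
        print(f"HOLD {d.trace} {d.company_name:<18} {d.amount:>9} : {why}")
```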

Vendor verification protocols

All vendor banking changes should be verified through a separate communication channel using a phone number from your original contract or master file, not from the change request email. For large payment destinations, verification from two different people at the vendor organization adds another layer of protection.
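The verification rule above written as a decision function, as an added example that is not part of the original article: a bank-account change is approved only on callbacks placed to a number held in the vendor master file, a number supplied inside the change request is ignored even if someone answers and "confirms", and above an assumed dual-contact threshold two different people at the vendor must confirm. Vendor IDs, phone numbers, names and the threshold are constructed.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional, Tuple

# Constructed vendor master file; callback numbers come from the original contract only.
VENDOR_MASTER = {
    "V-1001": {"name": "Northwind Supply",
               "callback_phones": {"+1-555-0100", "+1-555-0101"}},
}

# Assumed policy value: above this annual volume, two different vendor contacts must confirm.
DUAL_CONTACT_THRESHOLD = Decimal("50000")

@dataclass
class BankChangeRequest:
    vendor_id: str
    phone_in_request: Optional[str]      # number the change email asks you to call
    annual_volume: Decimal               # amount at risk if the change is fraudulent
    # (number dialled, vendor contact reached, did they confirm the new account)
    callbacks: List[Tuple[str, str, bool]] = field(default_factory=list)

def evaluate_change(req, master=VENDOR_MASTER, threshold=DUAL_CONTACT_THRESHOLD):
    """Return (approved, reasons). Only callbacks to a master-file number count,
    so the number supplied in the request itself can never satisfy the check."""
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return False, ["vendor not in master file; onboard before paying"]
    reasons, confirmed_by = [], set()
    for phone, contact, confirmed in req.callbacks:
        if phone not in vendor["callback_phones"]:
            reasons.append(f"callback to {phone} ignored: not a master-file number")
        elif confirmed:
            confirmed_by.add(contact)
    needed = 2 if req.annual_volume >= threshold else 1
    if len(confirmed_by) < needed:
        reasons.append(f"{len(confirmed_by)} confirmed contact(s), {needed} required")
        return False, reasons
    return True, reasons

# Constructed scenarios. SUSPECT: the email supplied its own callback number and the
# clerk dialled it. SAME_PERSON: two calls, but both reached the same individual.
SUSPECT = BankChangeRequest("V-1001", "+1-555-0199", Decimal("120000"),
                            callbacks=[("+1-555-0199", "J. Doe", True)])
SAME_PERSON = BankChangeRequest("V-1001", "+1-555-0199", Decimal("120000"),
                                callbacks=[("+1-555-0100", "A. Smith", True),
                                           ("+1-555-0101", "A. Smith", True)])
VERIFIED = BankChangeRequest("V-1001", "+1-555-0199", Decimal("120000"),
                             callbacks=[("+1-555-0100", "A. Smith", True),
                                        ("+1-555-0101", "B. Jones", True)])
```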

Daily account reconciliation

Daily reconciliation catches the fraud that other controls miss. The reporting window in most commercial banking agreements makes daily review a practical necessity. Assign specific team members to daily review and set up real-time ACH alerts through your bank's portal so anyone who spots a suspicious transaction knows who to notify.

NACHA compliance requirements for ACH fraud

NACHA's Operating Rules govern the ACH Network, and recent changes now require fraud monitoring for the first time. Four deadlines and requirements apply:

  • March 2026: Companies that sent 6 million or more ACH entries in 2023 must comply with fraud monitoring requirements.
  • June 2026: All companies sending ACH payments must comply regardless of volume, per Phase 2 of NACHA's fraud monitoring rules.
  • Annual reviews: All companies must review and update their fraud monitoring processes at least once per year.
  • Documentation: Written policies covering fraud detection, prevention, incident response, and recovery procedures become mandatory for all participants.

Non-compliance could result in regulatory fines alongside increased fraud exposure.

What to do if your business falls victim to ACH fraud

Contact your bank's fraud department immediately. The reporting window can be as short as 24 hours, so speed determines whether recovery is possible. Follow this sequence:

  1. Call your bank's fraud line. Request an ACH return or reversal. Provide the transaction amount, date, and recipient account details. Ask for written confirmation that the report was filed within the required window.
  2. Freeze affected accounts. Change all banking passwords and disable any tokens or access methods the attacker may have used.
  3. Document everything. Record the exact time fraud was discovered, when it was reported, all transaction details, and the names of everyone involved in the response.
  4. File external reports. Submit a complaint with the FBI's Internet Crime Complaint Center and report the incident to the FTC at ReportFraud.ftc.gov. These reports create a federal record that supports recovery efforts.
  5. Notify affected vendors or partners. If the fraud involved redirected payments, contact the real vendor immediately so they can secure their own accounts.

Recovery after ACH fraud

The 2025 AFP survey found that only 22% of organizations recovered 75% or more of funds lost to payments fraud in 2024, while 20% recovered nothing at all. Criminals typically move money immediately, splitting it across multiple accounts within hours.

Recovery efforts should move on several tracks at once. Consult legal counsel about filing a UCC Article 4A claim within the one-year statutory window, especially if the bank failed to meet its security obligations. Review your commercial crime insurance, cyber liability, and errors and omissions policies for payment fraud coverage, and file claims early since many policies have their own reporting deadlines.

Document which controls failed and implement the prevention measures that would have blocked the attack, such as ACH debit blocks, dual authorization, and mandatory phone verification for vendor payment updates. After any fraud incident, increase monitoring frequency on all accounts for at least 90 days since criminals who breach one account often attempt additional transactions at the same organization.

Frequently asked questions about ACH fraud

Can you recover money after ACH fraud?

Recovery is possible but difficult. Businesses have 24 hours to report unauthorized ACH transactions, compared to the 60-day window consumers receive under Regulation E. No federal law requires banks to reimburse business accounts, so the outcome depends on reporting speed and whether funds have already moved.

What is the difference between ACH debit fraud and ACH credit fraud?

ACH debit fraud occurs when criminals pull money from your account using stolen account and routing numbers. ACH credit fraud involves manipulating your team into sending payments to fraudulent accounts, typically through business email compromise. Debit fraud requires controls like debit blocks and positive pay, while credit fraud requires vendor verification and dual authorization.

How can businesses verify vendor payment changes without slowing operations?

Call the vendor using a phone number from your original contract or master file, not from the change request email. For routine payments to established vendors, automated matching against your master file provides verification without manual steps.

What are the new NACHA requirements for ACH fraud prevention?

Starting March 2026 for larger companies and June 2026 for all companies, businesses must have documented fraud monitoring processes and written prevention policies with annual reviews. These are mandatory under NACHA's Operating Rules.

How quickly do you need to report ACH fraud to your bank?

Commercial banking agreements typically require businesses to report unauthorized ACH transactions within 24 hours, though some have shorter windows. Missing this deadline can result in the bank denying your claim entirely. Check your specific agreement for the exact timeline and make sure daily reconciliation catches unauthorized transactions within that window.