ACH Fraud Explained: How It Happens, Real Examples, and Prevention Strategies
Finance for Founders

Brian from Cash Flow Desk

January 20, 2026

ACH fraud is the unauthorized manipulation of electronic transfers through the Automated Clearing House network to steal money from business bank accounts. Unlike credit card fraud where chargebacks offer protection, ACH fraud hits business accounts directly with minimal recovery options and no federal mandate for bank reimbursement. This guide covers how ACH fraud happens, real-world attack methods, and prevention strategies organized by cost and complexity.

What is ACH fraud?

ACH fraud is the unauthorized manipulation of electronic transfers through the Automated Clearing House network to steal money from business bank accounts. Criminals either trick businesses into sending payments to fraudulent accounts or use stolen credentials to pull money directly from accounts without authorization.

Here's what makes ACH fraud uniquely dangerous for businesses: no federal law mandates that banks reimburse businesses for ACH fraud, unlike consumer accounts which enjoy automatic protection under Regulation E. Business accounts fall under the Uniform Commercial Code Article 4A framework, which places substantially greater responsibility on businesses to monitor and report fraud. Companies face a narrow 24-hour window to report unauthorized ACH transactions to their financial institution, with no guarantee of reimbursement even when reported promptly.

Common ACH fraud methods and real examples

We've organized these attack methods based on what we've seen documented most frequently in law enforcement actions and incident reports. Understanding how criminals operate helps you recognize the warning signs before payments execute.

Business email compromise (BEC)

BEC represents the most prevalent and costly form of ACH fraud, accounting for the vast majority of all reported cyber incidents affecting ACH and wire transfers. The 2025 AFP Payments Fraud Survey found that 63% of organizations experienced BEC in 2024, making it the top fraud vector for businesses.

The attack follows a predictable pattern. Criminals intercept legitimate vendor communications and send fraudulent emails with updated bank account information for ACH payments. Funds move quickly through multiple accounts to obscure the trail, and fraud often goes undetected until the real vendor contacts the business about non-payment weeks or months later.

Account takeover and phishing scams

Account takeover happens when criminals gain access to online banking credentials and take control of accounts. Attackers obtain login credentials through phishing or social engineering, then systematically lock businesses out of their own banking systems by initiating password resets and gaining full control.

The phishing component works through fake websites that look identical to bank login portals. These attacks typically start with urgent emails claiming fraudulent activity on accounts, complete with professional branding and convincing copy that creates time pressure. When employees enter credentials, including multi-factor authentication codes, criminals capture everything in real-time. Even MFA isn't foolproof when criminals manipulate account owners into giving away codes and one-time passcodes during these sophisticated attacks.

Unauthorized ACH debits

Criminals use stolen account and routing numbers to pull money directly from business accounts without authorization. This happens when attackers obtain banking information through data breaches, stolen checks, or phishing campaigns.

By the time these transactions show up during daily account review, funds may already be moving through multiple accounts to obscure the trail. ACH debit blocks and positive pay services provide the strongest mitigation against this attack vector.

Warning signs and red flags

We've seen how recognizing fraud indicators before payments execute gives businesses the best chance of preventing losses. Watch for these specific patterns in vendor communications and account activity.

Suspicious vendor requests and pressure tactics

Any unsolicited request to update banking information should raise immediate red flags, especially if it arrives via email without prior phone conversation. Classic fraud indicators include:

  • Requests that bypass normal approval processes: Demands for banking changes without proper verification or requests that skip standard authorization workflow
  • Artificial urgency creating time pressure: Threats of service interruption or legal action unless payment is processed immediately
  • Generic greetings instead of personalization: Communications using "Dear Valued Partner" instead of actual names can indicate mass phishing campaigns
  • Demands for secrecy about payment changes: Any communication suggesting verification shouldn't occur through normal channels is almost certainly fraudulent

These communication patterns become clearer when combined with account activity monitoring.

Account activity anomalies

Daily account reconciliation within the critical 24-hour reporting window is essential for ACH fraud detection. During daily reviews, watch for ACH debits that weren't authorized, particularly debits from unfamiliar company names that may indicate vendor impersonation fraud.

Changes to account settings, contact information, or authorized users that weren't requested indicate potential account takeover attempts. Failed login attempts or alerts about logins from unusual locations suggest credential compromise. Early detection is critical because most organizations recover only a small portion of stolen funds, making prevention through daily vigilance the most effective risk management strategy.

Who is liable for ACH fraud?

Business accounts operate under fundamentally different liability frameworks than consumer accounts. Understanding these liability rules determines your fraud prevention priorities and recovery expectations.

Business liability in ACH fraud

Regulation E only applies to individual consumers, not business accounts. Business accounts fall under the Uniform Commercial Code Article 4A framework, which places substantially greater responsibility on companies to monitor and report fraud.

Unlike consumer accounts where federal law mandates bank reimbursement for unauthorized transactions, no federal law requires banks to reimburse businesses for ACH fraud. This creates unlimited liability exposure that makes prevention the only viable risk management strategy. Financial institutions can deny fraud claims if businesses failed to have reasonable security procedures in place, didn't report unauthorized transactions promptly, or can't demonstrate proper controls were in place.

Bank and financial institution responsibility

Banks might only bear liability under two narrow conditions that must both be met: fraud is reported within the agreement's extremely narrow time window (often as short as 24 hours), and the bank demonstrably failed to have reasonable security measures in place.

Court cases have established that financial institutions can be held liable when they ignore their own fraud detection alerts, but these circumstances are rare. The practical reality is that businesses bear primary responsibility for ACH fraud prevention and detection, which is why implementing strong controls before fraud occurs is essential.

ACH fraud prevention and detection strategies

We've organized prevention strategies into tiers based on cost and complexity, allowing businesses to add essential protections immediately and advanced controls as they grow. With new NACHA regulatory requirements taking effect in 2026 that mandate fraud monitoring for the first time, companies need to prepare for compliance now.

Multi-factor authentication (MFA) implementation

Multi-factor authentication represents one of the most critical defenses against account takeover. Modern banking platforms and AP automation systems require MFA as baseline security, but businesses should verify their specific tools enforce this since some legacy systems make it optional.

However, MFA alone isn't foolproof. Criminals manipulate account owners into giving away MFA codes during sophisticated phishing attacks, which means businesses need MFA plus employee training that specifically covers how attackers bypass this control. Training should focus on recognizing phishing attempts and understanding that legitimate institutions never ask for authentication codes via email or phone.

Segregation of duties for payments

Two separate employees should review and approve ACH payment batches exceeding defined dollar thresholds. The payment initiator can't be the approver, creating a control that makes fraud require collusion between multiple employees. This separation serves as both a fraud deterrent and a catch mechanism for errors.

Approval workflows need documentation in written policies that specify dollar thresholds, required approvers, and escalation procedures. Modern spend management platforms focused on AP automation offer customizable approval workflows that automatically route bills to appropriate approvers based on amount thresholds and business rules.

ACH filters and positive pay systems

ACH filters and positive pay represent two of the most powerful fraud prevention tools available, and many banks offer them at no additional cost. These controls work by establishing what's allowed rather than trying to detect what's suspicious:

  • ACH debit blocks: Stop all ACH debit transactions or specify authorized companies that can debit accounts
  • Positive pay: Match incoming ACH transactions against files businesses upload to their bank
  • Exception review: Flag transactions that don't match expected patterns for manual review before processing

Start with a complete debit block if there are minimal or no legitimate ACH debits, then create exceptions for specific authorized companies as needed. This "default deny" approach provides maximum protection at zero cost. ACH Positive Pay requires more administrative overhead but provides strong protection through automated matching and exception review.
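The "default deny" logic described above, as an added example that is not code from the article or from any bank's positive pay product: a debit filter (allowlist of originator company IDs) is checked first, then each surviving debit must match an item the business uploaded to its bank, and everything else lands in exception review. The record layout, the one-day date window, and all sample entries are constructed for illustration.

```python
"""Default-deny screening of incoming ACH debits: a debit filter (allowlist of
originator company IDs) plus positive-pay matching against the debits the
business told its bank to expect. Hypothetical example; entries are simplified
records, not a NACHA file parser. All sample data is constructed."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Debit:
    company_id: str      # originator company identification on the entry
    company_name: str
    amount_cents: int
    effective: date

@dataclass(frozen=True)
class Expected:          # one line of the positive-pay file uploaded to the bank
    company_id: str
    amount_cents: int
    effective: date

def screen_debits(entries, allowed_ids, expected, window_days=1):
    """Classify each entry as 'pay' or 'exception' with a reason.
    1. Debit filter: originators not on the allowlist are rejected outright.
    2. Positive pay: the entry must match an expected item on company ID,
       exact amount, and effective date within window_days. A matched item
       is consumed, so a second presentment of the same debit is flagged.
    3. Everything else goes to manual exception review.
    """
    pending = list(expected)
    results = []
    for e in entries:
        if e.company_id not in allowed_ids:
            results.append((e, "exception", f"originator {e.company_id} ({e.company_name}) not on debit filter"))
            continue
        match = next((x for x in pending
                      if x.company_id == e.company_id
                      and x.amount_cents == e.amount_cents
                      and abs((x.effective - e.effective).days) <= window_days), None)
        if match is None:
            results.append((e, "exception", f"no positive-pay item for {e.company_id} amount {e.amount_cents}"))
            continue
        pending.remove(match)
        results.append((e, "pay", "matched positive-pay item"))
    return results

# Constructed sample: two authorized originators, two expected debits.
ALLOWED = {"1234567890", "2223334445"}
EXPECTED = [Expected("1234567890", 150_000, date(2026, 1, 20)),
            Expected("2223334445", 9_900, date(2026, 1, 21))]
ENTRIES = [
    Debit("1234567890", "PAYROLL SVC", 150_000, date(2026, 1, 20)),   # legitimate
    Debit("1234567890", "PAYROLL SVC", 150_000, date(2026, 1, 20)),   # duplicate presentment
    Debit("2223334445", "SAAS CO", 9_900, date(2026, 1, 22)),         # one day late, within window
    Debit("9999999999", "UNKNOWN LLC", 50_000, date(2026, 1, 20)),    # originator never authorized
]

if __name__ == "__main__":
    for e, decision, reason in screen_debits(ENTRIES, ALLOWED, EXPECTED):
        print(f"{decision:9} {e.company_name:12} {e.amount_cents / 100:>10.2f}  {reason}")
```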

Vendor verification protocols

All vendor banking changes require verification through a separate communication channel. Never rely solely on email. The verification process should follow a consistent pattern:

  • Use trusted contact information: Call the vendor using a phone number from the original contract or vendor master file, not from the change request email
  • Document all verifications: Record date, time, employee conducting verification, and person at vendor who confirmed the change
  • Implement dual verification: Require verification from two different people at the vendor for large payment destinations

Account validation tools provide automated verification without slowing down legitimate payment processing. These tools confirm that account numbers are valid and match the expected account holder name before payments are initiated.
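The verification protocol above, as an added example (not code from the article or from any account validation product): the routing number's check digit is validated, only calls placed to the number in the vendor master file count, each call is recorded with the employee and vendor contact, and two distinct vendor contacts are required above a threshold. The $10,000 dual-verification threshold, the record fields, and all sample values are assumptions for illustration.

```python
"""Hypothetical verification workflow for a vendor bank-change request (example
code, not from the article or any product). Rules from the text: validate the
routing number's check digit, call back only on the number in the vendor master
file, record who verified with whom, and require two vendor contacts for large
payment destinations. All sample data is constructed."""
from dataclasses import dataclass
from datetime import datetime

def routing_number_valid(rtn: str) -> bool:
    """ABA routing number check digit: nine digits, 3-7-1 weighted sum divisible by 10."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(rtn, weights)) % 10 == 0

@dataclass(frozen=True)
class VendorRecord:          # from the vendor master file / original contract
    vendor_id: str
    phone_on_file: str

@dataclass(frozen=True)
class ChangeRequest:         # arrived by email; nothing in it is trusted
    vendor_id: str
    new_routing: str
    new_account: str
    callback_phone: str      # never dialed: may be attacker-controlled

@dataclass(frozen=True)
class Verification:          # the documentation the article asks for
    verified_by: str         # employee who made the call
    confirmed_with: str      # named person at the vendor
    phone_dialed: str
    when: datetime

def evaluate_change(req, master, calls, amount_cents, dual_threshold_cents=1_000_000):
    """Return (approved, reasons); every failed rule is listed for the reviewer."""
    reasons = []
    if not routing_number_valid(req.new_routing):
        reasons.append("routing number fails check-digit validation")
    if any(c.phone_dialed != master.phone_on_file for c in calls):
        reasons.append("a verification call dialed a number not in the vendor master file")
    contacts = {c.confirmed_with for c in calls if c.phone_dialed == master.phone_on_file}
    needed = 2 if amount_cents >= dual_threshold_cents else 1
    if len(contacts) < needed:
        reasons.append(f"need {needed} vendor contact(s) confirmed via phone on file, have {len(contacts)}")
    return not reasons, reasons

# Constructed sample: the email offers a new callback number, which is ignored.
MASTER = VendorRecord("V-100", "555-0100")
REQUEST = ChangeRequest("V-100", "123456780", "9998887776", "555-0199")
CALL_AR = Verification("ap.clerk", "Dana, Acme AR", "555-0100", datetime(2026, 1, 20, 10, 5))
CALL_CFO = Verification("controller", "Lee, Acme CFO", "555-0100", datetime(2026, 1, 20, 11, 30))
CALL_BAD = Verification("ap.clerk", "'Dana'", "555-0199", datetime(2026, 1, 20, 9, 40))

if __name__ == "__main__":
    for calls, amt in (([CALL_AR], 50_000), ([CALL_AR], 2_500_000), ([CALL_AR, CALL_CFO], 2_500_000)):
        print(amt, evaluate_change(REQUEST, MASTER, calls, amt))
```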

Regular account reconciliation

Daily account reconciliation is essential for early fraud detection, though businesses should verify their specific bank's reporting requirements since windows can be as short as 24 hours for unauthorized transactions. Accounts need daily review rather than weekly or monthly schedules, with real-time alerts turned on.

Specific staff members should have responsibility for daily review, with clear escalation procedures for suspicious activity. All transactions need immediate review, not delayed schedules that push reconciliation to the following week. This connects directly to broader cash flow monitoring practices that help businesses maintain financial visibility and catch problems early.

ACH compliance and regulatory requirements

NACHA rules and obligations

NACHA's Operating Rules govern the ACH Network. If a company sends ACH payments, it's bound by these requirements. Recent rule changes represent the first time companies are required to have fraud monitoring and detection under the Rules, fundamentally changing how businesses must approach ACH security.

Corporate end users sending ACH payments face evolving regulatory requirements for fraud prevention. Companies must have risk-based processes and procedures in place to identify potentially fraudulent transactions. This means a documented plan that outlines the steps to take if an organization receives a request to update payment information or send a fraudulent payment into the ACH Network. The regulatory framework specifically targets Business Email Compromise and other fraud schemes where victims are manipulated into authorizing payments under false pretenses.

Regulatory changes in 2024-2026

March 2024 marked Phase 1 fraud monitoring requirements, introducing mandatory risk-based fraud monitoring processes for the first time. The implementation follows a phased approach that extends requirements to all participants:

  • March 2026: Companies that sent 6 million or more ACH entries in 2023 must comply with fraud monitoring requirements
  • June 2026: All companies sending ACH payments must comply regardless of volume
  • Annual reviews: All companies must review and update fraud monitoring processes at least annually
  • Documentation requirements: Written policies documenting fraud detection, prevention, and recovery procedures become mandatory

To comply with these requirements, companies need several key components in place:

  • Written fraud prevention policies: Documented risk-based processes and procedures that identify how the organization monitors for fraudulent ACH entries
  • Formal documentation: Records of ACH origination activities showing monitoring efforts and results
  • Incident response procedures: Clear steps for handling suspected fraud, including who to contact and what actions to take
  • Regular policy review schedules: Ongoing assessment and updates to address evolving fraud risks and new attack vectors

The shift from voluntary best practices to mandatory requirements means businesses that haven't prioritized ACH fraud prevention need to act immediately. Non-compliance could result in regulatory fines, increased fraud losses, and reputational damage.

What to do if your business falls victim to ACH fraud

When fraud hits, the first 24 hours determine whether there's any chance of recovery. Here's exactly what to do.

Immediate action steps (first 24 hours)

Contact the bank's fraud department immediately when discovering unauthorized ACH transactions. Companies can have a window as short as 24 hours to report unauthorized ACH transactions to their financial institution, making timing absolutely critical. Request a reversal of the fraudulent transaction as soon as fraud is reported.

Everything needs documentation: the exact time fraud was discovered, the time it was reported to the bank's fraud department, transaction details including amounts and dates, and any communication with the fraudulent party. Preserve evidence including access logs showing who had account access, screenshots of fraudulent emails, and any communication records. Maintain complete documentation for the bank's investigation and potential law enforcement involvement.

Contact your bank and file reports

Call the fraud department number on the back of the business debit card or the banker's direct line. Don't wait for business hours since most banks have 24/7 fraud hotlines. Request a reversal immediately and ask about the bank's specific timeline requirements for disputing unauthorized transactions.

File a complaint with the FBI Internet Crime Complaint Center at ic3.gov. Complaints are analyzed and may be referred to federal, state, local, or international law enforcement agencies for investigation. Report the fraud at ReportFraud.ftc.gov, where the FTC collects fraud reports to investigate and bring cases against fraud, scams, and bad business practices.

Recovery and post-fraud response

Recovery rates and realistic expectations

Set realistic expectations about recovery prospects. The 2025 AFP survey found that only 22% of organizations were able to recover 75% or more of funds lost to payments fraud in 2024, while 20% were unable to recover anything at all. Once ACH fraud occurs, recovery is time-sensitive and difficult, so prevention is critical.

By the time fraud is discovered, funds have often already moved through multiple accounts, and criminals typically move money immediately upon receipt. The combination of tight reporting windows and lack of federal protection means recovery success rates remain low even with prompt action.

Legal options and recourse

Consult with legal counsel about pursuing recovery under UCC Article 4A. While the law provides a one-year legal recovery framework, practical recovery success depends on reporting unauthorized ACH transactions within the much more restrictive 24-hour window established by bank commercial account agreements.

Review commercial crime insurance policies to determine whether they cover ACH fraud losses. Many businesses discover coverage gaps only after fraud occurs, so proactive policy review helps identify protection gaps before they become expensive problems.

Preventing future incidents

Use the fraud incident as a catalyst to add stronger controls that may have been delayed. Incident response plans should outline steps immediately following suspected fraud, including notifying the appropriate authorities and contacting the financial institution.

A post-incident review should identify exactly how the fraud occurred and which controls failed. Add the specific controls that would've prevented this incident, train employees on the actual fraud techniques used against the business, and document lessons learned to prevent recurrence. This review process often reveals systematic weaknesses in financial operations that extend beyond ACH fraud prevention.

Frequently asked questions

Can you get your money back after ACH fraud?

Recovery is difficult and often unsuccessful. You have just 24 hours to report unauthorized ACH transactions compared to 60 days for personal accounts, and no federal law requires banks to reimburse businesses for fraud losses.

What's the difference between ACH debit fraud and ACH credit fraud?

ACH debit fraud is when criminals pull money directly from your account using stolen information, while ACH credit fraud involves manipulating you into sending payments to fraudulent accounts. Debit fraud requires payment controls like debit blocks, while credit fraud needs vendor verification and dual authorization.

How do I verify vendor payment changes without slowing operations?

Call the vendor using a phone number from your original contract, not from the change request email. For routine payments to established vendors, automated matching against your vendor master file provides adequate verification without manual steps. Modern spend management platforms like Ramp can flag unusual vendor changes automatically, adding a layer of protection without creating bottlenecks in your payment workflow.

What are the new NACHA requirements for ACH fraud prevention?

Starting March 2026 for larger companies and June 2026 for all companies, you must implement documented fraud monitoring processes, conduct annual reviews, and maintain written policies for detecting and preventing ACH fraud. These are mandatory requirements, not optional best practices.