7 eCheck Dangers that Expose Companies to Fraud and Cash Flow Loss
May 18, 2026
The AFP's fraud survey found that 79% of organizations were targets of attempted or actual payment fraud. For finance teams using eChecks, the exposure runs deeper than most expect: a single spoofed vendor email, one unauthorized ACH debit, or a missed return window can cost more than a full year's savings from lower payment fees.
The single highest-impact danger is business email compromise, which the FBI IC3 linked to over $2.7 billion in reported losses in 2024 alone.
In this guide, we explore seven eCheck dangers affecting companies in the 50- to 500-employee range, from BEC and unauthorized debits to compliance penalties and account takeover fraud. For each danger, we cover how it occurs, how to prevent it, and what to do afterward.
In brief:
- BEC was the #1 payment fraud vector in 2024, cited by 63% of AFP survey respondents; a spoofed vendor email is all it takes to redirect an eCheck payment.
- Consumer ACH debits can be returned as unauthorized up to 60 calendar days after settlement, with no formal representment process inside the ACH network.
- Nacha's unauthorized debit return rate threshold is 0.5% at the ODFI level; exceeding it puts ACH origination privileges at risk.
- A Nacha fraud monitoring rule takes full effect June 22, 2026 (the nominal rule date is June 19, but Nacha has confirmed the practical compliance date is June 22 since June 19 falls on a federal holiday), requiring all non-consumer ACH originators to maintain documented, risk-based fraud detection procedures.
- Account takeover fraud targeting payroll and payment accounts produced more than $262 million in losses through November 2025, per FBI IC3 data.
eCheck danger #1: Business email compromise can redirect your payments
Business email compromise (BEC) was the #1 avenue for payment fraud in 2024. In the most common version, a fraudster spoofs or compromises a legitimate vendor's email account and contacts the finance team to request an update to bank details.
If the team accepts the change without verifying it through a separate channel, the next eCheck payment goes to an account the attacker controls. BEC shares tactics with vendor fraud schemes that target payment credentials directly, but relies on email impersonation rather than system compromise.
Companies in the 50- to 150-employee range are frequently targeted because attackers view them as combining meaningful payment volumes with lighter security controls than those of enterprises.
The FBI IC3 received 21,442 BEC complaints in 2024, with over $2.7 billion in reported losses. ACH credits were among the most targeted payment types, with the share of respondents reporting them rising from 47% to 50% year over year.
Three controls that stop a payment redirect before it happens
To stop BEC attempts before a payment leaves the account, you need three controls:
- Dual approval on all bank-detail changes: Any update to a vendor's account or routing number requires a second person to verify the change using original records, not just reviewing the same email chain that came in.
- Verbal callback policy: Before processing a payment to newly updated bank details, call the vendor at a number from existing files, not the number provided in the request email.
- Domain and tone training: Teach the team to closely check sender domains and treat any urgent payment change request as a red flag, regardless of who it appears to be from.
A written callback policy posted at the AP workstation costs nothing and stops the most common BEC pattern before any payment goes out. When one still gets through, the window to recover funds is measured in hours.
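The three controls above can be enforced as a gate in whatever system AP uses to log vendor changes. The following is an added example, not code from the article or from any vendor-management product: it models a bank-detail change request, checks the sender's domain against the vendor master record for an exact match (so lookalike domains fail), confirms the callback went to the number on file rather than to a number supplied in the email, and requires a second approver who is not the requester. The vendor record, the names, the `.example` domains and the phone numbers are constructed sample data.

```python
from dataclasses import dataclass

# Constructed vendor master record (hypothetical vendor; not from the article).
VENDOR_MASTER = {
    "V-1001": {
        "name": "Acme Supplies",
        "email_domain": "acmesupplies.example",
        "callback_phone": "+1-555-0100",  # captured at onboarding, never taken from an email
    },
}


@dataclass
class BankDetailChange:
    vendor_id: str
    sender_email: str          # From: address on the request email
    requested_by: str          # AP clerk who logged the request
    callback_by: str = ""      # who placed the verbal callback
    callback_number: str = ""  # number actually dialed
    approved_by: str = ""      # second person who verified against original records


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def review_change(req: BankDetailChange, vendor_master=VENDOR_MASTER) -> list:
    """Reasons the change must stay on hold; an empty list means it may be applied."""
    vendor = vendor_master[req.vendor_id]
    holds = []
    # Domain check: exact match only, so acmesupplies-payments.example or
    # acmesupplies.co is treated as a possible lookalike.
    if sender_domain(req.sender_email) != vendor["email_domain"].lower():
        holds.append("sender domain differs from vendor master (possible lookalike)")
    # Callback check: the call must go to the number on file.
    if not req.callback_by:
        holds.append("no verbal callback recorded")
    elif req.callback_number != vendor["callback_phone"]:
        holds.append("callback used a number other than the one on file")
    # Dual approval: a second person, not the requester, signs off.
    if not req.approved_by:
        holds.append("no second approver")
    elif req.approved_by == req.requested_by:
        holds.append("approver must be a different person than the requester")
    return holds


# Constructed requests against the same vendor record.
SPOOFED_REQUEST = BankDetailChange(
    vendor_id="V-1001",
    sender_email="billing@acmesupplies-payments.example",
    requested_by="dana",
    callback_by="dana",
    callback_number="+1-555-0199",  # the number the email itself supplied
)
VERIFIED_REQUEST = BankDetailChange(
    vendor_id="V-1001",
    sender_email="ap@acmesupplies.example",
    requested_by="dana",
    callback_by="morgan",
    callback_number="+1-555-0100",
    approved_by="morgan",
)

if __name__ == "__main__":
    for label, req in (("spoofed", SPOOFED_REQUEST), ("verified", VERIFIED_REQUEST)):
        print(label, review_change(req) or "OK to apply")
```

The exact-match domain rule is deliberate: fuzzy matching is what a lookalike domain is designed to pass. A genuine vendor that changes its email domain gets handled through the callback, not by loosening the check.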
When the funds have already left the account
If a misdirected payment has already gone out:
- Contact the bank's fraud line immediately: Banks can sometimes recall or freeze an ACH credit before it fully settles. The window is short, often the same day.
- File a complaint at ic3.gov: The FBI's IC3 Recovery Asset Team had a 66% success rate in freezing fraudulent transfers in 2024, but that success rate depends entirely on prompt reporting.
- Preserve the full email chain with headers: This is what investigators, the bank's fraud team, and any insurance claim will need to trace the attack and support recovery.
eCheck danger #2: Unauthorized ACH debits can drain your account without warning
Unlike a credit card transaction, an ACH debit only needs a routing number and account number to pull funds from an account. Those two details appear on every paper check a company writes and can also surface through data breaches, phishing emails, or stolen check images. A third party with that information can initiate a debit without any authorization.
Because ACH runs in batches rather than in real time, an unauthorized debit can post before the finance team notices it was initiated. Corporate accounts may have as little as 24 hours or as much as the next business day to report the transaction before liability shifts to the account holder, depending on the bank agreement.
Knowing that window and checking daily are core defenses against ACH fraud.
Blocking unauthorized pulls at the account level
You need three controls to eliminate most unauthorized debit exposure before a debit ever reaches the account:
- ACH debit block: Request this from the bank to block all ACH debits on accounts that should never accept third-party pulls. Many banks offer it at no charge, and it's the cleanest protection for outbound-only accounts.
- ACH positive pay with return as default: This routes any unrecognized ACH debit item for manual review rather than allowing it to settle automatically. Unrecognized items get returned, not approved.
- Daily account review: Log into the bank portal every business day and scan posted and pending ACH items. A five-minute daily check catches unauthorized debits within the reporting window.
An ACH debit block on outbound-only accounts and positive pay on the rest remove most unauthorized debit exposure before anything settles. When an entry does post, the reporting clock starts immediately.
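The positive pay rule above ("return as default") is easy to express in code. The following is an added example, not the article's or any bank's software: it reviews a constructed day of ACH debits against an approved-originator list keyed on the ACH Company ID, with a per-entry cap, and queues everything else for return. The originator names, company IDs and amounts are constructed sample data; matching on the Company ID rather than the free-text originator name is this example's design choice, since a name is trivially copied.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class AchDebit:
    posted: date
    originator_name: str  # free text as shown in the bank portal
    company_id: str       # ACH Company Identification of the originator
    amount: Decimal
    status: str           # "posted" or "pending"


# Constructed positive pay rules: originators allowed to debit, with a per-entry cap.
APPROVED_DEBITORS = {
    "1234567890": {"name": "PAYROLL TAX SVC", "max_amount": Decimal("50000.00")},
    "9876543210": {"name": "OFFICE LEASE LLC", "max_amount": Decimal("12000.00")},
}

# Constructed activity for one business day.
TODAYS_DEBITS = [
    AchDebit(date(2026, 5, 18), "PAYROLL TAX SVC", "1234567890", Decimal("18450.00"), "posted"),
    AchDebit(date(2026, 5, 18), "OFFICE LEASE LLC", "9876543210", Decimal("11500.00"), "pending"),
    AchDebit(date(2026, 5, 18), "QUICK CAPITAL ADV", "5551112222", Decimal("4980.00"), "pending"),
    # Same name as an approved originator but an amount above its cap.
    AchDebit(date(2026, 5, 18), "OFFICE LEASE LLC", "9876543210", Decimal("23000.00"), "pending"),
]


def review_debits(debits, rules=APPROVED_DEBITORS):
    """Return (item, decision, reason) triples; anything unrecognized is RETURN."""
    decisions = []
    for item in debits:
        rule = rules.get(item.company_id)
        if rule is None:
            decisions.append((item, "RETURN", "originator not on approved list"))
        elif item.amount > rule["max_amount"]:
            decisions.append((item, "RETURN", f"amount exceeds cap of {rule['max_amount']}"))
        else:
            decisions.append((item, "PAY", "matches approved originator and cap"))
    return decisions


def return_queue(debits, rules=APPROVED_DEBITORS):
    """Items to send back to the bank as returns."""
    return [item for item, decision, _ in review_debits(debits, rules) if decision == "RETURN"]


def returned_total(debits, rules=APPROVED_DEBITORS) -> Decimal:
    return sum((item.amount for item in return_queue(debits, rules)), Decimal("0"))


if __name__ == "__main__":
    for item, decision, reason in review_debits(TODAYS_DEBITS):
        print(f"{decision:6} {item.originator_name:18} {item.amount:>10} {reason}")
```

Run daily, the output is the five-minute review the article describes: the two items in the return queue are the unknown originator and the over-cap entry, and the bank is told to return them before they settle.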
Reporting and recovering after an unauthorized posting
If an unauthorized debit has already been posted:
- Report to the bank the same day: Ask about the dispute timeline for the account type. The sooner the report goes in, the better the recovery position will be.
- Request the originator's authorization through the bank: The bank can contact the originating institution to ask for proof of authorization. If none exists, the entry is returnable under Nacha rules.
- Document everything for insurance and recovery: Record the amount, date, originator name, and all communications. If the bank dispute doesn't resolve it, this documentation supports a cyber-insurance or fidelity bond claim.
Run an ACH debit block on every account used exclusively for outbound payments. It takes one call to the bank and eliminates an entire class of unauthorized debit risk.
eCheck danger #3: Bounced eChecks can cascade into a cash crisis
When a customer pays by eCheck and their account lacks sufficient funds, the payment doesn't fail immediately. It enters ACH processing, funds may appear temporarily, and a few business days later, the payer's bank sends a return code and pulls the money back.
If the team has already committed that cash to payroll or vendor payments, one bounced eCheck can create a shortfall on the other side of the ledger.
The timing risk is worst at companies processing eChecks weekly. Pending deposits look like settled funds in many bank portals, and finance managers sometimes include them in available cash calculations before the return window closes. A few bounced payments within the same cycle can create a liquidity gap that surfaces only when outbound payments begin to fail.
Cutting bounce exposure before incoming funds are committed
Here are three best practices that reduce bounce exposure before incoming funds are committed:
- Account validation before the first payment: Use ACH micro-deposits or a bank validation service to confirm an account is open and active before processing the first eCheck from a new customer.
- Settlement lag in cash planning: Keep incoming eCheck deposits out of the available cash figure until the return window has passed and funds are confirmed settled, not just pending.
- Float reserve tied to weekly volume: Maintain a buffer in the operating account equal to two to three weeks of expected eCheck receipts to absorb returns without disrupting outbound payments.
Account validation and a float reserve absorb most of what a single bounce would otherwise disrupt. Some still get through, particularly from customers with a temporary shortfall rather than a pattern of nonpayment.
Working through a bounced eCheck
If an eCheck bounces:
- Retry using "RETRY PYMT" in the description field: Nacha allows two retry attempts for NSF returns. The re-initiated entry must be submitted in a separate batch with "RETRY PYMT" in the Company Entry Description field.
- Collect NSF fees by ACH if the origination agreement allows it: Return Fee Entries must be initiated within 45 days of the original return's settlement date.
- Call the customer directly: A phone call often resolves a bounced eCheck faster than automated retries and protects the relationship, especially for customers who had a temporary cash problem rather than a pattern of nonpayment.
Keep a simple log of eCheck returns by customer. Two returns from the same customer within 90 days is a reliable signal to move them to a different payment method.
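The retry limit, the "RETRY PYMT" description, the 45-day Return Fee Entry window and the two-returns-in-90-days signal can all be driven from one return log. The following is an added example, not the article's or any processor's code: it keeps a constructed log of returned entries, builds the fields for a re-initiated entry while enforcing the two-retry limit, computes the return fee deadline, and flags customers with two returns inside the window. The customer IDs, entry IDs and dates are constructed; treating R01 and R09 as the NSF-type codes eligible for retry is this example's assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

NSF_RETURN_CODES = {"R01", "R09"}  # insufficient / uncollected funds (assumed set)
MAX_RETRIES = 2                    # two retry attempts, as stated above
RETURN_FEE_WINDOW_DAYS = 45        # Return Fee Entry deadline from the return's settlement date
REPEAT_WINDOW_DAYS = 90            # two returns inside this window flags the customer


@dataclass
class ReturnEvent:
    customer_id: str
    entry_id: str          # our identifier for the original debit entry
    return_code: str
    return_settled: date   # settlement date of the return
    retries_sent: int = 0


def can_retry(ev: ReturnEvent) -> bool:
    return ev.return_code in NSF_RETURN_CODES and ev.retries_sent < MAX_RETRIES


def build_retry(ev: ReturnEvent) -> dict:
    """Fields that distinguish the re-initiated entry; it must go in its own batch."""
    if not can_retry(ev):
        raise ValueError(f"{ev.entry_id}: not eligible for retry")
    ev.retries_sent += 1
    return {
        "company_entry_description": "RETRY PYMT",
        "original_entry_id": ev.entry_id,
        "attempt": ev.retries_sent,
        "separate_batch": True,
    }


def return_fee_deadline(ev: ReturnEvent) -> date:
    return ev.return_settled + timedelta(days=RETURN_FEE_WINDOW_DAYS)


def can_send_return_fee(ev: ReturnEvent, today: date, fee_authorized: bool) -> bool:
    """Fee entries need authorization in the origination agreement and must be in the window."""
    return fee_authorized and today <= return_fee_deadline(ev)


def repeat_returners(log, window_days: int = REPEAT_WINDOW_DAYS) -> list:
    """Customers with two returns within window_days of each other."""
    dates_by_customer = {}
    for ev in log:
        dates_by_customer.setdefault(ev.customer_id, []).append(ev.return_settled)
    flagged = []
    for customer, dates in dates_by_customer.items():
        dates.sort()
        if any((later - earlier).days <= window_days for earlier, later in zip(dates, dates[1:])):
            flagged.append(customer)
    return sorted(flagged)


# Constructed return log (sample data, not real customers).
RETURN_LOG = [
    ReturnEvent("C-100", "E-5001", "R01", date(2026, 3, 2)),
    ReturnEvent("C-300", "E-5002", "R01", date(2026, 1, 5)),
    ReturnEvent("C-200", "E-5003", "R09", date(2026, 4, 20)),
    ReturnEvent("C-300", "E-5004", "R01", date(2026, 5, 4)),   # 119 days after its first
    ReturnEvent("C-100", "E-5005", "R01", date(2026, 5, 11)),  # 70 days after its first
]

if __name__ == "__main__":
    print("move to another payment method:", repeat_returners(RETURN_LOG))
    first = RETURN_LOG[0]
    print("fee deadline for", first.entry_id, return_fee_deadline(first))
```

The log is the only state the process needs; the retry counter lives on the event so a third attempt is refused rather than quietly sent.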
eCheck danger #4: The 60-day dispute window can reverse eCheck funds you've already spent
For consumer ACH debit transactions, a bank can return a payment as unauthorized up to 60 calendar days after settlement. The consumer submits a Written Statement of Unauthorized Debit, and the return is automatically processed through the ACH network.
Unlike a credit card chargeback, ACH doesn't provide a formal representment channel inside the network to submit evidence and contest the reversal.
Most finance managers at growing companies don't realize the 60-day window exists until they're on the receiving end of a reversal for a payment they considered closed months ago. For business-to-business transactions on corporate accounts, the window is shorter at just two banking days under return code R29.
Authorization records and return rate monitoring as your first line
Clear authorization records and return rate monitoring are what protect against reversal exposure:
- Written authorization with all required fields: Every ACH debit authorization needs the transaction amount, date, frequency, account details, revocation terms, and authorization language. Missing any element makes the authorization easier to dispute.
- Two-year retention minimum: Nacha requires that authorization records be kept for at least two years after the authorization is terminated or revoked. Store them in a system where a specific record can be retrieved quickly.
- Monitor the unauthorized return rate: Keep the rate below Nacha's 0.5% threshold for consumer debits. Repeated returns from the same customers signal authorization gaps that need to be tightened.
Authorization records won't prevent a reversal from arriving, but they determine whether recovery is possible once one does.
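Two of the controls above reduce to arithmetic and a checklist. The following is an added example, not the article's code: it computes an originator's unauthorized return rate for a month against the 0.5% figure cited above, checks an authorization record for the required fields the article lists, and computes the end of the two-year retention period. The monthly counts and the sample record are constructed; the article names only return code R29, so the full set of codes counted as unauthorized here is this example's assumption.

```python
from datetime import date

# Return reason codes counted toward the unauthorized return rate. The article names
# R29; the rest of this set is an assumption of this example.
UNAUTHORIZED_RETURN_CODES = {"R05", "R07", "R10", "R11", "R29", "R51"}
UNAUTHORIZED_RATE_THRESHOLD = 0.005  # the 0.5% threshold cited above


def unauthorized_return_rate(debits_originated: int, returns_by_code: dict) -> float:
    """Unauthorized returns divided by debits originated in the same period."""
    if debits_originated <= 0:
        return 0.0
    unauthorized = sum(n for code, n in returns_by_code.items() if code in UNAUTHORIZED_RETURN_CODES)
    return unauthorized / debits_originated


def rate_breaches_threshold(debits_originated: int, returns_by_code: dict) -> bool:
    return unauthorized_return_rate(debits_originated, returns_by_code) > UNAUTHORIZED_RATE_THRESHOLD


# Elements the article lists for a complete ACH debit authorization.
REQUIRED_AUTHORIZATION_FIELDS = (
    "amount", "date", "frequency", "routing_number", "account_number",
    "revocation_terms", "authorization_language",
)


def missing_authorization_fields(record: dict) -> list:
    return [f for f in REQUIRED_AUTHORIZATION_FIELDS if not record.get(f)]


def retention_end(terminated_on: date) -> date:
    """Two years after the authorization was terminated or revoked."""
    try:
        return terminated_on.replace(year=terminated_on.year + 2)
    except ValueError:  # Feb 29 with no leap day two years later
        return terminated_on.replace(year=terminated_on.year + 2, day=28)


def may_purge(terminated_on: date, today: date) -> bool:
    return today > retention_end(terminated_on)


# Constructed month of activity: 4,000 debits originated, returns grouped by code.
MONTH_DEBITS_ORIGINATED = 4000
MONTH_RETURNS_BY_CODE = {"R01": 30, "R10": 15, "R07": 4, "R29": 2, "R02": 1}

# Constructed authorization record with its revocation terms left blank.
SAMPLE_AUTHORIZATION = {
    "amount": "250.00",
    "date": "2026-05-01",
    "frequency": "monthly",
    "routing_number": "021000021",
    "account_number": "****6789",
    "revocation_terms": "",
    "authorization_language": "I authorize [company] to debit the account above.",
}

if __name__ == "__main__":
    rate = unauthorized_return_rate(MONTH_DEBITS_ORIGINATED, MONTH_RETURNS_BY_CODE)
    print(f"unauthorized return rate: {rate:.3%}",
          "(over threshold)" if rate_breaches_threshold(MONTH_DEBITS_ORIGINATED, MONTH_RETURNS_BY_CODE) else "")
    print("missing fields:", missing_authorization_fields(SAMPLE_AUTHORIZATION))
```

In the constructed month the rate is 21 unauthorized returns over 4,000 debits, or 0.525%, which is over the threshold even though the NSF returns (R01), which are the larger number, do not count toward it.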
Contesting and recovering a reversal after the fact
If a dispute window reversal hits the account:
- Produce the original authorization immediately: A valid, signed authorization with all required elements gives the bank grounds to challenge an improper return through the dishonored return process.
- Document all customer communications: Contracts, emails, or recorded agreements confirming the transaction was authorized create a paper trail for collections or legal proceedings.
- Pursue recovery outside ACH: Once an unauthorized return has cleared, recovery proceeds through the collections process or small-claims court. ACH doesn't provide a direct path for contesting consumer reversals.
For new consumer customers, consider using a third-party authorization service that creates a timestamped, signature-backed record. It's harder to dispute and provides a stronger position if a return comes in months later.
eCheck danger #5: Processing delays create cash flow blind spots
The ACH network processes payments in batches, not in real time, so timing gaps are built into every eCheck transaction. Unlike wire transfers, which typically settle the same business day, an eCheck submitted late Thursday may not settle until Tuesday, after the weekend.
If the bank portal shows pending deposits alongside confirmed balances without a clear distinction, the available cash figure may be materially higher on screen than what is actually settled.
For companies processing 10 to 20 eChecks weekly, a meaningful number can be in transit at any given time. The risk isn't just that funds are temporarily unavailable. It's that outbound payments scheduled against those deposits may process before the inbound funds settle, triggering overdraft fees or failed vendor payments.
Separating settled cash from what's still in transit
Three practices keep processing delays from turning into cash surprises:
- Separate pending from settled in the tracking system: Maintain two figures: confirmed settled deposits and in-transit items. Never include in-transit amounts in available cash for outbound payment decisions.
- Use Same-Day ACH for time-sensitive items: Same-Day ACH cuts the settlement window from two to three days down to the same business day, for a small additional fee per transaction.
- Maintain a float buffer: A cash buffer equal to one to two weeks of expected eCheck receipts absorbs timing gaps without requiring real-time status tracking on each payment.
Tracking confirmed settled deposits separately from in-transit items handles most timing risk without requiring status checks on each payment throughout the day. Some gaps still open, usually during high-volume weeks or around holiday weekends.
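Keeping the two figures apart is simple once each deposit carries an expected settlement date. The following is an added example, not the article's or any bank portal's code: it estimates settlement by adding business days to the submission date (skipping weekends and any listed holidays), splits a constructed set of eCheck deposits into settled and in-transit as of a given day, and reports the shortfall against scheduled outbound payments. The deposits and balances are constructed; a two-business-day lag for standard ACH and same-day settlement for Same-Day ACH are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

STANDARD_ACH_LAG_DAYS = 2  # assumed settlement lag for a standard ACH credit


def add_business_days(start: date, days: int, holidays=frozenset()) -> date:
    """Advance `days` business days past `start`, skipping weekends and holidays."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


@dataclass(frozen=True)
class EcheckDeposit:
    ref: str
    amount: Decimal
    submitted: date
    same_day: bool = False  # submitted through Same-Day ACH

    def settles_on(self, holidays=frozenset()) -> date:
        lag = 0 if self.same_day else STANDARD_ACH_LAG_DAYS
        return add_business_days(self.submitted, lag, holidays)


def split_cash(deposits, as_of: date, holidays=frozenset()):
    """(settled, in_transit) totals as of the given date; only settled is spendable."""
    settled = sum((d.amount for d in deposits if d.settles_on(holidays) <= as_of), Decimal("0"))
    in_transit = sum((d.amount for d in deposits if d.settles_on(holidays) > as_of), Decimal("0"))
    return settled, in_transit


def shortfall(opening_settled_balance: Decimal, deposits, outbound_scheduled: Decimal,
              as_of: date, holidays=frozenset()) -> Decimal:
    """How much scheduled outbound exceeds settled cash; zero when covered."""
    settled, _ = split_cash(deposits, as_of, holidays)
    return max(outbound_scheduled - (opening_settled_balance + settled), Decimal("0"))


# Constructed week: 2026-05-13 is a Wednesday, 2026-05-15 a Friday.
DEPOSITS = [
    EcheckDeposit("D-1", Decimal("8000.00"), date(2026, 5, 13)),                 # settles Fri 15th
    EcheckDeposit("D-2", Decimal("5000.00"), date(2026, 5, 14)),                 # settles Mon 18th
    EcheckDeposit("D-3", Decimal("2500.00"), date(2026, 5, 15), same_day=True),  # settles Fri 15th
]
OPENING_SETTLED = Decimal("12000.00")
OUTBOUND_FRIDAY = Decimal("25000.00")

if __name__ == "__main__":
    friday = date(2026, 5, 15)
    settled, in_transit = split_cash(DEPOSITS, friday)
    print(f"settled {settled}  in transit {in_transit}")
    print("shortfall on Friday:", shortfall(OPENING_SETTLED, DEPOSITS, OUTBOUND_FRIDAY, friday))
```

Counting every deposit as cash shows 27,500 available on Friday against 25,000 going out. Counting only settled funds shows 22,500 and a 2,500 gap, which is exactly the overdraft the separated figures are meant to surface before the outbound batch is released.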
Bridging a shortfall caused by delayed settlement
When processing delays create a cash shortfall:
- Draw on the business line of credit for the gap: A line of credit is designed for short, predictable timing mismatches that resolve within days. Interest accrues only for those days, which is typically far less than an overdraft fee.
- Delay discretionary outbound payments until deposits confirm: Non-time-sensitive vendor payments can usually be held for two to three business days without penalty.
- Ask the bank about earlier cutoff windows: If delays are recurring, ask whether high-value transactions can move to an earlier Same-Day ACH submission window to reduce the overnight gap.
Reconcile pending versus settled deposits every business day. A daily five-minute check can remove the most common source of timing-related payment failures before they escalate.
eCheck danger #6: Compliance violations can trigger Nacha fines and loss of ACH access
Nacha Operating Rules bind every originating company through the bank agreement, and using a payment processor doesn't transfer that obligation. Many companies in the 50- to 150-employee range assume the processor handles compliance because it handles ACH transmission.
It handles the technical side; it doesn't make the business compliant. Nacha's 2026 compliance rule requires all non-consumer ACH originators to maintain documented, risk-based fraud detection procedures. Phase 1 covers high-volume senders as of March 20, 2026; Phase 2 extends the requirement to all organizations by June 22, 2026.
We most often see two compliance gaps at companies in this stage: unencrypted stored account numbers and incomplete authorization documentation. The accounts payable software and payroll system are the first places to check for plaintext credential exposure.
The three areas most companies overlook first
These three areas cover the most common compliance gaps:
- Audit every system that stores bank account data: Check all AP software, payroll platforms, and spreadsheets where routing and account numbers live. Plaintext storage violates Nacha's data security requirements.
- Verify that authorization records are complete: Every ACH debit authorization must use the correct SEC code, include account details and authorization language, and contain a written revocation procedure. Missing any element makes it invalid under Nacha rules.
- Confirm ACH requirements with the originating bank: The specific obligations depend on transaction types and volume. The bank's ACH compliance team can provide a definitive list, and getting that guidance in writing establishes a good-faith compliance record.
An annual review like this catches most compliance gaps before they draw attention. When one surfaces mid-cycle, the response needs to be documented and fast.
Addressing a compliance gap proactively
If a compliance gap is found:
- Document a remediation plan immediately: Nacha enforcement considers whether the gap was identified and addressed in good faith. A written timeline with documented actions supports that defense.
- Prioritize plaintext account number exposure first: Unencrypted ACH credentials create liability beyond Nacha if systems are breached. Fix this before addressing other gaps.
- Get written confirmation of the timeline from the bank: A paper trail of remediation communication differentiates companies that addressed a gap from those that ignored one.
Build an annual compliance review into the finance calendar covering authorization documentation, data storage standards, and return rate monitoring in a single pass. It takes a few hours once a year and catches gaps before they become enforcement issues.
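The plaintext account-number audit above can be partly automated: a 9-digit ABA routing number carries a check digit (digit weights 3, 7, 1 repeating, sum divisible by 10), so a scanner can find routing numbers in exported spreadsheets and CSV files with far fewer false positives than a bare digit pattern. The following is an added example, not the article's or any compliance product's code: it scans text for checksum-valid routing numbers and reports whether an unmasked account-length number sits on the same line. The payroll export is constructed sample data; the routing numbers in it are publicly published bank identifiers used only to exercise the checksum.

```python
import re
from typing import NamedTuple

ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)
NINE_DIGITS = re.compile(r"(?<!\d)\d{9}(?!\d)")
ACCOUNT_LIKE = re.compile(r"(?<!\d)\d{8,17}(?!\d)")  # assumed account-number length range


def is_valid_aba(routing: str) -> bool:
    """ABA routing number check: weighted digit sum must be divisible by 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(routing, ABA_WEIGHTS)) % 10 == 0


class Finding(NamedTuple):
    line_no: int
    routing: str
    account_present: bool  # another unmasked 8-17 digit number on the same line


def scan_text(text: str) -> list:
    """Lines holding a checksum-valid routing number, flagged if an account number is beside it."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        routings = [t for t in NINE_DIGITS.findall(line) if is_valid_aba(t)]
        if not routings:
            continue
        others = [t for t in ACCOUNT_LIKE.findall(line) if t not in routings]
        for routing in routings:
            findings.append(Finding(line_no, routing, bool(others)))
    return findings


def scan_file(path: str) -> list:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed payroll export: one row fully in plaintext, one masked, one with a
# plaintext routing number but a masked account.
PAYROLL_EXPORT = """employee_id,name,routing,account
E-001,Constructed Employee A,021000021,123456789
E-002,Constructed Employee B,*********,****6789
E-003,Constructed Employee C,011000015,****4321
"""

if __name__ == "__main__":
    for f in scan_text(PAYROLL_EXPORT):
        what = "routing + account" if f.account_present else "routing only"
        print(f"line {f.line_no}: {what} ({f.routing})")
```

About one random 9-digit number in ten passes the checksum, so the scanner is a triage tool: every hit is a line to look at, and the rows reporting "routing + account" are the ones to fix first, in line with the remediation order above.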
eCheck danger #7: Account takeover fraud can redirect payments
Account takeover happens when criminals gain unauthorized access to banking, payroll, or financial accounts through phishing, credential theft, or malware. Once inside, they can initiate ACH transfers, redirect payroll deposits to accounts they control, or change vendor payment details before anyone notices.
Through November 2025, the FBI IC3 received more than 5,100 complaints tied to account takeover fraud, with losses exceeding $262 million.
Payroll redirect is the version we see most often among companies in the 50- to 500-employee range. A criminal gains access to an employee's email, impersonates the employee to HR or finance, and requests a change to direct deposit.
If the team processes direct deposit changes via email alone, without a separate verification step, the next payroll cycle will send funds to an account the employee has never seen. The problem often doesn't surface until payday.
Credential controls that close the door on most takeover attempts
You need multi-factor authentication and out-of-band verification to stop most account takeover attacks before a credential becomes a payment loss:
- MFA on every financial system: Banking portals, payroll platforms, expense reimbursement software, and any system with payment initiation capability need multi-factor authentication. A stolen password alone should not be enough to move money.
- Out-of-band verification for direct deposit changes: Any request to change an employee's deposit account requires a phone call or in-person confirmation at a number from HR's own records, not the one in the request email.
- Restrict ACH origination permissions to named users: Limit who can create, approve, and release ACH payments. A role-based permission model means a compromised email account can't initiate a payroll file or vendor payment.
Those three controls enforce one principle across every financial system the company uses: a stolen password alone cannot move money. When a credential breach still gets through, containment is the only priority.
Moving fast when a breach is suspected
If account takeover is suspected:
- Call the bank's fraud line immediately: Ask to freeze ACH origination on the affected account while the team investigates. Every hour the account remains active is time the attacker has to move funds.
- Reset credentials across all connected systems: A credential breach typically extends beyond the first account. Reset passwords and revoke active sessions across banking, payroll, accounting, and connected platforms.
- File a complaint with the FBI IC3: The Recovery Asset Team works fastest when reports come in early. Preserve all access logs, email threads, and system activity records as evidence before filing.
Run a quarterly access audit reviewing who holds payment origination rights in banking and payroll systems. People change roles and leave, and permissions accumulate over time. A quarterly cleanup catches privilege drift before an attacker can use it.
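The role-based permission model and the quarterly access audit described above fit in a few dozen lines. The following is an added example, not the article's or any payroll platform's code: it separates the create, approve and release rights for an ACH file, refuses any action from a session without verified MFA, prevents the same person from both creating and approving or from both approving and releasing a file, and lists who holds each right so the audit is a function call rather than a screen-by-screen review. The roles, user names and file IDs are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Right(Enum):
    CREATE = "create"
    APPROVE = "approve"
    RELEASE = "release"


# Constructed role model: no single role holds all three rights.
ROLE_RIGHTS = {
    "ap_clerk": {Right.CREATE},
    "controller": {Right.APPROVE},
    "treasurer": {Right.RELEASE},
    "cfo": {Right.APPROVE, Right.RELEASE},
}
USER_ROLE = {"dana": "ap_clerk", "morgan": "controller", "sam": "treasurer", "alex": "cfo"}


@dataclass(frozen=True)
class Session:
    user: str
    mfa_verified: bool


@dataclass
class AchFile:
    file_id: str
    created_by: str = ""
    approved_by: str = ""
    released_by: str = ""


class AuthorizationError(Exception):
    pass


def check(session: Session, right: Right, ach_file: AchFile) -> None:
    """Raise AuthorizationError unless the session may exercise `right` on this file."""
    if not session.mfa_verified:
        raise AuthorizationError(f"{session.user}: MFA not verified")
    role = USER_ROLE.get(session.user)
    if role is None or right not in ROLE_RIGHTS[role]:
        raise AuthorizationError(f"{session.user} lacks {right.value}")
    # Separation of duties: creator cannot approve or release; approver cannot release.
    if right is not Right.CREATE and session.user == ach_file.created_by:
        raise AuthorizationError("creator cannot approve or release own file")
    if right is Right.RELEASE:
        if not ach_file.approved_by:
            raise AuthorizationError("file has not been approved")
        if session.user == ach_file.approved_by:
            raise AuthorizationError("approver cannot also release")


def create_file(session: Session, file_id: str) -> AchFile:
    ach_file = AchFile(file_id)
    check(session, Right.CREATE, ach_file)
    ach_file.created_by = session.user
    return ach_file


def approve_file(session: Session, ach_file: AchFile) -> AchFile:
    check(session, Right.APPROVE, ach_file)
    ach_file.approved_by = session.user
    return ach_file


def release_file(session: Session, ach_file: AchFile) -> AchFile:
    check(session, Right.RELEASE, ach_file)
    ach_file.released_by = session.user
    return ach_file


def users_with_right(right: Right) -> list:
    """Quarterly access audit: every user who can currently exercise `right`."""
    return sorted(user for user, role in USER_ROLE.items() if right in ROLE_RIGHTS[role])


def is_denied(action, *args) -> bool:
    """True if the action is refused by the permission checks."""
    try:
        action(*args)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    payroll = create_file(Session("dana", True), "PAY-2026-05-A")
    approve_file(Session("morgan", True), payroll)
    release_file(Session("sam", True), payroll)
    print(payroll)
    print("can release:", users_with_right(Right.RELEASE))
```

With this model, a compromised AP clerk's mailbox, or even that clerk's own login, gets a payroll file created but nowhere near released: two other people, each with MFA, have to act on it first.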
Frequently asked questions about the dangers of eChecks
Are eChecks safer than paper checks?
eChecks reduce certain paper check risks, such as mail theft and check washing, but introduce others, including unauthorized ACH debits, processing delays, and the 60-day consumer return window. The 2024 AFP Payments Fraud survey found that ACH credit targeting rose to 50% of respondents, up from 47% the year before. Whether eChecks are safer depends almost entirely on the controls in place.
How long can an eCheck be reversed after it settles?
Consumer eCheck debits can be returned as unauthorized up to 60 calendar days after the settlement date. For business-to-business transactions on corporate accounts, the window drops to two banking days under return code R29. Neither window provides the originating business with a formal channel to contest the reversal within the ACH network.
Can I dispute an eCheck return?
There's no formal representment process within the ACH network for consumer unauthorized returns. An improperly initiated return can be challenged through the dishonored return process, but recovery in contested cases typically happens outside ACH through collections or small claims court, using the original authorization records as evidence.
What fees can a bounced eCheck trigger?
A bounced eCheck can generate NSF charges on each failed attempt, and Nacha permits originators to collect a return fee from the payer's account by ACH, provided the fee is authorized in the original agreement, and the Return Fee Entry is submitted within 45 days of the return's settlement date.
Do I need to comply with Nacha rules if I use a payment processor?
Nacha compliance obligations rest with the originating business, even when a processor handles ACH transmission. The processor agreement doesn't transfer responsibility for authorization documentation, data security, or fraud monitoring. The 2026 Nacha rule changes extend fraud-detection requirements to all non-consumer ACH originators, regardless of how they access the ACH network.