
Dangers of eCheck Payments: Fraud Risks, Scams, and How to Protect Your Business
March 6, 2026
Every eCheck you send or receive hands over your bank account and routing number to the other party. Those two numbers are all a criminal needs to initiate unauthorized withdrawals from your account, and unlike credit card fraud, there is no intermediary standing between the attacker and your cash. The FBI's Internet Crime Complaint Center reported $2.8 billion in business email compromise losses in 2024 alone, and eCheck transactions are a primary attack surface.
This guide covers how eCheck fraud actually works, which scams target businesses most often, why the liability rules stack against you, and what prevention controls are worth putting in place today.
Why eCheck payments create unique dangers for businesses
eChecks are digital payment instructions that move money through the ACH network between bank accounts. They work well for routine payments because processing costs run lower than credit cards, but that cost advantage comes with tradeoffs that surface when something goes wrong. Consumer accounts get 60-day fraud reporting protection under Regulation E. Business accounts fall under UCC Article 4A, which shifts the burden to the company.
When a bank can show it followed reasonable security procedures, the business absorbs 100% of fraud losses. There is no chargeback process, no dispute resolution intermediary, and no shared liability with the financial institution. Your reporting window shrinks from 60 days to 24 hours, so a fraudulent transaction you miss on Monday could become unrecoverable by Tuesday.
How eCheck fraud happens
eCheck fraud exploits specific weaknesses in how these payments process: exposed credentials, settlement delays, and a lack of real-time verification.
Exposed banking credentials
Credit card payments use tokenization and intermediary networks that shield your actual account information. eCheck payments expose your account and routing numbers directly, and those numbers don't change. Once a criminal obtains them through a single compromised transaction or phishing campaign, they can attempt unauthorized ACH debits repeatedly. The same exposure drives ACH fraud more broadly.
Settlement delays that benefit attackers
eCheck payments take one to three business days to settle through the ACH network, and that processing window creates a gap where fraud can hide. A criminal sends an eCheck that appears to clear, collects goods or services, then reverses the payment before final settlement. By the time your bank flags the transaction, the attacker has already received value and disappeared.
No real-time verification
Credit card networks verify transactions in seconds, but eCheck payments have no mechanism for real-time validation. Your bank cannot confirm that the payer's account has sufficient funds or that the transaction is authorized until processing completes, so you are extending trust on every transaction with no way to verify it upfront.
Common eCheck scams targeting businesses
Four scam patterns account for the majority of eCheck fraud against businesses. Each exploits a different weakness in how companies process payments and communicate with vendors.
Overpayment fraud
A new customer sends an eCheck for significantly more than the invoice amount, then contacts your team requesting a refund of the difference by wire transfer. The original eCheck bounces or gets reversed within the 60-day consumer window, but your wire refund is gone permanently. The overpayment looks like an honest mistake and the refund request feels routine, which is why AP teams fall for it.
Fake vendor invoices
Criminals impersonate legitimate vendors by replicating invoice templates, email signatures, and payment instructions, making this one of the most common forms of vendor fraud. The fraudulent invoice arrives during a busy period with urgency triggers like overdue notices, service interruption threats, or references to contracts your team recognizes. Without a verification step that pulls contact information from your original vendor file, these invoices get paid before anyone questions them.
Business email compromise
Business email compromise (BEC) is the most damaging form of eCheck fraud. Attackers infiltrate or spoof vendor email accounts, insert themselves into existing payment threads, and send updated banking details that look like a routine change. Your team processes the next payment to a criminal's account without realizing the instructions were altered.
BEC attacks caused over $55 billion in cumulative losses globally between October 2013 and December 2023, and 63% of organizations experienced BEC attacks in 2024. Prevention requires strong disbursement and reimbursement controls with mandatory out-of-band verification for any banking detail changes.
Account takeover attacks
Attackers contact employees by phone, text, or email while posing as bank representatives, referencing real account details to build credibility. They request login credentials or multi-factor authentication (MFA) codes under the pretense of resolving suspicious activity. Once inside the account, they initiate unauthorized transfers and change security settings to lock out legitimate users. These attacks succeed because the initial contact feels protective, which creates trust instead of suspicion.
Why eCheck dangers hit mid-size businesses hardest
Companies with 50 to 500 employees face disproportionate risk from eCheck fraud because they process enough transaction volume to attract sophisticated attackers but often lack the dedicated fraud teams and controls that larger organizations maintain. The financial impact shows up across several dimensions:
- Recovery rates are low: Only 22% of organizations recovered 75% or more of funds lost to payment fraud, down from 41% in 2023.
- A single attack can consume your budget: For a company with 50 to 150 employees, one successful BEC attack causing a six-figure loss represents a material hit to annual operating budget.
- Payment volume creates exposure: Organizations processing payments across 100 or more vendor accounts have more entry points for attackers to exploit, and each ACH or EFT transaction represents a potential target.
Mid-size companies need the same fraud controls that enterprises use, even without the same headcount to manage them.
How to prevent eCheck fraud
Effective prevention uses layered controls so that no single failure results in a loss, with each layer catching what the others miss.
Set up ACH debit blocks and positive pay
ACH debit block services stop unauthorized parties from pulling money out of your account. Your bank maintains a list of approved companies, and any debit attempt from an unlisted source gets rejected automatically. Many banks offer this at no additional cost.
Full positive pay goes further by matching every incoming transaction against a file your team uploads. Anything that doesn't match gets flagged for manual review before processing, and the monthly cost is minimal compared to the six-figure losses these controls prevent.
Require multi-factor authentication on all banking access
MFA stops most account takeover attempts by requiring a second verification step beyond passwords. Make it mandatory for every person with banking access, enforce a password manager to eliminate weak or reused credentials, and remove access immediately when employees leave the company.
Criminals now manipulate employees into revealing authentication codes during phishing calls. The attacker calls posing as your bank's fraud department, references a recent transaction to build trust, then asks the employee to read back the code "to verify their identity." Train your team that legitimate banks never request MFA codes via phone, email, or text.
Verify every vendor banking change through a separate channel
Call the vendor using a phone number from your original contract or vendor master file, not contact information from the change request email. For payment destinations above a defined threshold, require confirmation from two different people at the vendor organization.
Build these steps into a documented process. For new vendors, verify banking details through the vendor's official website or original signed agreement. When a vendor requests banking detail changes, require written authorization on company letterhead and enforce a 24 to 48 hour waiting period before processing. These verification procedures also reduce exposure to bookkeeping errors that accumulate when fraudulent payments go undetected.
Reconcile accounts daily and monitor for anomalies
Daily reconciliation is the backstop that catches everything else, and the 24-hour reporting window in most commercial banking agreements makes it non-negotiable for businesses accepting eCheck payments. Set up real-time transaction alerts and assign specific staff to review account activity each morning. These patterns warrant immediate escalation:
- Unauthorized ACH debits from unfamiliar company names: These are the most common sign of credential theft.
- Changes to account settings or authorized users that no one on your team initiated: Attackers often modify security settings before initiating transfers.
- Transactions that don't match approved vendor lists or expected payment amounts: Even small discrepancies can indicate testing by fraudsters.
- Duplicate payments to the same vendor within a short window: This pattern often signals a compromised payment process.
Modern expense management platforms automate this monitoring by flagging suspicious patterns and routing alerts to the right person without manual review of every transaction.
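The transaction-level escalation patterns listed above, written as a daily reconciliation check. This is an added example, not code from the original article; the approved-originator list, expected vendor amounts, three-day duplicate window, and sample bank activity are all constructed assumptions. Account-setting changes are not covered because they do not appear in transaction data.

```python
from datetime import date, timedelta

# Constructed policy data (assumptions): originators allowed to debit the
# account, and the expected amount for each approved vendor payment.
APPROVED_DEBITORS = {"ACME PAYROLL", "CITY UTILITIES"}
EXPECTED_PAYMENTS = {"NORTHWIND SUPPLY": 4200.00, "CONTOSO FREIGHT": 1875.50}
DUPLICATE_WINDOW = timedelta(days=3)  # assumed "short window" for duplicates

# Constructed bank activity: (date, kind, counterparty, amount).
# "ach_debit" = a third party pulled funds; "vendor_payment" = we sent funds.
TRANSACTIONS = [
    (date(2026, 3, 2), "ach_debit", "ACME PAYROLL", 15000.00),
    (date(2026, 3, 2), "vendor_payment", "NORTHWIND SUPPLY", 4200.00),
    (date(2026, 3, 3), "ach_debit", "QUICKPAY SVC", 0.37),
    (date(2026, 3, 3), "vendor_payment", "CONTOSO FREIGHT", 1895.50),
    (date(2026, 3, 4), "vendor_payment", "NORTHWIND SUPPLY", 4200.00),
    (date(2026, 3, 4), "vendor_payment", "NORTHWND SUPPLY LLC", 4200.00),
]

def reconcile(transactions):
    """Return (date, party, amount, reason) for every item needing escalation."""
    findings = []
    last_paid = {}  # vendor name -> date of its most recent payment
    for day, kind, party, amount in sorted(transactions):
        if kind == "ach_debit":
            # Same allowlist idea as a bank-side ACH debit block.
            if party not in APPROVED_DEBITORS:
                findings.append((day, party, amount, "debit from unapproved originator"))
            continue
        expected = EXPECTED_PAYMENTS.get(party)
        if expected is None:
            # Exact-match lookup also catches look-alike payee names.
            findings.append((day, party, amount, "payee not on approved vendor list"))
            continue
        if abs(amount - expected) > 0.005:
            findings.append((day, party, amount, "amount differs from expected"))
        previous = last_paid.get(party)
        if previous is not None and day - previous <= DUPLICATE_WINDOW:
            findings.append((day, party, amount, "duplicate payment inside window"))
        last_paid[party] = day
    return findings

if __name__ == "__main__":
    for day, party, amount, reason in reconcile(TRANSACTIONS):
        print(f"{day}  {party:<22} {amount:>10.2f}  ESCALATE: {reason}")
```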
What to do if your business falls victim to eCheck fraud
Speed determines how much you recover. In the first 24 hours, contact your bank's fraud department with full transaction details (dates, amounts, account numbers) and evidence of unauthorized access. Request an ACH return using NACHA return code R29 (Corporate Customer Advises Not Authorized) and get written confirmation with a case reference number. File federal complaints with the FBI's Internet Crime Complaint Center at ic3.gov and at ReportFraud.ftc.gov within 48 to 72 hours.
Review your cyber liability and commercial crime insurance policies for coverage and document every loss, investigation cost, and recovery attempt. These records support both insurance claims and potential tax deductions for unreimbursed fraud losses.
Frequently asked questions about eCheck dangers
Are eCheck payments safer than credit cards for businesses?
eCheck payments carry more risk for businesses than credit cards in most scenarios. Credit cards provide chargeback protection and dispute resolution infrastructure that eChecks lack entirely. With eCheck payments, businesses absorb 100% of fraud losses under UCC Article 4A and face a 24-hour reporting window compared to the 60-day window credit card holders receive. The lower processing cost of eChecks only makes sense when paired with layered fraud controls.
Can a fraudulent eCheck payment be reversed?
Reversal is possible, but success depends on timing and fund availability. Businesses must report unauthorized transactions within 24 hours to maximize recovery chances. Criminals typically move stolen funds through multiple accounts within hours of receiving them, which is why 78% of organizations recovered less than 75% of fraud losses. Contact your bank immediately and request an ACH return using NACHA code R29.
How long does it take to detect eCheck fraud?
Detection speed depends entirely on how often you reconcile your accounts. Daily reconciliation catches unauthorized transactions within the 24-hour reporting window. Monthly reviews delay discovery by 30 or more days, which virtually eliminates any chance of recovery and may void your ability to file a claim with your bank. Automated transaction alerts can flag suspicious activity in real time.
Should small businesses accept eCheck payments?
eCheck payments can work for small businesses when the right controls are in place. They make the most sense for vendor payments you initiate with full control over the process, especially when paired with ACH debit blocks, MFA, daily reconciliation, and dual authorization for payments above defined thresholds. For incoming customer payments, weigh the lower processing fees against the stronger fraud protections that credit card networks provide.


