
What Are the Dangers of eChecks? Risks, Fraud & Protection Guide
February 19, 2026
eChecks place 100% of fraud liability on your business with a 24-hour reporting window for unauthorized transactions. Under UCC Article 4A, banks can shift the risk of loss to business customers if they implement commercially reasonable security procedures, unlike consumer accounts protected by Regulation E. This guide covers the specific fraud vulnerabilities of eChecks, common scams targeting SMBs, and practical protection strategies.
What are eChecks?
eChecks are digital payment instructions that transfer funds between bank accounts using the ACH network. When you process an eCheck, you're transmitting account numbers, routing numbers, and payment amounts electronically instead of printing, mailing, and depositing a physical check. According to NACHA, approximately 80% of ACH payments settle in one banking day or less, with remaining transactions typically clearing within 1-3 business days.
The cost savings look appealing compared to wire transfers, which typically cost more per transaction, but the fraud risks are substantial. As established under UCC Article 4A, eChecks place 100% of fraud liability on your business when banks implement commercially reasonable security procedures. These efficiency benefits come with critical tradeoffs that matter more as your payment processing volume grows.
Main dangers of eChecks for businesses
Four structural vulnerabilities make eChecks particularly dangerous for businesses with 50 to 500 employees. Unlike credit cards with established fraud protections, eChecks expose you to direct account access, processing delays, and minimal recovery options.
No real-time verification
eChecks process through the ACH network without the immediate authorization checks you get with credit card transactions. Businesses must obtain proper written authorization before processing any ACH debit, which creates an important control point when implemented correctly. The challenge is that businesses have only 24 hours to report unauthorized ACH transactions to their bank, compared to 60 days for consumer accounts under Regulation E.
Missing this window significantly weakens your ability to recover funds or establish liability protection. By the time you discover the fraud, the money may already be gone and your reporting window closed.
Exposed banking information
With just your checking account and routing numbers, criminals can initiate unauthorized ACH debits and drain funds. Many eCheck transactions require sharing your complete bank account details, though tokenized systems exist where your full information stays protected.
You can implement specific controls like deposit-only account locks to prevent some exposure, but the fundamental vulnerability remains. eChecks operate through direct bank account access rather than the intermediary protection layer that credit cards provide.
Processing delays create fraud windows
The 1-3 day settlement window creates opportunities for criminals to exploit timing gaps. You might deliver goods or services, process an eCheck payment, and only discover 48 hours later that the transaction was fraudulent.
Consumers have up to 60 days to dispute unauthorized ACH debits under Regulation E, meaning you could face payment reversals two months after completing work. Business accounts face only a 24-hour reporting requirement with significantly more limited liability protection.
Limited chargeback protection
Credit cards offer established chargeback systems where card networks enforce dispute resolution procedures. eChecks provide no comparable infrastructure. Banks cannot identify fraudulent eCheck transactions before processing, which means you absorb 100% of fraud losses rather than relying on regulatory backstops or bank liability protection that exists for other payment types.
Common eCheck scams
Four scam types account for most eCheck fraud targeting businesses at your stage. These patterns repeat because they work, exploiting the structural vulnerabilities we just covered.
Overpayment fraud
Fraudsters send an inflated payment, request a refund of the overpayment via wire transfer, then reverse the original eCheck within the consumer's 60-day window. Businesses, by contrast, have only 24 hours to report and preserve liability protection. You see the deposit, process the refund believing the transaction is legitimate, and only later discover the original payment was fraudulent.
By then the wire transfer you sent is long gone and unrecoverable.
Fake vendor invoices
Vendor impersonation represents a major portion of business email compromise attacks. Criminals send legitimate-looking invoices with updated banking information, using time pressure and familiar vendor names to bypass verification procedures. The invoices match your expectations for timing and amounts, making them easy to approve without the extra verification step that would catch the fraud.
Business email compromise
BEC represents the most financially damaging eCheck fraud type. According to the FBI IC3, between October 2013 and December 2023, BEC scams resulted in over $55 billion in cumulative losses globally.
Criminals compromise legitimate email accounts or create spoofed addresses to impersonate executives, vendors, or business partners using increasingly sophisticated tactics. These messages look like legitimate business correspondence and often arrive at exactly the right moment in your payment cycle to seem normal.
Account takeover attacks
Criminals impersonate bank employees via text, call, or email to obtain login credentials and MFA codes. Once they access your banking website, they reset passwords and initiate unauthorized ACH transfers before you realize your account has been compromised. The speed of these attacks means detection often comes too late to prevent the transfers.
Who is most at risk from eCheck fraud?
Organizations managing more than 100 payment accounts face disproportionate targeting, with BEC attacks affecting 63% of organizations in 2024 according to the AFP Payments Fraud and Control Survey. Only 22% of organizations successfully recover 75% or more of stolen funds according to the same AFP survey. Once the money leaves your account, getting it back becomes exponentially harder regardless of how quickly you report the fraud.
Financial impact of eCheck fraud
BEC attacks resulted in $2.8 billion in losses in 2024 from 21,442 complaints according to the FBI IC3 report. For a company with 50 to 150 employees, a single BEC incident can represent a catastrophic percentage of annual operating budget or available cash reserves. The financial impact extends beyond the immediate theft to include investigation costs, legal fees, insurance deductibles, and the operational disruption of rebuilding compromised systems.
How to prevent eCheck fraud
These controls work for companies with 50 to 500 employees without requiring enterprise budgets or dedicated security teams.
Implement positive pay systems
Positive Pay services verify ACH debits against your authorized payment files before transactions clear. They do this through filters and blocks that control what can post to your business account. The most effective starting point is to block all unauthorized ACH debits at the account level, then create specific filters permitting only authorized companies.
Many banks offer ACH Debit Block at no additional cost for business checking customers, while full Positive Pay services typically cost a modest monthly fee for SMBs. That's minimal expense compared to potential six-figure fraud losses from a single compromised payment.
Turn on multi-factor authentication
Multi-factor authentication stops most account takeover attempts before they succeed. Require MFA for all banking access, use strong unique passwords with a password manager, and restrict access to minimum necessary personnel. When employees leave, remove their access immediately to prevent unauthorized account access through credentials they still possess.
Use transaction monitoring tools
Daily account reconciliation is your most important fraud detection control. Reviewing all transactions every day catches fraud within the 24-hour reporting window. Modern expense management platforms automate this by flagging suspicious activity like unexpected banking detail changes, suspicious vendor email domains, and unverified accounts before payments go out.
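The allowlist filtering described under Positive Pay and the daily review described here can be combined into one reconciliation pass. The sketch below is an added example, not code from any bank or platform: the record fields, company IDs, and the choice to measure the 24-hour window from posting time are assumptions.

```python
from datetime import datetime, timedelta

REPORTING_WINDOW = timedelta(hours=24)  # business reporting window cited in this guide

# Constructed sample data; field names and IDs are assumptions, not a bank export format.
AUTHORIZED = {  # originator company ID -> maximum expected debit, in cents
    "1234567890": 250_000,  # payroll provider
    "9876543210": 80_000,   # utility
}
POSTED = [
    {"company_id": "1234567890", "amount": 241_300, "posted": "2026-02-18T06:00"},
    {"company_id": "5550001111", "amount": 49_900, "posted": "2026-02-18T06:05"},
    {"company_id": "9876543210", "amount": 312_000, "posted": "2026-02-17T06:00"},
]

def reconcile(posted, authorized, now):
    """Return debits an allowlist filter would have rejected, with time left to report."""
    exceptions = []
    for txn in posted:
        limit = authorized.get(txn["company_id"])
        if limit is None:
            reason = "originator not on allowlist"
        elif txn["amount"] > limit:
            reason = "amount exceeds authorized maximum"
        else:
            continue  # matches an authorized originator within its limit
        # Assumption: the window is counted from the posting timestamp.
        deadline = datetime.fromisoformat(txn["posted"]) + REPORTING_WINDOW
        hours_left = (deadline - now).total_seconds() / 3600
        exceptions.append({**txn, "reason": reason,
                           "hours_left": round(hours_left, 1),
                           "window_open": hours_left > 0})
    # Most urgent first: least time remaining to report
    return sorted(exceptions, key=lambda e: e["hours_left"])

if __name__ == "__main__":
    for item in reconcile(POSTED, AUTHORIZED, datetime(2026, 2, 18, 15, 0)):
        print(item)
```

The third sample debit shows why a skipped day matters: it posted more than 24 hours before the review, so it surfaces with `window_open` set to false.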
Verify payee information
A uniform procedure for verifying bank account information, followed for every transaction regardless of size, prevents most fake vendor invoice fraud. Your verification process should include several critical checkpoints:
- New vendor verification: Verify banking information through the vendor's website or original invoices rather than email where criminals can easily insert themselves.
- Change authorization requirements: Require written authorization on vendor letterhead for account changes and wait 24 to 48 hours between the change request and payment processing.
- Call-back verification: Use a known phone number from your original records to confirm any banking detail modifications before processing payments.
Never use contact information provided in the change request email, as that's often how criminals redirect your verification attempts back to themselves.
Safe eCheck processing best practices
Choose encrypted payment platforms
Prioritize platforms that meet NACHA Operating Rules for encrypted account storage and security standards for payment processing. The encryption protects your banking credentials when stored, though it doesn't eliminate the risk that comes from transmitting those credentials during transactions.
Train employees on fraud detection
Implement quarterly security awareness training focusing on recognizing BEC attacks and other fraud types targeting your organization. Training should emphasize verification procedures for payment changes, including independent verification of any banking detail updates through phone calls to known vendor numbers rather than relying on email communications where criminals can intercept or spoof messages.
Conduct regular account audits
When vendor banking information changes come through, your verification process becomes critical:
- Confirm through known contacts: Call the vendor using a phone number from previous invoices or your vendor master file to confirm changes before processing payments.
- Implement waiting periods: Establish a mandatory 24 to 48 hour waiting period between vendor account change requests and payment processing to allow time for independent verification through multiple channels.
- Secondary approval thresholds: Require secondary approval for transactions exceeding $5,000 to $10,000, creating a second checkpoint where fraud can be detected.
Never use contact information from the change request email, as this completes the criminal's redirection loop.
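The checkpoints listed under "Verify payee information" and repeated here (waiting period, call-back to a known number, secondary approval) can be enforced as a single release gate in a payment workflow. This is an added example, not code from any payment platform: the record layout, the 48-hour hold, the $5,000 threshold, and all sample values are assumptions chosen from the ranges the guide gives.

```python
from datetime import datetime, timedelta

HOLD = timedelta(hours=48)       # upper end of the guide's 24 to 48 hour wait
SECOND_APPROVAL_OVER = 500_000   # cents; lower end of the $5,000 to $10,000 range

def release_blockers(payment, vendor, now):
    """Return every reason this vendor payment must not be released yet."""
    blockers = []
    change = vendor.get("pending_bank_change")
    if payment["account"] == vendor["verified_account"]:
        pass  # destination was already verified out of band
    elif change and payment["account"] == change["new_account"]:
        if now - change["requested_at"] < HOLD:
            blockers.append("hold period not elapsed")
        dialed = change.get("callback_number")
        if dialed is None:
            blockers.append("no call-back recorded")
        elif dialed != vendor["master_phone"]:
            # A number supplied in the change request itself proves nothing.
            blockers.append("call-back number not from vendor master file")
    else:
        blockers.append("account not on file for this vendor")
    if payment["amount"] > SECOND_APPROVAL_OVER and len(set(payment["approvers"])) < 2:
        blockers.append("secondary approval missing")
    return blockers

# Constructed sample records (all names, numbers and accounts are made up).
NOW = datetime(2026, 2, 19, 12, 0)
VENDOR = {
    "master_phone": "+1-555-0100",
    "verified_account": "acct-on-file",
    "pending_bank_change": {
        "new_account": "acct-from-email",
        "requested_at": NOW - timedelta(hours=6),
        "callback_number": "+1-555-0199",  # number taken from the request email
    },
}
RISKY = {"account": "acct-from-email", "amount": 1_240_000, "approvers": ["ana"]}
ROUTINE = {"account": "acct-on-file", "amount": 120_000, "approvers": ["ana"]}

if __name__ == "__main__":
    print(release_blockers(RISKY, VENDOR, NOW))    # three blockers
    print(release_blockers(ROUTINE, VENDOR, NOW))  # []
```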
What to do after eCheck fraud
If fraud hits your accounts, the first 24 hours become critical for recovery. Your immediate actions determine whether you preserve liability protection and maximize recovery chances.
Contact your bank immediately
Businesses must report unauthorized ACH transactions within 24 hours, compared to 60 days for consumer accounts. This critical regulatory timeline directly impacts your liability protection and recovery options. Contact your bank's fraud department within this window and take these immediate steps:
- Provide transaction details: Include dates, amounts, account numbers, and any evidence of unauthorized access to support the investigation.
- Request an ACH return: Use appropriate NACHA return reason codes, specifically R29 for business accounts reporting unauthorized transactions.
- Get written confirmation: Document the return request, expected timeline, and a case reference number for your records.
- Submit FBI complaint: File with the FBI's Internet Crime Complaint Center at ic3.gov within 48 to 72 hours.
File reports with authorities
Submit your complaint to the FBI IC3 where BEC losses get tracked as high-priority investigations. File a report at reportfraud.ftc.gov to create an official record with federal authorities. Consider filing with local police if you need a police report for insurance claims.
Review your insurance policy
Submit claims with cyber liability or crime insurance policies within policy timeframes, as these deadlines are often strict and missing them eliminates coverage. Your insurance review should cover several areas:
- Submit comprehensive claims: File for direct losses, investigation costs, and legal fees depending on your policy terms.
- Consult tax professionals: Explore potential tax implications if your business cannot recover stolen funds, as some fraud losses may be deductible.
- Document everything: Keep detailed records of fraud incidents, recovery attempts, and any partial fund recoveries to support both insurance claims and tax treatment.
Protecting your business from eCheck fraud
eCheck fraud combines the worst characteristics of payment fraud: you absorb 100% of losses under UCC Article 4A, face a 24-hour reporting window, and recover substantial funds in only 22% of cases according to AFP research. The $2.8 billion in BEC losses during 2024 proves these aren't theoretical risks.
Your defense strategy requires multiple layers working together:
- Preventive controls: ACH debit blocks stop unauthorized transactions before they process, while MFA prevents account takeover attempts. These foundational controls eliminate the most common attack vectors targeting businesses at your stage.
- Detection systems: Daily reconciliation catches fraud within the critical 24-hour reporting window. Modern spend management platforms like Ramp automate this monitoring with real-time fraud detection that flags suspicious activity like unexpected banking detail changes or unverified vendor accounts.
- Verification workflows: Dual authorization for vendor banking changes and mandatory waiting periods between change requests and payment processing create multiple checkpoints where fraud gets caught. Independent verification through known phone numbers stops BEC attacks before funds transfer.
The combination matters more than any single control. Fraudsters exploit gaps between controls, which is why layered defenses catch threats that slip through individual measures.
Frequently asked questions about dangers of eChecks
Are eChecks safer than credit cards?
No. Credit cards offer better liability protection and faster dispute resolution than eChecks for businesses. With eChecks, your business absorbs 100% of fraud losses and faces a 24-hour reporting window compared to the extended protections credit cards provide.
Can fraudulent eChecks be reversed?
Sometimes, but it depends on timing and available funds. You must report within 24 hours to preserve liability protection, though recovery rates remain low even with prompt reporting. The money often moves too quickly through multiple accounts for banks to claw it back.
How long before eCheck fraud gets detected?
Detection timing depends on how often you reconcile accounts. Daily reconciliation catches fraud within 24 hours, while monthly reviews can delay discovery by 30 days or more. This timing difference directly impacts your ability to report within the critical window and pursue recovery.
Should small businesses accept eChecks?
It depends on your cash flow management and fraud control capabilities. eChecks work well for vendor payments you initiate when you use layered security controls like ACH debit blocks, MFA, daily reconciliation, and dual authorization. For receiving customer payments, you'll need to weigh the lower processing costs against the higher fraud risk compared to business credit cards, which offer stronger fraud protections but higher processing fees.


