ACH Fraud: How These Attacks Work and How to Stop Them

Automated Clearing House (ACH) payments are the quiet infrastructure behind salaries, supplier invoices, subscriptions and everyday bills, processed in large, low‑cost batches. For most organizations, ACH is cheaper and more predictable than cards or wires, which is why it powers payroll runs and recurring payments at scale.

ACH relies on widely shared account and routing numbers, making it an appealing target for fraud. Attackers don’t need to break the rails themselves; they just need to slip in unauthorized debits, hijack online access or redirect legitimate transfers into accounts they control. Batch settlement and limited transaction context can give these schemes enough time to succeed before they are spotted.

This guide explains how ACH fraud works in practice, who usually bears the loss when it happens and which concrete steps help businesses and financial institutions strengthen their defenses.

Key takeaways

  • ACH fraud exploits widely shared account details and low‑context, batch‑processed transactions.
  • Liability hinges on consumer vs business use, reporting speed and the strength of existing controls.
  • Fast, well‑documented traces between sending and receiving banks improve recovery odds.
  • Modern detection focuses on behavior and context, not just static rules and limits.
  • Strong ACH fraud prevention combines MFA, ACH blocks/filters, real‑time monitoring and Nacha‑aligned risk frameworks.

Understanding the Types of ACH Fraud

You can think of ACH fraud less as a single tactic and more as a handful of repeat “plots” that keep showing up in slightly different costumes. Knowing these patterns makes it much easier to scan your own payments and spot when something feels off.

Unauthorized Debits and Stolen Banking Data

Unauthorized debits happen when someone uses your bank account and routing numbers to pull money without your permission. They often obtain these details from exposed checks, compromised billing systems, or large‑scale data breaches in which payment records are stolen.

Fraudsters often begin with a small withdrawal to see whether anyone reacts, then increase the value or repeat the debit once they feel safe. Strong controls limit which counterparties can pull funds from important accounts, surface unfamiliar debits quickly and give teams a direct route to challenge anything that should not be there.

Account Takeover and Credential Exploitation

Account takeover (ATO) focuses on access to digital banking rather than on the account numbers themselves. Criminals capture credentials through phishing pages, malware or reused passwords, then sign in through online or mobile channels and submit ACH transfers as if they were the legitimate user.

Once inside, they may change contact information, adjust notification settings and add new beneficiaries before initiating payments. Strong multi‑factor authentication, digital footprint, device and IP checks, and behavioral analytics that highlight unusual login or payment patterns are central to limiting the impact of ATO.

Business Email Compromise and Redirects

Business Email Compromise (BEC) targets the communication layer around payments. A fraudster spoofs or takes control of a mailbox that appears to belong to an executive or supplier, then sends credible instructions to update bank details or expedite an ACH payment.

The resulting file often aligns with normal invoice amounts and timing, which is why it passes technical checks. Controls need to sit within the approval workflow: independent call‑backs using trusted contact details, dual authorization for changing beneficiary accounts and clear internal rules for validating urgent or unusual payment requests.

ACH Kiting and Batch Settlement Schemes

ACH kiting exploits settlement lags between institutions. Funds circulate between accounts at different banks so that balances appear sufficient at specific snapshots, even though the underlying debits have not fully cleared. Public holidays, weekends and batch cut‑off times are often used to stretch this window.

Viewed individually, these transfers may look ordinary. The risk emerges when you examine activity over several days: repeated transfers between the same accounts, round-figure amounts, short‑lived balance spikes and rapid withdrawals once credits arrive. Detecting kiting depends on monitoring flows over time, applying holds when behavior diverges sharply from historic patterns and paying special attention to accounts that mostly pass funds through rather than support genuine operating activity.
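The multi-day view described above can be sketched as follows. This is an added example, not code from the original guide; the account IDs, sample transfers and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: (settlement date, debited account, credited account, amount in cents).
TRANSFERS = [
    (date(2024, 7, 1), "A-1001", "B-2002", 900_000),
    (date(2024, 7, 2), "B-2002", "A-1001", 950_000),
    (date(2024, 7, 3), "A-1001", "B-2002", 1_000_000),
    (date(2024, 7, 5), "B-2002", "A-1001", 1_050_000),
    (date(2024, 7, 1), "C-3003", "D-4004", 124_317),   # ordinary supplier payments
    (date(2024, 7, 15), "C-3003", "D-4004", 98_740),
    (date(2024, 7, 3), "E-5005", "A-1001", 25_000),
]


def kiting_candidates(transfers, window_days=7, min_reversals=2, round_unit=50_000):
    """Return account pairs whose transfers keep reversing direction within a short window.

    Thresholds are illustrative assumptions, not values from any rule book.
    """
    legs_by_pair = defaultdict(list)
    for day, src, dst, cents in transfers:
        legs_by_pair[tuple(sorted((src, dst)))].append((day, src, cents))

    findings = []
    for pair, legs in legs_by_pair.items():
        legs.sort()
        # A reversal is a leg flowing the opposite way to the previous one, soon after it.
        reversals = sum(
            1
            for (d0, s0, _), (d1, s1, _) in zip(legs, legs[1:])
            if s0 != s1 and d1 - d0 <= timedelta(days=window_days)
        )
        if reversals < min_reversals:
            continue
        round_share = sum(c % round_unit == 0 for _, _, c in legs) / len(legs)
        findings.append({
            "pair": pair,
            "legs": len(legs),
            "reversals": reversals,
            "round_share": round_share,
            "span_days": (legs[-1][0] - legs[0][0]).days,
        })
    # Most back-and-forth activity first, for analyst review.
    return sorted(findings, key=lambda f: f["reversals"], reverse=True)


if __name__ == "__main__":
    for finding in kiting_candidates(TRANSFERS):
        print(finding)
```

A flagged pair is a prompt for review or a hold, not proof of kiting: legitimate intercompany sweeps can also reverse direction, which is why the share of round-figure amounts and the time span are reported alongside the reversal count.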

How to Trace and Recover an ACH Payment

When an ACH payment goes missing or looks suspicious, the goal is to understand where it is in the flow and whether the funds can still be held or recovered. The earlier you start a trace, the better your chances; once money has been withdrawn or moved again, options narrow quickly.

Information Required for the Trace

To kick off a trace, banks and payment teams usually need a small, precise set of details. Having these ready makes the process faster and reduces back‑and‑forth:

  • Transaction amount and date
  • ACH trace or reference number (from the file or statement)
  • Name of the sender (originator) and the recipient (receiver)
  • Account numbers and bank names for both sides, where available
  • Any internal IDs used in your system (invoice number, customer ID, payout ID)

In practice, the trace number, date and amount are often enough for a bank’s operations team to locate the entry and confirm its status. The rest of the data helps validate that they are looking at the right transaction, especially when there are multiple payments for similar amounts.

The Role of the ODFI and RDFI in Recovery

Every ACH entry involves two banks: the Originating Depository Financial Institution (ODFI) and the Receiving Depository Financial Institution (RDFI). Understanding what each one can do during a trace helps set realistic expectations.

  • The ODFI submits the ACH entry into the network on behalf of the sender. When something goes wrong, this is usually the institution that initiates the formal trace and, where appropriate, requests a return or reversal.
  • The RDFI receives the entry and posts it to the recipient’s account. During an investigation, it can confirm whether funds have arrived, whether they are still in the account and, in some cases, place a hold or process a return if rules and timeframes allow.

If you are the sender, you typically start with your own bank or payment provider and ask them to open a trace with the RDFI. If you are the recipient waiting for funds, you often need the sender to request a trace on their end, then share updates as their bank works with the receiving institution.

Even when funds cannot be fully recovered, the trace output is useful: it shows whether the payment reached the destination, whether there were errors or returns and which party needs to act next (for example, resubmitting the entry, refunding a customer or escalating as fraud).

Who Is Liable for ACH Fraud?

Liability for ACH fraud depends mainly on who was targeted and how the fraud happened. Consumers are usually protected against unauthorized transfers if they report them quickly, while businesses face stricter standards and are often judged on whether their controls and their bank’s security procedures were “commercially reasonable.”

In scams where someone inside the business approves a payment based on a fraudulent request (for example, BEC), the organization itself often bears the loss, especially if verification steps were skipped. Clear contracts, documented security procedures and fast reporting are therefore just as important as the technical controls around the payments.

Detection: Identifying the Signals of ACH Fraud

Good controls do more than block obviously bad payments; they highlight patterns that don’t fit how accounts, customers or vendors normally behave. The signals below tend to appear early in ACH fraud cases, often before a complaint arrives.

  • New bank details with instant activity: Freshly added accounts that start receiving or debiting funds straight away deserve attention, especially when they are linked to high‑value or high‑volume payments.
  • Unusual payment velocity: Rapid‑fire retries, frequent edits to the same payment or clusters of similar transactions in a short window can indicate scripted attacks rather than normal operations.
  • Mule‑style inflows and outflows: Accounts that suddenly receive multiple credits from unrelated senders, then empty out within hours, often function as pass‑through points for stolen funds.
  • Profile and routing anomalies: Changes in bank details, SEC codes or routing patterns that do not match a customer’s history — combined with logins from unfamiliar devices, locations or networks — are strong reasons to slow down or review a payment.
  • Document and communication red flags: Invoices with subtle formatting changes, new account numbers or unusual urgency in payment requests often sit upstream of ACH fraud; combining invoice checks with transaction monitoring catches more of these cases.

Leading fraud teams increasingly combine the above signals with real-time behavioral analytics, building a baseline of “normal” and treating deviations as prompts for extra verification rather than relying only on fixed rules.

ACH Fraud Prevention

To reduce ACH fraud, you need to make it harder to initiate a bad payment, limit where payments can go and spot unusual activity quickly. The measures below work best when applied together, not as standalone fixes.

1. Multi‑Factor Authentication & Out‑Of‑Band Verification

Strong authentication makes it harder for attackers with stolen credentials to reach payment tools in the first place. Multi‑factor authentication (MFA) should be required for anyone who can create, approve or release ACH payments, using something beyond a password, such as a secure app prompt or hardware token.

Out‑of‑band verification adds a separate check for sensitive actions, like adding a new payee or changing bank details. The system might trigger a confirmation call or a push notification in a secure app. For larger or higher‑risk transfers, asking a second person to review and approve the payment makes it much harder for a single compromised user to move money unnoticed.

2. ACH Blocks, Filters and Positive Pay

These measures help control which debits are allowed to hit your accounts. With an ACH block, you can tell the bank that no debits should ever be taken from a particular account, such as a reserve or savings account used only for internal purposes.

Filters and positive‑pay style checks are more selective. You provide a list of trusted companies or IDs that are allowed to debit an operating account, and the bank only allows matching transactions. Anything outside that list can be stopped or held for review. Updating this approved list regularly keeps it aligned with your real suppliers and partners.

3. Real‑Time Monitoring vs. Legacy Batch Screening

In older setups, ACH risk checks often ran once or twice a day, in line with batch processing. This left a gap between when a payment was created and when anyone looked at it closely. Real‑time transaction monitoring closes this gap by assessing the risk of a payment as soon as it is set up.

Modern systems don’t just look at the amount and the recipient, but also consider how that customer usually behaves, where they log in from and which device they use. If something looks out of character — such as an unusual payee or a new device sending a large payment — the system can pause the transaction and request additional confirmation, while ordinary payments continue as normal.
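The detection signals listed earlier and the real-time check described here can be combined into a per-payment assessment, sketched below. This is an added example, not code from the original guide; the `Profile` and `Payment` types, reason names, sample data and thresholds are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Profile:
    known_devices: set       # devices previously seen for this customer
    payee_added: dict        # payee id -> when its bank details were added or last changed
    past_amounts: list       # historic ACH payment amounts, in cents
    recent_attempts: list    # timestamps of this customer's latest payment attempts


@dataclass
class Payment:
    payee: str
    cents: int
    device: str
    when: datetime


def assess(profile, pay, new_hours=24, factor=5, burst=3, burst_window=timedelta(minutes=10)):
    """Score one payment at creation time; thresholds are illustrative assumptions."""
    reasons = []
    added = profile.payee_added.get(pay.payee)
    if added is None or pay.when - added < timedelta(hours=new_hours):
        reasons.append("new_bank_details")
    if pay.device not in profile.known_devices:
        reasons.append("unfamiliar_device")
    if profile.past_amounts and pay.cents > factor * median(profile.past_amounts):
        reasons.append("amount_out_of_character")
    recent = [t for t in profile.recent_attempts if timedelta(0) <= pay.when - t <= burst_window]
    if len(recent) >= burst:
        reasons.append("high_velocity")
    # One deviation asks for extra confirmation; several pause the payment for review.
    action = "hold_for_review" if len(reasons) >= 2 else "step_up" if reasons else "release"
    return action, reasons


# Constructed customer baseline and payments.
NOW = datetime(2024, 7, 8, 10, 0)
PROFILE = Profile(
    known_devices={"laptop-01"},
    payee_added={"SUP-001": datetime(2023, 1, 10), "SUP-777": NOW - timedelta(hours=1)},
    past_amounts=[120_000, 150_000, 135_000, 140_000],
    recent_attempts=[],
)
ROUTINE = Payment("SUP-001", 142_000, "laptop-01", NOW)
SUSPECT = Payment("SUP-777", 950_000, "unknown-9", NOW)
```

Returning the reasons alongside the action gives reviewers the context for each alert and leaves a record of why a payment was paused.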

4. Nacha’s Risk‑Based Monitoring Rules

Nacha is the organization that writes the operating rules for the ACH network in the United States. Its newer rules focus on “risk‑based” monitoring, which means every bank or payment provider should look at how ACH fraud could affect its business and set controls that match that level of risk.

In practice, this involves monitoring both outgoing and incoming ACH payments for warning signs in real time, maintaining written policies for alert handling and reviewing those policies regularly. Being able to show that you have considered ACH risk, put suitable controls in place and kept them up to date is important both for compliance and for any future discussions about who is responsible after a fraud event.

FAQ

What is ACH fraud and how does it occur?

ACH fraud is the misuse of bank account and routing numbers or online access to push or pull money through the ACH network without proper authorization. It typically involves unauthorized debits, compromised online banking, manipulated emails or timing gaps in batch settlement.

Who is held liable for unauthorized ACH transactions?

Consumers are usually protected if they report unauthorized transfers quickly, while businesses are assessed against “commercially reasonable” controls agreed with their bank. In scams where staff approve a fraudulent request, the business often bears much of the loss.

What are the most effective ways to prevent ACH fraud?

The strongest defenses combine multi‑factor authentication, out‑of‑band checks, ACH blocks and filters and real‑time monitoring of payment behavior. Clear internal approval rules and fast issue reporting are just as important as technical controls.

What are the new Nacha requirements for ACH fraud monitoring?

Nacha now expects banks and payment providers to monitor ACH traffic based on their actual fraud risk, not just formatting rules. This includes monitoring both outgoing and incoming payments, maintaining written policies and regularly reviewing controls to ensure they remain appropriate.