How does ACH fraud happen?
Understanding how ACH fraud occurs is the first step in limiting risk. Like other types of fraud, ACH payment fraud can occur in several ways.
Fraudulent ACH returns
One of the more common types of ACH fraud occurs due to the ability to request a return for an ACH payment. There are two main types of ACH returns—bank-initiated returns and customer-initiated returns.
Bank returns can occur for a benign reason; for example, the user isn't aware they have insufficient funds in the account. But fraudsters can also exploit NSF (non-sufficient funds) returns for profit. For example, the fraudster transfers money to an investment account, which fronts the money to improve the user experience while the ACH process finalizes. The fraudster then purchases crypto, which can't be recovered. By the time the ACH payment processes and comes back with an insufficient funds return code, the money is gone.
With customer-initiated returns, fraudsters may commit fraud by making a legitimate purchase and then claiming they never authorized the transaction. The money is returned to their account, while they still keep the product they purchased. Or, a user's account information may be used by a fraudster to authorize a payment. When the user realizes the transaction occurred, they can dispute the transaction with their bank and receive the funds back. The risk of these returns can be predicted and limited using Plaid's ACH risk product. We'll discuss limiting ACH fraud risk in the next section.
Phishing attacks
Phishing attacks occur when a bad actor sends an email or text message that tricks people or organizations into revealing sensitive bank information that is then used to initiate unauthorized ACH payments.
For example, a fraudster might send a message that appears to come from the user or organization's bank. The messages often include urgent messages or warnings about suspicious account activity. When the user clicks the link in the email, they are redirected to a legitimate-looking site and prompted to log in. The attackers capture this information and use it to gain access to the real account and initiate fraudulent ACH payments or commit other types of payment fraud.
Ghost funding
Ghost funding fraud occurs when users are given immediate access to funds that have not been fully settled through ACH, which fraudsters use to profit. For example, say a user creates an account with an investment app. They initiate an ACH transfer from their bank to the investment app. To improve the user experience, the app credits the user's investment account while the ACH payment is processed (which can take several business days).
The user then purchases crypto or transfers the money to another account. Several days later, the ACH payment is returned for insufficient funds. The user has already spent the money they were fronted, and the investment app is unable to recover the funds.
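As an added illustration of the exposure described in the NSF-return and ghost funding examples above (this is not code from the original article or from Plaid), here is a hypothetical app-side ledger that separates settled from unsettled ACH credits; the instant_cap setting, the $5,000 deposit and the drain-then-return sequence are constructed assumptions:

```python
from dataclasses import dataclass


@dataclass
class Ledger:
    """Hypothetical app-side ledger (not Plaid's code) that fronts ACH deposits."""
    balance: float = 0.0       # what the user sees and can draw on
    pending: float = 0.0       # ACH credits still inside the return window
    instant_cap: float = 0.0   # how much unsettled money the app is willing to front

    def ach_credit(self, amount: float) -> None:
        """Credit the deposit immediately but remember that it is unsettled."""
        self.balance += amount
        self.pending += amount

    def available(self) -> float:
        """Settled funds plus at most instant_cap of the unsettled funds."""
        settled = max(0.0, self.balance - self.pending)
        return settled + min(self.pending, self.instant_cap)

    def withdraw(self, amount: float) -> bool:
        """Crypto purchase or transfer out: allowed only within available()."""
        if amount <= 0 or amount > self.available():
            return False
        self.balance -= amount
        return True

    def ach_settled(self, amount: float) -> None:
        """The ACH cleared: the credit can no longer be returned for NSF."""
        self.pending -= amount

    def ach_returned(self, amount: float) -> float:
        """NSF return (ACH return code R01): claw the credit back; any shortfall is the app's loss."""
        self.pending -= amount
        self.balance -= amount
        loss = max(0.0, -self.balance)
        self.balance = max(0.0, self.balance)
        return loss


def ghost_funding_loss(instant_cap: float, deposit: float = 5000.0) -> float:
    """Constructed scenario: deposit is fronted, the user drains what is spendable, then the ACH returns NSF."""
    ledger = Ledger(instant_cap=instant_cap)
    ledger.ach_credit(deposit)
    ledger.withdraw(ledger.available())   # fraudster takes everything the app lets them spend
    return ledger.ach_returned(deposit)   # several business days later the payment bounces
```

With instant_cap equal to the deposit the app loses the whole amount; with a cap of zero the funds are held until ach_settled and the loss is zero, and a partial cap bounds the loss at the cap.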
Insider threats
Sometimes, the fraudsters are within your own company. Employees or contractors with access to sensitive information can potentially perpetrate ACH fraud. For example, they may approve invoices they know are fake and pocket the money. In some cases, employees may process the same payment twice, alter the payment amount before processing, or redirect payments to accounts they control.
Account takeover fraud
Though less common, account takeover fraud is still a risk for ACH payments. Using social engineering, for example, a fraudster may be able to gain access to an account. Once they control the account, they can make fraudulent transactions by transferring the funds to an account they control, or even use the account to perpetrate other types of fraud, such as ghost funding.