ACH Fraud
Before diving into ACH fraud, understand:
- ACH operations and payment processing basics
- Bank transfers as a payment method
- Third-party fraud vs. friendly fraud distinction
- ACH fraud = Unauthorized bank debits or fraudulent payment redirects
- Different from card fraud: returns happen days later, liability rules differ, no chargeback system
- BEC (Business Email Compromise) is the biggest ACH threat: $2.9B lost in 2023
- Verification tools (Plaid, MX) help but don't eliminate risk
- Return windows: 2 days for unauthorized consumer, 1 day for corporate, but fraud claims extend to 60+ days
- Prevention: verify bank ownership, validate payee identity, implement dual authorization
ACH fraud works differently from card fraud. The timing is slower, the liability is murkier, and the biggest threat doesn't even touch your payment system.
ACH vs. Card Fraud
| Factor | Card Fraud | ACH Fraud |
|---|---|---|
| Real-time authorization | Yes | No |
| Instant decline possible | Yes | No (settles first) |
| Dispute timeline | 60-120 days | 2-60 days |
| Liability framework | Clear (network rules) | Murky (Reg E, UCC, NACHA) |
| Fraud detection tools | Mature | Limited |
| Liability shift available | Yes (3DS) | No |
Types of ACH Fraud
1. Business Email Compromise (BEC)
The biggest ACH threat. $2.9 billion in losses in 2023 (FBI IC3 report).
BEC doesn't hack your payment system. It tricks your employees into making legitimate-looking payments to fraudsters.
| BEC Variant | How It Works |
|---|---|
| Invoice fraud | Fake or modified vendor invoice with fraudster's bank details |
| CEO impersonation | "Urgent" email from "CEO" requesting wire/ACH payment |
| Vendor impersonation | Email from compromised vendor requesting updated bank info |
| Payroll redirect | Employee "requests" direct deposit change to fraudster account |
| Lawyer impersonation | Fake attorney requesting payment for confidential matter |
Detection signals:
- Email domain slightly off (acme-inc.com vs. acmeinc.com)
- Urgency pressure ("must send today")
- Request to bypass normal approval process
- New or changed bank account details
- Request to keep transaction confidential
Prevention:
- Verify bank changes by phone (using known number, not email signature)
- Dual authorization for payments above threshold
- Payment verification callbacks for new vendors
- Email security (DMARC, SPF, DKIM)
- Employee training on BEC tactics
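The detection signals above, turned into a screening check for inbound payment or bank-change requests. This is an added example, not the page's own tooling; the vendor domain allow-list, phrase lists and similarity cutoff are constructed assumptions that you would replace with your own vendor master data.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Constructed allow-list standing in for your vendor master data (assumption).
KNOWN_VENDOR_DOMAINS = {"acmeinc.com", "globex.com"}

# Phrase lists for the page's BEC signals (constructed, extend from real cases).
URGENCY_PHRASES = ("must send today", "urgent", "immediately", "asap", "before end of day")
BYPASS_PHRASES = ("skip the approval", "bypass", "don't go through", "no need to wait for")
BANK_CHANGE_PHRASES = ("new bank", "updated bank", "new account", "routing number", "remit to")
SECRECY_PHRASES = ("keep this confidential", "don't tell", "between us", "do not discuss")

def lookalike_domain(sender_domain: str) -> Optional[str]:
    """Return the known vendor domain the sender domain imitates, if any.
    An exact match is not a lookalike; acme-inc.com vs. acmeinc.com is."""
    sender_domain = sender_domain.lower()
    if sender_domain in KNOWN_VENDOR_DOMAINS:
        return None
    stripped = re.sub(r"[-.]", "", sender_domain)  # ignore hyphens and dots
    for known in KNOWN_VENDOR_DOMAINS:
        if stripped == re.sub(r"[-.]", "", known):
            return known
        if SequenceMatcher(None, sender_domain, known).ratio() >= 0.85:  # e.g. TLD swap
            return known
    return None

def screen_payment_request(sender: str, body: str) -> tuple[int, list[str]]:
    """Score a request against the BEC signals; returns (signal count, reasons).
    Any non-zero score should route the request to the callback/dual-auth path."""
    reasons = []
    text = body.lower()
    domain = sender.rsplit("@", 1)[-1]
    imitated = lookalike_domain(domain)
    if imitated:
        reasons.append(f"sender domain {domain} resembles known vendor {imitated}")
    checks = [
        (URGENCY_PHRASES, "urgency pressure"),
        (BYPASS_PHRASES, "request to bypass approval process"),
        (BANK_CHANGE_PHRASES, "new or changed bank account details"),
        (SECRECY_PHRASES, "request to keep transaction confidential"),
    ]
    for phrases, label in checks:
        if any(p in text for p in phrases):
            reasons.append(label)
    return len(reasons), reasons
```

The score is a routing signal for human review, not a verdict: a genuine vendor can write an urgent email, so the control that actually stops BEC is the phone callback to a known number.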
2. Unauthorized Account Debits
Someone debits a bank account without authorization. The account holder files a return.
| Scenario | How It Happens |
|---|---|
| Stolen account credentials | Fraudster obtains routing/account numbers |
| Account takeover | Fraudster takes over victim's account, initiates ACH |
| Subscription abuse | Company continues billing after cancellation |
| Identity theft | Fraudster opens account in victim's name |
Return codes you'll see:
- R10: Customer advises unauthorized (consumer)
- R29: Corporate customer advises not authorized
- R07: Authorization revoked
3. Return Manipulation
Legitimate customer initiates payment, then claims unauthorized to get money back.
This is ACH's version of "friendly fraud":
- Customer authorized the payment
- Customer received goods/services
- Customer claims "unauthorized" to reverse payment
Challenge: Proving authorization is harder for ACH than cards. No 3DS, no CVV, no signature.
4. Push Payment Fraud
Victim is tricked into sending money to fraudster's account.
Unlike unauthorized debits (pulls), push payments are initiated by the victim, so they're nearly impossible to recover.
| Scenario | Example |
|---|---|
| Romance scam | Victim sends money to fake romantic interest |
| Investment scam | Victim invests in fake opportunity |
| Overpayment scam | Victim "refunds" overpayment from fake check |
Your exposure: If you're a platform facilitating person-to-person transfers, push payment fraud can hit your reputation and create regulatory scrutiny.
ACH Return Codes That Signal Fraud
| Return Code | Meaning | Fraud Signal? |
|---|---|---|
| R01 | Insufficient funds | Usually not fraud |
| R02 | Account closed | Could be stolen account |
| R03 | No account / unable to locate | Fake account number |
| R04 | Invalid account number | Typo or fake |
| R07 | Authorization revoked | Customer cancellation |
| R08 | Payment stopped | Customer dispute |
| R10 | Customer advises unauthorized | Fraud or friendly fraud |
| R11 | Check truncation entry return | Error |
| R29 | Corporate unauthorized | Fraud or friendly fraud |
R10 Deep Dive
R10 (Customer Advises Not Authorized) is the ACH equivalent of a fraud chargeback.
Timeline:
- Consumer can claim unauthorized for 60 days after statement
- Bank must investigate and provisionally credit within 10 days
- You see the return 2-3 days after bank initiates
Your options:
- Accept the return
- Provide evidence of authorization (difficult without proper documentation)
- Pursue customer directly (collections, legal)
Prevention: Verify bank account ownership before debiting.
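Monitoring for the R10/R29 pattern described above: classify incoming returns using the return-code table, compute the monthly unauthorized return rate, and surface repeat customers and month-over-month spikes. This is an added example, not the page's code; the return records, monthly entry counts and the 2x spike factor are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Fraud-relevant codes from the return-code table; everything else is operational.
UNAUTHORIZED_CODES = {"R10", "R29"}              # consumer / corporate advises unauthorized
SUSPICIOUS_ACCOUNT_CODES = {"R02", "R03", "R04"}  # closed, no account, invalid number

@dataclass
class Return:
    entry_id: str
    customer_id: str
    code: str
    returned_on: date

def classify(code: str) -> str:
    if code in UNAUTHORIZED_CODES:
        return "unauthorized"
    if code in SUSPICIOUS_ACCOUNT_CODES:
        return "bad-account"
    return "operational"

def monthly_unauthorized_rate(returns: list[Return], entries_per_month: dict[str, int]) -> dict[str, float]:
    """Unauthorized returns divided by entries originated, keyed by YYYY-MM."""
    unauth = Counter(r.returned_on.strftime("%Y-%m") for r in returns if classify(r.code) == "unauthorized")
    return {m: unauth.get(m, 0) / n for m, n in entries_per_month.items() if n}

def repeat_unauthorized(returns: list[Return], min_count: int = 2) -> dict[str, int]:
    """Customers with repeated unauthorized returns: the 'same customer, same behavior' pattern."""
    per_customer = Counter(r.customer_id for r in returns if classify(r.code) == "unauthorized")
    return {c: n for c, n in per_customer.items() if n >= min_count}

def rate_spike(rates: dict[str, float], factor: float = 2.0) -> list[str]:
    """Months whose unauthorized rate is at least `factor` times the previous month's."""
    months = sorted(rates)
    return [m for prev, m in zip(months, months[1:]) if rates[prev] > 0 and rates[m] >= factor * rates[prev]]

# Constructed sample returns and origination volumes (not real data).
SAMPLE_RETURNS = [
    Return("e1", "c100", "R01", date(2024, 3, 4)),
    Return("e2", "c101", "R10", date(2024, 3, 9)),
    Return("e3", "c102", "R03", date(2024, 3, 15)),
    Return("e4", "c101", "R10", date(2024, 4, 2)),
    Return("e5", "c103", "R10", date(2024, 4, 6)),
    Return("e6", "c104", "R29", date(2024, 4, 11)),
    Return("e7", "c105", "R01", date(2024, 4, 18)),
]
SAMPLE_ENTRIES = {"2024-03": 1000, "2024-04": 1000}
```

Because a consumer has 60 days to claim unauthorized, attribute each return to the month the entry was originated if you want a stable rate; the example keys by return month for simplicity.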
ACH Verification Tools
Bank Account Verification
Tools that confirm account ownership:
| Tool | What It Does | Limitations |
|---|---|---|
| Plaid | Links to bank, verifies ownership | Customer must authenticate |
| MX | Similar account linking | Customer must authenticate |
| Yodlee | Account aggregation | Customer must authenticate |
| Micro-deposits | Deposits 2 small amounts, customer verifies | Slow (2-3 days), can be gamed |
| Prenotes | Zero-dollar test transaction | Only checks account exists, not ownership |
What Verification Does and Doesn't Prove
| Verification Type | Proves | Doesn't Prove |
|---|---|---|
| Plaid/MX account link | Account exists, customer can log in | Customer owns account (could be ATO) |
| Micro-deposit verification | Account exists, someone can see deposits | Account ownership |
| Name match | Name on account | Account wasn't compromised |
| Balance check | Funds available | Funds will still be there tomorrow |
No verification tool prevents BEC. BEC fraud uses legitimate, verified accounts belonging to fraudsters. Verification confirms the account is real, not that the payee is legitimate.
Timing Windows and Liability
Consumer ACH (Reg E)
| Timeframe | Consumer Liability |
|---|---|
| Report within 2 business days | Max $50 |
| Report within 60 days | Max $500 |
| After 60 days | Unlimited (depends on bank) |
For merchants: This means a consumer can claim unauthorized up to 60 days later and you'll see an R10 return.
Corporate ACH (UCC)
Corporate accounts have different rules:
- No Reg E protection
- Unauthorized entries usually must be reported by the next business day
- Bank agreements vary significantly
For merchants: Corporate returns are faster (R29), but corporate claims of unauthorized are rarer.
Same-Day ACH
Same-day ACH (SDA) speeds up settlement but also speeds up fraud:
- Funds move same day
- Less time to catch fraudulent transactions
- Returns still take 2+ days
Prevention Strategies
For Inbound Payments (Customers Paying You)
| Strategy | What It Does |
|---|---|
| Bank account verification | Confirm account exists and customer can access |
| Name matching | Check name on account matches customer name |
| First-payment holds | Hold funds for 3-5 days on new accounts |
| Balance verification | Confirm funds available before shipping |
| Velocity limits | Limit new account payment amounts |
For Outbound Payments (You Paying Others)
| Strategy | What It Does |
|---|---|
| Dual authorization | Two approvers for payments above threshold |
| Callback verification | Call vendor to verify bank changes (use known number) |
| Payment delay | 24-48 hour hold on new payee payments |
| Email security | DMARC, SPF, DKIM to prevent spoofing |
| Training | Employees trained on BEC tactics |
BEC-Specific Controls
□ All bank account changes require phone verification
□ Dual authorization for payments > $X
□ 24-hour delay on payments to new accounts
□ Vendor management database (no ad-hoc payments)
□ Email security configured and monitored
□ Regular BEC awareness training
□ Clear escalation path for suspicious requests
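The outbound controls from the two lists above (phone-verified bank changes, a 24-hour hold on new payees or new bank details, dual authorization above a threshold) as one enforcement check a payments system can call before releasing a payment. This is an added example rather than the page's own implementation; the $10,000 threshold, the 24-hour delay and the payee data are constructed assumptions standing in for the page's "$X".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Policy values are assumptions standing in for the page's "$X" and 24-hour delay.
DUAL_AUTH_THRESHOLD = 10_000
NEW_PAYEE_DELAY = timedelta(hours=24)

@dataclass
class Payee:
    name: str
    routing: str
    account: str
    created_at: datetime                          # when these bank details were recorded
    bank_verified_at: Optional[datetime] = None   # set only after a callback on a known number

    def change_bank_details(self, routing: str, account: str, callback_confirmed: bool, now: datetime) -> bool:
        """Apply a bank change only if a phone callback confirmed it. Returns True if applied."""
        if not callback_confirmed:
            return False                      # email-only change requests are never applied
        self.routing, self.account = routing, account
        self.bank_verified_at = now
        self.created_at = now                 # new details restart the new-payee hold
        return True

def payment_blockers(payee: Payee, amount: float, approvers: list[str], now: datetime) -> list[str]:
    """Control failures that must be cleared before the payment is released; empty means release."""
    problems = []
    if payee.bank_verified_at is None:
        problems.append("bank details not phone-verified")
    if now - payee.created_at < NEW_PAYEE_DELAY:
        problems.append("within 24-hour hold for new payee/new bank details")
    if amount > DUAL_AUTH_THRESHOLD and len(set(approvers)) < 2:   # two distinct people
        problems.append("dual authorization required above threshold")
    return problems

if __name__ == "__main__":
    # Constructed walkthrough: a new vendor record with placeholder bank details.
    t0 = datetime(2024, 5, 1, 9, 0)
    vendor = Payee("Acme Supplies", "999999999", "00001111", created_at=t0)
    print(vendor.change_bank_details("999999999", "00002222", callback_confirmed=False, now=t0))  # False
    print(vendor.change_bank_details("999999999", "00002222", callback_confirmed=True, now=t0))   # True
    print(payment_blockers(vendor, 25_000, ["alice"], t0 + timedelta(hours=2)))
    print(payment_blockers(vendor, 25_000, ["alice", "bob"], t0 + timedelta(hours=25)))         # []
```

Note that the approver set is deduplicated, so the same person approving twice does not satisfy dual authorization.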
Responding to ACH Fraud
When You Receive an R10/R29 Return
□ Identify the transaction and customer
□ Review authorization evidence
□ Check for pattern (same customer, same behavior)
□ Decide: accept return or dispute
□ If disputing: contact your bank with evidence
□ If accepting: blacklist customer, consider collections
When You Discover BEC
□ Immediately contact your bank
□ Request wire recall or ACH return (time-sensitive)
□ Document everything (emails, approvals, timeline)
□ Report to FBI IC3 (ic3.gov)
□ Engage legal if significant amount
□ Review and strengthen controls
Recovery Options
| Situation | Recovery Chance |
|---|---|
| Caught within hours | Medium (wire recall may work) |
| Caught within 1-2 days | Low (funds often moved) |
| Caught after settlement | Very low |
| Fraudster's account still has funds | Better (legal action) |
Test to Run
ACH fraud prevention audit:
Inbound payments:
□ How do we verify bank account ownership?
□ Do we hold first ACH payments from new customers?
□ What's our R10 rate? Is it trending up?
Outbound payments:
□ Who can add new payees?
□ How do we verify bank account changes?
□ Do we have dual authorization for large payments?
□ When did we last train staff on BEC?
Record answers. If you can't answer these, you have gaps.
Scale Callout
| Volume | Focus |
|---|---|
| Under $100k/mo ACH | Basic verification (Plaid or micro-deposits). Manual review of returns. |
| $100k-$1M/mo ACH | Automated verification. First-payment holds. R10 monitoring. |
| Over $1M/mo ACH | Full verification stack. Balance checks. Velocity limits. Real-time return monitoring. |
| B2B outbound payments | BEC controls are critical. Dual auth. Callback verification. |
Where This Breaks
- BEC bypasses payment controls. BEC tricks employees into making legitimate payments. Your payment fraud detection won't catch it because the payment itself is authorized.
- Verification doesn't prove payee identity. Verifying a bank account confirms the account is real. It doesn't confirm the payee is who they claim to be.
- Same-day ACH reduces detection time. Faster settlement means less time to catch fraud before funds move.
- Corporate accounts have weaker protection. No Reg E means fewer consumer protections. Corporate fraud can be harder to recover.
Next Steps
Accepting ACH payments?
- Implement bank verification → Plaid, MX, or micro-deposits
- Hold first payments → 3-5 day hold on new accounts
- Monitor R10 returns → Track rate and investigate spikes
Making ACH payments?
- Implement dual authorization → Two approvers above threshold
- Verify bank changes by phone → Never trust email alone
- Train on BEC → Quarterly awareness training
Had an ACH fraud incident?
- Contact bank immediately → Speed matters for recovery
- Report to FBI IC3 → ic3.gov
- Review controls → What would have prevented this?
Related Topics
- ACH Operations - ACH processing operations
- ACH Return Codes - Full return code reference
- Bank Transfers - Payment method overview
- BEC & Phishing - Email-based fraud
- Third-Party Fraud - Stolen credentials fraud
- Friendly Fraud - False claims of unauthorized
- Settlement & Reconciliation - ACH timing
- Holds and Reserves - Managing ACH risk