

ACH fraud happens when criminals gain unauthorized access to bank accounts and use the Automated Clearing House (ACH) network to steal money through fake electronic transfers.
For businesses, a single fraudulent transaction can mean thousands of dollars lost, plus the time and resources needed to recover funds and restore trust. As more transactions move online, fraudsters have adapted their tactics, making ACH fraud one of the fastest-growing financial crimes.
What is ACH fraud?
ACH fraud is the unauthorized use of the Automated Clearing House (ACH) network to steal funds. Criminals often gain access to sensitive banking details, such as account and routing numbers, through phishing, malware, or poor security practices.
The ACH network is the backbone of US electronic payments, moving money between bank accounts for payroll, bill payments, and peer-to-peer transfers. In 2025, according to Nacha, it processed 35.19 billion transactions.
ACH fraud vs. other payment fraud
Unlike credit card fraud, where banks usually reverse disputed transactions quickly, ACH fraud involves direct debits or credits that are harder to recover once funds leave the account. This makes ACH fraud more damaging than wire fraud and disruptive for businesses.
Who is at risk for ACH fraud?
Businesses processing high volumes of ACH transactions, especially payroll and vendor payments, are prime targets. Small businesses face greater exposure since they often lack advanced fraud detection tools. Financial institutions are also frequent targets, while consumers may be affected if their information is compromised.
The shift from paper checks to electronic payments has only increased the risk, making ACH fraud a persistent concern for finance leaders.
How ACH fraud happens
Fraudsters follow a predictable attack chain to execute ACH fraud. While the specific tactics vary, most schemes move through three stages:
- Credential theft: Fraudsters obtain account and routing numbers through phishing emails, data breaches, malware, or even discarded checks and deposit slips.
- Transaction initiation: They use stolen information to submit unauthorized ACH debits or redirect outgoing payments to accounts they control.
- Fund extraction: Money moves to the fraudster's accounts before you detect the fraud, often within hours. From there, fraudsters quickly withdraw or transfer funds again to make recovery difficult.
Vendor impersonation to divert payments is one of the most common methods targeting businesses. A fraudster poses as a known vendor, requests a change to banking details, and intercepts the next payment you send.
Types of ACH fraud
ACH fraud takes several distinct forms. Understanding each type helps you recognize what you're up against and where your vulnerabilities lie.
Unauthorized ACH debits
Unauthorized debits occur when a fraudster uses stolen account information to pull funds directly from your bank account without your consent. They often acquire account and routing numbers through data breaches, discarded checks, or phishing campaigns.
For example, a restaurant owner notices $8,000 missing from their business checking account. Investigation reveals that fraudsters copied details from a discarded deposit slip and initiated an unauthorized ACH withdrawal.
Account takeover fraud
Account takeover happens when fraudsters gain direct access to your banking portal using malware, keyloggers, or stolen login credentials. Once inside, they control the account and can initiate transfers, change settings, or add new payees. These attacks can persist unnoticed for days or weeks.
A finance team discovers $50,000 missing from their account. Hackers had used credentials obtained in a prior breach to log in during off-hours and move funds to accounts they controlled.
ACH kiting
ACH kiting exploits the time delay between when ACH payments are initiated and when they settle. Fraudsters cycle money through multiple accounts to artificially inflate balances and withdraw the same funds multiple times before the transfers clear.
A scammer uses three bank accounts, cycling transfers just before settlement periods close. They withdraw from each account in turn, effectively spending money that hasn't settled yet.
Fraudulent ACH payments
Fraudsters submit altered invoices or fake payment instructions to trick you into sending ACH payments to the wrong accounts. The timing often aligns with busy billing periods, making it easier for these to slip through your normal review process.
Your finance team receives a routine invoice from a known vendor, but with revised bank account information. When paid, the funds land in a fraudster-controlled account instead.
Payment diversion scams
Payment diversion scams intercept legitimate payment processes and redirect funds to accounts the fraudster controls. The most common approach: impersonating a vendor and requesting a change to their banking information.
An employee's paycheck stops arriving. Inquiry reveals a fraudulent direct deposit change request had been submitted weeks earlier, redirecting their pay to a fraudulent account. This same tactic applies to vendor payments, where a single spoofed email can reroute tens of thousands of dollars.
Common ACH fraud tactics
Most ACH fraud schemes rely on a short list of proven tactics: phishing, business email compromise, data theft, and insider abuse.
Phishing and social engineering
Phishing scams trick your staff into revealing credentials by masquerading as legitimate institutions. Attackers send urgent emails or texts warning of account suspension or security alerts, prompting users to click links or submit login data. Social engineering takes it further—attackers pose as trusted figures such as bank reps or IT support and pressure staff to override standard security procedures.
A caller claiming to represent your company's bank contacts a finance manager, already citing partial account data, and insists additional details are needed immediately to secure the account. Teach employees to always pause and verify suspicious messages, hover over links to check domain names, and confirm requests through trusted channels.
Business email compromise (BEC)
According to the FBI, BEC became a $55 billion scam during the period of 2013 to 2023, reported in all 50 states and 186 countries.
BEC attacks manipulate trust within internal communications. Criminals either take over a valid email account or spoof an address similar to a legitimate one, then send fraudulent payment instructions. They often tailor requests based on prior knowledge of your vendor or billing relationships, making them one of the most damaging ACH fraud tactics for businesses.
For example, an AP clerk receives an email appearing to come from the CEO, asking for a $25,000 ACH payment to a new vendor. The request references recent company activity, making it seem credible. Always mandate secondary approval for vendor changes and validate changes via a different communication method, like a phone call.
Data theft and breaches
Data breaches that expose account and routing numbers directly enable ACH fraud. Unlike credit card numbers, which can be quickly canceled, bank account details rarely change, meaning stolen information remains useful for months or years. This data is widely shared on dark web marketplaces and is relatively easy to obtain.
Restrict access to account credentials to as few users as possible, and reconcile accounts daily to detect anomalous transactions early.
Insider threats
Employees with access to financial systems can alter ACH files, create fake vendors, or manipulate payment data. Insider threats are particularly dangerous because these individuals already have legitimate access and understand your internal processes.
Strong access controls, segregation of duties, and regular audits of user activity are your best defenses. No single person should be able to create a vendor record and approve a payment to that vendor.
Who is liable for ACH fraud?
Liability rules for ACH fraud differ significantly depending on whether the affected account is a consumer or business account. This distinction matters because it directly affects your financial exposure and how quickly you need to act.
- Consumer accounts: Banks typically bear liability if you report the fraud within the required timeframe. Federal regulations like Regulation E provide strong protections for individuals.
- Business accounts: Liability often falls on your business, especially if your controls were inadequate. The Uniform Commercial Code (UCC) governs most business account disputes, and protections are far less generous than consumer rules.
- Reporting deadlines: You have limited time to report unauthorized transactions to qualify for protection. For business accounts, this window can be as short as 24 hours.
| Account type | Typical liability | Reporting window |
|---|---|---|
| Consumer | Bank bears liability if reported promptly | Up to 60 days |
| Business | Business often liable | 24 hours to next business day |
The takeaway: If you're managing business accounts, the burden of prevention and fast detection falls squarely on you. Waiting even a day too long to report unauthorized activity can mean your bank has no obligation to help you recover the funds.
How to detect unauthorized ACH transactions
Early detection is your best chance at stopping ACH fraud before the money disappears. These four practices give you the visibility you need to catch unauthorized activity fast.
Monitor transactions in real time
Set up real-time alerts for all ACH activity on your accounts. Immediate visibility is critical because ACH fraud recovery depends on fast detection. Every hour counts. Watch for large or frequent transfers to unfamiliar accounts, sudden spikes during non-business hours, or repeated small transfers that may be testing your system.
You can also monitor ACH return codes for patterns that indicate fraud. Multiple R05 (unauthorized debit) or R07 (authorization revoked) returns can signal compromised accounts. ACH trace numbers allow your bank to quickly locate and investigate specific transactions if fraud is suspected.
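The monitoring rules described above can be written as three small checks over an activity feed. This is an added example, not code from the original article or any bank's product; the record layout, account names, known-counterparty list and every threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FRAUD_RETURNS = {"R05", "R07"}              # the two return codes named above
KNOWN = {"ACME PAYROLL", "CITY UTILITIES"}  # hypothetical known counterparties

# Constructed sample activity: (timestamp, account, counterparty, amount, return code).
# The field layout is an assumption, not a bank export format.
ACTIVITY = [
    ("2025-03-03T10:15", "OPS-1", "ACME PAYROLL", 18250.00, None),
    ("2025-03-04T02:40", "OPS-1", "QX HOLDINGS", 0.37, None),
    ("2025-03-04T02:55", "OPS-1", "QX HOLDINGS", 0.82, None),
    ("2025-03-04T03:10", "OPS-1", "QX HOLDINGS", 0.15, None),
    ("2025-03-04T23:30", "OPS-1", "QX HOLDINGS", 9400.00, None),
    ("2025-03-05T09:00", "AR-2", "CUSTOMER 114", 310.00, "R05"),
    ("2025-03-06T09:00", "AR-2", "CUSTOMER 208", 125.00, "R07"),
    ("2025-03-06T11:00", "AR-2", "CUSTOMER 377", 90.00, "R05"),
    ("2025-03-07T14:00", "OPS-1", "CITY UTILITIES", 640.00, "R01"),  # not a fraud code
]

def parse(rows):
    keys = ("ts", "account", "party", "amount", "rc")
    return [dict(zip(keys, (datetime.fromisoformat(r[0]),) + r[1:])) for r in rows]

def _dense(times, min_count, window):
    """True if any min_count timestamps fall inside one sliding window."""
    times = sorted(times)
    return any(times[i + min_count - 1] - times[i] <= window
               for i in range(len(times) - min_count + 1))

def return_clusters(txns, min_count=3, window=timedelta(days=7)):
    """Accounts with repeated R05/R07 returns: possible compromised account data."""
    by_acct = defaultdict(list)
    for t in txns:
        if t["rc"] in FRAUD_RETURNS:
            by_acct[t["account"]].append(t["ts"])
    return sorted(a for a, ts in by_acct.items() if _dense(ts, min_count, window))

def probing(txns, max_amount=1.00, min_count=3, window=timedelta(hours=24)):
    """(account, counterparty) pairs with repeated tiny transfers (system testing)."""
    groups = defaultdict(list)
    for t in txns:
        if t["amount"] <= max_amount:
            groups[(t["account"], t["party"])].append(t["ts"])
    return sorted(k for k, ts in groups.items() if _dense(ts, min_count, window))

def off_hours_unfamiliar(txns, min_amount=5000.00, open_hour=7, close_hour=19):
    """Large transfers to unknown counterparties outside business hours."""
    return [t for t in txns
            if t["party"] not in KNOWN and t["amount"] >= min_amount
            and not (open_hour <= t["ts"].hour < close_hour)]

def alerts(rows):
    txns = parse(rows)
    return {"return_cluster": return_clusters(txns),
            "probing": probing(txns),
            "off_hours": [(t["party"], t["amount"]) for t in off_hours_unfamiliar(txns)]}
```

Each alert should carry the transaction's ACH trace number to the bank so the entry can be located quickly; the sample rows omit it for brevity.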
Set up ACH debit blocks and filters
ACH debit blocks instruct your bank to reject all incoming ACH debits unless they come from pre-approved sources. ACH filters give you more flexibility. They allow only transactions that match specific criteria you've authorized, such as approved company IDs or dollar amounts.
Work with your bank to implement these controls. They're one of the most effective ways to prevent fraudsters from pulling funds, even if they have your account information.
Review account reconciliations daily
Daily reconciliation catches discrepancies before your reporting windows close. This is especially critical for business accounts, where you may have as little as 24 hours to report unauthorized transactions and preserve your recovery options.
Some businesses only review transactions monthly, but that's far too slow. A daily review takes minutes and can save you from six-figure losses.
Implement anomaly detection
Automated anomaly detection systems flag unusual patterns that manual review might miss. These tools can identify unexpected vendors, payment amounts outside normal ranges, or transactions initiated at odd times.
The best systems learn your normal transaction patterns over time and alert you when something deviates. This adds a layer of protection that doesn't depend on someone manually catching every irregularity.
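A simple form of the baseline approach described above, as an added example that is not from the original article or any vendor's product. It learns each vendor's typical amount with a median and median absolute deviation (so one past outlier does not stretch the normal range) and flags the three signals the text lists; vendor names, history and the `k` and `hour_slack` parameters are constructed assumptions.

```python
from statistics import median

# Constructed payment history: vendor -> list of (amount, hour initiated).
HISTORY = {
    "NORTHWIND SUPPLY": [(4100, 10), (3950, 11), (4200, 14), (4050, 9), (4000, 15)],
    "CITY UTILITIES": [(610, 9), (640, 9), (655, 10), (630, 9)],
}

def baseline(history):
    """Learn each vendor's typical amount (median, MAD) and initiation hours."""
    model = {}
    for vendor, rows in history.items():
        amounts = [a for a, _ in rows]
        hours = [h for _, h in rows]
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts)
        model[vendor] = {"median": med, "mad": mad, "hours": (min(hours), max(hours))}
    return model

def score(payment, model, k=6.0, hour_slack=2):
    """Return the list of reasons a (vendor, amount, hour) payment looks unusual."""
    vendor, amount, hour = payment
    if vendor not in model:
        return ["unexpected_vendor"]      # no history: nothing to compare against
    b = model[vendor]
    reasons = []
    # 1.4826 * MAD approximates a standard deviation for normal data; the floor
    # of 1% of the median keeps a perfectly regular vendor from having zero spread.
    spread = max(1.4826 * b["mad"], 0.01 * b["median"])
    if abs(amount - b["median"]) > k * spread:
        reasons.append("amount_out_of_range")
    lo, hi = b["hours"]
    if not (lo - hour_slack <= hour <= hi + hour_slack):
        reasons.append("odd_hour")
    return reasons

def review(payments, model):
    """Return only the payments that need a human look, with their reasons."""
    return {p: r for p in payments if (r := score(p, model))}
```

A near-miss vendor name such as a misspelling of an existing payee lands in `unexpected_vendor`, which is where a changed or impersonated payee would surface for manual verification.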
How to prevent ACH fraud
You don't have to wait for ACH fraud to happen before you can act. These six prevention strategies address the most common vulnerabilities.
1. Verify vendors before sending payments
This is the single most effective prevention tactic. Always confirm changes to vendor payment information using a known phone number—never use contact information from a new email. Fraudsters count on you trusting the email in front of you instead of picking up the phone.
Confirm vendor credentials and verify ACH and bank details, including the ACH routing number, before issuing payments. Update records regularly to reduce fraud risk.
2. Require dual authorization for ACH transfers
Segregation of duties is a fundamental control. Require multiple approvers for ACH payments above a set threshold. No single person should be able to set up a vendor and approve a payment to that vendor.
Set transaction limits and conduct regular account reconciliations to catch anything that slips through.
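The two rules in this section (multiple approvers above a threshold, and no approval by the person who set up the vendor) can be checked mechanically before a payment batch is released. This is an added example, not the article's or any AP product's code; the threshold value, record fields and user names are assumptions.

```python
DUAL_APPROVAL_THRESHOLD = 10_000  # hypothetical policy value, in dollars

# Constructed records; the field names are assumptions for this sketch.
VENDORS = {
    "V-100": {"name": "Northwind Supply", "created_by": "dana"},
    "V-200": {"name": "QX Holdings", "created_by": "sam"},
}
PAYMENTS = [
    {"id": "P-1", "vendor": "V-100", "amount": 4200, "approvers": ["sam"]},
    {"id": "P-2", "vendor": "V-100", "amount": 25000, "approvers": ["sam"]},
    {"id": "P-3", "vendor": "V-200", "amount": 8000, "approvers": ["sam"]},
    {"id": "P-4", "vendor": "V-100", "amount": 30000, "approvers": ["sam", " Sam"]},
    {"id": "P-5", "vendor": "V-100", "amount": 30000, "approvers": ["sam", "kim"]},
    {"id": "P-6", "vendor": "V-999", "amount": 500, "approvers": ["kim"]},
]

def violations(payment, vendors=VENDORS, threshold=DUAL_APPROVAL_THRESHOLD):
    """Return the control failures that should hold this payment before release."""
    vendor = vendors.get(payment["vendor"])
    if vendor is None:
        return ["unknown_vendor"]          # fail closed: no vendor record, no payment
    # Normalise identities so one person cannot count twice ("sam", " Sam").
    approvers = {a.strip().lower() for a in payment["approvers"] if a.strip()}
    creator = vendor["created_by"].strip().lower()
    found = []
    if creator in approvers:
        found.append("approver_created_vendor")
    # The vendor's creator never counts toward the approval quorum.
    independent = approvers - {creator}
    required = 2 if payment["amount"] > threshold else 1
    if len(independent) < required:
        found.append(f"needs_{required}_independent_approvers")
    return found

def held(payments):
    """Map payment id -> violations, for payments that must not be released."""
    return {p["id"]: v for p in payments if (v := violations(p))}
```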
3. Automate payment controls and policies
Automated approval workflows enforce your spending policies consistently and flag suspicious transactions before they process. The right accounts payable software can handle vendor verification, approval routing, and anomaly alerts, reducing the burden on your team and eliminating manual gaps that fraudsters exploit.
4. Train employees to recognize ACH scams
Your team is your first line of defense. Train staff to recognize phishing and social engineering tactics, and use mock exercises to reinforce learning. Key red flags to watch for include:
- Urgent requests demanding immediate payment
- Changes to vendor payment details sent via email
- Unfamiliar senders or slightly misspelled email addresses
- Pressure to bypass normal approval processes
5. Use ACH positive pay services
ACH positive pay matches incoming debits against a pre-authorized list you provide to your bank. Any debit that doesn't match is automatically rejected. This prevents fraudsters from pulling funds even if they have your account and routing numbers.
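The matching logic behind ACH positive pay, and behind the debit blocks and filters described in the detection section, is sketched below as an added example; it is not from the original article or any bank's implementation. The company IDs, limits, record fields and the `mode` switch are constructed assumptions: `"block"` checks only that the source is pre-approved, `"filter"` also applies a per-debit dollar ceiling.

```python
from decimal import Decimal, InvalidOperation

# Constructed authorization list: originator company ID -> per-debit ceiling.
# IDs, names and limits are sample values, not real originators.
AUTHORIZED = {
    "1234567890": {"name": "CITY UTILITIES", "max_amount": Decimal("1000.00")},
    "9876543210": {"name": "ACME INSURANCE", "max_amount": Decimal("5000.00")},
}

# Constructed incoming debits as they might be presented against the account.
INCOMING = [
    {"company_id": "1234567890", "amount": "642.18"},
    {"company_id": "1234567890", "amount": "4800.00"},   # approved source, unusual size
    {"company_id": "5550001111", "amount": "8000.00"},   # source never authorized
    {"company_id": " 9876543210", "amount": "1210.00"},
    {"company_id": "9876543210", "amount": "-50"},       # malformed entry
]

def decide(debit, authorized=AUTHORIZED, mode="filter"):
    """mode="block": approved source only; mode="filter": source and amount ceiling."""
    try:
        amount = Decimal(debit["amount"])   # Decimal avoids float rounding on money
    except InvalidOperation:
        return ("REJECT", "bad_amount")
    if not amount.is_finite() or amount <= 0:
        return ("REJECT", "bad_amount")
    rule = authorized.get(debit["company_id"].strip())
    if rule is None:
        return ("REJECT", "unapproved_originator")
    if mode == "filter" and amount > rule["max_amount"]:
        return ("REJECT", "over_limit")
    return ("PAY", "matched")

def screen(debits, mode="filter"):
    """Screen a batch; return per-debit decisions and the total value rejected."""
    decisions = [decide(d, mode=mode) for d in debits]
    rejected = sum((Decimal(d["amount"])
                    for d, (verdict, why) in zip(debits, decisions)
                    if verdict == "REJECT" and why != "bad_amount"), Decimal("0"))
    return decisions, rejected
```

The second sample debit shows the difference between the two controls: it passes in `"block"` mode because the source is approved, and is rejected in `"filter"` mode because it exceeds that source's ceiling.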
6. Limit access to banking credentials
Use multi-factor authentication (MFA) for all banking and financial system access. Restrict who can initiate or approve ACH transactions, and rotate passwords regularly using a secure password manager. The fewer people with access, the smaller your attack surface.
Stay current with Nacha operating rules and coordinate with your bank on emerging best practices to keep your controls up to date.
How to recover from ACH fraud
If your business has already been affected, acting fast is critical. Your chances of recovering funds drop significantly with every hour that passes.
1. Contact your bank immediately
Notify your bank as soon as you detect unauthorized activity and ask to freeze your account. Request that the bank initiate an ACH return if the funds haven't settled. Businesses often have only 24 hours to report fraudulent transactions for the best chance of recovery.
If you need to stop ACH payments that are already scheduled or recurring, contact your bank immediately to cancel them before they process.
2. Document the fraudulent transaction
Collect every detail about the fraudulent transaction: dates, amounts, account numbers, and any suspicious communications. Build a clear timeline. This documentation is essential for your bank's investigation, law enforcement reports, and potential insurance claims.
3. File a fraud report
File a police report to create an official record. Also report the incident to the FBI's Internet Crime Complaint Center (IC3) and the Federal Trade Commission, which provide guidance and resources for handling financial fraud.
4. Initiate an ACH fraud investigation
Your bank will investigate unauthorized transactions and work with the receiving bank to attempt recovery. Success depends heavily on how quickly you acted. If funds have already been withdrawn from the receiving account, recovery becomes much harder. If unsuccessful, consult legal counsel to explore claims under the UCC or other regulations.
5. Review and strengthen controls
After an incident, audit exactly how the fraud occurred. Identify the vulnerability, whether it was a phishing email, weak access controls, or a missing approval step, and fix it. Update access permissions, add verification steps, and train staff on new procedures. Establish daily account reconciliation if you haven't already, and invest in fraud detection tools that flag unusual activity before it escalates.
Inform vendors, clients, or partners affected by the fraud. Transparency helps preserve trust and allows others to take preventive steps.
Use Ramp to automate your AP and protect your business
While ACH fraud is a serious risk, it can be prevented with strong security measures and a proactive approach. Acting quickly when fraud occurs can help reduce long-term damage, but prevention is the best strategy.
Staying on top of fraud prevention can be difficult, but the right AP automation software can help. Ramp Bill Pay offers:
- Multiple layers of security to prevent unauthorized access
- Multi-factor authentication and step-up authentication for high-risk activities
- Automated monitoring and alerts for suspicious activity
- Invoice matching that flags potential overpayments or fraud
Ramp Bill Pay also streamlines your accounts payable process. You can automate approval workflows, ACH payment initiation, and vendor onboarding, freeing your team to focus on more strategic work.

FAQs
Banks review transaction records, trace the funds to the receiving institution, and work with Nacha rules to request returns. The investigation timeline depends on how quickly you reported the fraud and whether the funds have settled.
Recovery is possible if you report the fraud quickly—ideally within 24 hours—and the funds haven't been withdrawn from the receiving account. Business accounts have stricter timelines than consumer accounts.
Consumers typically have up to 60 days; businesses often must report within one business day to limit liability. Check your bank's specific policies for exact deadlines.
ACH fraud uses the Automated Clearing House network and processes in batches over 1–3 days; wire fraud uses real-time wire transfer systems and settles immediately, making recovery even more difficult.
ACH debit blocks instruct your bank to reject all incoming ACH debits unless they're from pre-approved sources. This prevents fraudsters from pulling funds even if they have your account information.



