ACH fraud is Payroll’s newest headache

You couldn’t have direct deposit or online banking without the Automated Clearing House (ACH) network, the electronic system that handles millions of financial transactions in the United States every day. Unfortunately, online banking through the ACH network has generated a new cyber crime—ACH fraud, which is similar to good old-fashioned check fraud.

Payroll, which makes abundant use of the ACH network for direct deposits and other transactions, is particularly vulnerable to ACH fraud. And according to the FBI, this fraud is growing, with new victims and cases opened every week.

The new identity theft

ACH fraud exploits valid online banking credentials. It usually begins when a company employee accesses a bank’s online cash management system to initiate ACH files for direct deposit. Typically, this employee receives a “spear phishing” email that contains an infected attachment or directs her to an infected website.

Once the email recipient opens the attachment or visits the website, malware is installed on her computer. The malware contains a key logger that harvests the company’s bank account login information. The thieves now have all the information they need to steal your company’s identity and to begin transferring money out of your bank accounts. Moreover, the bank probably won’t question the transfers, since they look legitimate.

Protecting the company’s bank accounts

The FBI notes that thieves have the upper hand in designing software to defeat your defenses. Even so, follow this time-tested, four-step protection plan:

Ads_Payroll Handbook M
  1. Verify your bank account balances and reconcile balances often.
  2. Use complicated passwords and change them often.
  3. Limit access to the computer from which ACH transactions are initiated.
  4. Install and update firewalls and anti-virus software on that computer.

You can also take these steps:

  • Allow only known software to be used on your computer.
  • Deny thieves any information about your company by not posting the company’s contact information and organizational chart on the company’s website.
  • Tell employees who work from home or other remote locations to take the same steps you take to protect their computers. (This is necessary because their remote computers could infect your organization’s internal computer systems.)
  • When accessing your bank’s website, don’t key information into pop-up boxes. Thieves paste popup boxes onto a bank’s website to steal information.
  • Avoid accessing web content by clicking on an email or instant message link.
  • Determine the steps your bank takes to protect customers from ACH fraud. Pay attention to the bank’s firewalls and its method for en­crypt­­ing transactions and authenticating user infor­­ma­­tion. Also check to see if the bank requires additional security information before authorizing a payment to a business that has never received a payment before.