Industry experts say ACH fraud is on the rise and the trend is catching banks off guard.
The Automated Clearing House (ACH) network has traditionally been considered low risk, but as it's become more widely used, criminals are targeting it more, experts said. ACH payments include direct payroll deposits, business-to-business payments and direct payment of consumer utility bills. According to the NACHA, the electronic payments association that oversees the ACH network, there were more than 18.2 billion ACH payments last year, up 1.2 million from 2007.
"It seems to be the favorite fraud target in the last few months," said Avivah Litan, vice president and distinguished analyst at Gartner Inc. "It's a big issue and there's not a lot of protection against ACH and wire fraud. Most banks counted on strong user authentication. They figure if they have a one-time password token, that it would be enough. It's not enough."
Paul Henninger, director of fraud solutions at transactional risk management software firm Actimize Inc., estimates that the company has seen about a 25% to 30% increase in attempted ACH fraud over the past year, and the rise has prompted a significant number of financial institutions to investigate more sophisticated transaction monitoring systems.
"The increase in ACH fraud is largely due to the fact that it's a more accessible payments product for retail customers, who have historically been more vulnerable to fraud due to Trojans, phishing, etc.," he said.
The ACH channel hasn't gotten as much scrutiny from banks as other channels when it comes to fraud, while the risk has increased with more checks being converted to ACH transactions, said Nick Holland, a senior analyst at Aite Group LLC, a Boston-based research and advisory firm. Plus, with big institutions using ACH to transfer funds, the damage from ACH fraud can be significant, he said, and criminals haven't missed a beat.
"The fraudsters, as always, have the upper hand," he said. "They know where the vulnerabilities are."
Originally, ACH transactions were between known parties and were preauthorized by the account holder, said Mike Urban, senior director of fraud solutions at risk analytics provider FICO. Several new types of on-demand and check conversion transactions have changed that, which has increased the risk. "Receiving financial institutions now find out about an ACH transaction as it happens, rather than before it happens," he said.
ACH fraud schemes run the gamut, experts said. One type of ACH fraud involves a criminal compromising a commercial customer's online credentials, generating an ACH file in the originator's name, and quickly withdrawing money before the true originator uncovers the fraud, said Mike Mulholand, director of fraud solution strategy at enterprise fraud management company Memento Inc. On the retail side, a fraudster steals a customer's online credentials and if the victim has automated bill pay, can add himself as a bill pay recipient.
Other schemes involve company or bank insiders modifying ACH files to steal money and fraudsters making micro deposits to multiple accounts to verify valid ones, he said.
Gartner's Litan said ACH fraudsters have become more targeted in their approach and are taking the time to identify cash managers at businesses in specific geographical areas. "Now they know who the corporate cash managers are and which banks they're likely to do business with," she said. "A couple years ago it wasn't that sophisticated."
Criminals also exploit ACH for kiting schemes, similar to check kiting, Urban said. They "leverage ACH's short window on fund movement and availability ... to transact increasing dollar value ACH transactions to boost accounts and cover other accounts across financial institutions," he said. They then siphon the funds through other channels such as an ATM.
Mulholand predicts ACH fraud will inevitably grow. For the most part, both retail and commercial customers access ACH transactions through online banking, he explained. "The nexus between online banking and ACH fraud will grow stronger as more people move away from writing checks and into a true electronic payment system. Online banking will be the gateway to that electronic payment system and fraudsters will move there also."
The riskiest ACH transactions are those between two parties that don't necessarily know each other performing one-time transactions, he added, noting that's a low but growing percentage of transactions right now.
Financial institutions are very concerned about the potential for increased ACH fraud, according to survey by Aite Group of 23 North American banks and credit unions last fall. Eighty-six percent said ACH fraud will be an important or extremely important concern by 2011.
To tackle increasing ACH fraud, Aite Group's Holland said banks need to take a holistic approach to fraud management. "They need to keep up to speed with the way the criminal element is looking for loopholes and the points of least resistance," he said.
Gartner advises institutions to take a three-pronged approach: strong authentication via a token or other mechanism, fraud detection and verification of suspicious transactions through another channel.
"If you use those three together, you can really stop most of the fraud," Litan said. "But right now most banks are not prepared for this."