In the wake of a surge in fraudulent Automated Clearing House (ACH) transfers, NACHA -- the Electronic Payments Association has released some tips for financial institutions and their customers to combat the problem.
In a recent bulletin, NACHA -- a nonprofit that oversees the ACH network -- described the problem of corporate account takeovers by cybercriminals stealing online banking credentials of small and midsize businesses. Last month, the FBI estimated the attempted losses from fraudulent ACH transfers at $100 million.
According to NACHA, one of the reasons criminals are targeting small and midsize organizations is that -- generally unlike individual banking consumers -- many of them have the ability to initiate ACH credits and wire transfers via online banking. This funds transfer capability is usually related to the company's origination of payroll payments; criminals who hijack the corporate account may add fake names to a payroll file.
NACHA offered five steps financial institutions can take to protect corporate accounts from being taken over and used for ACH fraud:
* Deploy multifactor and multichannel authentication.
* Require business customers to initiate payments under dual control, with distinct responsibility for transaction origination and authorization.
* Enable out-of-band confirmation of payment initiation for certain types of payments.
* Provide out-of-band alerts for unusual transaction activity.
* Establish and monitor exposure limits related to customers' banking activities.
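
An added example (not from NACHA or from the article) of how an institution's release check for a payroll file might combine three of the steps above: dual control, an exposure limit, and holding files that contain previously unseen payees until the customer confirms them out of band. The function name, user names, limit and account values are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

@dataclass(frozen=True)
class Credit:
    payee: str
    account: str      # constructed placeholder, not a real routing/account number
    amount: Decimal

@dataclass(frozen=True)
class Batch:
    originated_by: str
    approved_by: Optional[str]
    credits: tuple

def review_batch(batch, known_payees, exposure_limit, released_today=Decimal("0")):
    """Return (decision, reasons); decision is 'release', 'hold' or 'reject'."""
    reasons = []
    # Dual control: the approver must exist and differ from the originator.
    if not batch.approved_by or batch.approved_by == batch.originated_by:
        reasons.append("dual control: no independent approver")
    # Exposure limit: today's released total plus this batch must not exceed the cap.
    total = sum((c.amount for c in batch.credits), Decimal("0"))
    if released_today + total > exposure_limit:
        reasons.append(f"exposure: {released_today + total} exceeds limit {exposure_limit}")
    if reasons:
        return "reject", reasons
    # Unusual activity: payee/account pairs absent from earlier payroll files
    # are held until the customer confirms them out of band.
    for c in batch.credits:
        if (c.payee, c.account) not in known_payees:
            reasons.append(f"new payee: {c.payee} ({c.amount})")
    return ("hold" if reasons else "release"), reasons

# Constructed sample data.
KNOWN = {("A. Rivera", "ACCT-0001"), ("B. Chen", "ACCT-0002")}
LIMIT = Decimal("20000")
USUAL = (Credit("A. Rivera", "ACCT-0001", Decimal("3200.00")),
         Credit("B. Chen", "ACCT-0002", Decimal("2950.00")))
ADDED = Credit("J. Doe", "ACCT-9999", Decimal("9400.00"))

if __name__ == "__main__":
    for b in (Batch("clerk", "controller", USUAL),
              Batch("clerk", "controller", USUAL + (ADDED,)),
              Batch("clerk", "clerk", USUAL + (ADDED,))):
        print(review_batch(b, KNOWN, LIMIT))
```
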
Financial institutions should also weigh fraud detection and risk management services offered by their ACH operators, NACHA advised.
Meanwhile, business customers should make sure security software is updated, initiate ACH and wire transfer payments under dual control, monitor and reconcile accounts on a daily basis, and use alerts about unusual transaction activity, the organization said. Workstations used for online banking shouldn't be used for general Web browsing, and businesses should consider using a dedicated computer for online banking.
Rayleen Pirnie, an investigations specialist and senior manager of fraud and risk at EPCOR, a nonprofit that provides payments system education and support to banks and other organizations, said the attacks on corporate accounts began in September 2008.
Criminals have recently added a new layer of complexity to the attacks by attacking two businesses and initiating ACH debits to pull money from one to the other, Pirnie said. For example, a recent case involved criminals using stolen credentials from a small veterinary office in Ohio to initiate a debit against a large corporation in New Jersey, she said. Instead of initiating fraudulent payroll credits, criminals are exploiting a function of the ACH network that allows a company to debit another company for which it has account and routing numbers.
"What I'm hearing from different sources is that's becoming more common," Pirnie said.
The Washington Post recently reported a case in which thieves tried to steal $1.3 million from a large property management firm by initiating debits against it with credentials stolen from a painting company.
ACH systems are all different and provide various capabilities that businesses can use to thwart this kind of fraud, including debit alerts and a white list of acceptable organizations authorized to debit a company's account, Pirnie said. She advises businesses to talk with their financial institutions to find out what's available.
BC Krishna, founder and CEO of Memento, a Burlington, Mass.-based provider of antifraud technology to the financial industry, said ACH fraud is increasing as use of the ACH network is exploding.
"It used to be that ACH was a very closed, relatively obscure payment mechanism that a small club of people used," he said. "Because of all these people participating in electronic funds transfers now, we're seeing more exposure."