<img height="1" width="1" src="https://www.facebook.com/tr?id=852282609072225&amp;ev=PageView%20&amp;noscript=1">

Cybersecurity update: ACH is the fastest-growing payment fraud

July 15, 2019
Jerry Brodnax
Jerry Brodnax

When the Association for Financial Professionals recently examined the cyber fraud landscape, they found that ACH debit and credit fraud was the only fraud scheme to see an increase in 2018. Some 33% of responding organizations said they had been the victims of actual or attempted fraud on ACH debits last year, up from 28% in 2017, and 20% reported being the targets of ACH credit fraud, up markedly from 13% the previous year.

ACH Payment Fraud


ACH usage is so common it was enough to drive the overall growth of attempted or actual payments fraud up to 82% from 78% in 2017.  Take a look at two of the newer fraud schemes targeting ACH payments:


  1. Bogus Invoice Payment

Phishing attacks through a vendor or supplier are becoming more common, which makes sense because the vendor-supplier relationship is a trusted one.  How does it work?  Attackers call or email a business that has a longstanding relationship with a supplier, pretending to be that supplier. The crooks trick the business into sending funds for a legitimate invoice to a new account controlled by them. If the business makes the payment, the fraud usually isn’t detected until the business is contacted by the actual supplier to request payment on the authentic – and now past due – invoice.


When the phishing attack begins with the vendor, the cyber thief sees all their files, allowing the crook to create a fake but official-looking invoice from a lookalike domain that the attacker controls. The attacker has full view of the vendor’s email account and sees that invoices are typically emailed. The crook emails a fake invoice with a new ACH payment address hoping the business will process it for payment.  If the business does so, the funds are likely to be lost.


  1. Payroll Diversion Change

Human Resource administrators are being duped into sending payroll funds to fraudsters’ accounts. The crook steals login credentials from executives or employees, then sends an email to HR requesting a change in direct deposit account information. If account information for the direct deposit is changed, the paycheck winds up in the scammer’s account.


Security research firm Agari says that payroll diversion scams are on the rise and are gaining traction as a result of social engineering. “Unlike traditional business email compromise (BEC) attacks, which are starting to raise red flags with financial institutions, payroll diversion attacks eliminate the interaction with banks because it is a direct deposit instead of a wire transfer,” said Crane Hassold, Agari’s Senior Director of Threat Research. Funds are being siphoned off in attacks that are tricking HR associates into sending funds to fraudulent accounts.


Protect your business with ACH Fraud Prevention Tools

You can reduce operational risk and protect yourself from unauthorized ACH transactions by monitoring your accounts, and by reconciling or at least reviewing your accounts daily.


Hancock Whitney has two services can help you protect against ACH Fraud:

  • ACH Positive Pay allows you to review each ACH debit and decide to accept or reject it.
  • ACH Block prevents all ACH transactions from posting to an account without your input.


Remember, ACH rules are different for businesses than consumers. As a business or institution, you do not have Regulation E protection that gives consumers 60 days to return an unauthorized ACH item. If you detect that an unauthorized ACH item has posted to your business account, you must report it within 24 hours.


Empower your staff with payment procedures

Often, the best way to minimize your exposure to risk is simply to use common sense. When dealing with special payment requests such as a change of address or bank account, it is best to confirm it first. Cybersecurity experts are now implementing a new standard for payments: Never Trust, Always Verify.  Visit our Cybersecurity Resource Library to review our whitepapers and download our checklists to fortify your defense against cyber criminals.


Cyberattacks target people in countless ways using an array of tools, tactics, and approaches. All of these are people-focused attacks that have one thing in common: they rely on identity deception.  It is important for your company to have policies that encourage verification and allow for questions.  Instead of managing for speed, as in ASAP, manage for security: “As Securely As Possible.” 


If you have any questions or concerns, we invite you to reach out to our Treasury Services Specialists for a Cybersecurity Review for your business. Contact us at 1-866-230-2304.




This information is provided for educational and informational purposes only. We provide links to external web sites for convenience. Hancock Whitney Bank does not endorse and is not responsible for their content, links, privacy or security policies.  




“The Latest AFP Fraud Study Unveils a Surprising Jump in Fraud on the ACH;” by John Stewart in Digital Transactions, April 10, 2019 

“Why Phishers Like B2B;” from PYMNTS website, posted on August 9, 2018

“Fraud Makes Headway Via Payroll Diversion;” By PYMNTS, Posted on January 25, 2019

“Study Sees BEC Scams Gaining Ground;” By PYMNTS, Posted on January 18, 2019

“Protecting People: A Quarterly Analysis Of Highly Targeted Cyber Attacks” | Winter 2019;” Proofpoint