ACH Fraud: What You Don’t Know Could Cost You

June 3, 2025

In this episode of The Herbein Conversation's Fraud Fighters series, host Debbi Fetter, Partner and Managing Director of Herbein’s Risk Management practice, is joined by Michelle Sowers, Senior Manager with Herbein’s On Demand Accounting and Advisory Services team. Together, they dive into real-world examples of ACH fraud, explore why businesses are especially vulnerable, and offer actionable tips to help you detect and prevent fraudulent transactions. Learn how to safeguard your business with daily monitoring, verification protocols, employee education, and more.

Debbi S. Fetter: Hello everyone and welcome to another episode of the Herbein Conversation Podcast where we dive into some of the most pressing issues in the modern workplace.

I'm Debbi Fetter, Partner and Managing Director of our firm's Risk Management practice and host of Herbein’s Fraud Fighters podcast series, your go-to podcast for the latest in fraud and cybersecurity tips and trends.

Today we're tackling ACH fraud, a growing threat that's costing businesses millions each year.

Joining me is Michelle Sowers, a Senior Consultant in our On Demand Accounting and Advisory Services practice.

Michelle works closely with clients who rely on ACH payments for their business transactions, and she's seen firsthand how fraud can impact organizations. Michelle, thanks for being here.

Michelle L. Sowers: Thanks Debbi. I'm excited to dive into this topic because ACH fraud is something we see more and more, and unfortunately, a lot of businesses don't realize they've been targeted until it's too late.

Debbi S. Fetter: Excellent. Before we dive into ACH fraud, would you give our listeners a brief overview of what our On Demand Accounting and Advisory Services team does and how you can assist our clients?

Michelle L. Sowers: Sure. Our team provides services from transactional to strategic.

We work with companies to make sure that our services are customized to what each client needs. It can range from assistance with your monthly bookkeeping, controller services to assist with things such as financial reporting, and even CFO services to help with more complex items such as budget or forecasting.

There is so much that we can do to assist companies and their accounting teams, and sometimes we are the entire accounting team. Again, we like to customize our services to what a business needs and wants.

Debbi S. Fetter: Thank you for that. So, you truly act as CFO or controllers in an outsourced capacity?

You are not solely just bookkeepers.

Now on to the topic at hand which is ACH fraud and how we can help our audience mitigate it. On this episode, we're turning the tables and having you ask me real life fraud scenarios from clients or colleagues who found themselves victims of this type of fraud. With that, fire away.

Michelle L. Sowers: Recently, a business received what looked like a routine e-mail from a vendor requesting an ACH payment. The request even came from the vendor's correct e-mail address, but after processing the payment, the client found out that the bank details had been changed and the money was gone without any monies being paid to the client's vendor. How does something like that happen?
 
Debbi S. Fetter: This is a classic case of business e-mail compromise or BEC. Hackers gain access to a vendor's e-mail account, monitor communication, and then send fraudulent payment instructions, often at just the right time. Since the e-mail appears legitimate, businesses don't think twice before updating banking details. Unfortunately, once the funds are transferred, they're incredibly difficult to recover. So always confirm changed payment or address change details with your contact at the vendor. One quick phone call to validate can save money and headaches down the road.

I'd also encourage our listeners to visit our Fraud Fighters archives and listen to our episodes dedicated to business e-mail compromise and accounts payable fraud for more fraud fighting tips.

Michelle L. Sowers: That's concerning, especially since businesses rely on ACH payments for efficiency.

We actually had another business client that had fraudulent ACH hit their payroll account. Their bank temporarily gave them the funds back, but said that if the bank cannot get the money returned, they will deduct it again from the client's account.

They said that the client only had 24 hours to report it. This was a case that was only discovered when their controller did the checking account reconciliation at the end of the month. It was something like 45 or 60 days that had passed from the posting of the transaction. Are there rules regarding fraudulent transactions with a bank account to make sure business is reimbursed for the fraudulent charges?

Debbi S. Fetter: Yes, that's a tricky question and can vary from bank to bank, really depending upon their own internal policies and practices. Several factors play into who bears the loss, and for how much that loss is, is dependent upon the type of account. Is it a business account versus a personal account? There are different rules that govern those types of accounts. For instance, Regulation E, NACHA, the Uniform Commercial Code, or a variation and a hybrid of all of them. But here are some general rules:

For reporting timeframes, businesses typically have a shorter window to report fraudulent ACH transactions compared to personal accounts. Personal accounts are protected under Regulation E and have up to 60 days to report unauthorized transactions with very distinct crediting and reimbursement criteria. Many banks require businesses to report unauthorized transactions within 24 hours. If the fraud is reported promptly, the bank may be able to reverse the transaction or prevent further unauthorized transfers.

The next item to consider are their bank policies. The bank's policy to temporarily credit the business account while investigating the fraud is standard. If the bank cannot recover the funds, they may reverse the credit. This is why timely reporting is crucial. If the fraud is not reported within the specified timeframe, the business may be held liable for the losses. Unlike personal accounts, where reported timely within those 60 days an individual could bear no loss for the fraudulent transaction per Regulation E, business accounts are governed under the Uniform Commercial Code. This code provides less protection and more liability for businesses, and the business may be on the hook for the entire amount.

And then finally, the NACHA rules. NACHA, or the payment network that governs ACH transactions, emphasize fraud detection prevention, but do not mandate reimbursement for fraudulent business transactions. That's why it's a case-by-case basis dependent on your bank's policies and procedures.

Michelle L. Sowers: What steps should a business take to protect their funds or at least minimize their losses?

Debbi S. Fetter: Sure. Foremost, time is of the essence. Monitor your accounts daily. Establish a routine to view your bank account transactions via online banking daily. A quick scan by the business should quickly flag a fraudulent transaction. Set up online banking alerts for deposits or withdrawal transactions of a certain dollar amount. Most every bank offers these services for free. And use other bank services. Many offer ACH positive pay. And lastly, educate your employees - vigilance is critical.

Michelle L. Sowers: That's great information. Do you have any closing thoughts or advice for businesses looking to tighten their ACH fraud defenses?

Debbi S. Fetter: I always have advice. ACH fraud isn't going away anytime soon, but businesses that stay informed, train their teams and implement strong and timely controls are in the best position to prevent it, or at least keep it at bay. If something feels suspicious, trust your instincts and verify before processing payments.

My top five controls?

  • Number one: monitor your accounts and account transactions timely. Set up those real-time alerts for balance changes via your bank's online banking system. Log onto your online banking account daily and look for suspicious activity. Use your bank's products and services like ACH positive pay to assist in identifying fraudulent transactions.
  • Number two: Add an extra layer of security through MFA to significantly reduce the risk of unauthorized access to ACH transactions. This requires users to provide two or more verification factors to gain access, making it harder for fraudsters to compromise accounts.
  • Number three: Regular account reconciliation. It seems simple, but many either don't perform a reconciliation or the person performing it is not independent of completing the transactions and could actually be perpetrating the fraud themselves at the business.
  • Number four: Verify ACH information changes. Always verify any requests for changes to ACH information by calling a trusted number on file. This helps ensure that the request is legitimate, and not part of a phishing scam designed to steal funds.
  • Last, but not least, educate your employees and establish protocols. Educate employees about the risks of ACH fraud. Establish clear protocols and procedures for handling ACH transactions. Training staff to recognize phishing emails, fraudulent requests and other common scams can help prevent fraud before it occurs.

And with that, we come to the end of today's episode. Michelle, thank you again for sharing your insights and asking those questions on behalf of our clients. Good information for our fraud toolboxes.

Michelle L. Sowers: Thanks for having me, Debbi. It's been a pleasure, and I've learned a lot.

Debbi S. Fetter: And thank you to our listeners. We hope we've given you some beneficial tools for your fraud toolboxes. Should you need assistance establishing or implementing controls, fine tuning your ACH processing procedures, or just want to talk through some of your fraud concerns, reach out to our Herbein Risk Management team or On Demand Accounting and Advisory Services team.

If you enjoyed this episode, I'd like to encourage our audience to listen to our Fraud Fighters series on the Herbein Conversation podcast, which is available on our website - herbein.com - Spotify, or Apple Podcasts.

Stay tuned for future topics and remember, keep up the fight and see you next time, fraud fighters!