The ACH network facilitates a number of payment types, each with its own risks and dedicated detection methods, resulting in the need to process and monitor both incoming and outgoing NACHA files. One of the key risks to consider when processing outgoing ACH payments, and one that causes serious loss to bank customers, is account takeover. Criminals use schemes like phishing, theft of credentials, malware, and social engineering to gain access to the systems of a bank’s business customer, ultimately leading to account takeover to initiate unauthorized ACH transactions.
A less intrusive, but increasingly common scheme in COVID times is executive impersonation fraud, or “CEO fraud,” where a fraudster sends a fake email to an employee who has access to the company bank account. The email appears to come from an executive or key business relation requesting an urgent funds transfer. While financial institutions take measures to protect their payment systems and networks, it is much harder to prevent and detect account takeover on the customer side.
IT security and awareness vary from customer to customer, and a weak link is easily found by a determined attacker. Strong authentication procedures and detection systems monitoring location, session, and device information form an important first layer of defense against account takeover, but they are not sufficient. A fraudulent transaction may be initiated from a malware-controlled system of the actual customer, or properly authenticated by a misguided employee.
Automated fraud solutions can employ several methods on each outgoing ACH transfer to protect the customer and the institution against account takeover:
- Verify whether the account should be allowed to initiate an ACH transaction, make an international (IAT) transfer, or have debits or credits posted on it through ACH at all.
- Apply outlier models to flag payments that are out of pattern for this account or customer, and check for known suspicious patterns like an initial penny transfer to test access and bank controls.
- Score outgoing payments based on the receiving account’s reputation: does this account have a history of doing business with the counterparty account, have other accounts in the bank had transfers to or from that counterparty account, and were any of those payments disputed, not paid, or reported as fraudulent?
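The three checks above can be combined into a single screening pass over each outgoing payment. The following Python is an added illustration written for this page; it is not code from the original article or from any vendor's fraud solution. The `Account` and `Payment` records, the entitlement fields, the bank-wide `COUNTERPARTY_HISTORY` table, the z-score threshold, the $1.00 penny-test ceiling and the flag weights are all constructed assumptions chosen to make the example self-contained.

```python
"""Rule-based screening of outgoing ACH payments (constructed example, not vendor code)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Account:
    """Originating customer account and its ACH entitlements (assumed fields)."""
    number: str
    ach_enabled: bool = True        # may the account use ACH at all?
    iat_allowed: bool = False       # may it originate international (IAT) entries?
    debits_allowed: bool = True
    credits_allowed: bool = True
    amount_history: list = field(default_factory=list)  # prior outgoing amounts
    counterparties: set = field(default_factory=set)    # receivers paid before


@dataclass
class Payment:
    originator: str
    receiver: str
    amount: float
    kind: str                     # "credit" (push) or "debit" (pull)
    international: bool = False   # would be an IAT entry in the NACHA file


# What other customers of the same bank have experienced with each receiving
# account. Constructed sample data standing in for the bank's own records.
COUNTERPARTY_HISTORY = {
    "RCV-GOOD": {"paid": 40, "disputed": 0, "returned": 0, "fraud": 0},
    "RCV-BAD":  {"paid": 3,  "disputed": 2, "returned": 1, "fraud": 1},
}

# Assumed weights: hard entitlement violations outweigh soft behavioural signals.
WEIGHTS = {
    "ach_not_permitted": 5, "iat_not_permitted": 4,
    "debit_not_permitted": 4, "credit_not_permitted": 4,
    "counterparty_adverse_history": 3, "penny_test_pattern": 3,
    "amount_outlier": 2, "unknown_counterparty": 1,
}
HOLD_THRESHOLD = 5  # assumed: at or above this score the payment is held for review


def permission_flags(acct: Account, pmt: Payment) -> list:
    """Check 1: is this account entitled to send this kind of ACH entry?"""
    flags = []
    if not acct.ach_enabled:
        flags.append("ach_not_permitted")
    if pmt.international and not acct.iat_allowed:
        flags.append("iat_not_permitted")
    if pmt.kind == "debit" and not acct.debits_allowed:
        flags.append("debit_not_permitted")
    if pmt.kind == "credit" and not acct.credits_allowed:
        flags.append("credit_not_permitted")
    return flags


def is_outlier(acct: Account, pmt: Payment, z_limit: float = 3.0, min_history: int = 5) -> bool:
    """Check 2a: z-score of the amount against the account's own history."""
    hist = acct.amount_history
    if len(hist) < min_history:
        return False  # too little history to call anything out of pattern
    sd = pstdev(hist)
    if sd == 0:
        return pmt.amount != hist[0]
    return abs(pmt.amount - mean(hist)) / sd > z_limit


def is_penny_test(acct: Account, pmt: Payment, ceiling: float = 1.00) -> bool:
    """Check 2b: tiny payment to a never-seen receiver, the classic access/controls probe."""
    return pmt.amount <= ceiling and pmt.receiver not in acct.counterparties


def reputation_flags(acct: Account, pmt: Payment) -> list:
    """Check 3: receiver reputation from this customer's and the bank's history."""
    if pmt.receiver in acct.counterparties:
        return []  # established relationship for this customer
    hist = COUNTERPARTY_HISTORY.get(pmt.receiver)
    if hist is None:
        return ["unknown_counterparty"]
    if hist["fraud"] or hist["disputed"] or hist["returned"]:
        return ["counterparty_adverse_history"]
    return []


def score_payment(acct: Account, pmt: Payment) -> dict:
    """Run all checks and decide whether the entry may go into the outgoing file."""
    flags = permission_flags(acct, pmt) + reputation_flags(acct, pmt)
    if is_outlier(acct, pmt):
        flags.append("amount_outlier")
    if is_penny_test(acct, pmt):
        flags.append("penny_test_pattern")
    score = sum(WEIGHTS.get(f, 1) for f in flags)
    return {"flags": flags, "score": score, "hold": score >= HOLD_THRESHOLD}


# Constructed sample customer: steady ~$1,000 payroll-style credits to one known receiver.
SAMPLE_ACCOUNT = Account(
    "ACC-1",
    amount_history=[1000, 1100, 950, 1050, 1000, 980],
    counterparties={"RCV-GOOD"},
)

if __name__ == "__main__":
    for p in (
        Payment("ACC-1", "RCV-GOOD", 1050.00, "credit"),
        Payment("ACC-1", "RCV-BAD", 100000.00, "credit", international=True),
        Payment("ACC-1", "RCV-NEW", 0.01, "credit"),
    ):
        print(p.receiver, p.amount, score_payment(SAMPLE_ACCOUNT, p))
```

The usual payment passes with no flags, the large international transfer to a receiver with a dispute history is held on three independent signals, and the one-cent probe to a new receiver is held even though no entitlement was violated. In practice the history and reputation tables would be fed from the institution's own posted and returned entries rather than the constructed dictionaries used here.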