When it comes to ACH Fraud, the fraudster sends what looks like a legitimate email from an employee or from a vendor, requesting a change to their ACH or Direct Deposit bank account. As a professional bookkeeper, Jody Linick personally knows of three businesses that have been hit by this fraud since January.
ACH fraud has unfortunately become increasingly popular, so what can bookkeepers do about it? Here’s how it goes down and some best practices to prevent it.
Payroll ACH Fraud
The fraudster sends an email that looks legit, with a credible signature block in the email, requesting that their ACH information be changed. This kind of fraud is called “Spoofing.”
One client of mine was the victim of this fraud in December/January. The email arrived the last week of December, between Christmas and New Year, when many businesses are barely open.
The bookkeeper emailed the employee back, requesting a completed ACH Change form. The “employee” returned the form, but it was unsigned, so the bookkeeper replied again that a signed form was required.
The fraudster sent the ACH form again, with an image of a voided check and an e-signature. The bookkeeper changed the banking info in the payroll system. Later, at the end of January, the actual employee contacted the bookkeeper to inquire why they had not been paid all month, and the fraud unraveled. In the end, two payrolls were stolen, totaling $3,600 in gross wages.
Upon reflection, the bookkeeper and business owner determined that the fraudster got the employee’s name and title from LinkedIn, created a real-looking signature block, then randomly sent emails to the business’s domain, testing bookkeeper@, accounting@, and probably more similar emails until they got a hit. This particular company uses accounting@[companyname].com, so the spoofed email got through to a real person.
Vendor ACH Fraud
A colleague, who is the full-time employee bookkeeper for a manufacturing company, told me that just this month she received an email from a Vendor asking that the bill pay ACH info be changed, and an attached bill be paid using the new ACH info.
The bookkeeper thought the request was odd, but the email and bill looked legit, so she made the requested changes. In the end, $20,000 was stolen, but working with the banks some of the money has been partially recovered.
Best Practices
The clear trend here is a request to change ACH info arrives in a legit-looking email. The Best Practice is easy and simple: pick up the phone and call the employee, or a known person at the Vendor’s phone number, to confirm whether or not the ACH request is legitimate.
Do not send an email to say you will be calling – just call. Make this a written policy, and be sure the simple internal control of making a verification phone call is followed each and every time.
To Report or Not Report
If the fraudster succeeds in fooling you, or your client, you have to decide whether or not to contact the police or the FBI. There are many factors to consider, including the time it will take, the amount stolen, and whether or not the banks involved are assisting in recovery.
In the case of the payroll fraud noted above, after contacting both the sending and recipient bank, and enduring long hold times, delays, and little concrete action, the client decided to drop it and write the relatively small $3,600 amount off as a fraud. The late reporting of the fraud by the employee was a factor.
In the case of vendor fraud, the company contacted the banks involved and filed a police report right away. As a result, so far at least half of the funds have been recovered.
To report spoofing or phishing attempts, or to report that your client has been a victim of email and internet fraud, you can file a complaint with the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/. While there is no guarantee the funds will be recovered, at least the FBI can start tracking the scam artists in their database.
Conclusion
ACH fraud is on the rise, and easy to prevent with one simple phone call. Be sure to alert your staff to these new scams, and publish and implement the new best practice policy of calling the requestor to confirm the request for change is legitimate.