In just three days, my bank account was completely drained due to ACH fraud.

ACH Fraud: My Experience and What You Need to Know

This blog has moved to a new location. You can now find it at: https://blog.steveendow.com/

I won’t be posting new content on Dynamics GP Land anymore. For all the latest updates, head over to https://blog.steveendow.com

Thank you!

By Steve Endow

NOTE: For those unfamiliar with US banking, ACH stands for Automated Clearing House. It’s basically a system for electronic payments within the US, used for things like direct deposit, vendor payments, and bill pay. While considered “electronic banking” here, it might seem outdated and insecure to others around the world.

Update: Mark Polino, in his blog post, mentioned potential solutions similar to Safe Pay or Positive Pay to combat ACH fraud. However, my experience with Bank of America Small Business accounts suggests otherwise. I was explicitly told by two Bank of America representatives that such services are unavailable for my account type and that there’s no way to prevent this kind of fraud. They couldn’t even block all ACH withdrawals, only those from specific merchant IDs, which wouldn’t have helped in my situation. Their only solution? Close the compromised account and open a new one.

The whole ordeal was incredibly frustrating.

Update 2: Digging into Bank of America’s website, I found a “Full Analysis Business Checking” account that might offer relevant ACH fraud prevention tools. This account type, with its high transaction volume and balance requirements (potentially over $60,000), mentions “ACH blocks/authorizations” and Positive Pay.

Based on this PDF form, it seems like these “ACH blocks/authorizations” let you create a “whitelist” of trusted ACH company IDs and block others. You can even block all ACH transactions for an account, something I was previously told was impossible.

While this might work for businesses with regular, predictable ACH transactions, it’s unclear how feasible this is for companies handling numerous one-time or customer-initiated ACH payments. It also requires knowing every customer’s ACH company ID beforehand.

Furthermore, there’s no information on managing these IDs online or how often you need to update that form. Since my current business doesn’t require maintaining such a high account balance, these features remain inaccessible.

The whole situation begs the question: why can’t banks implement a system where we approve individual ACH transactions before they go through? Why not have an online banking feature for reviewing and approving pending transactions? It’s not complicated technology. The US banking system seems severely behind if it can’t accommodate such a workflow.

Update 3: When requesting statements for my closed account, I brought up ACH fraud prevention with the bank representative again. He mentioned a “Fraud Hold” that places the account balance at -$888,888.88 as a flag for Bank of America. This was the first time I heard of this option despite multiple inquiries.

Unfortunately, neither this representative nor the Small Business sales rep I spoke to afterwards provided any additional solutions. The sales rep, completely unaware of real-world ACH fraud cases, was shocked by my experience and the lack of preventive measures.

I inquired about the “Full Analysis Business Checking” but they had no knowledge of it, as it’s apparently managed by a separate, unreachable Treasury Management group. I had to request a call back from this elusive department as a potential sales lead. The saga continues…

It all started with a seemingly normal email alert from my bank on a Friday morning:

“Hi Steve, an electronic withdrawal was made above your chosen alert limit:

Amount: $719.60

Type: ELEC DRAFT (ACH)

Account: Business Account ********1234

Merchant: CHASE CREDIT CRD EPAY

Transaction date: September 07, 2018”

Something felt off. I don’t use ACH payments for my credit card, especially not from that particular business account. It was a sinking feeling, the one I’d dreaded for years, finally becoming a reality.

By Wednesday, my business account was wiped clean by fraudulent ACH withdrawals.

I immediately called my bank upon realizing what was happening on Friday. After an hour-long wait, a helpful representative confirmed my suspicions: ACH fraud.

This article sums up the situation well: https://www.csoonline.com/article/2125833/cyber-attacks-espionage/malware-cybercrime-ach-fraud-why-criminals-love-this-con.html

Here’s the thing: if you’ve ever used your bank accounts for ACH transactions, wire transfers, or even written a check, you’re vulnerable. Sharing your account and routing numbers, while necessary, inherently exposes you to risk.

Thankfully, I’d anticipated this and set up a dedicated business account for such transactions, keeping its balance relatively low and transferring funds to a separate savings account. While mentally prepared for ACH fraud, actually experiencing it was stressful nonetheless.

Here’s what I learned: banks handle fraud much differently than credit card companies.

Credit card companies proactively monitor for suspicious activity and contact you immediately if they detect anything. They promptly shut down compromised accounts, credit you for fraudulent transactions, and issue a new card swiftly. Their customer service in these situations is usually excellent.

My bank, however, showed little concern for ACH fraud. There’s no online system for flagging fraudulent transactions. Instead, you’re required to download a PDF form, fill it out, sign it, and fax it. You read that right – fax is the only way to submit the fraud claim. No online submissions, no email, no regular mail. Clearly, they prioritize combating ACH fraud.

To make matters worse, the form lacked any contact information for the ACH fraud department, leaving me unable to confirm receipt or check on its status.

I found a free online fax service and sent the form, naively hoping for the best.

By Monday morning, a second fraudulent transaction appeared, confirming that my account was indeed targeted. I scheduled a meeting at my bank that afternoon.

The representative wasn’t surprised at all. According to him, this happens frequently, and there’s nothing anyone can do to prevent it. I spent the next hour setting up a new business checking account.

Problem solved, right? Not quite.

The ACH fraud claim form requires transaction IDs, and apparently, the bank won’t process claims for pending transactions. Since the second fraudulent transaction was still pending, the bank employee advised me to keep the account open until it cleared.

Bad advice.

Tuesday morning brought another fraudulent transaction. I filled out a second ACH claim form, this time with the transaction ID from Monday’s fraudulent activity, and scheduled another meeting at the bank.

During this second visit, the representative acknowledged that not closing the account was a mistake. We agreed to close it, but I had to deposit funds to cover the overdraft from the most recent fraudulent transaction. Apparently, closing an account with a negative balance is impossible.

Finally, the account was closed.

Or so I thought.

Here’s where it gets truly absurd: if any of the fraudulent transactions get rejected, the funds held by the bank would be deposited back into my closed account, automatically reopening it. I stared at the bank employee in disbelief as he explained this, laughing at the absurdity of it all. He, desensitized to these procedures, couldn’t comprehend my reaction.

Adding insult to injury, once the account closed, I lost access to online banking and wouldn’t be able to see the details of the most recent fraudulent transaction needed for the third ACH claim form. This meant yet another trip to the bank to have an employee retrieve the transaction information and fill out the form for me.

Thankfully, all fraudulent transactions eventually cleared, and my account remained closed. After a final visit to the bank, all three ACH fraud claim forms were submitted. The bank employee, contacting the elusive ACH fraud department, confirmed receipt of all three claims.

He emailed me with an update, informing me that ACH fraud claims typically take 10 days to process from the date of receipt, information conveniently absent from the claim form itself.

To summarize my ordeal:

  1. Preventing ACH fraud seems impossible: Based on my experience, the only way to truly prevent it is by never sharing your bank account number, which is unrealistic. Once it happens, your only option is to close the account. Some banks might offer ACH fraud prevention services, but mine didn’t.
  2. Financial repercussions are swift: By the time you detect, report, and close the account, it might be completely drained. You might even have to deposit funds to cover overdrafts and potentially face overdraft fees.
  3. Account closure is just the beginning: You’ll need to set up a new account and transfer all your automated payments and ACH transactions.
  4. Getting your money back takes time: It can take at least 10 days to receive your funds from the bank after they process your claim.

While this might vary depending on the bank, this was my experience with one of the largest banks in the US.

Steve Endow is a Microsoft MVP in Los Angeles.  He is the owner of Precipio Services, which provides Dynamics GP integrations, customizations, and automation solutions.

You can also find him on Twitter, YouTube, and Google+

http://www.precipioservices.com

Licensed under CC BY-NC-SA 4.0