How do you pay your bills electronically?
Do you direct your bills to be paid from your bank to the vendor?
Or do you log in to your vendor’s website—local utilities, Discover card, etc.—and put in your bank account information to pay your bill?
Pretty typical, right? I pay my bills both ways.
Now, think like a fraud perpetrator. A fraudster needs just two pieces of information to pull off an Automated Clearing House (ACH) fraud: the bank account and routing number. The perpetrator then simply pays a bill via Internet or phone to the unsuspecting individual or organization’s bank account. A fraudster can gain the bank account and routing number from phishing-type schemes, or it could be an inside job.
We have investigated fraud schemes in which someone in a trusted position, i.e., a controller, VP of finance or CFO, decides to have the company pay his or her personal bills. This type of fraud typically starts with small amounts, which may go undetected. Here are a few factors contributing to the success of this fraud:
- Lack of segregation of duties – There may be only a few individuals with access to the bank statement or enough accounting knowledge to understand what they are looking at.
- Ability to make unchecked journal entries – Typically, they will use a dumping ground account, i.e., supplies or maintenance, to account for cash use in the accounting records.
- Lack of routine online account review by management – While we recommend this daily, many management “trust” their colleagues or are too busy. (We’ve heard it all.)
Below are some easy steps organizations can take to protect against ACH frauds, both from the phishing scam and the inside job.
- ACH Block – This service automatically returns all ACH debits or credits directed at the bank account; legitimate or not, no one can ACH amounts from the account.
- ACH Filter – This service automatically returns all ACH items that are not preauthorized. If you know your organization wants to allow specific ACHs for Home Depot or Staples, for example, those are allowed. A maximum dollar amount, exact dollar amounts and maximum number of occurrences filters also can be applied.
Although a fraud could be perpetrated just like I pay my bills, it’s good to know there’s a way to protect your organization’s funds from ACH fraud—if you proactively protect them.