The Automated Clearing House Network is used by financial institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals. The network handles millions of financial transactions in the United States every day. You couldn’t have direct deposit or online banking without ACH.
ACH is becoming increasingly popular as a way for hackers to steal money from the bank accounts of unsuspecting victims. The new cyber-crime, labeled ACH fraud, bears a remarkable resemblance to good old-fashioned check fraud. According to the FBI, this fraud is growing, with new cases and victims almost daily.
A new form of identity theft
ACH fraud targets valid online banking credentials. The scam usually begins when a company employee accesses a bank’s online cash management system to activate ACH files for direct deposit. Typically, the employee has received a “spear phishing” email that contains an infected attachment or directs the employee to an infected website.
When the unsuspecting employee opens the attachment or visits the website, malware is installed that contains a key-logging application, which harvests the company’s bank account login information. With those credentials, thieves simply begin transferring money out of the company’s bank accounts. Unfortunately, the bank probably won’t detect a problem since the transactions appear legitimate.
Protect your company’s accounts
The FBI acknowledges that thieves have the upper hand in designing software to defeat your defenses, but you can prevent much damage by instituting this time-tested four-step protection plan:
1. Reconcile and verify your bank accounts and balances often.
2. Use complicated passwords and change them often.
3. Install/update firewalls and antivirus software on company computers.
4. Designate one or two computers that will perform ACH transactions and allow access to only selected employees.
Other steps you may take
• Do not allow unauthorized software to be used on your computers.
• Instruct employees working from home or other remote locations to also protect their computers. This is vital because their remote computers could infect your organization’s internal computer systems.
• Limit thieves’ access to your company information by not posting the company’s contact information or organizational chart on the company website.
• Instruct employees to not access web content by clicking on an email or instant message link.
• If you are accessing your bank’s website, don’t type information into pop-up boxes. Thieves utilize pop-up boxes to steal information.
• Discuss with your bank the steps they take to protect customers from ACH fraud. Pay particular attention to how the bank authenticates user information and the method used for encrypting transactions. Determine if the bank requires additional security information before authorizing a payment to a business that has never received a payment before.
• Put in place dual controls – one user ID and password to approve a wire transfer, and another user ID and password to release the same transfer.
According to Bloomberg Business, cyber criminals steal as much as $1 billion a year through ACH fraud. There is no quicker way for your accounts to be drained by scammers, so take the necessary precautions to protect your company.
Cheryl Parson is president of the Better Business Bureau serving West Central Ohio. The BBB may be found on the Internet at www.lima.bbb.org.