By Steve Endow
NOTE: For readers outside the US, ACH stands for Automated Clearing House, which is an electronic payment system we use to deposit and withdraw funds from bank accounts. Employers often use ACH to electronically deposit pay checks into employee bank accounts, and companies often use ACH to pay their vendors electronically. Consumers often use ACH to pay their bills--if you want to automatically pay your cable TV or cell phone bill, you send the merchant your bank account information, and they automatically withdraw the funds each month from your bank account. In the US, it's a modern form of "electronic" banking. But for the rest of the world, I suspect it's an archaic, horribly designed system that has zero security.
I checked my email on Friday morning and saw a pretty standard email alert from my bank.
Hmmm, that's odd.
I don't pay my credit card using ACH. And I definitely don't pay my credit card from that particular business bank account.
I thought to myself: It's finally happening. I've been waiting for it to happen for years, and now it is actually happening.
By Wednesday morning, my bank account was completely empty due to fraudulent ACH withdrawals.
As soon as I realized what was happening on Friday morning, I called my bank and sat on hold for an HOUR. I finally spoke with a nice man who also immediately recognized the problem.
Yup, my account is being used for ACH fraud.
Here's a good article explaining the details:
https://www.csoonline.com/article/2125833/cyber-attacks-espionage/malware-cybercrime-ach-fraud-why-criminals-love-this-con.html
If you have ever used your business or personal bank accounts to make ACH payments, or receive ACH payments or wire transfers, you are at risk for ACH fraud. (I suppose there could be some risk even if you never use ACH, but I suspect the risk is quite low.)
Even better: If you have ever written a check, your account is at risk for ACH fraud.
As soon as you hand your bank account number and routing number to anyone, those two numbers can be used to drain your bank account without your approval.
Most of the time, the companies that receive your bank account information are trustworthy and deposit or withdraw funds appropriately. But if those two numbers for your bank account are ever compromised, funds can be withdrawn from your account. And there is very little you can do to prevent it.
Fortunately, I was conceptually aware of this, so years ago I setup a dedicated business account I use exclusively for ACH and wire transfer transactions. And I have a separate savings account into which I can 'sweep' funds, allowing to keep my ACH account balance relatively low to minimize risk.
In that sense, I was prepared for ACH fraud, but since this is the first time I've actually experienced it, it was a bit stressful.
Here are some things I learned.
Banks behave completely differently than credit card companies when it comes to fraud.
My credit card company constantly monitors my cards for potential fraud, and they proactively contact me if they detect any fraud. Once fraud is detected, they swiftly shut down the credit card account, immediately credit me for any fraudulent transactions, and promptly mail me a new credit card. In my experience, they have excellent customer service and handle everything.
My bank, on the other hand, demonstrated that it clearly doesn't care about ACH fraud. The online banking web site offers no options for me to flag transactions as fraud or report the fraud to the bank.
In order to report ACH fraud, you have to download a PDF form, fill it out, sign it, and the FAX it to the bank. Yes, that is correct--the ONLY way to submit the fraud claim form is via fax. You cannot submit it online. You cannot email it. You can't even mail it. Fax only. That's a pretty clear demonstration of how much my bank cares about ACH fraud.
The form has no telephone number on it either. So there is no way to call the special ACH fraud department to confirm receipt or check on the status.
So I naively filled out the form and found a free online fax service I could use to send the fax.
On Monday morning, the second fraudulent transaction appeared. This told me that this wasn't an accident, and that my account was definitely being targeted. So I made an appointment at my bank for that afternoon.
I met with the business accounts rep at my bank, and he wasn't the least bit surprised. It happens all the time. And no, there is nothing you can do to prevent it.
So I spent an hour at the bank while he setup a new business checking account for me.
Problem solved, right?
Nope.
You see, the ACH fraud form requires transaction ID information. Apparently my bank may not process the form for "pending" transactions. Because the second fraudulent ACH transaction was still pending, the bank employee recommended I keep the account open until the transaction cleared so that I could record the transaction ID and submit the second claim form.
Bad advice.
Guess what I saw in my Inbox on Tuesday morning?
Yup, another fraudulent ACH transaction.
So I filled out the second ACH claim form with the necessary transaction ID information from Monday's transaction, and made another appointment for the bank.
During my second appointment, the rep agreed that the decision to not close the account was a mistake, so we agreed that the account should be closed.
To close the account, I had to actually put money INTO the account to cover the overdraft from the most recent fraudulent transaction, as apparently the account cannot be closed with a negative balance. So I transferred funds to the account, and it was finally closed.
Kind of.
You see, because my bank apparently has a sense or humor, if one of the fraudulent ACH transactions gets rejected, the funds that were on hold will be deposited back into my closed bank account. And the bank account will AUTOMATICALLY REOPEN. Yes, you read that right. I stared at the bank employee in disbelief as he explained this to me. I literally started laughing at the absurdity of this. The bank employee was so indoctrinated with these procedures that he completely failed to recognize why I was laughing.
But it gets better. Once the account is closed, I will no longer see it in my online banking, and I will be unable to view the information for the most recent fraudulent transaction required to fill out the third ACH fraud claim form. So that means that I have to make yet another trip to the bank to have the bank employee look up the transaction information and fill out the form for me.
But, thankfully (I think?), all of the fraudulent transactions cleared and my account remained closed. After one more visit to the bank, all three ACH fraud claims were submitted, and on Friday the bank employee called the top secret ACH fraud department, which confirmed that all 3 claims were received.
He emailed me to give me the update, and let me know that ACH fraud claims typically take 10 days to be processed from the date of receipt of the claim. Something that the fraud claim form fails to explain.
So, let me summarize:
1. There is nothing you can do to prevent ACH fraud on your bank account, other than to never share the bank account number. Once ACH fraud occurs, your only option is to close the bank account.
2. By the time you realize fraudulent transactions are occurring, submit claim forms, and close your account, your bank account may be completely empty. And you may even have to deposit funds to cover overdraft, and you may also be charged overdraft fees.
3. You will need to setup a new account and make sure to transfer any auto pay / ACH transactions to the new account
4. It can take at least 10 days to get your money back from the bank (depending on your bank procedures)
This process likely varies significantly by bank, but this is the fun experience I had with one of the largest banks in the US.
![]()
![]()
NOTE: For readers outside the US, ACH stands for Automated Clearing House, which is an electronic payment system we use to deposit and withdraw funds from bank accounts. Employers often use ACH to electronically deposit pay checks into employee bank accounts, and companies often use ACH to pay their vendors electronically. Consumers often use ACH to pay their bills--if you want to automatically pay your cable TV or cell phone bill, you send the merchant your bank account information, and they automatically withdraw the funds each month from your bank account. In the US, it's a modern form of "electronic" banking. But for the rest of the world, I suspect it's an archaic, horribly designed system that has zero security.
I checked my email on Friday morning and saw a pretty standard email alert from my bank.
Hi Steve, an electronic withdrawal was made above your chosen alert limit:
Amount: $719.60
Type: ELEC DRAFT (ACH)
Account: Business Account *******1234
Merchant: CHASE CREDIT CRD EPAY
Transaction date: September 07, 2018
Hmmm, that's odd.
I don't pay my credit card using ACH. And I definitely don't pay my credit card from that particular business bank account.
I thought to myself: It's finally happening. I've been waiting for it to happen for years, and now it is actually happening.
By Wednesday morning, my bank account was completely empty due to fraudulent ACH withdrawals.
As soon as I realized what was happening on Friday morning, I called my bank and sat on hold for an HOUR. I finally spoke with a nice man who also immediately recognized the problem.
Yup, my account is being used for ACH fraud.
Here's a good article explaining the details:
https://www.csoonline.com/article/2125833/cyber-attacks-espionage/malware-cybercrime-ach-fraud-why-criminals-love-this-con.html
If you have ever used your business or personal bank accounts to make ACH payments, or receive ACH payments or wire transfers, you are at risk for ACH fraud. (I suppose there could be some risk even if you never use ACH, but I suspect the risk is quite low.)
Even better: If you have ever written a check, your account is at risk for ACH fraud.
As soon as you hand your bank account number and routing number to anyone, those two numbers can be used to drain your bank account without your approval.
Most of the time, the companies that receive your bank account information are trustworthy and deposit or withdraw funds appropriately. But if those two numbers for your bank account are ever compromised, funds can be withdrawn from your account. And there is very little you can do to prevent it.
Fortunately, I was conceptually aware of this, so years ago I setup a dedicated business account I use exclusively for ACH and wire transfer transactions. And I have a separate savings account into which I can 'sweep' funds, allowing to keep my ACH account balance relatively low to minimize risk.
In that sense, I was prepared for ACH fraud, but since this is the first time I've actually experienced it, it was a bit stressful.
Here are some things I learned.
Banks behave completely differently than credit card companies when it comes to fraud.
My credit card company constantly monitors my cards for potential fraud, and they proactively contact me if they detect any fraud. Once fraud is detected, they swiftly shut down the credit card account, immediately credit me for any fraudulent transactions, and promptly mail me a new credit card. In my experience, they have excellent customer service and handle everything.
My bank, on the other hand, demonstrated that it clearly doesn't care about ACH fraud. The online banking web site offers no options for me to flag transactions as fraud or report the fraud to the bank.
In order to report ACH fraud, you have to download a PDF form, fill it out, sign it, and the FAX it to the bank. Yes, that is correct--the ONLY way to submit the fraud claim form is via fax. You cannot submit it online. You cannot email it. You can't even mail it. Fax only. That's a pretty clear demonstration of how much my bank cares about ACH fraud.
The form has no telephone number on it either. So there is no way to call the special ACH fraud department to confirm receipt or check on the status.
So I naively filled out the form and found a free online fax service I could use to send the fax.
On Monday morning, the second fraudulent transaction appeared. This told me that this wasn't an accident, and that my account was definitely being targeted. So I made an appointment at my bank for that afternoon.
I met with the business accounts rep at my bank, and he wasn't the least bit surprised. It happens all the time. And no, there is nothing you can do to prevent it.
So I spent an hour at the bank while he setup a new business checking account for me.
Problem solved, right?
Nope.
You see, the ACH fraud form requires transaction ID information. Apparently my bank may not process the form for "pending" transactions. Because the second fraudulent ACH transaction was still pending, the bank employee recommended I keep the account open until the transaction cleared so that I could record the transaction ID and submit the second claim form.
Bad advice.
Guess what I saw in my Inbox on Tuesday morning?
Yup, another fraudulent ACH transaction.
So I filled out the second ACH claim form with the necessary transaction ID information from Monday's transaction, and made another appointment for the bank.
During my second appointment, the rep agreed that the decision to not close the account was a mistake, so we agreed that the account should be closed.
To close the account, I had to actually put money INTO the account to cover the overdraft from the most recent fraudulent transaction, as apparently the account cannot be closed with a negative balance. So I transferred funds to the account, and it was finally closed.
Kind of.
You see, because my bank apparently has a sense or humor, if one of the fraudulent ACH transactions gets rejected, the funds that were on hold will be deposited back into my closed bank account. And the bank account will AUTOMATICALLY REOPEN. Yes, you read that right. I stared at the bank employee in disbelief as he explained this to me. I literally started laughing at the absurdity of this. The bank employee was so indoctrinated with these procedures that he completely failed to recognize why I was laughing.
But it gets better. Once the account is closed, I will no longer see it in my online banking, and I will be unable to view the information for the most recent fraudulent transaction required to fill out the third ACH fraud claim form. So that means that I have to make yet another trip to the bank to have the bank employee look up the transaction information and fill out the form for me.
But, thankfully (I think?), all of the fraudulent transactions cleared and my account remained closed. After one more visit to the bank, all three ACH fraud claims were submitted, and on Friday the bank employee called the top secret ACH fraud department, which confirmed that all 3 claims were received.
He emailed me to give me the update, and let me know that ACH fraud claims typically take 10 days to be processed from the date of receipt of the claim. Something that the fraud claim form fails to explain.
So, let me summarize:
1. There is nothing you can do to prevent ACH fraud on your bank account, other than to never share the bank account number. Once ACH fraud occurs, your only option is to close the bank account.
2. By the time you realize fraudulent transactions are occurring, submit claim forms, and close your account, your bank account may be completely empty. And you may even have to deposit funds to cover overdraft, and you may also be charged overdraft fees.
3. You will need to setup a new account and make sure to transfer any auto pay / ACH transactions to the new account
4. It can take at least 10 days to get your money back from the bank (depending on your bank procedures)
This process likely varies significantly by bank, but this is the fun experience I had with one of the largest banks in the US.
Steve Endow is a Microsoft MVP in Los Angeles. He is the owner of Precipio Services, which provides Dynamics GP integrations, customizations, and automation solutions.
