How To Protect Your Business From ACH Phishing

Oct 20, 2020 | Security

A few years ago, a lone hacker sitting in his basement might be satisfied stealing some data or infecting machines with a virus. Those days are long gone, with a recent report from Verizon stating that 71% of data breaches now target stealing a company’s money. Instead of a lone hacker, criminal organizations are focused on your business’s financials, and they are succeeding by taking billions of dollars each year globally. In this post, I’ll share one of their favorite tactics and how you can protect your business.

The threat is only increasing as more people work from home during the COVID-19 pandemic. Even though video conferencing is on the rise with widely adopted tools like Microsoft Teams and Zoom, email continues to be a primary communication channel for business, especially for executive communication, which makes it a common attack vector for cybercriminals. A favorite technique is phishing, and more specifically, spear phishing.

February to March 2020, industry experienced a 667% increase in phishing attacks.

If you’re not familiar with phishing, it is “the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity in an electronic communication.”

You might be familiar with the term because of the Twitter hack in mid-2020, which the company says was a social engineering attack. They wrote, “The social engineering targeted a small number of employees through a phone spear phishing attack.” It is important to note the methodical approach cybercriminals take to social engineering, and to remember that we are no longer talking about ‘a lone hacker sitting in his basement.’

Increasingly, the objective of spear phishing attacks is ACH transfers. Most enterprise executives widely understand this, yet at the same time, many of us know of someone who’s a victim of cybercrime. This is even true for organizations with a sophisticated approach to security, such as Twitter. ACH phishing is one security threat that businesses shouldn’t fall victim to, but they do time and time again. The weak link is usually people, who are susceptible to social engineering.

Small to medium-sized businesses are especially vulnerable. Take the food and hospitality industries, for example, a sector that historically invested the least in cybersecurity. They spend an average of around $1,230 a year. The good news is that this is up from 2018 when they spent $1,025.

CEOs and CFOs of small to medium businesses should start paying attention to ACH fraud threats today. The United States Secret Service recently warned corporate America about fraudulent emails related to COVID-19 that contain malicious attachments.

An article on CNBC noted three other traits we commonly see in ACH phishing:

  • Attacks imitate companies or government agencies that employees expect to hear from, e.g., a bank with news about the Paycheck Protection Program
  • Targeting employees with text messages about coronavirus
  • Phishing the executive and finance team’s email by pretending (spoofing) to be an email from the CEO

If there’s a takeaway here, it’s that criminal organizations use crises like health pandemics to spread malware. They also use seasonal events like tax time to attack businesses. Even the Small Business Administration COVID-19 loan relief program was not off limits, with one cybercriminal spoofing the SBA webpage and targeting businesses via phishing emails. All very unfortunate, but true.

In March 2020, 2% of all phishing attacks mentioned “coronavirus.”

Since the onset of COVID-19 and the increase in remote work, we’ve seen an increase in voice phishing (vishing). With fewer employees in an office and in physical proximity to colleagues, vishing is much easier to execute.

ZDNET notes that, “According to the FBI and CISA, in mid-July 2020, cybercriminals started a vishing campaign targeting employees working from home for US companies. The attackers collected login credentials for corporate networks, which they then monetized by selling the access to corporate resources to other criminal gangs.” To reiterate, these are sophisticated actors, using techniques such as spoofing phone numbers in an attempt to trick employees into believing a call is legitimate.

All employees are at risk, with C-level executives a frequent target because of their influence and control of banking and accounting systems. The higher an individual is in an organization, the bigger the opportunity for cybercriminals. The Association for Financial Professionals reported that it’s not the payment method that’s typically at risk but the process leading up to payment initiation. In other words, people are the weak link.

While it’s crucial to protect a company’s infrastructure, it’s also essential to provide proper training designed to protect employees from ACH fraud. IT leaders need to think about the training they provide to executives and employees to keep the company safe from ACH phishing and other types of cyberattacks.

The good news is that there are easy to implement solutions

Here are six solutions to help you combat ACH fraud. If you’re a senior leader in your company, check in with your IT, risk, and security teams to make sure these are in place:

  1. Pick up the phone to confirm an executive’s financial directive
  2. Use multi-factor authentication (MFA)
  3. Check email for “impossible travel”
  4. Create alerts for auto email forwarding
  5. Flag external emails
  6. Conduct regular training exercises with all employees (even the C-suite)

Pick up the phone

The first point of defense is to put manual verification processes in place to prevent email phishing. Make it a policy to verify all email requests to initiate an ACH transfer by phone. When your team receives a questionable email, the recipient should feel safe knowing she can call and speak with the sender to confirm the request. Even the CEO or CFO, and yes, even late on a Friday afternoon or a weekend.

Multi-factor authentication

Every organization should have multi-factor authentication (MFA) in place for all systems. It’s an effective way to protect an organization from criminal activities and prevent unauthorized access, and it is also helpful in preventing email threats. MFA identifies a user by validating two or more factors, which usually combine something the user knows (a password), something the user has (a soft token or mobile authenticator app), and something the user is (biometric authentication).

Impossible travel

Organizations should use what’s called “impossible travel” detection. For example, if someone sends an email from Paris, France, and at the same time they send one from Salinas, California, it’s not physically possible to be in both places at once. Impossible travel can be a good indicator of a hacking attempt. When it is detected, the system denies login access and sends an alert to the system administrator so the abnormal usage can be investigated.
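To make the idea concrete, here is an added example (not the author’s tooling, and not code from any product) of the check an identity or email system performs behind the scenes: it takes a list of sign-in events with GeoIP coordinates, computes the great-circle distance between each user’s consecutive sign-ins, and raises an alert when the implied speed is faster than any flight could manage. The events, coordinates, and the 1,000 km/h threshold are constructed for the illustration.

```python
# Added example: a minimal "impossible travel" check over sign-in records.
# Not the author's tooling; the events, coordinates and threshold are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: roughly airliner speed plus a margin
MIN_DISTANCE_KM = 50.0       # ignore GeoIP jitter within one metro area


@dataclass
class SignIn:
    user: str
    when: datetime      # timezone-aware UTC
    lat: float
    lon: float
    city: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive sign-in pair (same user) whose implied
    speed exceeds max_kmh, as (user, from_city, to_city, km, hours)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if km < MIN_DISTANCE_KM:
                continue
            # zero elapsed time over a real distance is impossible outright
            if hours == 0 or km / hours > max_kmh:
                alerts.append((user, prev.city, cur.city, round(km), round(hours, 2)))
    return alerts


def _utc(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample: the CFO "signs in" from Salinas and half an hour later from
# Paris; an analyst goes Denver -> Chicago over four hours, which is plausible.
SAMPLE_EVENTS = [
    SignIn("cfo@example.com", _utc(2020, 10, 19, 9, 0), 36.6777, -121.6555, "Salinas, CA"),
    SignIn("analyst@example.com", _utc(2020, 10, 19, 8, 0), 39.7392, -104.9903, "Denver, CO"),
    SignIn("cfo@example.com", _utc(2020, 10, 19, 9, 30), 48.8566, 2.3522, "Paris, FR"),
    SignIn("analyst@example.com", _utc(2020, 10, 19, 12, 0), 41.8781, -87.6298, "Chicago, IL"),
]

if __name__ == "__main__":
    for user, src, dst, km, hrs in find_impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {user}: {src} -> {dst}, {km} km in {hrs} h")
```

Only the CFO’s Salinas-to-Paris pair is flagged (roughly 9,000 km in thirty minutes); the analyst’s Denver-to-Chicago trip works out to a few hundred km/h and passes. In practice the same logic runs on the sign-in log of the identity provider rather than on a hand-built list, and the distance floor keeps imprecise GeoIP lookups from generating noise.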

Alerts for auto email forwarding

Set up automatic alerts to notify admins when email auto-forwarding gets turned on. In one scenario, a cybercriminal compromises a user’s credentials and logs in to their email account. They then set up forwarding to learn how the user and company operate and wait for the right opportunity to trigger an ACH request as that user. Auto-forwarding is another telltale sign that an email account is compromised.
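The alert itself is straightforward to build once mailbox audit logs are flowing somewhere you can query them. The following is an added example (not the author’s tooling) that scans audit events for mailbox-level forwarding and inbox rules that forward or redirect mail, and rates a destination outside the organization’s own domains as high severity. The log lines are constructed and use a simplified one-JSON-object-per-line schema; a real mail platform’s audit export looks different, although the cmdlet and parameter names shown are the ones Exchange uses. The organization domain is an assumption.

```python
# Added example: scan mailbox audit events for newly configured forwarding.
# Not the author's tooling. The log lines below are constructed and use a
# simplified schema; a real audit export will look different.
import json

ORG_DOMAINS = {"example.com"}   # assumption: the organization's own mail domains

# Any of these parameters appearing in a mailbox or inbox-rule change means
# mail is being copied or redirected somewhere.
FORWARDING_PARAMS = (
    "ForwardingSmtpAddress", "ForwardingAddress",
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
)

SAMPLE_AUDIT_LOG = """\
{"time": "2020-10-19T14:02:11Z", "user": "cfo@example.com", "operation": "Set-Mailbox", "params": {"ForwardingSmtpAddress": "smtp:accounts.payable@mail-example.net", "DeliverToMailboxAndForward": true}}
{"time": "2020-10-19T14:05:40Z", "user": "analyst@example.com", "operation": "New-InboxRule", "params": {"Name": "Vendor tickets", "ForwardTo": "vendor.desk@example.com"}}
{"time": "2020-10-19T14:09:03Z", "user": "cfo@example.com", "operation": "New-InboxRule", "params": {"Name": "Archive", "RedirectTo": ["finance.team@example.com", "ceo.office@outlook.example"]}}
{"time": "2020-10-19T15:00:00Z", "user": "ceo@example.com", "operation": "MailboxLogin", "params": {}}
not json at all
"""


def destination_domain(address):
    """'smtp:user@host' or 'user@host' -> 'host' (lower-cased)."""
    addr = address.split(":", 1)[1] if address.lower().startswith("smtp:") else address
    return addr.rpartition("@")[2].lower()


def scan_forwarding(log_text, org_domains=ORG_DOMAINS):
    """Return one alert dict per forwarding destination found in the log.
    Severity is 'high' when mail leaves the organization, else 'medium'."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue    # malformed export line: skipped, not fatal
        params = ev.get("params") or {}
        for key in FORWARDING_PARAMS:
            if key not in params:
                continue
            dests = params[key] if isinstance(params[key], list) else [params[key]]
            for dest in dests:
                domain = destination_domain(dest)
                alerts.append({
                    "time": ev.get("time"),
                    "mailbox": ev.get("user"),
                    "operation": ev.get("operation"),
                    "via": key,
                    "destination": dest,
                    "severity": "high" if domain not in org_domains else "medium",
                })
    return alerts


if __name__ == "__main__":
    for a in scan_forwarding(SAMPLE_AUDIT_LOG):
        print(f"{a['severity'].upper():6} {a['mailbox']} {a['operation']} "
              f"{a['via']} -> {a['destination']}")
```

Against the sample, the scan produces four alerts: the CFO mailbox forwarding everything to an outside address (high), an analyst’s rule forwarding to a colleague (medium), and a CFO rule redirecting to one internal and one external address (medium and high). Internal forwarding is often legitimate, so the severity split keeps the on-call queue focused on mail leaving the organization, which is the case that precedes the ACH request the post describes.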

Flagging external emails

Flagging external emails with a small banner can warn people that the item in question originated from outside of their organization. Doing this provides an extra visual check that doesn’t impede work but causes users to pause for a moment when faced with a potential phishing email. It gives them a reason to double-check if an email looks suspicious. The alert is an excellent visual sign that a user should pay attention to and ask themselves, “Do I really want to action that?”
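Mail platforms implement this as a transport or mail-flow rule, but the decision underneath is simple enough to show in a few lines. The following added example (not the author’s or any product’s code) parses a raw message, decides from the real sender address whether it is external, and if so prefixes the subject and body with a banner. It also covers the caveat behind the post’s “pretending to be the CEO” scenario: a display name that shows an internal address while the actual sender is external gets called out separately, so the banner logic cannot be fooled by the part of the header the user actually reads. The organization domain and the sample messages are constructed.

```python
# Added example: decide whether a message came from outside the organization
# and, if so, tag it. Not the author's or any product's code; the domains and
# sample messages are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}   # assumption: the organization's own mail domains
BANNER = ("[EXTERNAL] This message originated outside the organization. "
          "Confirm any payment instruction by phone before acting on it.")


def is_internal_domain(domain, org_domains=ORG_DOMAINS):
    d = domain.lower()
    return any(d == org or d.endswith("." + org) for org in org_domains)


def classify_sender(from_header, org_domains=ORG_DOMAINS):
    """'internal', 'external', or 'external-lookalike' (display name shows an
    internal-looking address while the real sender address is external)."""
    display_name, address = parseaddr(from_header)
    if not address:
        return "external"           # unparseable From: treat as untrusted
    if is_internal_domain(address.rpartition("@")[2], org_domains):
        return "internal"
    shown_domains = re.findall(r"@([A-Za-z0-9.-]+)", display_name)
    if any(is_internal_domain(d, org_domains) for d in shown_domains):
        return "external-lookalike"
    return "external"


def tag_message(raw_message, org_domains=ORG_DOMAINS):
    """Parse a raw RFC 822 message; if the sender is external, prefix the
    subject and (single-part) body with the banner. Returns (verdict, message)."""
    msg = message_from_string(raw_message)
    verdict = classify_sender(msg.get("From", ""), org_domains)
    if verdict != "internal":
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = "[EXTERNAL] " + subject
        if not msg.is_multipart():
            msg.set_payload(BANNER + "\n\n" + msg.get_payload())
    return verdict, msg


# Constructed samples: a genuine internal message and an external one whose
# display name imitates the CFO's address.
SAMPLE_INTERNAL = """From: Jane Doe <cfo@example.com>
To: ap@example.com
Subject: Q4 budget

Attached.
"""

SAMPLE_LOOKALIKE = """From: "cfo@example.com" <jdoe.cfo@mail-example.net>
To: ap@example.com
Subject: Vendor payment

Please handle the vendor payment we discussed today.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_INTERNAL, SAMPLE_LOOKALIKE):
        verdict, msg = tag_message(raw)
        print(verdict, "|", msg["Subject"])
```

The internal message passes through untouched; the lookalike is tagged and its subject gains the prefix, so the recipient in accounts payable sees the warning before the request. Subdomains of the organization’s domain count as internal, and a From header that cannot be parsed is treated as external rather than waved through.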

Conduct regular employee training

It is all well and good to implement the above suggestions, but often the greatest threat to any technical security solution is humans. We strongly recommend that all companies provide formal phishing awareness training for all employees, especially those responsible for financial and IT systems.

We have had great success with a solution from KnowBe4 that delivers new-hire awareness training and ongoing testing to keep employees alert to the risks of phishing. Contact us if you’d like to know more.

Bonus pro tips

The ZDNet article referenced earlier has several excellent tips for organizations and individuals to help protect the security of their business. It’s worth taking a few minutes to review their checklist.

Is your team prepared?

The good news is, if one or more of the ideas above are new, you have options. There are practical and achievable things you can do that will dramatically improve your company’s security. By following these steps, it’s easy for every small to medium enterprise to protect itself from ACH phishing attacks. Have a conversation with your security team today. If you’re unsure where to start with any of these recommendations, we are here to help.
