There is a problem with ACH phishing fraud that is not widely acknowledged. It is a security flaw that is affecting organizations today. Criminals are using it to steal from legitimate businesses.
The flaw isn't necessarily with ACH itself, but rather with how organizations manage it and communicate about it. Organizations rely on email too much today. We have to realize that email is not fundamentally secure. Email security is not 100%. Anyone can spoof an email address and commit ACH phishing fraud.
What this means is that criminals can impersonate a sender. While doing this, they can send out fraudulent ACH information so that a customer sends a payment destined for you to the criminals' account instead. By using an email phishing attack, they can do this without ever touching your network. Your customers can fall victim to this even if you are 100% secure.
Yes, there are methods to secure customers from email phishing, and ZAG often consults with organizations to do just that. But there is little that your IT security team can do to make sure that your customer's email platform is more secure.
Ultimately, we need to move away from relying on IT security to provide ACH security. Organizations need to implement a second factor of validation for any ACH change. Instead of simply accepting an email informing them of an ACH change, customers need to be told that they should validate it with a second factor of communication. Finance should inform their customers that they should call either Finance or their Sales Rep to validate any changes to ACH routing information. Ultimately, this should be put into your Terms and Conditions with the customer.
We encourage IT security to reach out to their Finance Departments to put these rules in place. Tell your customers to call to verify any ACH change. It is the only way that you can prevent the risk of ACH fraud through email phishing.
Again, the fraudulent ACH email may never have touched your network. However, if your customers lose money to someone impersonating you, it will dramatically and negatively affect your relationship with your customer. It may ultimately ruin that relationship and cost you significantly.
Finance must step up and put in place security steps to secure the ACH infrastructure from this kind of risk. They need to know of this problem and not rely on IT to solve it.