How to Help Detect and Prevent Automated Clearing House (ACH) Fraud

Automated Clearing House (ACH) fraud is one of the fastest-growing threats to financial institutions today. According to the U.S. Federal Reserve’s 2024 survey of risk officers, nearly 1 in 3 financial institutions reported ACH fraud attempts, and 11% suffered losses.¹ Fraud attempts increased by 9% compared to the prior year, outpacing growth in debit and credit card fraud.²

For small and midsized financial institutions, the risk is even more pressing. These institutions often lack the same fraud detection resources as larger banks, making them more vulnerable to bad actors targeting ACH systems. Even a single successful incident can result in significant financial damage, operational disruption and reputational risk.

“More people and businesses are using this type of transaction, but financial institutions should be aware of the risks involving ACH and the potential for fraud,” said Jerry Keup, National Underwriting Officer, Banks and Diversified Financial at Travelers. “There are steps these institutions can take to reduce the likelihood of a fraudulent incident taking place, but they should be vigilant and address any vulnerabilities seriously.”

What is ACH fraud?

ACH fraud occurs when a bad actor initiates unauthorized ACH transfers from a victim’s personal or business bank account. The goal might be to:

• Funnel money into their own account.
• Make purchases.
• Pay off loans or lines of credit using stolen funds.³

These transfers can be triggered digitally with little more than a bank account number and routing number – details that can be easily obtained or guessed, especially in phishing and social engineering schemes.

ACH fraud vs. Other payment fraud

An ACH transfer is a type of electronic funds transfer (EFT), but not all EFTs are ACH transactions. EFT is a general term for digital transfers between banks, including wire transfers and card payments. ACH transactions are specific to the U.S. ACH network, which processed over $80 trillion in transactions in 2024.⁴

While the ACH network – governed by Nacha, a nonprofit organization that sets and enforces rules for ACH payments⁵ – provides speed and efficiency, these very attributes increase vulnerability. A faster processing window shortens the time institutions have to flag and intervene in suspicious activity, which makes real-time detection essential.

What ACH fraud looks like

Understanding how fraud plays out in real life can help institutions spot patterns early. Here are three examples of ACH claim scenarios:*

• Case #1 - A customer opened a new bank account and the bank contended that someone, likely the fraudster, hacked into the online banking system at a third-party trust company. The hacker used the routing numbers and account numbers of victims to move funds into the fraudster’s account at the bank – totaling over $68,000. Funds were withdrawn quickly through multiple channels, including ATMs, in-branch visits and purchases.
• Case #2 - A credit union member made large purchases until their account was nearly maxed out. The member then topped off the account with a $14,100 fraudulent ACH deposit – giving the appearance of available funds to make even more charges. When the fraud was discovered, the reversal left the institution holding the loss and prompted an insurance claim.
• Case #3 - A customer received two ACH deposits totaling over $14,000 from a third-party account and rapidly withdrew most of the funds. After investigation, it was revealed that the customer had shared credentials with someone they met online. The individual on the other end orchestrated the fraud using compromised bank details from other victims.

These examples show that ACH fraud can take many forms: internal manipulation, social engineering and account takeovers. Each case underscores the need for layered monitoring and rapid response procedures.

*Claim scenarios are based on actual claims, composites of actual claims or hypothetical situations. Resolution amounts are approximations of both actual and anticipated losses and defense costs. Facts may have been changed to protect confidentiality.

ACH Fraud prevention strategies for banks

ACH fraud is a dynamic threat and one that continues to evolve. Fortunately, financial institutions can take action. Understanding how fraud typically occurs and putting safeguards in place can make a meaningful difference.

Below are two key areas – detection and customer-specific prevention strategies – where institutions can strengthen their defense.

Detecting ACH fraud: What to look for

ACH fraud often involves synthetic identity fraud, which involves fake identities built using real and fabricated personal data. According to the Federal Reserve, these are some red flags to watch for:⁶

• Credit file depth inconsistent with customer age or profile.
• Multiple identities using the same Social Security number.
• Numerous applications from the same phone number, mailing address or IP address.
• Use of secured credit lines or piggybacking to build credit.
• Social Security numbers issued after 2011.
• Multiple authorized users on an account with no shared address or surname.

In-person applications may also be used to enhance the illusion of legitimacy – especially in smaller communities where fraudsters seek to build trust or exploit process gaps.

Advanced monitoring and analytics

Fraudsters are increasingly turning to generative artificial intelligence (Gen AI) to create convincing “synthetic” identities by combining real pieces of personally identifiable information (PII) from various sources.⁷ To combat this, modern analytic and technology tools can help financial institutions:

• Flag inconsistencies in customer behavior or application data.
• Monitor transactions for suspicious ACH activity.
• Identify “money mule” or “sleeper” accounts using consortium data shared across thousands of banks.⁸

These analytics platforms often integrate directly with core systems and can offer fraud scoring, transaction profiling and behavior-based alerts – giving staff more than a gut check to rely on.

Preventing ACH debit fraud in small institutions

Smaller institutions face distinct challenges. Limited staff, fewer IT resources and legacy systems can make comprehensive fraud prevention feel out of reach. However, they also have unique strengths and scalable options:

• Implement layered defenses. Use transaction thresholds, dual controls and multifactor authentication (MFA). Monitor new accounts more closely during the first 30 to 60 days.
• Educate customers. Fraudsters often trick users into handing over credentials through ID theft scams or business email compromise. Community banks and credit unions may have closer customer relationships that make education efforts more impactful and trusted.
• Leverage partnerships. Smaller institutions may not have in-house AI or behavioral analytics, but they can access them via vendors or third-party platforms tailored to community banks.
• Share threat intelligence. The Federal Reserve encourages institutions to collaborate with peers through fraud prevention consortiums and payment industry groups.⁹

ACH fraud protection and insurance coverage

Even the strongest internal defenses can fall short. For that reason, it’s critical that financial institutions have an insurance policy designed specifically to address ACH-related losses.

What type of insurance addresses ACH fraud?

Financial institution bond insurance (FI Bond) helps protect companies against a wide array of exposures, including:

• ACH fraud
• Forgery
• Embezzlement
• Computer fraud

When choosing an FI Bond policy, look for one that includes endorsements that help cover two common ACH fraud scenarios:

1. A fraudster opens a deposit account, then funds it with unauthorized ACH transfers from other victims’ accounts.
2. A fraudster secures a loan or line of credit, then uses stolen ACH funds to make repayments.

How ACH fraud protection supports risk management

ACH fraud losses can be significant, often reaching tens of thousands of dollars or more per event. For smaller financial institutions, these losses may be as financially disruptive as a natural disaster. Having appropriate coverage in place can:

• Limit financial fallout.
• Support regulatory compliance.
• Maintain institutional trust.
• Provide access to expert claims resources in the aftermath of a loss.

Take action now to protect against ACH fraud

Preventing ACH fraud requires great vigilance, but it also takes a proactive, layered strategy. For small and midsized institutions, that means identifying red flags early, educating customers, leveraging modern fraud detection tools and ensuring that the right insurance is in place.

Travelers has the experience and resources to help. Our specialized underwriters, risk management and claim professionals understand the unique needs of financial institutions. And we’re here to help manage and mitigate these risks every step of the way.

Contact a Travelers insurance agent today to help strengthen your financial institution’s defenses against ACH fraud.

Sources
^1,2https://www.frbservices.org/binaries/content/assets/crsocms/news/research/2024-risk-officer-survey-results.pdf
³https://www.csoonline.com/article/526384/malware-cybercrime-ach-fraud-why-criminals-love-this-con.html 
^4,5https://www.nacha.org/content/about-us
^6,9https://fedpaymentsimprovement.org/wp-content/uploads/frs-synthetic-identity-payments-fraud-white-paper-october-2019.pdf
⁷https://www.bostonfed.org/news-and-events/news/2025/04/synthetic-identity-fraud-financial-fraud-expanding-because-of-generative-artificial-intelligence.aspx
⁸https://verafin.com/wp-content/uploads/2024/08/feature-sheet-ach-fraud-nasdaq-verafin-20240805.pdf