Key takeaways:
- 79% of organizations reported attempted or successful payment fraud attacks in 2024, with ACH transactions being a major target.[1]
- With just your checking account and bank routing numbers, fraudsters can initiate unauthorized transactions and drain funds before businesses even realize they’ve been targeted.
- Train employees, monitor accounts, and leverage bank security tools like Comerica’s ACH Positive Pay™ to mitigate risks while maintaining the benefits of ACH payments.
Payment fraud is on the rise, and regardless of how your business processes payments, you could be at risk.
One of the most common targets for fraudsters in today’s digital economy is Automated Clearing House (ACH) payments — a form of electronic bank-to-bank transfer used for payroll, vendor payments and customer transactions. Known for their convenience and efficiency, ACH transactions have become a vital part of business-to-business payments.
Unfortunately, their widespread use also makes them a prime target for scams, with criminals leveraging tactics like phishing schemes, keyloggers and impersonation to access sensitive financial information. With just two pieces of information — checking account and bank routing numbers — fraudsters can initiate unauthorized transfers, often leading to major financial losses.
While ACH fraud can affect companies of all sizes, several factors may increase the likelihood of being targeted. In this article, we’ll explore how ACH payment scams happen, which businesses are most at risk and the key security measures you can implement to protect your organization.
79% of organizations were victims of payment fraud or attacks, according to the 2024 AFP® Payments Fraud and Control Survey Report.[1]
How does ACH payment fraud happen?
ACH payment fraud occurs when unauthorized individuals gain access to a business’s banking information and initiate fraudulent transactions. The process can range from simple to highly sophisticated, depending on the fraudsters' resources. Here’s how it typically unfolds.
Fraudsters start by gathering sensitive information. This information includes a company’s checking account and bank routing numbers, the two critical pieces of information needed to initiate ACH transactions. Details are commonly found on physical checks but can also be acquired through phishing schemes, keylogger malware or impersonation tactics.
Commonly, fraudsters will look to exploit security weaknesses. An often-used tactic involves targeting employees with phishing emails, posing as trusted vendors, financial institutions or even colleagues. The goal is to trick an employee into sharing login credentials or confidential banking details.
Once the necessary information is obtained, fraudsters initiate unauthorized transactions. Using ACH payments, they transfer funds from the business’s account to their own or pay for unauthorized purchases. In more advanced attacks, they may disguise the transactions to evade detection. For example, fraudsters might split larger transfers into smaller amounts or use vendor-like descriptions to blend in with routine payments.
Fraudsters also have multiple tools to cover their tracks. They may use multiple accounts or third parties to further obscure the origins of the fraudulent transactions. Without proper detection systems, businesses often don’t realize the fraud has occurred until it’s too late.
With just your checking account and routing number, fraudsters can exploit security gaps and initiate unauthorized ACH transfers.
Who is most at risk for ACH payment fraud?
Every business is a potential target for fraud — and the threat is pervasive. According to the Association for Financial Professionals (AFP), 79% of organizations reported attempted or successful payment fraud attacks in 2024[1]. ACH payments were targeted in more than half of business email compromise (BEC) cases, surpassing wire transfers for the first time in the history of AFP’s reporting.
Businesses with high transaction volumes, such as distributors and wholesalers, are often prime targets due to the large sums of money they handle daily. Meanwhile, smaller organizations are also regularly targeted because of perceived weaknesses in their security measures — companies without advanced fraud detection systems or employee training are more susceptible.
Simply put, payment fraud represents a significant risk for companies of all sizes. And the results of a successful attack are often disastrous. According to AFP, 20% of organizations victimized by fraud were unable to recover lost funds[1].
Payment fraud poses a significant risk to businesses of all sizes, with 20% of victimized organizations unable to recover their losses.
How can I protect my business from ACH payment fraud?
ACH payments provide businesses with speed, convenience, and efficiency — benefits that are too valuable to ignore. The key to maintaining these advantages is implementing proactive security measures that shield your organization from fraud.
Here’s how you can protect your business while continuing to use ACH transactions confidently and securely.
Educate and train employees
Employees are often the first line of defense against fraud. Conduct regular training sessions to help your team identify common phishing schemes, suspicious requests for financial information and fraudulent emails. Teach staff to verify requests for sensitive information before acting and to report any suspicious activity immediately.
Implement anti-malware and cybersecurity tools
Protect your network by using firewalls, anti-malware software and intrusion detection systems. Keyloggers and other malware are common tools used in ACH payment fraud. With the right cybersecurity defenses, you can reduce the risk of fraudsters gaining access to your sensitive financial data.
Monitor and review accounts regularly
Set up automatic alerts and perform frequent audits of your business accounts. Regularly check your account balances and review transactions to catch suspicious activity early. Prompt detection allows you to notify your financial institution and take immediate action to recover funds.
Establish a vendor verification process
Fraudsters often impersonate vendors to gain access to payments. Protect your business by verifying vendors before processing any payments. Implement a system where employees confirm payment requests via an independent channel, such as a phone call to a verified number or video conference, to prevent fraudulent transactions.
Leverage bank security services
Many banks offer advanced tools to safeguard ACH transactions. For example, Comerica’s ACH Positive Pay™ lets you review and approve or deny transactions before they are processed. This extra layer of security ensures unauthorized transactions are caught before funds are withdrawn.
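The review-before-processing idea above, combined with the account monitoring and split-transfer behavior described earlier, can be sketched as a simple exception queue. This is an added illustration, not Comerica's code or a description of how ACH Positive Pay™ works internally; the field names, originator IDs, limits and sample debits are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed approved-originator list: originator ID -> debit limit in cents.
APPROVED = {"VENDOR0001": 5_000_00, "PAYROLL001": 50_000_00}

# Constructed sample debits: (posting date, originator ID, description, cents).
DEBITS = [
    (date(2025, 3, 3), "PAYROLL001", "PAYROLL", 42_000_00),
    (date(2025, 3, 3), "VENDOR0001", "INV 1041", 4_800_00),
    (date(2025, 3, 4), "UNKNOWN999", "VENDOR PMT", 2_900_00),  # vendor-like text
    (date(2025, 3, 4), "VENDOR0001", "INV 1042", 4_900_00),
    (date(2025, 3, 5), "VENDOR0001", "INV 1043", 4_700_00),
    (date(2025, 3, 6), "VENDOR0001", "INV 1044", 9_000_00),
]

def review(debits, approved, window_days=3):
    """Return (index, reason) pairs for debits that need a human decision."""
    exceptions = []
    history = defaultdict(list)  # originator -> [(date, amount)] seen so far
    for i, (day, orig, _desc, amount) in enumerate(debits):
        limit = approved.get(orig)
        # The description is ignored on purpose: it is free text the sender
        # controls, so only the originator ID and the amount are trusted.
        if limit is None:
            exceptions.append((i, "originator not on approved list"))
            continue
        if amount > limit:
            exceptions.append((i, "amount over per-transaction limit"))
            continue
        # Split-transfer check: debits that each fit under the limit but
        # together exceed it inside a short window.
        start = day - timedelta(days=window_days - 1)
        recent = sum(a for d, a in history[orig] if d >= start)
        if recent + amount > limit:
            exceptions.append((i, "cumulative amount over limit in window"))
        history[orig].append((day, amount))
    return exceptions

if __name__ == "__main__":
    for index, reason in review(DEBITS, APPROVED):
        print(DEBITS[index], "->", reason)
```

Setting `window_days=1` checks each day's debits on their own, which is why a multi-day window is needed to see amounts split across consecutive days.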
Mask your account information with a UPIC
A Universal Payment Identification Code (UPIC®) lets you receive ACH payments without exposing your real account number. A UPIC works like a standard account number for credits but blocks unauthorized debits, reducing the risk of ACH fraud while keeping your banking details private. Ask your Comerica Relationship Manager about UPICs and how to integrate them into your receivables strategy.
With fraud prevention measures in place, your business can confidently rely on ACH payments to support growth.
Pay with confidence
Protect your business from ACH payment fraud with the guidance of a trusted financial partner. Comerica Bank offers the experience and tools you need to secure your transactions and maintain confidence in your payment systems. Contact our team today to discuss customized fraud prevention strategies.
Sources
[1] Association for Financial Professionals. (2025). Payments fraud. Association for Financial Professionals. https://www.financialprofessionals.org/topics/payment-topics/payments-fraud