Business man talking on cell phone

Protect Your Payroll: Tips to Stop ACH Fraud

February 11, 2021

Paying employees by direct deposit is a win-win.

If you’re an employer, completing payroll electronically – via Automated Clearing House (ACH) transactions – gives you more control over disbursements, saves time, and helps eliminate the costs associated with paper paychecks.

Meanwhile, your employees can be sure their paychecks arrive on time, don’t have to worry about lost or stolen checks, and don’t need to run to the bank every payday. Given these benefits, it’s not too surprising that a recent survey by the American Payroll Association found that 94% of workers get direct deposit.

What About ACH Fraud?
ACH transactions are considered a safer alternative to paper paychecks. In fact, a survey by the Association for Financial Professionals found fewer reports of fraud related to a business’s ACH transactions compared to checks, wires, and credit cards. That’s great news for businesses that have adopted ACH for their payroll.

However, because ACH transactions are so common, and highly automated, they’re definitely a target of criminals. Fraudsters often attempt to commit ACH fraud against large businesses with a high volume of transactions to help their crime go unnoticed. But thieves will also target a small business’s accounting or payroll department – where a lack of personnel or proper safeguards makes them more vulnerable to payroll fraud.

In many cases, thieves commit ACH fraud by gaining access to a business’s payroll system and changing payment information to route funds to accounts they control which could be U.S.-based or foreign. Once the transactions clear, they transfer the money offshore. In this way, criminals have siphoned large amounts of money out of businesses and the pockets of employees.

How It Happens
While ACH fraud can’t be committed by forging checks, it could be done with access to your online banking or payroll system. Thieves may try to gain access by infecting business computer systems with malware that tracks users’ keystrokes in order to steal the login information for online accounts. Once they’ve accessed your system, criminals may be able to submit ACH files or alter account information to redirect payments to themselves.

Thieves often employ social engineering tactics to commit this type of fraud.

One of their preferred methods is the classic phishing email. Odds are, you’ve seen a few of these sneaky emails in your inbox or junk folder. In essence, phishing emails are unsolicited, fraudulent messages that appear to come from a business you know. They’re designed to trick you into giving up sensitive information by clicking on a link, replying, or downloading a malicious file.

Payroll departments can also be targets of phishing attacks, which can include not only emails but phone calls or text messages from criminals impersonating a trusted business, such as your bank or payroll service. They may claim the business’s login credentials are about to expire and must be “updated” to maintain access to its online system – then use the stolen login information to access the system themselves.

Remember: Your financial institution and other legitimate businesses will never contact you out of the blue to request sensitive online login or banking information.

Thieves may also attempt a business email compromise (BEC) scheme. In this scenario, they’ll hack into the email account of someone in your company, such as the business owner, CEO, or another employee, or they will create a fake account that appears to belong to them. Posing as this individual, the scammers contact the person in charge of payroll and instruct them to update the payroll with new account information.

The well-meaning employee may comply, unknowingly redirecting an employee’s wages to a separate bank account controlled by the scammers (this is known as a payroll diversion scheme).

Other Forms of Payroll Fraud
In addition to guarding against outside criminals targeting your ACH services, you should also look out for payroll fraud within your business.

Internal threats include timesheet or timecard fraud, where a dishonest employee inflates their recorded hours on their timesheet or abuses the company timeclock by having a friend help them punch in early or punch out late to get credit for more time than they worked.

Another internal payroll fraud involves “ghost” employees. Without sufficient oversight, an unscrupulous employee in charge of payroll can add a fictitious “employee” to the payroll and automatically send company funds via ACH to a bank account they can access.

These forms of internal fraud quickly drive up your payroll costs. Closely monitoring employee hours and use of the company timeclock are good practices to employ to mitigate this risk. Also, regularly reconcile balance sheet accounts and payroll records, and require authorization for updates to your payroll.

Guard Against Payroll Fraud
An informed, careful staff is the best defense against payroll fraud. Empower your employees to speak up about anything that appears suspicious, and have payroll/accounting staff double-check emailed payment requests by calling or speaking face-to-face with the sender.

Also, follow these best practices:

  • Maintain a separation of duties within your payroll process by implementing a dual control system for the initiation of payments.
  • Ensure you have two-factor authentication set up to help protect your online accounts in case criminals gain access to your login information.
  • Audit and monitor your payroll and ACH transactions.
  • Regularly update your computers’ operating system and antivirus software.
  • Make sure your employees know what to do if they receive a phishing email.
  • If you suspect an unauthorized ACH transaction on your business bank account, contact your bank right away, and report any internal/external fraud to law enforcement.

You can also take advantage of cost-effective cash management tools to assist in protecting your checking account. For example, you can set up ACH Positive Pay to help you spot suspicious ACH transactions and make payment/return decisions online, and you can set up ACH Debit Block to automatically return any debits submitted to business accounts that aren’t used for payments. Additionally, Positive Pay can provide extra protection for your business’s check writing.

Work Faster & Bank Safer
ENB is here for your business with flexible accounts and powerful cash management tools to streamline your small-business banking and payroll, while helping to protect your business from fraud. Connect with our local team to discuss your needs.