May 21, 2026

Three Important Questions You Should Ask About ACH Fraud

ACH fraud is a growing threat to businesses of all sizes. Learn how to identify vulnerabilities and implement effective safeguards.

Summary

  • 76% of businesses experienced payment fraud in 2025.
  • Social engineering tactics are common in ACH fraud schemes.
  • 1 in 5 ACH fraud attempts is successful, costing billions.

Automated Clearing House (ACH) transactions occur every day. They’re used to process payroll, pay vendors, settle recurring bills, deposit checks, make transfers, and more. They’ve become ubiquitous, and many of us don’t think about them much at all.

Until something goes wrong.

ACH fraud is a growing threat to organizations of all sizes in all industries, including small to medium-sized businesses. Companies in agriculture, manufacturing, construction, retail, healthcare, and more are all susceptible. In fact, the Association for Financial Professionals (AFP) 2025 Payments Fraud Report found that 76% of all organizations were victims of payments fraud attacks during 2025.

Unfortunately, many finance teams treat ACH security as an afterthought, assuming their bank will reimburse them or that fraudsters only target large corporations.

However, banks often don't reimburse businesses for ACH fraud. Once the money leaves your account, you have approximately 24 hours before it has disappeared. Smaller businesses often never recover from the financial hit.

How does ACH fraud happen?

Much of it is the result of social engineering—phishing schemes, malware sneaked onto corporate sites, and cybercriminals tricking employees and sometimes even management into providing sensitive information by using business email compromise (BEC) tactics to pose as vendors, company executives, or even a financial institution. Criminals also exploit the one- to two-day batch-processing lag with kiting techniques that move funds to fake accounts before the fraud is detected.

Some cybercriminals have successfully manipulated internal systems or impersonated a trusted vendor by providing false payment instructions. There are potential red flags that indicate fraud—unusual transactions outside normal schedules, changes to vendor banking information, and requests for urgent ACH transfers, for example—but ACH transfers can move so quickly that these anomalies may often go undetected.

How serious is ACH fraud?

According to an annual study by the Association for Financial Professionals (AFP), 1 in every 5 ACH fraud attempts is successful. In 2024, ACH scams reached more than $2.8 billion in losses, according to the FTC. And there are more ACH fraud attempts every year.

Here are just a few examples of recent attacks:

  • A metal fabricator lost more than $550,000 due to a fraudulent email scam that impersonated a supplier and redirected payments to a fake account.
  • A mortgage servicer was hit with 1.4 million improperly initiated ACH withdrawals.
  • A management firm saw 150 unauthorized ACH transactions across ten HOAs, with funds diverted to fraudulent vendors.
  • A nonprofit organization reported losing over $150,000 due to an ACH scam that resulted from a phone phishing incident.

3 questions to help prevent ACH fraud

To combat ACH fraud, make sure to ask three key questions:

1. Do you have the right coverage for an ACH fraud attack?

Talk with your broker or insurance carrier to find out. Do you need cyber coverage, crime coverage, or both? Run through multiple scenarios to ensure you’re covered correctly and completely.

2. Do your financial institutions have strong safeguards in place?

  • ACH blocks and filters to stop unauthorized transactions
  • Two authorized employees to approve transactions
  • Multi-Factor Authentication (MFA)
  • Behavioral analytics and artificial intelligence to establish normal customer behavior and flag unusual transactions
  • Transaction limits and monitoring for anomalies
  • Customer education and authentication
  • Positive Pay, which matches incoming ACH transactions against a list of pre-authorized, expected transactions
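
The red flags described earlier (changed vendor banking information, off-schedule payments, urgent requests) and two of the controls in this list (dual approval and Positive Pay) can be combined into a simple pre-release screen. The sketch below is an added example, not code from MMA or any bank; the vendor record, account numbers, approver roles and field names are constructed for illustration.

```python
from datetime import date

# Constructed sample data: every name, ID and account number here is made up.
AUTHORIZED_APPROVERS = {"cfo", "controller", "ap_manager"}
VENDORS = {"V-100": {"routing": "000000001", "account": "1111222233",
                     "pay_days": {1, 15}}}  # normal payment schedule
# Positive Pay list: pre-authorized, expected (vendor, amount in cents, date).
EXPECTED = {("V-100", 1250000, date(2026, 5, 15))}

def red_flags(req, vendors=VENDORS):
    """Return the red flags a payment request raises against the vendor record."""
    vendor = vendors.get(req["vendor_id"])
    if vendor is None:
        return ["unknown_vendor"]  # edge case: nothing on file to compare with
    flags = []
    if (req["routing"], req["account"]) != (vendor["routing"], vendor["account"]):
        flags.append("bank_details_changed")
    if req["pay_date"].day not in vendor["pay_days"]:
        flags.append("off_schedule")
    if req.get("urgent"):
        flags.append("urgent_request")
    return flags

def positive_pay_match(req, expected=EXPECTED):
    """True only if the request is on the pre-authorized, expected list."""
    return (req["vendor_id"], req["amount_cents"], req["pay_date"]) in expected

def dual_approved(req, authorized=AUTHORIZED_APPROVERS):
    """True if at least two distinct authorized employees approved."""
    return len(set(req["approvers"]) & authorized) >= 2

def decide(req):
    """Hold the payment if any check fails; list every reason for review."""
    reasons = red_flags(req)
    if not positive_pay_match(req):
        reasons.append("not_on_expected_list")
    if not dual_approved(req):
        reasons.append("needs_second_approver")
    return ("hold", reasons) if reasons else ("release", [])

ROUTINE = {"vendor_id": "V-100", "routing": "000000001", "account": "1111222233",
           "amount_cents": 1250000, "pay_date": date(2026, 5, 15),
           "approvers": ["controller", "ap_manager"]}
# Same vendor and amount, but new bank details, an odd date and an urgent flag.
SPOOFED = {"vendor_id": "V-100", "routing": "000000002", "account": "9999888877",
           "amount_cents": 1250000, "pay_date": date(2026, 5, 19),
           "urgent": True, "approvers": ["ap_manager"]}

if __name__ == "__main__":
    for request in (ROUTINE, SPOOFED):
        print(decide(request))
```

A held payment should be verified through a contact channel already on file for the vendor, not through the details supplied in the request itself.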

3. Do you have your own internal safeguards?

Ongoing employee and management training, sometimes offered by your financial institutions or your broker, can help avoid ACH fraud or, at the very least, prepare you for when it might happen.

ACH fraud remains a persistent threat. It can be profitable for criminals and relatively easy to execute. Additionally, it may be challenging to detect due to its discreet nature. It’s important to ask these key questions and develop a plan to protect your organization from ACH fraud.

Marsh McLennan Agency (MMA) is here to help

MMA offers specialists in fraud and cybercrime to help you develop a plan to protect your organization from ACH fraud. We can analyze your coverage to make sure you have the right protection in place. Additionally, we provide internal employee training to strengthen your safeguards.

To learn more, contact us today.

This information is for general risk-management guidance only and is not legal or insurance advice. Coverage and regulatory obligations vary—consult your broker, carrier, and legal counsel for advice specific to your situation.
 

Contributors

Jared Ducommun

Risk Management Consultant - Business Insurance, AAI