Monday, September 17, 2018

My Experience with ACH Fraud: My bank account was empty in 3 days

My blog has moved!  Please visit the new blog at:  https://blog.steveendow.com/

I will no longer be posting to Dynamics GP Land, and all new posts will be at https://blog.steveendow.com

Thanks!



By Steve Endow


NOTE: For readers outside the US, ACH stands for Automated Clearing House, which is an electronic payment system we use to deposit and withdraw funds from bank accounts.  Employers often use ACH to electronically deposit pay checks into employee bank accounts, and companies often use ACH to pay their vendors electronically.  Consumers often use ACH to pay their bills--if you want to automatically pay your cable TV or cell phone bill, you send the merchant your bank account information, and they automatically withdraw the funds each month from your bank account.  In the US, it's a modern form of "electronic" banking.  But for the rest of the world, I suspect it's an archaic, horribly designed system that has zero security.



Update:  On his blog post sharing this article, Mark Polino says that there are solutions, similar to Safe Pay / Positive Pay, that can be used to prevent ACH fraud.  While that may theoretically be true with some banks, certain types of business bank accounts, some corporate treasury management solutions, and for some payment scenarios (such as outbound payroll), I was told that Bank of America Small Business bank accounts have no such services that could be used to prevent the type of ACH fraud that I experienced.

I asked two different Bank of America employees (one call center rep and one at my branch with over 15 years of experience as a manager at BofA) if there is anything I can do to prevent this type of ACH fraud.  They both clearly and definitively said that there is absolutely nothing I can do to prevent such random fraudulent ACH transactions.  

I asked if they could block all ACH withdrawals on my account.  The branch manager said no--he said that there is no way to prevent an ACH withdrawal from hitting my account.  The only way he could block withdrawals from my account was the close the account.  He did mention that he does have the ability to block ACH withdrawals from a specific merchant ID, such as those that occur with a recurring monthly fee, like a gym membership.  But with the ACH fraud I experienced, there were multiple merchant IDs, so that would not have helped me.

Trust me, I asked multiple times and pointed out how incredibly absurd the situation was.  The Bank of America employees simply shrugged and said that the only solution is to close the compromised account and open a new one.  It was a surreal experience.



Update 2:  Reviewing the Bank of America web site (since the employees were of no help), it appears that they have a "Full Analysis Business Checking" account offering that might have some relevant ACH fraud prevention features.  If you maintain account balances of over $60,000, write more than 150 checks, and have more than 200 deposits a month (unclear if those transaction minimums are required), that type of account apparently offers "ACH blocks/authorizations", in addition to Positive Pay.  

Based on a review of this PDF form, it appears that ACH blocks / authorizations allows you to "whitelist" specific ACH company IDs for your trading partners, authorizing them specifically, as well as specifically blocking certain company IDs.  The form also has an option to completely block all ACH transactions against a specific account, something I was told was impossible with my account type.

These ACH features might work for situations where you have consistent ACH deposits or withdrawals with trading partners on a specific account, but I don't know if it would be manageable for a company that is receiving many one time ACH payments from customers, or ACH payments from from hundreds of customers. You would need to know the ACH company ID for every customer in advance of their ACH deposit--I don't even know how I would find my own ACH company ID if I were asked for it.  Any ACH transaction (deposit and withdrawal) that is not specifically whitelisted is blocked.

And it isn't clear if they have an option to manage the company IDs online, or if you have to fill out that form for every change.

I currently have no need to park $60,000 in my business bank accounts, so such account features are presumably not available to me.

Why can't banks allow me to approve each ACH transaction before it hits my account? Allow me to login to the online banking web site or mobile app, view a list of pending transactions, and approve or deny each one?  This isn't rocket science.  If the ACH platform cannot support such a workflow, the US banking system is truly the laughingstock of the modern world.



Update 3:  I had to call the bank to get copies of the recent statements for my closed account, since I no longer have access to the account online.  During the call, I asked this new rep if there were any options available to prevent the ACH fraud I experienced.  He indicated that he is not aware of any features on my Small Business account that would have prevented the fraud, but he mentioned that the bank can place a "Fraud Hold" on an account.  This is the first time I had heard of such an option, despite asking about it repeatedly previously.  The Fraud Hold results in an account balance of -$888,888.88, which is an indicator to Bank of America folks that the account has been placed on hold.  

Unfortunately, this rep, and one more Small Business sales rep I spoke with during this call resulted in no additional information or potential services that could have helped me to prevent the ACH fraud.  In fact, the sales rep had never heard of an actual case of ACH fraud, so I ended up educating him about the process, and he was shocked by the lack of resources and the process required to resolve the problem.

I asked about the "Full Analysis Business Checking" account type, but neither rep had any knowlege of it, as it is apparently handled by a different Treasury Management group that cannot be called directly.  I had to request that this secret department give me a call, as a potential sales prospect for their services.  And the saga continues...





I checked my email on Friday morning and saw a pretty standard email alert from my bank.


Hi Steve, an electronic withdrawal was made above your chosen alert limit:

Amount: $719.60
Type: ELEC DRAFT (ACH)
Account: Business Account *******1234
Merchant: CHASE CREDIT CRD EPAY

Transaction date: September 07, 2018


Hmmm, that's odd.

I don't pay my credit card using ACH.  And I definitely don't pay my credit card from that particular business bank account.

I thought to myself:  It's finally happening.  I've been waiting for it to happen for years, and now it is actually happening.

By Wednesday morning, my bank account was completely empty due to fraudulent ACH withdrawals.




As soon as I realized what was happening on Friday morning, I called my bank and sat on hold for an HOUR.  I finally spoke with a nice man who also immediately recognized the problem.

Yup, my account is being used for ACH fraud.

Here's a good article explaining the details:

https://www.csoonline.com/article/2125833/cyber-attacks-espionage/malware-cybercrime-ach-fraud-why-criminals-love-this-con.html


If you have ever used your business or personal bank accounts to make ACH payments, or receive ACH payments or wire transfers, you are at risk for ACH fraud.  (I suppose there could be some risk even if you never use ACH, but I suspect the risk is quite low.)

Even better: If you have ever written a check, your account is at risk for ACH fraud.

As soon as you hand your bank account number and routing number to anyone, those two numbers can be used to drain your bank account without your approval.

Most of the time, the companies that receive your bank account information are trustworthy and deposit or withdraw funds appropriately.  But if those two numbers for your bank account are ever compromised, funds can be withdrawn from your account.  And there is very little you can do to prevent it.

Fortunately, I was conceptually aware of this, so years ago I setup a dedicated business account I use exclusively for ACH and wire transfer transactions.  And I have a separate savings account into which I can 'sweep' funds, allowing to keep my ACH account balance relatively low to minimize risk.

In that sense, I was prepared for ACH fraud, but since this is the first time I've actually experienced it, it was a bit stressful.


Here are some things I learned.

Banks behave completely differently than credit card companies when it comes to fraud.

My credit card company constantly monitors my cards for potential fraud, and they proactively contact me if they detect any fraud.  Once fraud is detected, they swiftly shut down the credit card account, immediately credit me for any fraudulent transactions, and promptly mail me a new credit card.  In my experience, they have excellent customer service and handle everything.

My bank, on the other hand, demonstrated that it clearly doesn't care about ACH fraud.  The online banking web site offers no options for me to flag transactions as fraud or report the fraud to the bank.

In order to report ACH fraud, you have to download a PDF form, fill it out, sign it, and the FAX it to the bank.  Yes, that is correct--the ONLY way to submit the fraud claim form is via fax.  You cannot submit it online.  You cannot email it.  You can't even mail it.  Fax only.  That's a pretty clear demonstration of how much my bank cares about ACH fraud.

The form has no telephone number on it either.  So there is no way to call the special ACH fraud department to confirm receipt or check on the status.

So I naively filled out the form and found a free online fax service I could use to send the fax.

On Monday morning, the second fraudulent transaction appeared.  This told me that this wasn't an accident, and that my account was definitely being targeted.  So I made an appointment at my bank for that afternoon.

I met with the business accounts rep at my bank, and he wasn't the least bit surprised.  It happens all the time.  And no, there is nothing you can do to prevent it.

So I spent an hour at the bank while he setup a new business checking account for me.

Problem solved, right?

Nope.

You see, the ACH fraud form requires transaction ID information.  Apparently my bank may not process the form for "pending" transactions.  Because the second fraudulent ACH transaction was still pending, the bank employee recommended I keep the account open until the transaction cleared so that I could record the transaction ID and submit the second claim form.

Bad advice.

Guess what I saw in my Inbox on Tuesday morning?

Yup, another fraudulent ACH transaction.

So I filled out the second ACH claim form with the necessary transaction ID information from Monday's transaction, and made another appointment for the bank.

During my second appointment, the rep agreed that the decision to not close the account was a mistake, so we agreed that the account should be closed.

To close the account, I had to actually put money INTO the account to cover the overdraft from the most recent fraudulent transaction, as apparently the account cannot be closed with a negative balance.  So I transferred funds to the account, and it was finally closed.

Kind of.

You see, because my bank apparently has a sense or humor, if one of the fraudulent ACH transactions gets rejected, the funds that were on hold will be deposited back into my closed bank account.  And the bank account will AUTOMATICALLY REOPEN.  Yes, you read that right.  I stared at the bank employee in disbelief as he explained this to me.  I literally started laughing at the absurdity of this.  The bank employee was so indoctrinated with these procedures that he completely failed to recognize why I was laughing.

But it gets better.  Once the account is closed, I will no longer see it in my online banking, and I will be unable to view the information for the most recent fraudulent transaction required to fill out the third ACH fraud claim form.  So that means that I have to make yet another trip to the bank to have the bank employee look up the transaction information and fill out the form for me.

But, thankfully (I think?), all of the fraudulent transactions cleared and my account remained closed.  After one more visit to the bank, all three ACH fraud claims were submitted, and on Friday the bank employee called the top secret ACH fraud department, which confirmed that all 3 claims were received.

He emailed me to give me the update, and let me know that ACH fraud claims typically take 10 days to be processed from the date of receipt of the claim.  Something that the fraud claim form fails to explain.


So, let me summarize:

1. Based on my experience, there is nothing you can do to prevent ACH fraud on your bank account, other than to never share the bank account number. Once ACH fraud occurs, your only option is to close the bank account.  (Maybe there are some banks that offer ACH fraud prevention services, but mine did not)

2. By the time you realize fraudulent transactions are occurring, submit claim forms, and close  your account, your bank account may be completely empty. And you may even have to deposit funds to cover overdraft, and you may also be charged overdraft fees.

3. You will need to setup a new account and make sure to transfer any auto pay / ACH transactions to the new account

4. It can take at least 10 days to get your money back from the bank


This process may vary by bank, but this is the fun experience I had with one of the largest banks in the US.


Steve Endow is a Microsoft MVP in Los Angeles.  He is the owner of Precipio Services, which provides Dynamics GP integrations, customizations, and automation solutions.

You can also find him on Twitter, YouTube, and Google+




No comments: