Monday, September 17, 2018

My Experience with ACH Fraud: My bank account was empty in 3 days

My blog has moved!  Please visit the new blog at:  https://blog.steveendow.com/

I will no longer be posting to Dynamics GP Land, and all new posts will be at https://blog.steveendow.com

Thanks!



By Steve Endow


NOTE: For readers outside the US, ACH stands for Automated Clearing House, which is an electronic payment system we use to deposit and withdraw funds from bank accounts.  Employers often use ACH to electronically deposit pay checks into employee bank accounts, and companies often use ACH to pay their vendors electronically.  Consumers often use ACH to pay their bills--if you want to automatically pay your cable TV or cell phone bill, you send the merchant your bank account information, and they automatically withdraw the funds each month from your bank account.  In the US, it's a modern form of "electronic" banking.  But for the rest of the world, I suspect it's an archaic, horribly designed system that has zero security.



Update:  On his blog post sharing this article, Mark Polino says that there are solutions, similar to Safe Pay / Positive Pay, that can be used to prevent ACH fraud.  While that may theoretically be true with some banks, certain types of business bank accounts, some corporate treasury management solutions, and for some payment scenarios (such as outbound payroll), I was told that Bank of America Small Business bank accounts have no such services that could be used to prevent the type of ACH fraud that I experienced.

I asked two different Bank of America employees (one call center rep and one at my branch with over 15 years of experience as a manager at BofA) if there is anything I can do to prevent this type of ACH fraud.  They both clearly and definitively said that there is absolutely nothing I can do to prevent such random fraudulent ACH transactions.  

I asked if they could block all ACH withdrawals on my account.  The branch manager said no--he said that there is no way to prevent an ACH withdrawal from hitting my account.  The only way he could block withdrawals from my account was to close the account.  He did mention that he does have the ability to block ACH withdrawals from a specific merchant ID, such as those that occur with a recurring monthly fee, like a gym membership.  But with the ACH fraud I experienced, there were multiple merchant IDs, so that would not have helped me.

Trust me, I asked multiple times and pointed out how incredibly absurd the situation was.  The Bank of America employees simply shrugged and said that the only solution is to close the compromised account and open a new one.  It was a surreal experience.



Update 2:  Reviewing the Bank of America web site (since the employees were of no help), it appears that they have a "Full Analysis Business Checking" account offering that might have some relevant ACH fraud prevention features.  If you maintain account balances of over $60,000, write more than 150 checks, and have more than 200 deposits a month (unclear if those transaction minimums are required), that type of account apparently offers "ACH blocks/authorizations", in addition to Positive Pay.  

Based on a review of this PDF form, it appears that ACH blocks / authorizations allows you to "whitelist" specific ACH company IDs for your trading partners, authorizing them specifically, as well as specifically blocking certain company IDs.  The form also has an option to completely block all ACH transactions against a specific account, something I was told was impossible with my account type.

These ACH features might work for situations where you have consistent ACH deposits or withdrawals with trading partners on a specific account, but I don't know if it would be manageable for a company that is receiving many one time ACH payments from customers, or ACH payments from hundreds of customers. You would need to know the ACH company ID for every customer in advance of their ACH deposit--I don't even know how I would find my own ACH company ID if I were asked for it.  Any ACH transaction (deposit and withdrawal) that is not specifically whitelisted is blocked.

And it isn't clear if they have an option to manage the company IDs online, or if you have to fill out that form for every change.

I currently have no need to park $60,000 in my business bank accounts, so such account features are presumably not available to me.

Why can't banks allow me to approve each ACH transaction before it hits my account? Allow me to login to the online banking web site or mobile app, view a list of pending transactions, and approve or deny each one?  This isn't rocket science.  If the ACH platform cannot support such a workflow, the US banking system is truly the laughingstock of the modern world.
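To make the "ACH blocks/authorizations" feature from Update 2 and the approve-each-debit workflow concrete, here is an added example (mine, not code from this post or from any bank) of how a receiving bank could screen incoming ACH entries against an account holder's policy.  The company ID the form asks for is a real field: it sits at positions 41-50 of the NACHA batch header record, and each debit or credit is an entry detail record under that header, so the screening key is already in the file.  Everything else is assumed: the company IDs, names, amounts and the records themselves are constructed for the example, and the return reason codes (R10 for consumer entries, R29 for corporate entries) are the standard "not authorized" codes, not anything the post says the bank uses.

```python
"""Screen inbound ACH entries against an account holder's company-ID policy.
Added example; bank-side logic is assumed.  Record layouts follow the NACHA
batch header (type 5) and entry detail (type 6) fixed-width formats."""
from dataclasses import dataclass, field

DEBIT_CODES = {"27", "28", "37", "38"}    # checking/savings debits and debit prenotes
CONSUMER_SEC = {"PPD", "WEB", "TEL"}      # consumer SEC codes return R10; corporate R29


def batch_header(company_name, company_id, sec="CCD", desc="PAYMENT",
                 odfi="12345678", batch_no=1):
    """Constructed 94-char type-5 record.  Company ID occupies positions 41-50."""
    return ("5" + "225" + company_name.ljust(16)[:16] + " " * 20
            + company_id.ljust(10)[:10] + sec + desc.ljust(10)[:10]
            + " " * 6 + "180907" + "   " + "1" + odfi + f"{batch_no:07d}")


def entry_detail(tx_code, amount_cents, name, account="1234", rdfi="02100002",
                 check="1", trace="123456780000001"):
    """Constructed 94-char type-6 record.  Amount in cents at positions 30-39."""
    return ("6" + tx_code + rdfi + check + account.ljust(17)[:17]
            + f"{amount_cents:010d}" + " " * 15 + name.ljust(22)[:22]
            + "  " + "0" + trace.ljust(15)[:15])


def parse_batches(records):
    """Group entry detail records under the batch header they belong to."""
    batches = []
    for rec in records:
        if rec[0] == "5":
            batches.append({"company_id": rec[40:50].strip(), "sec": rec[50:53],
                            "company_name": rec[4:20].strip(), "entries": []})
        elif rec[0] == "6" and batches:
            batches[-1]["entries"].append({"tx_code": rec[1:3],
                                          "account": rec[12:29].strip(),
                                          "amount_cents": int(rec[29:39]),
                                          "name": rec[54:76].strip()})
    return batches


@dataclass
class AchPolicy:
    allowed_ids: set = field(default_factory=set)   # authorized company IDs (allowlist)
    blocked_ids: set = field(default_factory=set)   # explicitly blocked company IDs
    block_all: bool = False                         # the form's "block all ACH" option
    strict: bool = True                             # True: anything not allowlisted is returned


def screen(policy, records):
    """Return (company_id, tx_code, amount_cents, decision) for every entry.
    decision is 'post', 'hold' (queued for account-holder approval) or 'return Rxx'."""
    out = []
    for b in parse_batches(records):
        unauthorized = "return R10" if b["sec"] in CONSUMER_SEC else "return R29"
        for e in b["entries"]:
            debit = e["tx_code"] in DEBIT_CODES
            if policy.block_all or b["company_id"] in policy.blocked_ids:
                d = unauthorized
            elif b["company_id"] in policy.allowed_ids:
                d = "post"
            elif policy.strict:
                d = unauthorized              # as the form describes: deposits blocked too
            else:
                d = "hold" if debit else "post"   # approve-each-debit; credits still land
            out.append((b["company_id"], e["tx_code"], e["amount_cents"], d))
    return out


def sample_file():
    """Constructed batches: an unrecognized card-payment debit, an allowlisted
    customer payment, a blocked recurring debit, and a first-time customer deposit."""
    return [
        batch_header("CARD ISSUER", "1111111111", sec="PPD", desc="EPAY"),
        entry_detail("27", 71960, "ACCOUNT HOLDER"),
        batch_header("KNOWN CUSTOMER", "2222222222", sec="CCD", desc="INVOICE"),
        entry_detail("22", 250000, "ACCOUNT HOLDER"),
        batch_header("GYM", "3333333333", sec="PPD", desc="MEMBERSHIP"),
        entry_detail("27", 4999, "ACCOUNT HOLDER"),
        batch_header("NEW CUSTOMER", "4444444444", sec="CCD", desc="INVOICE"),
        entry_detail("22", 120000, "ACCOUNT HOLDER"),
    ]


POLICY = AchPolicy(allowed_ids={"2222222222"}, blocked_ids={"3333333333"})

if __name__ == "__main__":
    for row in screen(POLICY, sample_file()):
        print(row)
```

Running it with the strict policy shows the problem described above: the unknown debit is returned, but so is the first-time customer deposit, because a pure allowlist cannot tell a fraudulent pull from a new customer's push.  With `strict=False` the deposit posts and only the unrecognized debit is held for approval, which is the workflow the question above asks for.  One caveat worth knowing before relying on returns after the fact: under the NACHA rules a consumer account can return an unauthorized debit for 60 days, while a business account generally has only two banking days, which is part of why prevention matters more on a small business account.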



Update 3:  I had to call the bank to get copies of the recent statements for my closed account, since I no longer have access to the account online.  During the call, I asked this new rep if there were any options available to prevent the ACH fraud I experienced.  He indicated that he is not aware of any features on my Small Business account that would have prevented the fraud, but he mentioned that the bank can place a "Fraud Hold" on an account.  This is the first time I had heard of such an option, despite asking about it repeatedly previously.  The Fraud Hold results in an account balance of -$888,888.88, which is an indicator to Bank of America folks that the account has been placed on hold.  

Unfortunately, speaking with this rep, and with one more Small Business sales rep during the same call, resulted in no additional information or potential services that could have helped me to prevent the ACH fraud.  In fact, the sales rep had never heard of an actual case of ACH fraud, so I ended up educating him about the process, and he was shocked by the lack of resources and the process required to resolve the problem.

I asked about the "Full Analysis Business Checking" account type, but neither rep had any knowledge of it, as it is apparently handled by a different Treasury Management group that cannot be called directly.  I had to request that this secret department give me a call, as a potential sales prospect for their services.  And the saga continues...





I checked my email on Friday morning and saw a pretty standard email alert from my bank.


Hi Steve, an electronic withdrawal was made above your chosen alert limit:

Amount: $719.60
Type: ELEC DRAFT (ACH)
Account: Business Account *******1234
Merchant: CHASE CREDIT CRD EPAY

Transaction date: September 07, 2018


Hmmm, that's odd.

I don't pay my credit card using ACH.  And I definitely don't pay my credit card from that particular business bank account.

I thought to myself:  It's finally happening.  I've been waiting for it to happen for years, and now it is actually happening.

By Wednesday morning, my bank account was completely empty due to fraudulent ACH withdrawals.