Same Day ACH: all the fraud experts are predicting a big uptick in fraud when it goes into full effect one year from now. But the impact could be felt even sooner, as NACHA is reporting that 95% of banks are going to process both ACH debits and credits starting now.
The volume of transactions is predicted to be massive, with 1.4 billion transactions a day according to NACHA, so this will fundamentally change the way many payments are handled each day.
So why is fraud expected to increase? Why will it go up when banks are essentially providing the same service to customers that they do today, only giving them their money sooner?
Well, the answer is that fraudsters love speed and convenience, just like customers, but even more so because fraudsters (like bank robbers) want to make a quick getaway. Same Day ACH will enable the crooks to abscond with money before the bank even knows it was fraud.
Today, by contrast, ACH is a cumbersome and slow way for a fraudster to get their money – it can take them 4 days. With Same Day ACH, they can have it in less than 2 hours. That’s why they love it.
Same Day ACH will eliminate the extended amount of time banks and payment providers like PayPal have to detect fraudulent fund transfers. It will move the prevention window from 4 days to less than 2 hours.
But Same Day ACH is not very attractive to fraud analysts. Analysts used to have lots of time to investigate an ACH transaction, even send the customer a verification and wait for a response to see if the transaction was valid. But not anymore. Analysts will be forced to make more decisions on what to pay and not pay in less time than ever before.
Why are Banks even offering Same Day ACH?
There are 4 big use cases for same day ACH in the US. You can see why this is a big win for consumers.
#1) Same-day payrolls – Payroll files are notoriously slow to process, and Accounting Departments need to submit the ACH files many days before the checks are due. Same Day ACH will significantly speed up processing time.
#2) Business-to-Business Payments – Processing ACH payments is so slow that many businesses opt for Wire Transfer instead. This will speed up business-to-business payments.
#3) Expedited bill payments – You know when you get that late notice from your utility and you have to tell them it will be 5-7 days for them to get paid while you do an online bill pay? That could all go away now.
#4) Account-to-account transfers – Getting money transferred from one account to another will never be faster or more convenient.
The only inconvenience to customers at this point is that they can’t send a transaction over $25,000 and they cannot send money internationally. This could limit the worst of the worst fraud scams while still allowing 99% of ACH transactions to process same day.
How Large is ACH Fraud Now?
Because ACH was slow, it was never the preferred target for fraudsters. So, ACH Fraud is relatively rare. Experts point out that only about 1 in every 80,000 ACH transactions today actually results in a fraud attempt. The Federal Reserve’s estimates of ACH losses show that losses are dwarfed by other more serious loss types such as debit cards and checks.
If you compare that to credit card fraud where 1 in 1,000 transactions are fraudulent, that means that ACH fraud is 80 times less frequent or damaging than credit card fraud in the US.
ACH fraud is small now, but that will change with Same Day ACH as the fraud schemes ramp up.
So, Which Fraud Types Will Take the Biggest Hits?
Banks report their fraud losses differently, but you can expect all of the following fraud types to potentially increase by between 50% and 100%. Banks should be preparing their fraud loss budgets now. If there is no allocation for increased fraud in these areas, there should be.
Account Takeover Will Increase
It’s no secret that fraudsters are stockpiling online banking credentials in what we often refer to as “sleeper fraud” where they keep accounts on hand until they are ready to attack the bank en masse. After same day ACH, we can expect to see escalated levels of account takeover since the fraudster can move the money in larger and faster quantities on compromised accounts.
Online Banking Losses Will Increase
If you want to see what will happen to US Online Banking Accounts, just look to the UK for the most likely scenario. Online Banking losses in the UK doubled immediately after Faster Payments launched and never really came back down to the pre-faster pay levels afterwards.
Payment Fraud and Bill Pay Losses Will Increase
Banks that track their ACH and Bill Pay Fraud losses will probably notice a big uptick in Bill Pay related fraud losses. Fraudsters can set up new payees and send funds, or even divert funds to new locations using the same payee accounts by changing the details. Bill Pay losses will increase with Same Day ACH.
5 Fraud Scams Banks Will Likely See Happen With Same Day ACH
To understand some of the scams that banks are likely to see, I reached out to industry experts familiar with fraud scams that happened in other parts of the world when faster payments were implemented. These are experts like Maryann Miller, who fights fraud globally and whom I wrote about last month.
Here are 5 Fraud Schemes experts think will hit your bank when Same Day ACH starts.
#1 Scheme – Online Banking Account Takeover
Online Banking Account Takeover is poised to increase dramatically in the coming years. With $13 Trillion in Deposits in US accounts, the fraudsters are licking their chops to get to it.
At this very moment, botnets are running virtually around the clock performing credential stuffing to find online banking accounts that can be drained. These programs only need to be successful 1 out of 10,000 times, since there are literally hundreds of millions of credentials available on the dark web that they can test. When one fails, there are thousands more to try and literally hundreds of bank sites that they can test each one with.
707 Million Records Breached Last Year Alone
Once a fraudster gains credentials, they can quickly drain a customer’s accounts by moving funds out of the account in much the same way that they did with the social engineering schemes.
Banks should ensure that they have effective authentication strategies and monitoring tools for Online Banking. I recommend Iovation, ThreatMetrix, InAuth or Payfone. These companies offer consortium-based device authentication for mobile and desktop as well as some monitoring tools.
#2 Scheme – Corporate Account Takeover
If you have seen the FBI reports you know that CEO Wire Fraud is out of control. Hackers and fraudsters have learned that infiltrating and taking over corporate and business accounts is extremely lucrative. Business and Corporate deposit accounts can result in million dollar fraud schemes while personal accounts may only net the fraudsters a few thousand dollars.
Corporate accounts are the most susceptible to payroll fraud schemes, account-to-account fraud schemes, payments made to fictitious vendors and embezzlement schemes by employees.
Banks should closely monitor the delivery of ACH files and watch for suspicious transactions within those files.
#3 Scheme – Batch ACH File Manipulation
ACH files are traditionally submitted in batches. Whether they are payroll files, insurance claim payments, bill pay transactions, corporate payment files or business-to-business payments, those files will be submitted two times each day (in the morning and the afternoon) for immediate debits and credits.
Those ACH Batch files are particularly susceptible to systematic organized fraud. It could be internal fraud, or smart fraudsters that have infiltrated the bank’s networks using malware spawned by phishing emails.
There are 3 ways batch files can be manipulated or initiated.
#1 Batch Fraud Scheme – Fraudsters Create a Fraud Payroll Batch File – After gaining access to the corporate accounts bank, the fraudsters submit a completely bogus payroll file that looks similar enough to a legitimate file that it doesn’t raise red flags.
#2 Batch Fraud Scheme – Fraudsters Change a Few Records within a Legitimate Batch File – To reduce their likelihood of being detected, fraudsters might change several records within a legitimate batch such as adding new employee paychecks to a routine and legitimate file.
#3 Batch Fraud Scheme – Changing Payee Account Numbers – The fraudsters only change a single detail such as the payee account number where the funds are to be routed.
Batch file manipulation can often result in the most significant losses to banks. It also shows why banks need not only good front-end authentication controls but also monitoring tools to flag suspicious batches, or transactions within each batch, for scrutiny.
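One way to screen an incoming batch for the three manipulation patterns above, as an added example that is not from the original article or any vendor's product. The record layout, payee IDs, routing and account values, and thresholds are constructed assumptions.

```python
from statistics import median

# Constructed sample history: two prior payroll batches for one originator.
# Each entry is (payee_id, routing_number, account_number, amount_cents).
HISTORY = [
    [("E001", "000000001", "1111", 250000), ("E002", "000000001", "2222", 310000),
     ("E003", "000000002", "3333", 275000)],
    [("E001", "000000001", "1111", 250000), ("E002", "000000001", "2222", 312000),
     ("E003", "000000002", "3333", 275000)],
]

def build_baseline(history):
    """Return known destinations per payee and the totals of prior batches."""
    known = {}
    for batch in history:
        for payee, routing, account, _ in batch:
            known.setdefault(payee, set()).add((routing, account))
    return known, [sum(e[3] for e in batch) for batch in history]

def review_batch(batch, history, total_tolerance=0.25, unknown_ratio=0.5):
    """Flag entries and batch-level anomalies for analyst review before release."""
    known, totals = build_baseline(history)
    flags, unknown = [], 0
    for payee, routing, account, _ in batch:
        if payee not in known:                        # record added to a batch
            unknown += 1
            flags.append(("NEW_PAYEE", payee))
        elif (routing, account) not in known[payee]:  # payee account changed
            flags.append(("DEST_CHANGED", payee))
    total = sum(e[3] for e in batch)
    if totals:                                        # no history, no total check
        typical = median(totals)
        if abs(total - typical) > total_tolerance * typical:
            flags.append(("TOTAL_DEVIATION", total))
    if batch and unknown / len(batch) >= unknown_ratio:  # likely bogus file
        flags.append(("MOSTLY_UNKNOWN_PAYEES", unknown))
    return flags

# Constructed batches: one tampered legitimate file, one wholly bogus file.
TAMPERED = [("E001", "000000001", "1111", 250000), ("E002", "000000001", "2222", 310000),
            ("E003", "000000002", "9999", 275000), ("E999", "000000002", "4444", 260000)]
BOGUS = [("X1", "000000002", "5555", 400000), ("X2", "000000002", "6666", 430000)]

if __name__ == "__main__":
    for name, batch in (("tampered", TAMPERED), ("bogus", BOGUS)):
        print(name, review_batch(batch, HISTORY))
```

The bogus batch has a total close to the historical one, so it passes the amount check and is caught only by the share of unknown payees. With a settlement window of under 2 hours, a screen like this has to run at file intake so flagged entries can be held before release.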
#4 Scheme – Sleeper Fraud or Money Mule Stockpiling
Money Mule accounts are used to receive fraudulent ACH or Wire Payments so that the money can be disguised and paid to the fraudsters. Money mule accounts can be deposit accounts, credit card accounts or any other type of account that can receive ACH payments.
Money mules may or may not be aware of the fraud scheme. In many cases of fraud, the debiting ACH account has been taken over, as well as the receiving ACH account. Each account serves a purpose.
Sleeper fraud involves the stockpiling of money mule accounts for use later in a fraud scheme. Sleeper accounts are accounts that have no fraudulent activity but will be engaged when the fraudsters decide to conduct a scheme. By having access to many accounts, the fraudsters can quickly industrialize their fraud schemes to steal potentially millions from banks very quickly.
Sleeper Fraud – Because Fraudsters Like to Plan Out Their Schemes Carefully
With Same Day ACH, banks need to be aware that the risks of fraud lie not only in the debiting of ACH transactions but also in the receiving of ACH transactions.
EWS is at the forefront with some great technology to make realtime payments safe from both a sending and receiving perspective. Their realtime payments solution provided through ClearXchange works because banks have created a consortium to share their data with each other to identify information on both the sending and receiving accounts.
#5 Scheme – PayPal, Venmo Payment Fraud Increases and Attacks
PayPal and Venmo are both moving to processing near realtime payments through ACH transactions. Starting next year, both PayPal and Venmo will begin letting customers instantly move funds from their accounts into their bank accounts. Currently customers have to wait 4 days to get access to their funds, but the new services will make it far faster and more convenient.
And we know what happens when you give money fast. The crooks take the money fast. Which is exactly what is likely to happen.
PayPal’s current withdrawal policy is kind of a drag for fraudsters who don’t want to wait 4 days to get their money.
With the move to faster payments, banks can expect to see more fraud attempts and losses on person-to-person payments as well as all of the fraud schemes that PayPal enables.
The move to near realtime money movement will undoubtedly attract all of the international scammers (romance schemes, lottery scams, IRS Tax schemes) that are always looking for a quick payment that cannot be recovered.
Should you be planning for Same Day ACH?
If you haven’t started planning for Same Day ACH and the impending Faster Payment trend, you probably want to. Not only is virtually every region in the world implementing Faster Payment initiatives, but most companies and organizations in the US have their own strategies for making money movement and payments faster and more convenient.
If you are a fraud analyst or work in the fraud prevention space you’re in the right line of work because there will be no shortage of need for your experience.
Thanks for reading. Let me know what you think and drop me a line if you’re seeing other scams I haven’t mentioned here.