Are your ACH internal controls strong enough to protect you from fraudsters? SAO has a new resource to help you

Do you remember the Nigerian prince scheme—that long-running internet fraud where the bad actor drains your bank account after obtaining your information? Fraudsters made $703,000 in 2018 alone on that one. While some fraudsters are still working that old scam, others have moved on to impersonating your employees and vendors to redirect Automated Clearing House (ACH) payments meant for payroll direct deposits or vendor payments. In fact, Washington governments reported $4.7 million lost to these schemes in 2020 and 2021.

How do these bad actors target your ACH payments? They typically start by emailing your staff to change vendor or employee information. They might ask to update contact information first, which allows them to update banking information months later without raising alarms. Once they get staff to change the bank account information, vendor or employee payments will go straight to them. If they hacked into a vendor's actual email account, they may even wait until a large payment is going out before they make their move.

Employees can also perpetrate ACH fraud. If employees have the right system access, it only takes a few keystrokes to change a vendor's banking information to a personal account. They sometimes even switch it back and forth in case someone is monitoring the information. Some employees might use the same bank account they use for their paycheck, while others are crafty and open a new account.

You should know that once you send an ACH payment, the money is gone. Your bank, as the originating bank, can request the receiving bank return the funds. However, the receiving bank is under no obligation to do so and, in many cases, it's not even possible. Fraudsters may have already moved the money out.

Fraudsters are constantly evolving their scams, so you need to be vigilant and ensure your government's internal controls evolve, too. To help you, SAO has developed a new resource: Best Practices for ACH Electronic Payments. This new resource has:

• Tips to help you develop and maintain policies for your ACH payment process
• Key areas to address in your ACH employee fraud training so your staff becomes “responsibly suspicious” and learns how to spot red flags
• Recommendations about how to segregate duties to reduce your fraud risk—an important practice for preventing and detecting ACH payment fraud
• Advice to help you establish a verification process for new payee information or requested changes to existing contact information, mailing addresses or banking information
• Guidance for managers on how to monitor for and prevent unauthorized payee account changes in the vendor master and ACH payment files

We'll talk more about fraud schemes at the upcoming 2022 Washington Finance Officers Association (WFOA) conference in September. Don't miss our “Fighting Fraud Friday” and “Financial Responsibilities in Cybersecurity” sessions on the final day of the conference.

How to reach us for more assistance

Remember, SAO can help. If you have technical questions, submit them using our HelpDesk in the client portal.

We also have financial management specialists at SAO's Center for Government Innovation available to talk with you about best practices, resources, or internal controls. For assistance, reach out to us at Center@sao.wa.gov.