
In this post, we look at payment scams and how to avoid them. We have compiled best practices from the National Automated Clearing House Association (NACHA) and added some suggestions of our own to help you protect your business from becoming a victim. We have also included four latest scams to guard against, so let’s get started!

Nine best practices to avoid ACH payment scams

Verify by phone before you send funds. Always call the vendor or company directly to verify the payment information.

Use a phone number you already have on file and have verified as correct, not one supplied in the request, and never initiate a change based solely on an email or text request.

Be cautious of new payment information.

Fraudsters use legitimate-looking emails to get you to change where the funds are sent. So beware of emails that provide new account information.

Match your payment to a legitimate invoice before paying.

Fraudsters frequently pose as trusted vendors requesting payment. Before initiating payments, match the payment amount and details to a legitimate invoice.

Verify before clicking on a link or opening an attachment in an external email or text.

Fraudsters find email formats online and copy the formatting to try to fool you. Even if an email appears to come from someone you know, it may be a fraudster phishing for your password, business bank account details, or other sensitive information. Recently, emails with links that deliver malware have been on the rise.

Never respond via email for verification.

If it’s a fraudster emailing you, they either control the spoof (look-alike) email account or have access to the valid email account and can respond, making it appear legitimate when it’s not.

Trust, but verify.

Do your research before doing business with a new vendor or company.

Limit devices.

Keep your payment processing on as few machines as possible, add two-factor authentication, and limit access and web browsing on those machines.

Add controls.

Consider dual control for ACH payments (electronic funds transfers).

Set rules.

Create email system rules that flag emails from domains whose extension is similar to your company’s (for example, .co instead of .com). Where possible, register all Internet domains that differ only slightly from your company’s domain.
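As an added illustration of the kind of rule described above (example code written for this post, not IntelliPay’s or NACHA’s), the Python below flags sender domains that resemble the company’s own: a swapped extension such as .co for .com, a close typo such as “rn” for “m”, or the real domain buried inside a longer one. The company domain and the From: headers are constructed placeholders.

```python
from email.utils import parseaddr
from typing import Dict, List, Optional

COMPANY_DOMAIN = "example-company.com"  # assumed placeholder for your own domain

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance: minimum single-character edits to turn a into b
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    # Lower-cased domain part of a From: header, or "" if there is no address
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def lookalike_reason(domain: str, company: str = COMPANY_DOMAIN) -> Optional[str]:
    # Why `domain` resembles `company`; None for the real domain, its subdomains, or unrelated domains
    if not domain or domain == company or domain.endswith("." + company):
        return None
    name, _, tld = company.rpartition(".")
    dname, _, dtld = domain.rpartition(".")
    if dname == name and dtld != tld:  # the .co-instead-of-.com case
        return f"same name, different TLD (.{dtld} instead of .{tld})"
    if edit_distance(domain, company) <= 2:  # typosquats such as 'rn' for 'm'
        return f"within 2 edits of {company}"
    if company in domain:  # real domain buried inside a longer, attacker-controlled one
        return f"{company} embedded in a longer domain"
    return None

def flag_messages(from_headers: List[str]) -> Dict[str, str]:
    # Map each suspicious From: header to the reason it was flagged
    found = ((h, lookalike_reason(sender_domain(h))) for h in from_headers)
    return {h: reason for h, reason in found if reason}

# Constructed sample headers, not real messages
SAMPLE_HEADERS = [
    "Accounts Payable <ap@example-company.com>",
    "Helpdesk <it@mail.example-company.com>",
    "CEO <ceo@example-company.co>",
    "Vendor Billing <pay@exarnple-company.com>",
    "CFO <cfo@example-company.com.attacker-invalid.test>",
    "Supplier <sales@other-vendor.test>",
]
```

Calling `flag_messages(SAMPLE_HEADERS)` returns only the three lookalike senders with the reason each was flagged; the real domain, its subdomain, and an unrelated vendor pass through.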

Latest Scams

Scams are constantly evolving, but here are some of the latest variants.

Business email compromise (BEC) and phishing scams.

BEC scams target companies that use ACH payments and wire transfers to make payments to other businesses. BEC scams start with fraudsters sending phishing emails where the email appears to be from a familiar source. The unsuspecting employee thinks it’s a legitimate email, clicks a link, provides their password, and gives business bank account details or other sensitive information. The fraudster gains access to the employee’s email account and monitors the account to understand who initiates and requests ACH payments or wires.

Senior executive spoofing scams

A company employee receives an email or text message requesting a transfer that appears to come from an executive within the business. The email address looks very similar to the company’s email domain and carries the name of the CEO or another company leader. In reality, the request comes from a hacked or “spoofed” email account made to appear legitimate. Text messages contain the executive’s name and the employee’s name but come from an unknown phone number. In each case, there is a sense of urgency, intended to trick the employee into sending the money before they have had a chance to research and verbally confirm the request.

Overpayment scams

In this scam, the fraudster poses as a trusted vendor and sends a check for more than the amount you agreed to with the actual vendor. The fraudster then insists that the overpayment be wired back to them. You later learn that the check was returned, and your company is liable for the total amount.

Vendor spoofing scams

An email or phone call is received from what appears to be a trusted vendor, requesting a change in payment instructions. Assuming the communication is legitimate, and without checking to verify the request, the employee changes the payment instructions and initiates a transfer directly into the fraudster’s bank account. What makes these requests so nefarious is that they closely mimic a legitimate request you could receive from that supplier.

Three tools to protect your business account

ACH debit blocks

An ACH debit block allows you to block any ACH debits and credits, stopping all funds from leaving your account. You can target blocks to a specific type of ACH entry (request), company, or maximum amount.

To set up a debit block, you must contact your bank and complete an ACH debit block agreement. This is a simple process that your bank can set up very quickly. Since the risk of fraudulent activity is rising, a debit block can be a great prevention tool.

Keep in mind that you will need to tell your bank expressly which transactions to permit; if you are setting up a new payment processing account, a debit block can prevent you from accessing funds received by ACH payment.

ACH filters

A solid alternative to an ACH debit block is an ACH filter. An ACH filter blocks all transactions except those on a list of permitted transactions that you maintain. For example, your list could include the payees to whom you authorize payments to be made. This gives you control over your transactions without blocking all of them.

ACH filters can frequently send text or email alerts, notifying you when funds have left your account. These alerts help you keep track of your account activity and allow you to spot any potentially fraudulent transactions quickly.

Hard holds

A hard hold blocks all payments from the account and is one step before closing your bank account. Hard holds are only recommended in severe fraud cases where you believe your bank account has been breached.

It is a mistake to close your bank account immediately after fraud has been detected. A hard hold plays a vital role because it allows the account to sit for a while; otherwise, you may be charged overdraft fees if ACH debits are sent to your closed account. In addition, a hard hold protects you while you set up a new account.

Banks’ policies vary regarding hard holds. For example, some banks won’t let you put a hard hold on your account if you owe a balance on a bank-issued credit card.


ACH payments provide many benefits to your business in terms of convenience and eliminating paper checks and accompanying manual processes. However, while ACH payments are highly secure, they are also subject to fraud, like all payment types.

To protect your business and your bank account, we recommend you use the best practices outlined previously and a tool like ACH filters, which block all but those transactions you have pre-approved. If you suspect suspicious activity, activate an ACH debit block, which blocks ACH debits and credits to your account. And in cases of serious fraud, you can use a hard hold to prevent account activity. Each of these methods should be part of an overall plan to protect all your payments, ACH included, from fraud.


Payment scams and how to avoid them – IntelliPay