
Safeguarding Your Organization from Possible ACH Disbursement Fraud

While the benefits of using Automated Clearing House (ACH) payments for disbursements are numerous (e.g., less expensive than using checks, automated and time efficient), companies without strong, established internal controls in place can fall victim to nefarious actions by hackers focused on the company’s use of ACH payments. There has been a rise in social engineering schemes by bad actors, particularly at companies where internal controls were either not adequate to mitigate potential illegal acts or were overridden by management.

Reviewing Current Controls and Implementing New Procedures

Management must be vigilant in an ever-changing cyber environment as hackers become more creative and devious in their efforts to access an organization’s assets or information.

The inherent risks of making ACH payments that can never be fully avoided include identity theft and fraudulent payment information. However, the company can mitigate these risks by regularly reviewing existing internal controls and procedures for best practices and verifying that each disbursement follows established protocols. The suggestions below describe procedures that organizations can use to strengthen controls.

  • Verifying a change in vendor information – If you happen to receive an email from a vendor requesting that you change any payment information, the best course of action is to call a telephone number you know is legitimate and confirm the change over the phone with a known contact. Cybersecurity threats target both your company and the vendors your company uses. Confirming this change through a verified phone call is a necessary step to safeguard against potential theft. Once complete, this change should be reviewed and approved by a supervisor of the business office.
  • Proper Approval of Disbursements – Ensure an appropriate member of the management team reviewed and approved the ACH funds transfer. Obtaining the proper approval of an ACH payment is important to ensure the disbursement is accurate and legitimate. If there are any concerns about the approval, contact the approver through another form of communication. For large and infrequent ACH disbursements, having a second approver is advisable.
  • List of Approved Vendors – Confirm that the vendor you are about to release funds to is well known to your organization. Ensuring that the vendor is on an approved list of vendors significantly decreases the likelihood that an improper ACH payment will be made to an illegitimate payee. This list of vendors should be created and maintained by an appropriate member of the business office and approved annually by the Chief Financial Officer. It is also important to remove inactive vendors from this listing to avoid a misplacement of payment.
  • Verification of Payment Received – Contact the vendor after payment is made to confirm receipt for specific threshold amounts. The transfer of funds through an ACH payment is almost instantaneous; having the vendor acknowledge receipt will help ensure the funds were released to the proper party.

Takeaway

Reviewing your company’s current processes is key to identifying possible weaknesses that exist within your ACH disbursement function. We recommend that this be done at least annually to verify that the internal controls in place are adequate and still relevant and that no other risks have been identified that need to be addressed.


The information presented here should not be construed as legal, tax, accounting, or valuation advice. No one should act on such information without appropriate professional advice and after a thorough examination of the particular situation.