How To Protect Your Business From ACH Phishing

by | Apr 1, 2020 | Security

A few years ago, a lone hacker in a basement might have been satisfied stealing some data or infecting machines with a virus. Not so today: Verizon's most recent Data Breach Investigations Report found that 71% of breaches were financially motivated. Instead of a lone hacker, organized criminal groups now target a business's finances directly, and they are succeeding, taking billions of dollars each year globally. In this post, I'll share their favorite tactic and how you can protect your business.

Even though video conferences are on the rise, email remains the primary communication channel for most teams, especially for executive communication. That makes it a common attack vector for cybercriminals, and their favorite technique is phishing.

Between February and March 2020, Barracuda Networks reported a 667% increase in coronavirus-related phishing emails.

Most people reading this will know what phishing is. Still, in case not, it is "the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity in an electronic communication."

Increasingly, the objective of phishing is to trigger a fraudulent ACH transfer, either by tricking someone in finance into sending one or by capturing the online banking credentials needed to initiate one. Most executives understand this, yet many of us know someone who has been a victim of cybercrime. ACH phishing is one threat businesses should not fall for, but they do, time and time again.

Small and medium-sized businesses are especially vulnerable. Take the food and hospitality industries, a sector that has invested the least in cybersecurity: an average of around $1,230 a year per business. The good news is that this is up from $1,025 in 2018.

If you're a CEO or CFO of a small or medium business, it's time to start paying attention today. The United States Secret Service recently warned corporate America about fraudulent emails related to COVID-19 that carry malicious attachments.

The CNBC article on that warning noted three other traits we commonly see in ACH phishing:

  • Attacks imitate companies or government agencies that employees expect to hear from, e.g., a bank with news about the Paycheck Protection Program
  • Employees are targeted with text messages about the coronavirus (smishing)
  • Executive and finance teams are emailed by someone pretending to be the CEO (business email compromise, or BEC)

If there's a takeaway here, it's that criminal organizations use crises like a pandemic as the lure for malware and fraud. They also use seasonal events like tax time to attack businesses. Unfortunate, but true.

In March 2020, 2% of all phishing attacks mentioned “coronavirus.”

All employees are at risk, but C-level executives are a frequent target because of their influence and their control of banking and accounting systems. The higher an individual sits in an organization, the bigger the opportunity for cybercriminals. The Association for Financial Professionals reports that it is usually not the payment method that is at risk but the process leading up to payment initiation. In other words, people and process are the weak link.

While it’s crucial to protect a company’s infrastructure, it’s also essential to provide proper training designed to protect employees from ACH fraud. IT leaders need to think about the training they provide to executives and employees to keep the company safe from ACH phishing and other types of cyberattacks.

The good news is that there are easy-to-implement solutions

Here are five solutions to help you combat ACH fraud. If you’re a senior leader in your company, check-in with your teams to make sure these are in place:

  1. Pick up the phone to confirm any executive's financial directive
  2. Use multi-factor authentication (MFA)
  3. Detect "impossible travel" sign-ins
  4. Alert on email auto-forwarding
  5. Flag external emails

Pick up the phone

The first line of defense is a manual verification process. Make it policy that every emailed request to initiate an ACH transfer, or to change a vendor's bank details, is verified by phone before any money moves. Call a number from your own records or directory, never one printed in the email, because an attacker controls everything in the message. The recipient should feel safe calling to confirm, even if the sender is the CEO or CFO, and yes, even late on a Friday afternoon or a weekend. Urgency and pressure to skip the call are themselves warning signs.

Multi-factor authentication

Every organization should have multi-factor authentication (MFA) in place for all systems, and above all for email, online banking and accounting. It is an effective way to prevent unauthorized access, because a phished password alone is no longer enough to log in. MFA validates two or more factors from different categories: something the user knows (a password), something the user has (a hardware key, a soft token or an authenticator app on a phone), and something the user is (a biometric). One caveat: SMS codes and push approvals can still be phished or worn down by repeated prompts, while hardware security keys (FIDO2/WebAuthn) resist phishing because they bind the login to the genuine site.

Impossible travel

Organizations should also watch for what's called "impossible travel." If someone signs in from Paris, France, and a few minutes later from Salinas, California, they cannot physically be in both places, so at least one of those sign-ins is not them. Impossible travel is a good indicator of a stolen password in use. When the check fires, the system should block or step up the second login and alert the administrator, who then reviews the account for other abnormal activity. Most cloud identity and email providers offer this as a built-in risk detection. It depends on geolocating the source IP address, so VPNs and mobile carriers occasionally produce false positives that need tuning.
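To make the check concrete, here is an added example (not code from the original post) of the impossible-travel logic run over constructed sign-in records. It assumes each sign-in has already been geolocated to a latitude and longitude; the speed and minimum-distance thresholds are assumptions to tune for your own environment.

```python
"""Impossible-travel check over sign-in events (added example, not from the original post)."""
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class SignIn:
    user: str
    when: datetime      # UTC timestamp of a successful sign-in
    ip: str
    city: str           # human-readable label from geo-IP lookup (assumed already done)
    lat: float
    lon: float


@dataclass
class Alert:
    user: str
    from_city: str
    to_city: str
    minutes: float
    km: float
    kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two lat/lon points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


# Assumed thresholds: nothing legitimate moves faster than a long-haul flight,
# and hops shorter than MIN_KM are treated as geo-IP noise (same metro area, VPN exit).
MAX_KMH = 1000.0
MIN_KM = 50.0


def find_impossible_travel(events: List[SignIn], max_kmh: float = MAX_KMH,
                           min_km: float = MIN_KM) -> List[Alert]:
    """Compare each user's consecutive sign-ins; flag pairs whose implied speed exceeds max_kmh."""
    alerts: List[Alert] = []
    by_user: Dict[str, List[SignIn]] = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            # Two far-apart sign-ins at the same instant imply infinite speed: always flag.
            kmh = km / hours if hours > 0 else math.inf
            if kmh > max_kmh:
                alerts.append(Alert(user, prev.city, cur.city, hours * 60, round(km), kmh))
    return alerts


def _t(hh: int, mm: int) -> datetime:
    return datetime(2020, 4, 1, hh, mm, tzinfo=timezone.utc)


# Constructed sample data: alice is the post's Paris/Salinas case, bob commutes inside California.
SAMPLE_EVENTS = [
    SignIn("alice", _t(9, 0), "203.0.113.10", "Paris, FR", 48.8566, 2.3522),
    SignIn("alice", _t(9, 5), "198.51.100.7", "Salinas, CA", 36.6777, -121.6555),
    SignIn("bob", _t(9, 0), "198.51.100.20", "Salinas, CA", 36.6777, -121.6555),
    SignIn("bob", _t(10, 0), "198.51.100.21", "San Jose, CA", 37.3382, -121.8863),
]

if __name__ == "__main__":
    for a in find_impossible_travel(SAMPLE_EVENTS):
        print(f"{a.user}: {a.from_city} -> {a.to_city} in {a.minutes:.0f} min "
              f"({a.km:.0f} km, {a.kmh:.0f} km/h): impossible travel, alert and require re-auth")
```

Running it reports only alice: roughly 9,000 km in five minutes. Bob's 76 km hop inside California over an hour passes both thresholds. In production the events come from your identity provider's sign-in log, and the alert should drive a step-up authentication or a block, not just a message to the admin.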

Alerts for auto email forwarding

Set up automatic alerts to notify admins whenever email forwarding gets turned on, whether as a mailbox setting or as an inbox rule the user can create themselves. In a typical scenario, a cybercriminal phishes a user's password, logs in to their email, and quietly forwards a copy of every message to an outside address. They read along for weeks to learn how the user and the company operate (who approves payments, which vendors are due, how the CEO writes), then wait for the right moment to send an ACH request as that user, often adding a rule that deletes the replies so the victim never sees them. A new auto-forward, especially to an external domain, is a telltale sign that an email account is compromised.
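As an added example (not code from the original post), here is a detection that turns mailbox audit events into forwarding alerts, rating a destination outside the company as high severity. The event shape and field names are a constructed simplification and an assumption: real platforms such as Exchange Online carry the same information in their admin audit log under their own names, so map those fields to this shape before calling it.

```python
"""Alert when mailbox forwarding is switched on (added example, not from the original post)."""
from dataclasses import dataclass
from typing import Dict, List

INTERNAL_DOMAINS = {"example.com"}   # assumption: the company's own mail domain(s)

# Parameters that make a copy of mail leave the mailbox, for the two ways an attacker
# turns forwarding on: a mailbox-level setting and a user-level inbox rule.
# Operation and parameter names are assumed; adapt them to your platform's audit schema.
FORWARDING_PARAMS = {
    "Set-Mailbox": ("ForwardingSmtpAddress", "ForwardingAddress"),
    "New-InboxRule": ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"),
    "Set-InboxRule": ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"),
}


@dataclass
class ForwardAlert:
    mailbox: str       # whose mail is being forwarded
    actor: str         # who made the change (the user, or an admin account)
    operation: str
    destination: str
    severity: str      # "high" when mail leaves the company, "medium" when it stays internal


def _domain(address: str) -> str:
    """Mail domain of an address, tolerating the 'smtp:' prefix some audit logs emit."""
    address = address.strip().lower()
    if address.startswith("smtp:"):
        address = address[len("smtp:"):]
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def find_forwarding(events: List[Dict], internal_domains=INTERNAL_DOMAINS) -> List[ForwardAlert]:
    """Scan audit events and return one alert per new forwarding destination."""
    alerts: List[ForwardAlert] = []
    for ev in events:
        op = ev.get("Operation", "")
        params = FORWARDING_PARAMS.get(op)
        if not params:
            continue
        for p in params:
            dest = ev.get("Parameters", {}).get(p)
            if not dest:                      # absent, or cleared (forwarding switched off)
                continue
            destinations = dest if isinstance(dest, list) else [dest]
            for d in destinations:
                severity = "high" if _domain(d) not in internal_domains else "medium"
                alerts.append(ForwardAlert(ev["ObjectId"], ev["UserId"], op, d, severity))
    return alerts


# Constructed sample events: an admin-set external forward on alice's mailbox (the attacker
# scenario), a user inbox rule forwarding to a colleague, and a forward being removed.
SAMPLE_EVENTS = [
    {"Operation": "Set-Mailbox", "UserId": "admin@example.com", "ObjectId": "alice@example.com",
     "Parameters": {"ForwardingSmtpAddress": "smtp:alice.backup@mail-archive.net",
                    "DeliverToMailboxAndForward": "True"}},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ObjectId": "bob@example.com",
     "Parameters": {"Name": "Invoices", "ForwardTo": ["carol@example.com"]}},
    {"Operation": "Set-Mailbox", "UserId": "admin@example.com", "ObjectId": "dave@example.com",
     "Parameters": {"ForwardingSmtpAddress": ""}},
]

if __name__ == "__main__":
    for a in find_forwarding(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.operation} by {a.actor}: {a.mailbox} now forwards to {a.destination}")
```

Note that DeliverToMailboxAndForward being true in the first event is exactly the attacker's preference: the victim keeps receiving mail and notices nothing. A companion rule worth adding is one that fires on new inbox rules that delete or move messages containing words like "wire", "ACH" or "invoice", since that is how replies are hidden from the real user.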

Flagging external emails

Flagging external emails with a small banner warns people that the message originated outside the organization. It provides an extra visual check that doesn't impede work but makes users pause when faced with a potential phishing email, and it gives them a reason to double-check when a message claiming to be from a colleague or the CEO arrives with the banner on it. The banner is a prompt to stop and ask, "Do I really want to act on this?"
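The banner decision is simple, but the same hook is a good place to catch the CEO-impersonation trait mentioned earlier. Here is an added example (not code from the original post) that inspects a message's From and Reply-To headers, applies the external banner, and escalates when the display name matches a known executive but the address does not. The company domain, the executive list and the three messages are constructed assumptions.

```python
"""External-mail banner plus display-name impersonation check (added example, not from the post)."""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

INTERNAL_DOMAINS = {"example.com"}                  # assumption: the company's own domain(s)
EXECUTIVES = {"pat lee": "pat.lee@example.com"}     # assumption: display name -> real mailbox

EXTERNAL_BANNER = "CAUTION: This message originated from outside the organization."
IMPERSONATION_BANNER = ("WARNING: The sender's name matches an executive but the address does not. "
                        "Do not act on payment instructions without calling them.")
REPLY_TO_BANNER = "WARNING: Replies to this message go to a different domain than the sender."


def _domain(address: str) -> str:
    address = address.strip().lower()
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def assess_message(raw: str, internal_domains=INTERNAL_DOMAINS,
                   executives=EXECUTIVES) -> Dict[str, object]:
    """Return the banners a gateway should prepend to this message, with the reasons."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(addr)

    external = from_domain not in internal_domains
    # Lookalike addresses ("pat.lee.ceo@...") keep the executive's display name; catch that.
    expected = executives.get(name.strip().lower())
    impersonation = expected is not None and addr.lower() != expected
    # A Reply-To on another domain routes the victim's answer to the attacker.
    reply_mismatch = bool(reply_addr) and _domain(reply_addr) != from_domain

    banners: List[str] = []
    if external:
        banners.append(EXTERNAL_BANNER)
    if impersonation:
        banners.append(IMPERSONATION_BANNER)
    if reply_mismatch:
        banners.append(REPLY_TO_BANNER)
    return {"from": addr, "external": external, "impersonation": impersonation,
            "reply_mismatch": reply_mismatch, "banners": banners}


# Constructed sample messages (headers only matter for this check).
INTERNAL_MSG = "\n".join([
    "From: Pat Lee <pat.lee@example.com>",
    "To: finance@example.com",
    "Subject: Q2 budget",
    "",
    "Attached, as discussed.",
])
LOOKALIKE_MSG = "\n".join([
    "From: Pat Lee <pat.lee.ceo@outlook-mail.net>",
    "To: finance@example.com",
    "Subject: Urgent ACH transfer today",
    "",
    "I am in meetings all day, please process this wire before 3pm and confirm by email only.",
])
VENDOR_MSG = "\n".join([
    "From: Accounts Payable <ap@vendor.example.net>",
    "Reply-To: ap-updates@vendor-example.net",
    "To: finance@example.com",
    "Subject: Updated bank details for remittance",
    "",
    "Please use the new account on all future payments.",
])

if __name__ == "__main__":
    for label, raw in (("internal", INTERNAL_MSG), ("lookalike", LOOKALIKE_MSG), ("vendor", VENDOR_MSG)):
        result = assess_message(raw)
        print(f"{label}: from={result['from']} banners={result['banners']}")
```

One caveat a gateway must respect: a From header can be forged to an internal address, so the "external" decision in production should come from where the message actually entered (the inbound connector plus SPF, DKIM and DMARC results), not from the header alone. This example assumes that an internal-looking address has already been authenticated.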

Bonus tip: training

It is all well and good to implement the suggestions above, but the greatest threat to any technical security control is usually a human. We strongly recommend that every company provide formal phishing awareness training for all employees, especially those responsible for financial and IT systems, and reinforce it with periodic simulated phishing so the lesson is practiced, not just heard.

Is your team prepared?

The good news is, if one or more of these ideas are new to you, you have options. There are practical and achievable things you can do that will dramatically improve your company's security, and every step above is within reach of a small business. Have a conversation with your security team today. If you're unsure where to start with any of these recommendations, we are here to help.
