ACH Payments: How They Work, How They're Exploited, and How to Defend Them

Introduction: The Rail That Moves American Commerce

The Automated Clearing House network is the circulatory system of American business payments. In 2024, the ACH network processed more than 31 billion transactions totaling over $80 trillion — payroll, vendor payments, tax disbursements, insurance premiums, mortgage payments, and thousands of other recurring and one-time payment types. For most organizations, ACH is the primary mechanism by which vendor payments are made and payroll is delivered. It is ubiquitous, inexpensive, and operationally dependable.

It is also among the most actively exploited payment rails in the fraud landscape.

Understanding ACH risk requires understanding how the network works — because the same structural features that make ACH efficient are precisely the features that fraud actors exploit. The remedies are well established and, in many cases, now legally mandated. The gap between what best practice requires and what most organizations have implemented remains, for many, uncomfortably wide.

How ACH Payments Work

ACH is a batch-processing payment network administered by Nacha (the National Automated Clearinghouse Association), which publishes and enforces the operating rules that govern how transactions are originated, processed, and settled.

The transaction chain involves four primary parties.

1. The Originator is the organization or individual initiating the payment — in the vendor payment context, this is typically the AP function of the paying company.

2. The Originating Depository Financial Institution (ODFI) is the Originator’s bank, which receives the payment instruction, formats it as an ACH entry, and submits it to the network.

3. The Receiving Depository Financial Institution (RDFI) is the bank at which the recipient holds their account.

4. The Receiver is the ultimate recipient of the funds — the vendor, employee, or other counterparty.

ACH transactions are submitted in batches, not individually. The ODFI aggregates payment entries and submits them to an ACH Operator — either the Federal Reserve (FedACH) or the Clearing House (EPN) — which sorts and routes entries to the appropriate RDFIs. Settlement occurs on a same-day or next-business-day basis, depending on the processing window and the transaction type.

Same-Day ACH, introduced in 2016 and expanded through subsequent Nacha rule amendments, now handles a significant and growing volume of business payments, with multiple processing windows available throughout the business day.

Each ACH entry carries a Standard Entry Class (SEC) code that describes the nature of the transaction and determines which rules apply to it. For business-to-business vendor payments, the relevant SEC code is CTX (Corporate Trade Exchange) or CCD (Corporate Credit or Debit). For payroll, PPD (Prearranged Payment and Deposit) is standard. The WEB SEC code governs ACH debits initiated via the internet — a category that has attracted particular regulatory attention given its elevated fraud risk.

ACH carries a return mechanism that distinguishes it from wire transfers. An RDFI can return an ACH entry — for reasons including an invalid account number, a closed account, no account on record, or authorization issues — within defined timeframes. For most unauthorized debit entries, the return window is 60 days from the settlement date. This reversibility is meaningful but not unlimited, and it does not apply to ACH credits in the same way: once an ACH credit is posted to a recipient's account, recovering it requires the recipient's cooperation or legal action, neither of which is fast or certain.

How ACH Payments Are Exploited

The ACH network's fraud exposure is concentrated in several recurring attack patterns. Each is well documented, each is actively used, and each exploits a specific vulnerability that preventive controls can address.

Vendor Banking Redirect (Account Takeover via Vendor Impersonation)

This is currently the most costly and prevalent form of ACH fraud targeting AP functions. The attack pattern is straightforward: a fraud actor — either an external criminal impersonating a vendor or a malicious insider with system access — causes a change to the banking information for an existing vendor in the organization's vendor master file. Subsequent ACH payments intended for the legitimate vendor are routed instead to a fraudulent account controlled by the attacker.

The change is almost always introduced through social engineering. A Business Email Compromise (BEC) attack targeting AP staff is the most common vector: the attacker, operating from a spoofed or compromised email account, contacts AP with a routine-seeming request to update the vendor's banking details. The email looks legitimate. The request sounds routine. Without a verification protocol that operates independently of the email channel, the fraudulent update enters the system and payments begin flowing to the attacker.

The Cleveland Public Library case illustrates the operational reality. Fraudsters impersonating a legitimate vendor contacted the library with a banking detail change request. Without adequate verification protocols, the change was processed. Nearly $400,000 was diverted before the fraud was detected. State auditors attributed the loss directly to the absence of verification controls for vendor information changes.

The FBI's IC3 data consistently shows that vendor payment-redirect attacks account for some of the largest individual BEC losses, precisely because ACH payments to established vendors are processed with less scrutiny than new vendor payments, and because the fraud may continue across multiple payment cycles before detection.

Unauthorized ACH Debits

Organizations are not only ACH originators — most also hold accounts that can be debited via ACH. An unauthorized ACH debit occurs when a party initiates an ACH debit against an organization's bank account without authorization. This may be an outright criminal attack using account credentials obtained through data breach or phishing, or it may be a dispute involving a legitimate ACH debit for which the organization claims it did not provide proper authorization.

The return window for unauthorized debits provides some recovery optionality, but detection must occur within the return timeframe. Organizations that do not monitor ACH activity against their accounts — daily or more frequently — may not identify unauthorized debits within the window available for recovery.

ACH Kiting and Float Exploitation

ACH kiting is primarily a risk for banks. It exploits the timing gap between ACH submission and settlement. A bad actor initiates ACH transactions designed to create the appearance of available funds that do not actually exist, exploiting float for short-term liquidity or outright theft. Same-Day ACH has reduced but not eliminated the settlement windows that kiting schemes exploit.

Origination Credential Theft

ACH originators access the ACH network through their ODFI, typically via an online banking platform or a treasury management system. These platforms are protected by access credentials that, if compromised, allow an attacker to originate fraudulent ACH transactions directly. Credential theft via phishing, malware or insider access represents a less common but high-consequence attack vector — one that bypasses vendor master controls entirely by attacking the origination platform itself.

The Regulatory Framework: Nacha Operating Rules and the Compliance Imperative

ACH payments are governed by Nacha's Operating Rules, which impose substantive obligations on originators that go well beyond procedural compliance. For AP and treasury functions, three areas of the rules carry operational significance.

Account Validation Requirements

The most consequential compliance development for ACH originators in recent years is the account validation rule. Nacha's Operating Rules require that before initiating the first ACH credit to a vendor account — and before initiating any payment following a change to the account number — the originator must use a "commercially reasonable" method to validate the account.

What constitutes commercially reasonable validation? Nacha has identified three acceptable approaches: ACH prenotification (a zero-dollar test entry sent through the ACH network), micro-deposit verification (small deposits confirmed by the recipient), and commercially available account validation services (real-time services that verify account validity and, depending on the service, account ownership). Self-reporting — simply accepting the banking details a vendor provides — does not meet the commercially reasonable standard and cannot be relied upon as a standalone control.

This rule is not advisory. Large originators must comply. For smaller originators, the direction of regulatory travel is unambiguous: unverified account data is no longer an acceptable basis for ACH disbursements under the Nacha Operating Rules.

The 2026 Risk Management Amendments

Nacha's risk management rule package brought two significant changes. Amendments effective March 20, 2026, address originator obligations for fraud monitoring — requiring that originators maintain a commercially reasonable fraud detection system appropriate to the nature and volume of their ACH activity. Additional amendments effective June 22, 2026, extend and refine these requirements, with particular attention to return rate monitoring and the obligations of ODFIs to oversee originator compliance.

For AP functions that have not reviewed their ACH origination practices against the current rule set, that review is overdue. The risk is not only financial — Nacha's enforcement mechanism can, in cases of serious non-compliance, result in suspension of ACH origination privileges, a consequence whose operational impact would extend well beyond any individual fraud loss.

Return Rate Monitoring

Nacha establishes threshold return rates — the percentage of ACH entries that are returned — above which an originator is subject to scrutiny, required remediation, and potential sanctions. High return rates are both a compliance problem and a diagnostic signal: they indicate that ACH entries are being sent to incorrect, closed, or non-existent accounts, which is precisely the condition that pre-payment account validation is designed to prevent. Organizations with elevated return rates frequently have gaps in their account validation processes that the return data is revealing.

The Control Architecture: Defending ACH Disbursements

The controls available for ACH payments are well established. Their effectiveness depends on consistent implementation and enforcement — which is where most organizations' gaps lie.

Pre-Payment Account Validation

This is the foundational control for ACH credit disbursements and the one most directly required by the Nacha Operating Rules. Every vendor banking record should be independently validated before the first payment is issued and after any change to the account number. The validation method should confirm not only that the account exists and can receive ACH transactions, but — to the extent the chosen method supports it — that the account is held in the name of the vendor entity on record.

Purpose-built account validation services provide real-time or near-real-time confirmation and are now widely available. Pre-notes remain a valid and Nacha-recognized method but do not confirm account ownership and introduce a processing delay. The appropriate method depends on the organization's volume, risk tolerance, and the urgency of the payment cycle.

Vendor Banking Change Protocols

If there is one control that the fraud case record most consistently identifies as the difference between loss and prevention, it is the protocol for handling changes to existing vendor banking information. Every request to change a vendor's ACH destination account should trigger a mandatory, out-of-band verification — a callback to a phone number maintained independently of the request channel, not to a number provided in the change request itself — before the change is entered into the vendor master.

This control is simple in concept and frequently absent in practice. The organizations that have sustained the largest ACH redirect losses have overwhelmingly failed at exactly this point: they processed banking change requests by email, without independent verification, because that was the established informal workflow.

Dual Authorization for ACH Batches

ACH credit batches — the files submitted to the ODFI for processing — should require approval by an individual other than the person who prepared the batch. This segregation of duties provides a check against both error and insider fraud. In organizations where AP staff have both the ability to modify vendor records and the ability to release ACH batches, a single compromised or dishonest employee can redirect payments without any independent review.
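The controls in this section and the two before it (callback to the number on record before a banking change is entered, re-validation after any account-number change, dual authorization, and keeping whoever edited the vendor record away from batch release) can be expressed as a small gate. The following is an added example written for this article, not code from any AP system or Nacha rule; the vendor IDs, user names and phone numbers are constructed.

```python
# Constructed example, not code from the article: a vendor-master change gate.
# Each check returns a list of control violations; an empty list means it passes.
from dataclasses import dataclass

ACCEPTABLE_VALIDATION = {"prenote", "micro_deposit", "validation_service"}

@dataclass
class Vendor:
    vendor_id: str
    routing: str
    account: str
    phone_on_record: str       # maintained independently of any change request
    validated: bool = True     # validation status of the current account number
    last_modified_by: str = ""

@dataclass
class ChangeRequest:
    new_routing: str
    new_account: str
    phone_in_request: str      # supplied by the requester; never used for the callback
    entered_by: str

def apply_banking_change(vendor, req, callback_number, callback_confirmed):
    """Enter the change only after an out-of-band callback to the number on record."""
    if callback_number != vendor.phone_on_record:
        return ["callback must use the phone number on record, not the request's"]
    if not callback_confirmed:
        return ["vendor did not confirm the change on callback"]
    vendor.routing, vendor.account = req.new_routing, req.new_account
    vendor.validated = False   # Nacha: validate again after any account-number change
    vendor.last_modified_by = req.entered_by
    return []

def record_validation(vendor, method, owner_matches=None):
    """Accept only Nacha-recognized methods; self-reported details never count."""
    if method not in ACCEPTABLE_VALIDATION:
        return [f"{method!r} is not a commercially reasonable validation method"]
    if method == "validation_service" and owner_matches is False:
        return ["account is not held in the name of the vendor on record"]
    vendor.validated = True
    return []

def release_batch(vendors, entries, prepared_by, approved_by):
    """Dual authorization plus separation of vendor-master edits from release."""
    problems = []
    if approved_by == prepared_by:
        problems.append("batch approver must differ from the preparer")
    for entry in entries:
        v = vendors[entry["vendor_id"]]
        if not v.validated:
            problems.append(f"{v.vendor_id}: account not validated since last change")
        if v.last_modified_by in (prepared_by, approved_by):
            problems.append(f"{v.vendor_id}: record changed by a batch participant")
    return problems
```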

Positive Pay for ACH (ACH Debit Blocks and Filters)

Most banks offer ACH debit block and filter services that provide Positive Pay-equivalent protection on the debit side. A full ACH debit block prevents any ACH debit from posting to a designated account. ACH debit filters allow debits only from pre-authorized companies (identified by company ID). For accounts that are not intended to be debited by external parties — including dedicated disbursement accounts — a debit block is a straightforward, low-cost control that eliminates unauthorized debit exposure entirely.

Daily Reconciliation and ACH Activity Monitoring

ACH fraud that is detected within the return window can often be recovered. ACH fraud detected after the return window is largely unrecoverable. Daily reconciliation of bank account activity against authorized payment records — identifying any ACH debit or credit that does not correspond to an approved transaction — provides the detection speed necessary to act within available return windows. Exception reporting within the ERP or AP system should flag any ACH batch that deviates from established patterns in amount, vendor or frequency.
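As an added illustration (not code from the article or from any bank), the following reconciles a constructed bank activity export against the day's approved ACH credits and the debit-filter company-ID allowlist from the previous section, and reports how many days of the 60-day return window remain for each exception; the export layout, company IDs, references and dates are all invented.

```python
# Constructed example, not code from the article: reconcile a bank's ACH activity
# export against that day's approved ACH credits and the debit-filter allowlist, and
# report how much of the return window is left for each exception. All IDs invented.
import csv
from datetime import date
from io import StringIO

RETURN_WINDOW_DAYS = 60   # return window the article cites for unauthorized entries

# Constructed bank export; "ref" is the originator-assigned identification number.
BANK_ACTIVITY = """settle_date,direction,company_id,ref,amount
2026-03-04,credit,1234567890,INV-2041,4800.00
2026-03-04,credit,1234567890,INV-2042,12250.00
2026-03-04,debit,9876543210,PAYROLL-TAX,1500.00
2026-03-04,debit,5555555555,SVC-FEE,9800.00
2026-01-02,debit,4444444444,SVC-FEE,250.00
"""

APPROVED_CREDITS = {("INV-2041", "4800.00")}   # released in the approved batch
ALLOWED_DEBITORS = {"9876543210"}               # company IDs on the ACH debit filter

def parse_activity(text):
    return list(csv.DictReader(StringIO(text)))

def reconcile(rows, approved_credits, allowed_debitors, today):
    """Flag activity with no approved source and compute days left to return it."""
    exceptions = []
    for r in rows:
        if r["direction"] == "credit":
            if (r["ref"], r["amount"]) in approved_credits:
                continue
            reason = "credit not in any approved batch (possible redirect or duplicate)"
        else:
            if r["company_id"] in allowed_debitors:
                continue
            reason = "debit from a company ID not on the debit-filter allowlist"
        settled = date.fromisoformat(r["settle_date"])
        days_left = RETURN_WINDOW_DAYS - (today - settled).days
        exceptions.append({"ref": r["ref"], "amount": r["amount"], "reason": reason,
                           "return_days_left": max(days_left, 0),
                           "window_open": days_left > 0})
    return exceptions

def daily_exceptions(today_iso):
    """Run the day's reconciliation for the constructed export; today_iso is YYYY-MM-DD."""
    today = date.fromisoformat(today_iso)
    return reconcile(parse_activity(BANK_ACTIVITY), APPROVED_CREDITS, ALLOWED_DEBITORS, today)

if __name__ == "__main__":
    for ex in daily_exceptions("2026-03-05"):
        print(ex)
```

The January debit illustrates the failure mode the section describes: found on a monthly review rather than a daily one, it surfaces with the return window already closed.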

Segregation of the Vendor Master from Payment Release

The employee or system that can modify vendor banking information in the master file should not be the same employee or system that can release ACH payments to that vendor. This separation is fundamental. Where it does not exist, the risk of undetected fraud — whether from insider manipulation or from a social engineering attack that tricks a single employee into both changing the record and releasing the payment — is substantially elevated.

Employee Training and BEC Awareness

The ACH redirect attack is, at its point of entry, a social engineering problem. The technical controls described above are necessary but not sufficient if the people responsible for vendor banking changes do not recognize BEC tactics, do not question requests that arrive by email, and do not apply verification protocols consistently regardless of the apparent urgency of the request. Training that uses realistic scenarios — including the specific email patterns and urgency language that BEC actors use — is a meaningful complement to technical controls, not a substitute for them.

The Recovery Reality

ACH credits are not wire transfers — they carry a return mechanism that provides a window for recovery. But that window is not wide, and without deliberate monitoring it closes faster than most organizations' detection cycles operate.

An ACH credit that has posted to a fraudulent account can be returned as an unauthorized transaction within 60 days of settlement — but only if the RDFI cooperates and the funds are still present in the account. Fraud actors typically move funds quickly, often through layered transfers or conversion to cryptocurrency, precisely to defeat the return mechanism. The practical recovery window is often measured in hours, not days.

For AP functions, this means that ACH fraud detection is not an end-of-month reconciliation problem. It is a daily operations problem. Organizations that review bank activity monthly will routinely discover ACH fraud well outside any meaningful recovery window.

Conclusion: The Most Manageable High-Risk Payment Method

ACH occupies a distinctive position in the payment risk landscape. It is the payment method most heavily used for vendor disbursements, which makes it the most frequent target of AP-directed fraud. It is also the payment method with the most developed control toolkit — bank account validation, dual authorization, ACH debit blocks, return mechanisms, and a regulatory framework that now mandates minimum standards for originator controls.

That combination — high risk, high control availability — means that ACH fraud losses are, more than those associated with any other payment method, preventable. The organizations that sustain significant ACH fraud losses have almost universally failed to implement controls that were available to them and, increasingly, required of them.

The Nacha Operating Rules define the floor. Defensible ACH risk management builds above it.
