ACH payment fraud is becoming more common, and it is believed that the fraudsters target certain types of individuals. Unfortunately, school districts are one of those targets. Financial institutions play a crucial role in safeguarding bank accounts from fraud; however, the account owner bears the burden to report the fraud within a specific time limit. The National System of Fines provides the structure for evaluating alleged Rules violations. Per Nacha, if you suspect an ACH fraud, you must submit your report within 90 days of the alleged rules violation occurrence.
To submit a report, you will need the following information:
- Your contact and organization information, as well as your participant status (ODFI, RDFI or ACH Operator).
- A clear description of the alleged violation, including the sequence of events and consequences of the violation.
- The specific Rule provision that may have been violated.
- Transaction information:
- SEC Code
- Transaction Code
- Settlement Date
- Dollar Amount
- Trace Number
- Account Number
- Date of Alleged Rules Violation
- Copies of all relevant documents with your report, such as Company/Batch Header Records, Entry Detail Records or Addenda Records.
- Any written communication between the complainant and party in alleged violation of the Rules.
- Signature of an authorized representative of the complainant.
How does wire or ACH fraud happen?
It generally starts with a fraudster gaining information through social engineering. This can happen via a call, text or email where the victim provides information that allows the fraudster to gain access either to an email or bank account. We have seen where someone has gained control of a vendor’s email account and then sends a request to a district to initiate or change the bank account where the payment should be sent.
What should you do if you receive a request to initiate or change an ACH account?
Verify the request independently. This means calling the vendor from a phone number you have on file. Do not use the phone number that is listed on the email request.
Other preventative strategies include setting up restrictions on your bank account. These include the following:
- ACH positive pay: you provide a list to the bank of all approved vendors.
- ACH debit blocks and filters: these allow the account holder to specify which ACH based transactions are permitted.
- ACH rules and alerts: establish rules and alerts such as high-value ACH debit or a transaction from an unknown source.
Other strategies include frequent account monitoring and continuous education regarding the latest ACH scams.
Similar to ACH payments are wire transfers. Scammers will implement similar strategies to trick you into wiring money to what appears to be a valid bank account for a valid reason. Once you wire the money, it is very difficult to reclaim it back. Wiring money does not offer the same protection as when using a credit card.
Per the FTC, below are some tips to protect against money wiring scams:
- Never wire money through companies like MoneyGram, Ria, or Western Union to anyone you haven’t met in person. (That’s a scam: no matter what reason they give.)
- Don’t wire money to anyone who says they work at a government agency like the FTC, IRS, SSA, U.S. Customs and Border Protection, or a well-known company. (That’s a scam: the government will never ask you to send money this way.)
- Never wire money to anyone who pressures you into paying immediately.
- Don’t wire money to anyone who says a wire transfer is the only way to pay.
- Never wire money to someone who tries to sell you something over the phone. (It’s illegal for a telemarketer to ask you to pay with a wire transfer.)
Some common wiring scams include getting an email from a vendor stating their bank account information has changed, or someone claiming to be from a utility company. As with ACH scams, always verify the request independently.
If you suspect that money was wired to a fraudster, contact the bank and report the fraudulent transfer, and see if the wire transfer can be reversed.
If anyone is demanding that you wire money, report it to the FTC at ReportFraud.ftc.gov.
Shari Diamond, CIA
Partner
Shari has been with Cerini & Associates, LLP since 2008 where she works primarily with the firm’s school district clients providing internal audit and claims audit services. She has over twenty years’ experience performing internal audits, risk assessments, and compliance reviews, as well as recommending processes to strengthen the internal controls environment while increasing efficiencies. Her prior experience at PWC and Northrop Grumman included performing Information Technology audits.