Bank Transfer Fraud

Bank Transfer Fraud: Everything You Need to Know

No matter how safe a financial transaction is, there’s bound to be a fraudster — probably thousands of them — who will try to game the system to their advantage.

Bank transfers are considered one of the most secure ways to electronically transfer money between parties. But, bank transfer fraud is still a real and increasing threat. Last year, as a matter of fact, consumers and businesses lost more money to bank transfer and cryptocurrency fraud than all other methods combined.

In this post, we’re talking about what constitutes bank transfer fraud. We’ll look at some different types and cover a few ways of identifying them. Finally, we’ll go over some of the steps you can take to keep from becoming a victim.

What is Bank Transfer Fraud?

Bank Transfer Fraud: Bank transfer fraud is a type of payment fraud. It typically occurs when fraudsters either make unauthorized purchases with stolen bank account information, or use that information to hijack money transfers between users.

The Automated Clearing House, or ACH, is a nationwide network of over 10,000 members, used by financial institutions in the United States for payment processing. This network provides an electronic infrastructure for moving funds from one financial institution to another. It enables businesses to accept eChecks, and offer customer services like direct deposit and online bill payment.

In simple terms, bank transfer fraud is any type of fraudulent activity performed through the ACH. To commit ACH fraud, a criminal needs a bank account number and a bank routing number from either an individual or a business. That’s all it takes for a third party to make unauthorized purchases or transfer a lump sum or recurring payments from the victim’s account.

This is made possible by a check’s “float;” the time it takes for a check deposited at one bank to clear at another. Bad actors pose as legitimate users, fooling banks into thinking non-existent funds are available for withdrawal, or that transferred monies are being received by the correct party.

Important!

Funds get verified within 24 to 48 hours of the transaction being initiated, in most cases. That window — between initiation and settlement — is when bank transfer fraud is most likely to happen.

Examples of Fraudulent ACH Transfers

Bank transfer fraud seems pretty succinct, based on the definition I provided above. But, it actually covers a pretty broad range of tactics. Some of the targets and techniques related to bank transfer fraud include:

Unauthorized Debits

The criminal uses their stolen account information to gain access to their victim’s account. They then impersonate the valid user and make purchases without the user’s authorization.

Business Email Compromise (BEC)

Fraudsters send legitimate-sounding emails to many of an organization’s employees at once. The emails appear to come from a known source: for example, one allegedly coming from your accounting department might ask for the wiring information for a vendor.

Account Takeover

After swiping a commercial customer's private account details, the crook opens a phony ACH file in that organization's name. They then withdraw as much as possible from the account before the scam is discovered.

Ghost Funding Fraud

Some apps or platforms give users immediate access to deposit before the ACH payment is fully confirmed and settled. Posing as the account holder, the fraudster withdraws the deposit and disappears with the money.

Payroll Impersonation

Workers are tricked into entering personal account information, believing they are setting up a direct deposit. Their paycheck funds, however, get hijacked and re-directed to a scammer's account.

A Real-World Look at Chargeback Management

Based on a survey of over 400 merchants, the report presents a comprehensive, cross-vertical look at the current state of chargebacks and chargeback management.

Access the FREE Report

How Do Scammers Get the Info They Need to Commit Bank Transfer Fraud?

The examples I outlined above raise a question: how do fraudsters manage to get the account information that they need to pull off these bank transfer scams?

As with other types of fraud, there are multiple ways to go about things. Some common tactics include:

Data Theft

One of the easiest ways for criminals to gain access to your organization’s account data is through a data breach. They buy a batch of credentials off the dark web, then either use the information to log into existing bank accounts or create new ones.

Phishing Scams

An employee who is legitimately authorized to make ACH transactions receives and opens a scam email. In doing so, that worker unknowingly allows the fraudster to swipe account credentials or other information.

Insider Threats

Sometimes the fraudster was — or is now — an insider. In other words, one of your employees steals and hands off login info to an outsider, or uses the ACH files directly to steal money on their own.

Important!

While fraudsters may blanket your company with BEC or phishing emails, they only need one employee’s response in order to gain information.

Common QuestionIs bank transfer fraud the same as wire fraud?No, but they’re similar in many ways. Technically speaking, both wire fraud and bank transfer fraud target a form of electronic funds transfer, or EFT. Wire fraud doesn’t involve the ACH network, though.

Wire transfers are more costly, but they’re also faster, taking minutes or hours instead of days. Bank transfers give fraudsters more time to commit their crimes, but wire fraud attacks make it easier for a scammer to carry out an attack and disappear before anyone realizes what happened.

Can Bank Transfer Fraud be Reversed?

TL;DR

Stopping a payment is only possible if you contact the bank before it’s processed, as banks can’t reverse a transfer without the receiving party’s consent. Reversals are rare and typically only allowed in provable cases of unauthorized transactions, fraud, or if the recipient account has been closed.

It depends. You might be able to stop payment, just as you would with a paper check. That only works if you contact the bank before the payment is processed, though. After that, getting your funds back is tricky.

The bank only acts as a facilitator, so it can’t simply reverse the transfer without the consent of the receiving party. If the transfer is intra-bank, bank agents may request a reversal on your behalf. But, if it involves more than one bank, you’re probably on your own.

Did You Know?

One common bank transfer fraud scheme is re-routing payroll or government checks to a fake account. This can be highly lucrative to the fraudster, both because it typically involves higher amounts, and because it’s easier to hit a large number of transfers simultaneously.

Fraud is fraud, however it’s committed. We can show you ways to prevent financial fraud in your business. Ask us how.

Essentially, the beneficiary has to admit that a wrong transaction was made to their account. If they agree to a reversal, it will happen within seven working days.

If the other party doesn’t want to send your money back — and, let’s be honest, what fraudster is going to agree to send the money back? — your only recourse is to take legal action. Again, though, that gets exponentially more complicated if the transfer was between two different banks.

Finally, we should point out that there are only certain reasons a bank would even entertain a reversal. For example, the transaction was not authorized, or was a case of fund transfer fraud, or the merchant recipient has closed down.

Who's Liable for ACH Transfer Fraud?

TL;DR

Responsibility often falls on the merchant or the originating bank, though in some cases, receiving banks may also be held accountable if reasonable steps to prevent fraud were not taken. Liability varies based on factors such as the type of fraud, involved parties, and implemented fraud-prevention measures.

Bank transfer fraud losses were estimated to reach $24 billion in 2024. So who ends up paying for that?

The answer can differ based on the parties involved, the type of fraud, and what fraud-prevention tactics were associated with the transaction (among other factors). But, in most circumstances, either the merchant or the “sending” bank (officially, the originating depository financial institution, or ODFI) is liable for an unauthorized bank transfer.

ACH is one of only a few payment methods where financial liability could potentially fall on the receiving bank. If a transaction is hit with a return (the ACH equivalent of a credit card chargeback), the bank that received the payment may be liable.

Everything You Need To Know A Beginner’s Guide to Chargebacks

Chargebacks can wreak havoc on your cash flow and profitability. This FREE paperback book is your guide for preventing chargebacks and, when they happen, fighting them more effectively.

Send Me My Free Paperback Book!

More recent mandates have even made it possible for you, the merchant, to get stuck with the bill for a fraudulently intercepted ACH payment. Avoiding liability depends on your ability to show that you took “reasonable” steps to prevent the fraud.

You have to prove that you are employing reasonable security on your email system, and had no way to know that your email system had been hacked or that a specific email was fraudulent. Whether the customer made a reasonable effort to verify the bank account information before trying to make the purchase can also be a factor.

Fraud Tactic	Description	Who’s Liable?
Fraudulent ACH Returns	A customer makes a purchase, then keeps the item and files a fraudulent ACH return.	The merchant (except as noted above).
Phishing Attacks	Someone within an organization authorized a payment to a fraudster, not realizing it was a scam.	The merchant.
Ghost Funding	A criminal drains a dummy account and then vanishes.	The entity that fronted the money to the account.
Insider Threats	ACH fraud is committed by an employee within an organization.	The entity that hired the scammer.

How to Detect Bank Transfer Fraud

Bank transfer fraud is best handled before it happens. The more prevention safeguards you put into place, the harder you make it for fraudsters. If running the scam on you seems too difficult, crooks are likely to seek an easier target.

Detection is key here. Of course, success depends on you knowing and recognizing some of the red flags that could point to fraud. For example:

Unexpected Requests: Out of the blue, you’re asked to wire money, or you get a request for your bank account information or login credentials.
Inconsistencies: A request comes in that looks legitimate on the surface, but doesn’t match the alleged requester’s previous behavior.
Urgent Requests: The request is made to sound like an emergency situation which must be dealt with immediately to avoid consequences.
Complicated Payment Instructions:The request includes instructions that are difficult to follow, involves weird requests, or unusual steps.
Payments Without a Link: The payment or receipt has no apparent link to legitimate parties or confirmable goods, services, or contracts.
Large Cash Deposits: A large amount of cash is deposited into an account, either all at once or in multiple smaller portions within a small timeframe.
Multiple Payroll Payments: Multiple payroll transfers from different entities to the same account should raise suspicions.
Foreign Accounts: The transfer involves a foreign bank account or virtual wallet, especially one located in a region known for lax scrutiny over banking.

There’s a good chance that any of these red flags will be picked up by either the sending or receiving institution. You should still be on the lookout for discrepancies, though, and alert your bank if you find anything looks amiss.

Important!

There are two specific safety measures you can put in place: an ACH debit block, and an ACH filter.

An ACH debit lock protects your funds by blocking all ACH debits and credits for a specific bank account. With a block, no transactions will be considered. ACH filters are more flexible; they stop most ACH transactions from your account. But, it lets you set specific criteria for transactions you do want to authorize, such as a list of approved vendors.

To put either of these into practice, you’ll need to contact your bank.

While focusing on bank transfer fraud can help, there are many more types of fraud out there. Chargebacks911® has a wealth of experience-based knowledge and expertise in providing cost-effective prevention and risk mitigation strategies. Contact us today to learn more.

FAQs

Is bank-to-bank transfer safe?

Yes. Electronic bank-to-bank transfer is considered one of the safest ways to transfer funds overall.

Can you get money back from bank transfer if scammed?

Sometimes, but there are multiple things to consider. The sender may be able to recover scammed funds by stopping the transfer. Once the transfer has been made, however, the bank can’t do anything without the permission of the recipient.

Can ACH payments be disputed?

Yes, but it may not be as easy as a credit card dispute. A bank transfer dispute (called an ACH return) is subject to the strict operating rules of NACHA (the National Automated Clearing House Association).

Am I protected if I pay by bank transfer?

Yes. When making ACH payments, customers are protected through the Electronic Fund Transfer Act. That means they can request a return in any situation if they can show that the payment was unauthorized or fraudulent.

What are the risks of ACH transfer?

The biggest risk is criminal fraud. But, there is growing concern surrounding first-party fraud; that is, buyers leveraging the ACH system for personal gain.

Can a bank transfer be traced?

Yes. Each ACH transfer is assigned a unique number which can be used to trace a transfer through each step of the process, and if necessary, post-transaction as well..