ACH Fraud Red Flags: How to Spot ACH Payment Fraud Before It Hits Your Account (2026)
ACH payments are the backbone of small business banking — payroll, vendor payments, recurring bills. They're also increasingly targeted by fraudsters who know that ACH transactions can pull money directly from your account with little more than a routing number and account number. This guide covers 10 red flags that signal ACH fraud risk, how each attack works, and what to do before it's too late to reverse.
How ACH Fraud Actually Works
Unlike wire fraud where you're tricked into sending money, ACH fraud often involves money being pulled from your account without your authorization. Understanding the mechanism changes what you look for.
A fraudster obtains your routing and account numbers — from a check, a data breach, or phishing — and initiates an ACH debit against your account as if they were an authorized payee. Money leaves your account before you notice.
A legitimate ACH payment setup — to a vendor, employee, or service provider — is intercepted or manipulated, and the bank details are changed so payments go to a fraudster's account instead of the intended recipient.
A fraudster impersonates an existing vendor and requests a change to ACH payment details, typically via email. Once updated in your system, all future ACH payments to that vendor go to the fraudster's account.
An attacker — either external via phishing or internal via a rogue employee — changes ACH direct deposit details for one or more employees so that payroll is redirected to a fraudulent account on the next pay run.
A fraudster creates a forged ACH authorization form — sometimes using a real company's branding — and submits it to a bank or payment processor to initiate recurring debits against a business account.
An attacker gains access to your online banking or accounting software through phishing or credential theft, then uses that access to set up new ACH payees, change existing ones, or initiate unauthorized transfers directly.
What Makes ACH Fraud Different From Wire Fraud
The recovery window is the critical difference — and it's shorter than most people realize.
The 24-hour reversal window for business ACH disputes is one of the most misunderstood facts in small business banking. Consumers get 60 days. Businesses get roughly one business day from when the transaction settles — which often means you need to catch and report unauthorized ACH debits the same day they appear. Checking your account daily, not weekly, is a real fraud control.
10 ACH Fraud Red Flags
Each of these signals is a reason to pause and verify before authorizing or processing the payment. Multiple flags together are a serious warning.
Any request to change ACH payment details — routing number, account number, or bank name — arriving by email alone is a critical red flag. This is the most common entry point for ACH redirect fraud and vendor impersonation schemes.
Every legitimate US bank routing number must pass an ABA checksum formula. A routing number that fails this check is either fabricated, mistyped, or from a fraudulent source. This is one of the fastest mechanical checks you can run.
An ACH debit from a company name you don't recognize, or for an amount that doesn't match any authorized payment, is a direct indicator of unauthorized ACH fraud. Small test amounts ($0.50–$5.00) followed by larger debits are a particularly common pattern — fraudsters verify the account works before pulling larger amounts.
If a new ACH payee — vendor, contractor, or employee — can be added to your payment system by a single person without a second approver, that's a process gap that ACH fraud exploits regularly. Rogue employees and external attackers who've compromised an account can add fraudulent payees if no dual-control exists.
A request to change an employee's direct deposit details — especially arriving 1–3 days before a scheduled payroll run — is a high-risk signal. Fraudsters time these requests specifically to slip changes in just before the ACH batch is processed, leaving minimal time for verification.
Forged ACH authorization forms are a common tool in vendor impersonation fraud. Signs of a forged form include low-resolution logos, mismatched fonts, different formatting from prior documents from the same vendor, or a form that doesn't match the vendor's typical letterhead.
If a vendor says "our account is at First National Bank" but the routing number they provided belongs to a completely different institution — especially a smaller bank, credit union, or fintech — that mismatch warrants immediate verification. Fraudsters often use personal accounts or money mule accounts at different institutions.
Receiving banking change requests from two or more vendors in a short period — especially if they arrive by email, use similar language, or request the same type of change — can indicate a coordinated attack targeting your AP process, or that your vendor contact list has been compromised.
An ACH payment request that can't be matched to an approved purchase order, signed contract, or recognized vendor relationship should be held until verified. Phantom vendor ACH fraud often relies on AP processes that pay first and ask questions later.
Pressure to authorize or process an ACH payment quickly — "it needs to go out today," "we'll lose the contract if it's not processed by end of day" — is a consistent social engineering tactic used across every type of payment fraud. Legitimate ACH payments are planned in advance and don't require emergency processing.
What to Do When You Spot a Red Flag
A red flag doesn't mean fraud is confirmed. It means you need to verify before acting. Here's the process:
- Do not update banking details or authorize the payment — hold everything until verification is complete. It's always better to delay a legitimate payment than to authorize a fraudulent one.
- Do not reply to the email — contact the vendor or employee independently using a phone number from your existing records, not from the email or the document you received.
- Verify the routing number — confirm it passes ABA validation and matches the bank the vendor claims to use. PaySentinel does this automatically.
- Escalate if you can't verify — if you can't independently confirm the request is legitimate within your normal process, escalate to your manager before taking any action.
- Check your bank statements daily — if you're seeing unusual ACH activity, report it to your bank immediately. The reversal window for business accounts is short.
- Document everything — record what you found, who you spoke with to verify, and what was confirmed. This protects you and creates an audit trail.
Act the same day — ideally within hours.
Call your bank's fraud line immediately and ask them to return the ACH debit as unauthorized. Businesses typically have around 24 hours from settlement to dispute, so speed matters far more than with wire fraud. Then file a report at ic3.gov and consider filing a complaint with the CFPB. Document the transaction details, the contact who requested it, and your verification steps.
Building a Process That Prevents ACH Fraud
The most effective ACH fraud controls are procedural, not technical. These five steps close the most common gaps.
- Enable ACH debit blocking on your business account — ask your bank about ACH positive pay, ACH filter, or ACH debit block. This blocks unauthorized debits entirely unless they match a pre-approved list. Many banks offer it at low or no cost.
- Require dual authorization for all new payees and banking changes — no single person should be able to add a new ACH payee or modify banking details without a second approver independently verifying.
- Never update banking details from email alone — establish a policy that any routing or account number change requires a phone call to a verified number and a signed authorization letter, regardless of how the request arrives.
- Review bank statements daily — the 24-hour dispute window makes daily review a genuine fraud control, not just good practice. Set up transaction alerts through your bank for any ACH debit above a threshold.
- Run a fraud check on any new or changed ACH payee — verifying the routing number, vendor identity, and any associated email domain before the first payment takes under a minute with PaySentinel.
- Enable MFA on your banking and accounting software — account takeover is a primary entry point for ACH fraud. Multi-factor authentication makes it significantly harder for attackers who've obtained your password.
Frequently Asked Questions
ACH payments can be reversed, but the window for businesses is short — typically around 24 hours from the settlement date for unauthorized debits. This is far shorter than the 60-day window consumers have. If you discover ACH fraud, call your bank immediately. Don't wait to see if the transaction clears — act the same day you notice it.
Wire transfers settle in real time and are effectively irrevocable — once sent, recovery is extremely difficult and depends entirely on bank cooperation. ACH transactions process in batches over 1–3 business days, which creates a narrow window for reversal if fraud is caught quickly.
ACH fraud often involves money being pulled from your account without authorization, while wire fraud typically involves tricking you into pushing money voluntarily. Both require fast action if fraud is detected.
Your routing and account numbers appear on every check you write — meaning anyone you've paid by check has them. They're also obtained through data breaches, phishing attacks targeting your banking or accounting software login, intercepted mail, and in some cases through employees with access to financial records.
This exposure is why ACH debit blocking is such a useful control — it prevents your account details from being used to pull money even if they've been obtained.
ACH debit blocking (also called ACH positive pay or ACH filter) is a bank service that blocks all ACH debits from your account unless they match a pre-approved list of authorized companies and amounts. For small businesses that don't process many incoming ACH debits, it's one of the most effective fraud controls available.
Ask your bank about ACH debit block or ACH filter — many banks offer it at low or no cost and it can be set up in a single conversation with your business banker.
Call your bank's fraud line immediately — do not wait for the transaction to fully settle. Ask them to return the ACH debit as unauthorized and add an ACH debit block to your account to prevent further debits from the same originator.
You'll typically need to complete a written dispute form. Businesses have a much shorter reversal window than consumers, so same-day action is critical. Also file a report at ic3.gov.
How PaySentinel Catches These Automatically
Most of the red flags above require manual research — calling vendors, checking routing numbers, reviewing bank statements. PaySentinel automates the pattern detection so you catch issues faster and more consistently.
| Red flag | PaySentinel detects? | How |
|---|---|---|
| Routing number ABA validation | ✓ Yes | Runs ABA checksum on every routing number submitted — flags invalid numbers immediately |
| Routing number bank mismatch | ✓ Yes | Looks up which bank a routing number actually belongs to and flags mismatches with claimed bank |
| Routing number changed from prior submissions | ✓ Yes | Compares against vendor history in local memory — flags any change from previous analyses |
| Typosquat / lookalike email domain | ✓ Yes | Checks sender domain against known typosquat patterns |
| Urgency / pressure language | ✓ Yes | Detects urgency, secrecy, and pressure phrasing in submitted email text |
| Structuring amounts (near $10K) | ✓ Yes | Flags amounts in structuring range as a fraud signal |
| Forged authorization form | Manual step | Visual document inspection — compare against prior vendor documents yourself |
| Unauthorized ACH debit on statement | Manual step | Requires daily statement review — PaySentinel doesn't connect to your bank account |
| Dual authorization process gap | Process control | An internal policy control — PaySentinel supports it by documenting each check result |
Open the Vendor tab in the app. Enter the vendor name, their email address, and the routing number provided. PaySentinel validates the routing number, checks for typosquat domain signals, and compares against your vendor history — returning a risk score with specific findings in under a minute.
Every flag in this guide — invalid routing numbers, banking changes via email, urgency pressure, domain mismatches — is something PaySentinel checks when you paste in a vendor or payment request. It doesn't replace calling the vendor. It gives you a structured second opinion before you do, so you know exactly what questions to ask.
Check an ACH payment before it goes out
Paste in the vendor name, routing number, and email — PaySentinel validates the routing number, checks for fraud signals, and gives you a risk score in under a minute. Free for small businesses.
Check a payment free →