Guide · ACH Fraud

ACH Fraud Red Flags: How to Spot ACH Payment Fraud Before It Hits Your Account (2026)

June 2026 AP Clerks Office Managers Small Business 9 min read

ACH payments are the backbone of small business banking — payroll, vendor payments, recurring bills. They're also increasingly targeted by fraudsters who know that ACH transactions can pull money directly from your account with little more than a routing number and account number. This guide covers 10 red flags that signal ACH fraud risk, how each attack works, and what to do before it's too late to reverse.

$1.7B
in ACH and business payment fraud losses reported in 2024
24hrs
typical window businesses have to reverse an unauthorized ACH debit
62%
of businesses experienced attempted or actual payment fraud in the past year

How ACH Fraud Actually Works

Unlike wire fraud where you're tricked into sending money, ACH fraud often involves money being pulled from your account without your authorization. Understanding the mechanism changes what you look for.

🏦
Unauthorized ACH debit

A fraudster obtains your routing and account numbers — from a check, a data breach, or phishing — and initiates an ACH debit against your account as if they were an authorized payee. Money leaves your account before you notice.

🔄
ACH redirect fraud

A legitimate ACH payment setup — to a vendor, employee, or service provider — is intercepted or manipulated, and the bank details are changed so payments go to a fraudster's account instead of the intended recipient.

🎭
Vendor impersonation via ACH

A fraudster impersonates an existing vendor and requests a change to ACH payment details, typically via email. Once updated in your system, all future ACH payments to that vendor go to the fraudster's account.

💸
Payroll ACH diversion

An attacker — either external via phishing or internal via a rogue employee — changes ACH direct deposit details for one or more employees so that payroll is redirected to a fraudulent account on the next pay run.

🧾
Fake ACH debit authorization

A fraudster creates a forged ACH authorization form — sometimes using a real company's branding — and submits it to a bank or payment processor to initiate recurring debits against a business account.

🔐
Account takeover → ACH fraud

An attacker gains access to your online banking or accounting software through phishing or credential theft, then uses that access to set up new ACH payees, change existing ones, or initiate unauthorized transfers directly.

What Makes ACH Fraud Different From Wire Fraud

The recovery window is the critical difference — and it's shorter than most people realize.

ACH vs. Wire — Key Differences
What changes about your fraud response depending on payment type

ACH Payment
Wire Transfer
Settles in 1–3 business days
Settles same day, often within hours
Can be reversed — if caught quickly
Effectively irrevocable once sent
Businesses: ~24hr dispute window from settlement
Recovery depends on bank cooperation and speed
Often initiated by the payee (money pulled)
Always initiated by the payer (money pushed)
Requires routing + account number only
Requires bank authorization each time
🔍 Fraud Analyst Perspective

The 24-hour reversal window for business ACH disputes is one of the most misunderstood facts in small business banking. Consumers get 60 days. Businesses get roughly one business day from when the transaction settles — which often means you need to catch and report unauthorized ACH debits the same day they appear. Checking your account daily, not weekly, is a real fraud control.

About to authorize a new ACH payee or payment? Run the routing number and vendor details through PaySentinel first — takes under a minute.
Check it now →

10 ACH Fraud Red Flags

Each of these signals is a reason to pause and verify before authorizing or processing the payment. Multiple flags together are a serious warning.

1
A request to update ACH banking details via email
Critical

Any request to change ACH payment details — routing number, account number, or bank name — arriving by email alone is a critical red flag. This is the most common entry point for ACH redirect fraud and vendor impersonation schemes.

What it looks like
"Please update our bank details for future ACH payments. New routing: 021000089, Account: 4471829301."
Banking change arrives via secure portal, signed authorization letter, or verbally confirmed via a known phone number.
Do this → Never update ACH details based on email alone. Call the vendor or employee at a number from your existing records — not the email — and require a signed bank authorization letter before making any changes to your system.
2
Routing number that fails ABA validation
Critical

Every legitimate US bank routing number must pass an ABA checksum formula. A routing number that fails this check is either fabricated, mistyped, or from a fraudulent source. This is one of the fastest mechanical checks you can run.

How to check
Routing number provided: 000000001 — fails ABA checksum, not a valid US routing number
PaySentinel validates ABA routing checksums automatically on every submission
Do this → Run any new routing number through an ABA validation check before entering it into your system. PaySentinel does this automatically — or you can check the Federal Reserve's routing directory manually.
3
Unrecognized ACH debit appearing on your statement
Critical

An ACH debit from a company name you don't recognize, or for an amount that doesn't match any authorized payment, is a direct indicator of unauthorized ACH fraud. Small test amounts ($0.50–$5.00) followed by larger debits are a particularly common pattern — fraudsters verify the account works before pulling larger amounts.

Pattern to watch for
Small unfamiliar debit ($1.00–$5.00) → followed days later by a large debit from the same company name
Do this → Review your bank statement daily, not weekly. Call your bank's fraud line immediately if you see any unrecognized ACH debit — even a small one. Ask them to return it as unauthorized and to add an ACH debit block on your account.
4
New ACH payee set up without dual authorization
High

If a new ACH payee — vendor, contractor, or employee — can be added to your payment system by a single person without a second approver, that's a process gap that ACH fraud exploits regularly. Rogue employees and external attackers who've compromised an account can add fraudulent payees if no dual-control exists.

Do this → Require dual authorization for any new ACH payee setup and for any changes to existing payee details. The person adding the payee should not be the same person who approves the first payment to them.
5
Payroll ACH detail change request close to a pay run
Critical

A request to change an employee's direct deposit details — especially arriving 1–3 days before a scheduled payroll run — is a high-risk signal. Fraudsters time these requests specifically to slip changes in just before the ACH batch is processed, leaving minimal time for verification.

What it looks like
"Hi, I recently switched banks — can you update my direct deposit before Friday's payroll?"
Do this → Require all direct deposit changes to be submitted in person, through your HR portal with MFA, or with a voice confirmation call. Urgency around the timing of a payroll run is a red flag, not a reason to rush the process.
6
ACH authorization form with inconsistent formatting or branding
High

Forged ACH authorization forms are a common tool in vendor impersonation fraud. Signs of a forged form include low-resolution logos, mismatched fonts, different formatting from prior documents from the same vendor, or a form that doesn't match the vendor's typical letterhead.

What to look for
Pixelated or stretched logo, different font from other vendor documents, no company letterhead, missing signature fields
Form matches prior documents from this vendor exactly, arrived through the same channel as previous authorizations
Do this → Compare any ACH authorization form against previous documents from the same vendor. Call the vendor directly to confirm they sent it before processing anything.
7
Routing number traced to a different bank than the vendor claims
High

If a vendor says "our account is at First National Bank" but the routing number they provided belongs to a completely different institution — especially a smaller bank, credit union, or fintech — that mismatch warrants immediate verification. Fraudsters often use personal accounts or money mule accounts at different institutions.

Example mismatch
Vendor claims: "Our account is at Chase." Routing number provided traces to: Chime Financial / Stride Bank.
Do this → Look up the routing number in the Federal Reserve's routing directory or use PaySentinel to verify which bank it actually belongs to. If it doesn't match what the vendor told you, call them before proceeding.
8
Multiple vendors changing banking details in a short window
High

Receiving banking change requests from two or more vendors in a short period — especially if they arrive by email, use similar language, or request the same type of change — can indicate a coordinated attack targeting your AP process, or that your vendor contact list has been compromised.

Do this → Treat the pattern itself as a red flag. Verify each vendor independently through a separate phone call. Notify your bank that you may be the target of a coordinated fraud attempt.
9
ACH payment request with no matching purchase order
Medium

An ACH payment request that can't be matched to an approved purchase order, signed contract, or recognized vendor relationship should be held until verified. Phantom vendor ACH fraud often relies on AP processes that pay first and ask questions later.

Do this → Hold the payment and contact the internal person who supposedly authorized the work. Get written confirmation before releasing any ACH payment to a vendor you can't match to a prior engagement.
10
Urgency pressure around an ACH authorization
High

Pressure to authorize or process an ACH payment quickly — "it needs to go out today," "we'll lose the contract if it's not processed by end of day" — is a consistent social engineering tactic used across every type of payment fraud. Legitimate ACH payments are planned in advance and don't require emergency processing.

Urgency language to watch for
"We need this processed today or we risk late fees." / "Please authorize ASAP — this is time sensitive."
Do this → Urgency is the signal to verify more carefully, not less. Tell the requester your standard process takes one to two business days. Any legitimate vendor will accept this. Anyone who won't is a red flag.
Setting up a new ACH payee or received a banking change request? Run the vendor details through PaySentinel before updating your system.
Check it now →

What to Do When You Spot a Red Flag

A red flag doesn't mean fraud is confirmed. It means you need to verify before acting. Here's the process:

If you've already processed a fraudulent ACH payment

Act the same day — ideally within hours.

Call your bank's fraud line immediately and ask them to return the ACH debit as unauthorized. Businesses typically have around 24 hours from settlement to dispute, so speed matters far more than with wire fraud. Then file a report at ic3.gov and consider filing a complaint with the CFPB. Document the transaction details, the contact who requested it, and your verification steps.

Building a Process That Prevents ACH Fraud

The most effective ACH fraud controls are procedural, not technical. These five steps close the most common gaps.

Frequently Asked Questions

Can ACH payments be reversed if fraud occurs?

ACH payments can be reversed, but the window for businesses is short — typically around 24 hours from the settlement date for unauthorized debits. This is far shorter than the 60-day window consumers have. If you discover ACH fraud, call your bank immediately. Don't wait to see if the transaction clears — act the same day you notice it.

What is the difference between ACH fraud and wire fraud?

Wire transfers settle in real time and are effectively irrevocable — once sent, recovery is extremely difficult and depends entirely on bank cooperation. ACH transactions process in batches over 1–3 business days, which creates a narrow window for reversal if fraud is caught quickly.

ACH fraud often involves money being pulled from your account without authorization, while wire fraud typically involves tricking you into pushing money voluntarily. Both require fast action if fraud is detected.

How do fraudsters get my routing and account numbers?

Your routing and account numbers appear on every check you write — meaning anyone you've paid by check has them. They're also obtained through data breaches, phishing attacks targeting your banking or accounting software login, intercepted mail, and in some cases through employees with access to financial records.

This exposure is why ACH debit blocking is such a useful control — it prevents your account details from being used to pull money even if they've been obtained.

What is ACH debit blocking and should my business use it?

ACH debit blocking (also called ACH positive pay or ACH filter) is a bank service that blocks all ACH debits from your account unless they match a pre-approved list of authorized companies and amounts. For small businesses that don't process many incoming ACH debits, it's one of the most effective fraud controls available.

Ask your bank about ACH debit block or ACH filter — many banks offer it at low or no cost and it can be set up in a single conversation with your business banker.

What should I do if I notice an unauthorized ACH debit?

Call your bank's fraud line immediately — do not wait for the transaction to fully settle. Ask them to return the ACH debit as unauthorized and add an ACH debit block to your account to prevent further debits from the same originator.

You'll typically need to complete a written dispute form. Businesses have a much shorter reversal window than consumers, so same-day action is critical. Also file a report at ic3.gov.

How PaySentinel Catches These Automatically

Most of the red flags above require manual research — calling vendors, checking routing numbers, reviewing bank statements. PaySentinel automates the pattern detection so you catch issues faster and more consistently.

Red flag PaySentinel detects? How
Routing number ABA validation ✓ Yes Runs ABA checksum on every routing number submitted — flags invalid numbers immediately
Routing number bank mismatch ✓ Yes Looks up which bank a routing number actually belongs to and flags mismatches with claimed bank
Routing number changed from prior submissions ✓ Yes Compares against vendor history in local memory — flags any change from previous analyses
Typosquat / lookalike email domain ✓ Yes Checks sender domain against known typosquat patterns
Urgency / pressure language ✓ Yes Detects urgency, secrecy, and pressure phrasing in submitted email text
Structuring amounts (near $10K) ✓ Yes Flags amounts in structuring range as a fraud signal
Forged authorization form Manual step Visual document inspection — compare against prior vendor documents yourself
Unauthorized ACH debit on statement Manual step Requires daily statement review — PaySentinel doesn't connect to your bank account
Dual authorization process gap Process control An internal policy control — PaySentinel supports it by documenting each check result
✓ How to use PaySentinel for ACH payment checks

Open the Vendor tab in the app. Enter the vendor name, their email address, and the routing number provided. PaySentinel validates the routing number, checks for typosquat domain signals, and compares against your vendor history — returning a risk score with specific findings in under a minute.

From the check to the decision

Every flag in this guide — invalid routing numbers, banking changes via email, urgency pressure, domain mismatches — is something PaySentinel checks when you paste in a vendor or payment request. It doesn't replace calling the vendor. It gives you a structured second opinion before you do, so you know exactly what questions to ask.

Check an ACH payment before it goes out

Paste in the vendor name, routing number, and email — PaySentinel validates the routing number, checks for fraud signals, and gives you a risk score in under a minute. Free for small businesses.

Check a payment free →