Request Verification
The purpose of initial verification is to verify that the request is legitimate. There are two initial verifications that you MUST make before proceeding with the ACH request. By default, assume any request to change financial information is fraudulent until proven valid (Zero Trust).
1) Email Confirmation: Upon receiving a request, first confirm that the email matches the customer’s email on file. Be wary of slight variations in email addresses, which can be a common trick used by imposters. Example: Customer@customeremail.com has been changed to Customer@customersemail.com (we’ve added an s).
2) Call Back Verification: Make a call to the customer using the phone number on file (not any number provided in the email request) to verify the request. This is the most important step, because it confirms through an independent channel that the request actually came from the customer.
Or:
Visual Verification: Make a video call to the customer using the contact information you have on file to verify the request. This is a more robust method of verification because you can visually confirm the requester's identity. You can record the conversation for a digital record of the transaction.
Or:
In Person Verification: If possible, have the requester physically come to your office to confirm the request. This is the most secure method of verification.
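The email comparison in step 1 can be made mechanical so that a reviewer does not have to spot the extra letter by eye. The following check is an added example, not part of the original procedure; the on-file and requester addresses in it are constructed, and "lookalike" (within two edits, or containing non-Latin characters that mimic Latin ones) is an assumed threshold.

```python
"""Email confirmation check for an ACH change request (added example).

Compares the requester's address with the address on file and flags
"slight variations" of the kind imposters use. Sample addresses are constructed.
"""
import unicodedata


def normalize(addr: str) -> str:
    """Lower-case and Unicode-normalize so case and compatibility forms don't differ."""
    return unicodedata.normalize("NFKC", addr.strip()).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(on_file: str, sender: str) -> str:
    """Return 'match', 'lookalike' or 'mismatch'.

    'lookalike' covers an address within two edits of the on-file one
    (customeremail.com vs customersemail.com) or one containing non-ASCII
    characters that can mimic Latin letters. Treat it as a probable imposter,
    not a typo: the request must not proceed on the email check alone.
    """
    expected, actual = normalize(on_file), normalize(sender)
    if actual == expected:
        return "match"
    if not actual.isascii():
        return "lookalike"
    return "lookalike" if edit_distance(expected, actual) <= 2 else "mismatch"


if __name__ == "__main__":
    # Constructed requests checked against the constructed on-file address.
    on_file = "Customer@customeremail.com"
    for sender in ["customer@customeremail.com",
                   "Customer@customersemail.com",
                   "customer@gmail.com"]:
        print(f"{sender:32} -> {classify_sender(on_file, sender)}")
```

A "match" result only satisfies the email check; the call-back, video or in-person verification above is still required before the change proceeds.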
Secondary Verification
Secondary Verification improves confidence that the request is legitimate. Creating a secondary verification is an optional way to implement additional security.
Security Questions: Ask the customer security questions that only the genuine customer would know. This can include previous transaction details, account creation date, or other personal information not publicly available.
Documentation
Document each change in ACH information as it allows you to keep a list of “known good” accounts and creates a history of behavior for the account. Documentation can also serve as a third verification when it includes PII.
Request Form: Have a standardized form for ACH information changes that requires detailed information (such as a copy of the requester’s driver’s license or state ID) and a signature.
Record Keeping: Keep records of all communications and forms related to the change request.
Internal Approval Process
Approval Process: Implement an internal approval process where more than one staff member reviews and signs off on the change. Implement Separation of Duties so that Request Verification and Request Approval are performed by two different people. During this process, Approvers need to confirm that the initial verification, secondary verification, and documentation have been completed.
Monitoring
Monitoring allows you to quickly respond to fraudulent activity and increases your chance of thwarting an attack in progress.
Transaction Monitoring: Closely monitor transactions for a period following the change to detect any unusual activity.
Follow-Up: Make a follow-up call or send an email shortly after the wire is sent to confirm that the intended customer received payment. If the customer did not receive payment, follow the steps in the Incident Response Plan For Cyber Attacks, Phishing, And Fraud.
Review, Update, and Train
Policy Review: Regularly review and update the verification process to address new fraud tactics and streamline the customer experience.
Training: Regularly train staff on new fraud tactics and the importance of following verification protocols.
By following these steps, your accounting department can significantly reduce the risk of ACH fraud. It is important to balance security with customer convenience, ensuring that legitimate requests are processed efficiently while fraudulent attempts are thwarted.