Outbound ACH & Supplier Payment Fraud
- Inbound ACH (customer pays you) and outbound ACH (you pay suppliers) are completely different risks with different controls, different liability, and different recovery options
- Outbound fraud means your money leaves your account - recovery rates are under 30%, and after 24 hours your recall request becomes a polite ask, not a demand
- The #1 attack vector is BEC-driven vendor banking changes - someone convinces your AP team to update a vendor's bank details to a fraudster-controlled account
- Prevention is procedural, not technical: dual authorization, out-of-band verification for banking changes, segregation of duties, and regular vendor master file audits
Before reading this page, understand:
- ACH Operations - How ACH processing works (focused on inbound)
- ACH Fraud - Inbound ACH fraud and return codes
- BEC & Phishing - The #1 attack vector for outbound fraud
- Bank Transfers - ACH as a payment method
Most ACH content - including our ACH operations and ACH fraud pages - focuses on inbound payments: customers paying you. That's the right starting point for most merchants. But if you're also sending money out via ACH to suppliers, contractors, landlords, or payroll, you face a completely different set of risks. This page covers those outbound risks, where the money flows away from you and the recovery window is painfully short.
Inbound vs. Outbound ACH Risk
These two directions look similar on paper (both are ACH transactions) but the risk profiles are nothing alike.
| Factor | Inbound ACH (Customer Pays You) | Outbound ACH (You Pay Suppliers) |
|---|---|---|
| Direction | Money flows in | Money flows out |
| Who initiates | You (or your processor) as ODFI | You as originator via your ODFI |
| Primary fraud type | Unauthorized debits, return abuse | Payment redirection, insider theft |
| Your role when fraud hits | Victim (you lose the goods/service) | Liable party (your money is gone) |
| Recovery window | Returns come to you in 2-60 days | You have ~24 hours for a recall |
| Legal framework | Reg E (consumer), UCC (business) | Nacha rules, UCC Article 4A |
| Detection | R10/R29 return codes alert you | You discover it when vendor calls asking where payment is |
| Typical loss per incident | Transaction amount | $10K-$125K+ (often larger payments) |
The critical difference: with inbound fraud, the system tells you something went wrong (you get a return code). With outbound fraud, nobody tells you anything. The money leaves, the fraudster moves it, and you find out days or weeks later when your real vendor asks why they haven't been paid.
Attack Vectors
Vendor Banking Change Fraud
This is the #1 vector for outbound ACH fraud, and it's a subset of Business Email Compromise (BEC). We cover BEC in depth on the BEC & Phishing page, so this section covers only the outbound-payment angle rather than repeating that material.
The short version: a fraudster impersonates one of your vendors (via compromised email or a spoofed domain) and requests that you update their banking details. Your AP team updates the vendor master file, and the next payment run sends money to the fraudster's account.
Why it works so well:
- Vendor banking changes are routine - they happen legitimately
- AP teams process dozens of invoices and aren't trained to be suspicious
- The fraudster only needs one successful change to capture the next payment
- Median loss per incident is $125,000 (FBI IC3 data)
For full BEC prevention controls, see BEC & Phishing.
Payee Account Number Manipulation
Someone changes the account or routing number in your accounts payable system - either directly or by modifying payment files before they reach your bank.
How it happens:
- External access: Attacker compromises your accounting software (QuickBooks, NetSuite, SAP) and edits vendor records
- Batch file tampering: If you upload ACH batch files (NACHA format), an attacker intercepts and modifies the file between creation and upload
- Man-in-the-middle: Attacker positions between your system and your bank's ACH portal
Detection signals:
- Vendor record changes that don't match a verified change request
- Routing numbers that don't match the vendor's known bank
- Multiple vendors suddenly updating to the same receiving bank
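As an added example (not code from the original page), a Python review that applies these three detection signals to a constructed vendor-master change log; the vendor ids, routing numbers and ticket ids are made up, and the ABA check-digit test is included as a cheap data-accuracy screen on any new routing number.

```python
from collections import defaultdict

# Constructed sample: a vendor-master change log as an AP system might export it,
# plus the routing number on file for each vendor before this batch of changes.
# Routing numbers, vendor ids and ticket ids are made up for this example.
CHANGE_LOG = [
    {"vendor": "V100", "new_routing": "222371863", "new_account": "44001",
     "ticket": "CR-501", "callback_verified": True},   # account-only change, verified
    {"vendor": "V101", "new_routing": "555000018", "new_account": "99001",
     "ticket": None, "callback_verified": False},      # no request on file, no call-back
    {"vendor": "V102", "new_routing": "555000018", "new_account": "99002",
     "ticket": "CR-502", "callback_verified": False},  # same new bank as V101
    {"vendor": "V103", "new_routing": "123456789", "new_account": "99003",
     "ticket": "CR-503", "callback_verified": True},   # routing number is not well-formed
]
VENDOR_MASTER_ROUTING = {"V100": "222371863", "V101": "333000162",
                         "V102": "444000022", "V103": "222371863"}

def aba_checksum_ok(routing: str) -> bool:
    """ABA routing-number check digit: weighted sum (3,7,1 repeating) must be 0 mod 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0

def review_bank_changes(changes, known_routing):
    """Return [(vendor_id, signal), ...] for every change that needs a second look."""
    alerts = []
    vendors_by_new_routing = defaultdict(set)
    for c in changes:
        v = c["vendor"]
        if not c["ticket"]:
            alerts.append((v, "no verified change request on file"))
        if not c["callback_verified"]:
            alerts.append((v, "not confirmed by call-back to the number on file"))
        if not aba_checksum_ok(c["new_routing"]):
            alerts.append((v, "new routing number fails ABA check digit"))
        elif c["new_routing"] != known_routing.get(v):
            alerts.append((v, "routing number moves vendor to a different bank"))
        vendors_by_new_routing[c["new_routing"]].add(v)
    # Several vendors landing on one receiving bank in the same window is the classic
    # sign of one fraudster behind several "vendor" requests.
    for routing, vendors in vendors_by_new_routing.items():
        if len(vendors) > 1:
            for v in sorted(vendors):
                alerts.append((v, f"{len(vendors)} vendors changed to receiving bank {routing}"))
    return alerts

if __name__ == "__main__":
    for vendor, signal in review_bank_changes(CHANGE_LOG, VENDOR_MASTER_ROUTING):
        print(f"{vendor}: {signal}")
```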
ACH Origination Abuse
If you're an ACH originator (meaning you send payment instructions through your ODFI), abuse of that origination capability is a serious risk.
Scenarios:
- Unauthorized debits originating from your ODFI account (someone uses your origination credentials to pull money from third-party accounts)
- Batch file manipulation - adding fraudulent entries to legitimate payment runs
- Credential theft for your bank's ACH origination portal
Your liability: As the originator, you're responsible for every transaction you send. If someone uses your origination access to create unauthorized debits, you bear the liability for returns and damages under Nacha rules.
Insider Threats
The AP clerk, bookkeeper, or controller who has access to your payment systems is uniquely positioned to steal.
Common schemes:
- Ghost vendors: Employee creates fictitious vendor records and routes payments to personal accounts
- Payment splitting: Employee sends legitimate vendor payment but adds a second, smaller payment to their own account in the same batch
- Check-to-ACH conversion: Employee converts a check payment to ACH and redirects it
- Overbilling collusion: Employee and vendor conspire to inflate invoices, splitting the excess
Why it goes undetected: The person committing the fraud is often the same person reconciling the accounts. Without segregation of duties, there's no second set of eyes.
Prevention Controls
Outbound ACH fraud prevention is almost entirely procedural. No fraud scoring algorithm will catch a legitimate-looking payment to a fraudster's account.
| Control | What It Prevents | Implementation |
|---|---|---|
| Dual authorization for new payees | Ghost vendors, BEC | Two people must approve any new vendor in the master file |
| Dual authorization for banking changes | BEC, account manipulation | Two people must approve any change to vendor bank details |
| Out-of-band verification | BEC | Call vendor at a known phone number (not from the email) to confirm banking changes |
| Micro-deposit or API verification | Wrong account, manipulation | Verify new bank details with test deposits or bank API before sending real payments |
| ACH Positive Pay | Unauthorized origination | Bank-side control that matches outbound ACH against your authorized payee list |
| Segregation of duties | Insider fraud | Person who enters payments is not the person who approves them |
| Vendor master file audits | Ghost vendors, stale records | Quarterly review of all vendor records - flag dormant vendors, duplicate tax IDs, PO box-only addresses |
| Payment threshold alerts | Large-dollar fraud | Automatic alerts for payments above a set threshold |
The Non-Negotiable Three
If you do nothing else, implement these three controls:
- Dual authorization on banking changes. No single person should be able to change where payments go. Period.
- Out-of-band verification for new bank details. Call the vendor at a number you already have on file. Never use contact info from the email requesting the change.
- Segregation of duties. The person who enters a payment should not be the person who approves it.
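As an added illustration (not the page's or any AP vendor's code), a small Python model of a vendor bank-detail change that refuses to write to the vendor master until all three controls are satisfied: the call-back number must come from the record on file, the person who keyed the change cannot approve it, and two distinct authorized approvers are required. User names, roles and bank details are assumed for the example.

```python
from dataclasses import dataclass, field

class ControlViolation(Exception):
    """Raised when a vendor bank-detail change would bypass one of the three controls."""

@dataclass
class BankChangeRequest:
    vendor_id: str
    new_routing: str
    new_account: str
    requested_by: str                      # AP user who keyed the change
    callback_number_source: str = ""       # where the call-back phone number came from
    approvals: list[str] = field(default_factory=list)

    def record_callback(self, number_source: str) -> None:
        # Out-of-band verification: the number must come from the vendor master, never from the email.
        if number_source != "vendor_master":
            raise ControlViolation("call-back must use the number already on file")
        self.callback_number_source = number_source

    def approve(self, user: str, roles: dict[str, set[str]]) -> None:
        if user == self.requested_by:      # segregation of duties
            raise ControlViolation(f"{user} entered this change and cannot approve it")
        if user in self.approvals:         # dual authorization needs two distinct people
            raise ControlViolation(f"{user} has already approved this change")
        if "bank_change_approver" not in roles.get(user, set()):
            raise ControlViolation(f"{user} is not an authorized bank-change approver")
        self.approvals.append(user)

    def is_releasable(self) -> bool:
        return self.callback_number_source == "vendor_master" and len(self.approvals) >= 2

    def release(self, vendor_master: dict[str, dict]) -> None:
        """Write the new bank details only once all three controls are satisfied."""
        if not self.is_releasable():
            raise ControlViolation("change lacks call-back verification or a second approval")
        vendor_master[self.vendor_id] = {"routing": self.new_routing, "account": self.new_account}

# Constructed roles and a walk-through of one legitimate change (users and numbers are made up).
ROLES = {"alice": {"ap_clerk"}, "bob": {"bank_change_approver"}, "carol": {"bank_change_approver"}}

def demo() -> dict[str, dict]:
    master = {"V101": {"routing": "333000162", "account": "12345"}}
    req = BankChangeRequest("V101", "555000018", "99001", requested_by="alice")
    req.record_callback("vendor_master")
    req.approve("bob", ROLES)
    req.approve("carol", ROLES)
    req.release(master)
    return master
```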
ACH Origination Compliance
If you originate outbound ACH payments, you have obligations under Nacha rules whether you realize it or not.
Originator Responsibilities
- Authorization: You must have proper authorization for every transaction you originate
- Return liability: You are liable for all returns on transactions you originate, including unauthorized returns
- Data accuracy: Account numbers, routing numbers, and amounts must be correct
- ODFI agreement: Your bank (the ODFI) has an agreement with you that spells out your responsibilities - read it
Entry Class Codes That Matter
| SEC Code | Name | Use Case |
|---|---|---|
| CCD | Corporate Credit or Debit | Business-to-business payments (vendor, supplier) |
| PPD | Prearranged Payment and Deposit | Payroll, employee reimbursements |
| CTX | Corporate Trade Exchange | B2B with addenda records (remittance data) |
Why it matters: Using the wrong SEC code creates compliance exposure. CCD transactions between businesses have different return rules than PPD transactions to employees. Unauthorized CCD returns must be made by the next business day. Unauthorized PPD returns (if to a consumer-status account) get the longer Reg E window.
Unauthorized Return Exposure
If a transaction you originated comes back as unauthorized (R29 for corporate, R10 for consumer), you're on the hook:
- You must accept the return
- Your ODFI may charge you fees
- Repeated unauthorized returns can get your origination privileges suspended
If Outbound ACH Goes Wrong
The First 24 Hours Are Everything
ACH recall requests work on a tight timeline. Here's what you need to know:
Within 24 hours of settlement:
- Contact your bank immediately and request an ACH recall (indemnified recall request)
- Your ODFI sends a recall request to the RDFI (receiving bank)
- The RDFI must respond within 10 banking days, but returning the funds is voluntary (not mandatory)
After 24 hours:
- Your recall request becomes a "request" not a "demand" - the receiving bank can decline
- If the fraudster has already moved the money, there's nothing to return
- Recovery rates drop to under 10% after 72 hours
Response Checklist
Immediate (first hour):
- [ ] Call your bank - phone, not email
- [ ] Request ACH recall with transaction details
- [ ] Freeze any pending payments to the same account
- [ ] Preserve all evidence (emails, change requests, approvals)
Within 24 hours:
- [ ] File FBI IC3 report at ic3.gov
- [ ] Notify your bank's fraud department formally
- [ ] Notify your cyber insurance carrier (if applicable)
- [ ] Begin internal investigation - who approved, what process was followed
Within 1 week:
- [ ] Complete internal investigation
- [ ] Identify control failures
- [ ] Implement corrective controls
- [ ] Consider SAR filing if amount exceeds $5,000
Recovery Odds
| Timeline | Recovery Likelihood |
|---|---|
| Caught before settlement | High - payment can be reversed |
| Within 24 hours of settlement | Medium - recall request has teeth |
| 24-72 hours after settlement | Low - funds likely moved |
| After 72 hours | Very low - legal action is your remaining option |
The honest reality: most outbound ACH fraud is discovered days or weeks later, when the real vendor calls asking where their payment is. By then, the money is gone.
Next Steps
Setting up outbound ACH controls?
- Implement dual authorization for vendor banking changes - this is your highest-ROI control
- Establish out-of-band verification procedures - BEC prevention framework
- Ask your bank about ACH Positive Pay - matches outbound payments against your approved payee list
Already sending outbound ACH and worried about gaps?
- Audit your vendor master file - look for dormant vendors, duplicate tax IDs, PO box-only addresses
- Review who has access to change vendor bank details - segregation of duties matters
- Check your ACH origination agreement with your bank - understand your liability
Dealing with a suspected outbound fraud incident?
- Call your bank immediately to request a recall - every hour matters
- File with FBI IC3 at ic3.gov - even if you think recovery is unlikely
- Review the BEC response playbook for detailed steps
Related Pages
- ACH Operations - Inbound ACH processing and return management
- ACH Fraud - Inbound ACH fraud, return codes, and verification tools
- BEC & Phishing - The #1 attack vector for outbound payment fraud
- Bank Transfers - ACH, wire, and RTP as payment methods
- ACH Return Codes - Complete return code reference
- Business Banking ATO - When attackers compromise your banking credentials directly
- Payout Strategy - Managing outbound payment timing and risk
- Vendor Management - Operational controls for vendor relationships