ACH & Wire Fraud

ACH (automated clearing house) transactions and wire transfers are two forms of electronic funds transfers (EFTs) and the fastest ways to send cash to another business, individual, or other recipient. Although ACH and wire transfers can be for any amount, ACH transactions generally include online bill payments and other scheduled transfers of smaller amounts of money, while wire transfers can involve larger sums transferred between domestic and international banks.

Government officials have repeatedly warned banks and businesses to the growing and costly trend of funds transfer fraud, in which cyber-criminals employ phishing emails, compromised websites, malware, and other tools to steal bank login credentials, then transfer money out of the victim’s bank account and into the thieves’ account—often, at a bank halfway around the world, where the funds cannot be recovered. Criminals target small-to-medium-sized businesses because they are less likely to have the strongest information security safeguards, officials say. Bloomberg Business reports that cyber-criminals steal as much as $1 billion a year this way.

The most frequent scenarios include:


According to government officials, an increasing number of fraudulent electronic funds transfers are committed by computer hackers, usually located outside the U.S. One common method is known as a “corporate account takeover” by law enforcement; this type of crime is also called a business email compromise (BEC) or invoice scam. In a typical scenario, an employee at a company—such as an accounts payable staff member—receives an email that appears to come from a legitimate sender, such as a vendor or the company’s bank. The email contains an attachment, which appears to be important, so the employee opens the email and clicks on the attachment.

However, this is really a phishing email sent by a hacker, and the attachment now downloads a malicious program—known as financial malware—onto the company’s computer system. By tracking employees’ keystrokes, malware may collect sensitive financial information about the company such as  online banking accounts, usernames, and passwords. In another scenario, financial malware is used to trick an employee into revealing the company’s wire transfer or ACH authorization token. Using this information, the hackers can illegally transfer funds out of the victim company’s accounts, often in a matter of minutes or less.

Man-in-the-Middle Attacks

Another sophisticated electronic funds transfer fraud is a “man in the middle” (MITM) attack. Hackers use malware to gain access to a corporate email account, and then monitor the victim company’s payment requests and related communications. Posing as a trusted vendor, the cyber-criminals send a request for payment, instructing the company to wire the money to a bank account that appears to be legitimate but is really under the criminals’ control. By the time the fraud has been detected, the money has often been collected and the thieves have disappeared.


ACH transaction and wire transfer security is critical. The best defense against potential fraud is to implement a strong information security program for your business.

Other precautions may include:

  • Input security tokens only when releasing an ACH or wire transaction, never at sign-in.
  • Remember: City National Bank will never initiate a communication to request entry of security tokens.
  • Install and maintain appropriate anti-malware/antivirus software on computers.
  • Place dual controls – one user ID and password to approve a wire transfer, and another user ID and password to release the same transfer – or even triple controls on your accounts.

If you have questions about cyber-security, please contact your Relationship Manager.