Ask an Accountant

By: Timothy Showers, Manager, McKonly & Asbury

Ask an Accountant: How to Tame Your Fraudster

Electronic (ACH) payments are a convenient and often necessary means of conducting business with vendors. Unfortunately, while ACH transfers offer greater efficiency and liquidity as compared to traditional checks, they also bear increased vulnerability to fraud attempts (the proverbial double-edged sword). In our public accounting practice, we have seen small businesses targeted for ACH fraud with growing frequency and sophistication in recent months. As ACH fraud attempts intensify, so must our vigilance for detection and prevention.

A Far Too Familiar Story

In a sophisticated ACH fraud scheme, a fraudster will hack your vendor’s email account and infiltrate an existing legitimate email chain. Having assumed the vendor’s identity, the hacker will notify you of a “change in ACH routing information.” You are familiar with the sender, so you have no reason for suspicion, and you re-route this month’s invoice payment accordingly. The fraud is not detected until the following month, when your real vendor contact reaches out to you regarding the past due invoice. By then, the fraudulent bank account has been closed and the fraudster is long gone with the cash.

The bad news is that any organization – regardless of location, size, or industry – can be targeted by a scheme like the one described above. The good news is that you can significantly mitigate your risk of asset loss by taking a few key steps in the areas of education, process controls, and insurance.


Education

A well-educated workforce is one of the best defenses against cybersecurity theft. A regular regimen of cybersecurity training and simulated phishing emails is a worthwhile investment for any organization. If your company does not have the resources to administer trainings and phishing simulations internally, there are many reputable third-party service providers that specialize in this area.

Process Controls

Establish a vendor master file that contains the verified routing and contact information for each of your vendors. Within the master file, it is critical that you include a verified phone number for each vendor contact. In the event you receive an ACH routing change request from a vendor, make it your policy to independently confirm that change by calling the verified contact phone number in the master file.

A robust vendor master file can also fortify your business against internal fraud risk when it is used in conjunction with a proper segregation of duties. For example, an individual who has the ability to edit the vendor master file should not also be able to process vendor payments. By dividing these key responsibilities, you can also mitigate the risk of fraudulent payments being intentionally initiated.


Insurance

In today’s high-risk environment, cybersecurity insurance is also a worthy consideration. This step will more than pay for itself in the unfortunate event your organization falls victim to a significant ACH theft. Clarify with your insurance carrier what types of events your current policy does (and does not) cover. Then, adjust your policy accordingly to avoid any preventable surprises in the future.

Please contact McKonly & Asbury if you have questions about the information outlined above. Our seasoned and experienced construction professionals are here to help. You can also learn more about our Construction Practice by visiting our website:

Posted April 3, 2023