ACH Scam
The following article describes an interesting account attack using the ACH network that could allow unauthorized debits of one’s checking account:
Scammers Randomly Target Checking Accounts. The scam runs something like this: the criminal sets up a business account and, knowing the r/t and account number structure of the given bank, starts with an arbitrary account number and automates the following: (1) tries to deposit 1 cent and then (2) increments the account number by one. When any of the deposits clears, the criminal knows they have a valid account number and can then set up a debit. Ideally the debit will be for some small, reasonable and innocent-looking amount (e.g. $110.17) and occur near the beginning of the month, so that if the account holder spots it at all, it will be at the end of the month when they get their statement.
My understanding is that the small deposit is what authenticates the company to make a debit. I believe that a company can also send a pre-notification with no dollar amount through the ACH network to ping an account. A legit company would do this, for example, to verify the account number you gave them for pre-authorized debit is valid. I suppose this would also authenticate the company to make withdrawals (please feel free to correct me).
Besides seemingly weak authentication, what “protects” the consumer is regulation: Federal law (Federal Regulation E) protects you from unauthorized debits from your checking or savings account. You have the right to stop or reverse a payment you believe you did not authorize or that was made in error.
As far as I know, you have 60 days to notify your bank of such an error.
However, this is all rather inconvenient for the consumer, isn’t it? It is up to you to find the error and make the proper notifications within a specified period. That being said, I guess this is to be expected and that there will always be a trade-off between convenience and security.
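The probing pattern described above (one-cent deposits to incrementing account numbers, then a debit against any number that cleared) is also what makes it detectable on the receiving bank's side. The following is an added example, not code from the article or from this post; the record layout, originator names and thresholds are assumptions, and the sample entries are constructed.

```python
from collections import defaultdict

# Constructed sample entries (not real data):
# (originator, account_number, amount_cents, kind, cleared)
SAMPLE = [
    ("ORIG-A", 1000 + i, 1, "credit", i in (3, 6)) for i in range(8)
] + [
    ("ORIG-A", 1003, 11017, "debit", True),   # debit follows a cleared probe
    ("ORIG-B", 52011, 1, "credit", True),     # isolated micro-deposit
    ("ORIG-B", 77140, 32, "credit", True),
    ("ORIG-B", 77140, 4500, "debit", True),
]

def longest_consecutive_run(numbers):
    """Length of the longest run n, n+1, n+2, ... among the given ints."""
    seen = set(numbers)
    best = 0
    for n in seen:
        if n - 1 not in seen:            # n is the start of a run
            length = 1
            while n + length in seen:
                length += 1
            best = max(best, length)
    return best

def find_enumeration_suspects(entries, max_probe_cents=1, min_run=5):
    """Flag originators whose micro-credits walk sequential account numbers,
    and list their debits against accounts where a probe cleared."""
    probes = defaultdict(list)           # originator -> [(account, cleared)]
    debits = defaultdict(list)           # originator -> [(account, cents)]
    for orig, acct, cents, kind, cleared in entries:
        if kind == "credit" and cents <= max_probe_cents:
            probes[orig].append((acct, cleared))
        elif kind == "debit":
            debits[orig].append((acct, cents))
    report = {}
    for orig, hits in probes.items():
        run = longest_consecutive_run(a for a, _ in hits)
        if run < min_run:
            continue                     # too few sequential probes to flag
        confirmed = {a for a, ok in hits if ok}
        report[orig] = {
            "run": run,
            "confirmed_accounts": sorted(confirmed),
            "followup_debits": [(a, c) for a, c in debits[orig] if a in confirmed],
        }
    return report

if __name__ == "__main__":
    print(find_enumeration_suspects(SAMPLE))
```

A single micro-deposit from an originator is ordinary account verification, which is why the check keys on a run of consecutive account numbers rather than on the one-cent amount alone.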





