(This article originally appeared in Entrepreneur)
I can steal $50,000 from your bank account tomorrow. I know how because it happened to a client of mine, and it’s easier than you think. And yes, this is a very true story.
My client is a nonprofit organization, not that that matters. The company issues paper checks and also makes and receives payments through automated clearing house (ACH) transfers. I bet your business does the same. But then one day my client looked at her bank account and found that $50,000 was missing. It was paid to a supplier she had never heard of. And by the time she figured out what happened, the money was gone.
Think this can’t happen to you? Oh yes it can. Because here’s how it happened to her.
More than 80% of businesses still use paper checks and although she’s doing her best to make more online payments, my client is one of them. Someone (she doesn’t know who) received a paper check from her business that was written anytime during the past 20 years. That paper check — like all paper checks — had the bank’s routing number and my client’s bank account number printed on it. Go ahead and look at your checks. Those numbers are at the bottom.
The criminal set up a fake company with a bank account at another bank and configured it to accept ACH payments. He (or she) then simply made an ACH request to my client’s bank using the routing and account numbers from her check. Boom. Money transferred.
What? You don’t believe that? Well, try it yourself. Ask for a friend’s check. Then go to a site that will allow you to pay via ACH transfer. The IRS allows this for estimated tax payments. So do many states. So do many other private corporations and educational institutions. Ask for a $1 payment to be made from your friend’s checking account and use the routing and account numbers from the check. Go ahead. See what happens. You now owe that friend a dollar.
Let’s get back to my client. She frantically called the bank’s fraud department, and they are “investigating.” Because she’s diligent and caught the problem early she’s probably going to get her money back from the bank. If more time had elapsed this could’ve been a bigger headache.
But why did this even happen? Because banks have this big flaw in their payment systems, namely allowing anyone to make an ACH request and then honor it unless given a reason not to. The good news is that my client discovered — through conversations with the bank’s fraud department — that her bank offers a service that will alert her of any ACH payment request in advance so that she can give her authorization to release it. That service costs $55 per month.
The takeaway? First of all, make it a point to stop using paper checks. Also, call your bank right now and find out if it’s possible for any stranger who has a copy of any past checks to initiate an ACH transfer just by using your routing and account numbers found on the check. Then find out what additional service the bank provides to control this. Go ahead and grumble, but pay for it. And keep checking your bank accounts a few times a week online just to make sure no other funny business happens.
That’s what my client is now doing. Talk about learning things the hard way.