How to Secure Your ACH Transfer Settings

Securing your ACH transfer settings requires a multi-layered approach that combines access restrictions, verification protocols, and real-time monitoring...

Securing your ACH transfer settings requires a multi-layered approach that combines access restrictions, verification protocols, and real-time monitoring to prevent unauthorized payments. The foundation of ACH security rests on three core actions: enabling multi-factor authentication (MFA) to prevent unauthorized login attempts, limiting who can modify banking information to just one or two employees, and requiring dual authorization for significant transactions. For example, when an employee initiates a payroll ACH batch, a second authorized person should review and approve it before processing—a simple step that stops fraudsters who have compromised a single employee’s credentials. The threat is far from theoretical.

According to the 2025 AFP® Payments Fraud and Control Survey, 79% of organizations experienced payments fraud attacks or attempts in 2024, while 38% specifically dealt with ACH debit fraud. Nearly one in three financial institutions reported ACH fraud attempts, with 11% suffering actual losses. The risk has intensified as Business Email Compromise (BEC) attacks—where criminals impersonate vendors or executives to redirect payments—surged from 44% of cyber incidents in 2023 to 73% in 2024. These attacks often target the weakest link: the person or process that authorizes ACH changes. This guide walks through the essential settings, controls, and verification methods you need to implement across your banking systems and processes to significantly reduce the risk of ACH fraud and unauthorized transfers.

Table of Contents

What Are the Most Critical ACH Transfer Settings to Protect?

Your ACH transfer settings encompass everything from login credentials to payee account information, and controlling access to these settings is your first line of defense. The most critical settings include the ability to add or modify vendor banking details, create new employee direct deposit accounts, initiate ACH batches, and approve transactions. Each of these settings should be restricted to as few people as possible—ideally limiting edit access to no more than two employees who have been specifically trained on fraud prevention. One practical example illustrates why this matters: a common fraud scheme involves a compromised employee email account. A fraudster logs in using the stolen password and immediately changes a vendor’s banking information to an account they control, then initiates a payment.

If that employee had broad ACH editing permissions, the damage could be substantial. By contrast, organizations that restrict ACH setting changes to two specific people and require those people to verify changes by calling the vendor using a previously known phone number catch these fraudulent modifications in seconds. Your bank’s online platform typically allows you to configure user roles and permissions. Set the most restrictive permissions available: never grant “edit all ACH settings” access unless absolutely necessary. Instead, create separate roles—one person can initiate transfers, another must approve them. Some organizations take this further and have a third person monthly review all ACH batches and settings changes.

What Are the Most Critical ACH Transfer Settings to Protect?

Why Multi-Factor Authentication Is Non-Negotiable for ACH Access

Multi-factor authentication (MFA) adds a mandatory second layer of verification beyond your password—typically a code sent to your phone or generated by an authenticator app. For ACH access, MFA is not optional security theater; it is the most effective control against account takeover. When a fraudster obtains an employee’s password through phishing or a data breach, they cannot access the ACH system without also intercepting or possessing the second factor. The limitation of MFA is that it requires discipline and cannot be bypassed during an outage without consequence. Some employees resist MFA because it slows down the login process or because they misplace their phones. However, this friction is the security feature, not a bug.

A banking environment where an employee can change a vendor’s payment instructions with nothing more than a password is essentially undefended against sophisticated BEC attacks. MFA eliminates that risk entirely. Implement MFA on every account that can access or modify ACH settings. This includes your main online banking login and any payroll management portals or accounting software integrations that process ACH transactions. Many banks default MFA to SMS (text message), which is better than nothing but inferior to app-based authenticators like Google Authenticator or Authy. If your bank allows it, use app-based MFA; if only SMS is available, still use it rather than nothing.

ACH Fraud Risk by Type (2024 Organizations Affected)ACH Debit Fraud38%ACH Credit Fraud20%Other Payment Fraud21%No Fraud Incidents21%Source: 2025 AFP® Payments Fraud and Control Survey

The Phone Verification Requirement Every Organization Must Deploy

After implementing access controls and MFA, add one more human verification step: require a phone call using a previously known number whenever ACH settings change. This is the control that stops BEC attacks cold. Here is how it works in practice: when someone needs to change a vendor’s banking information in your system, the process automatically sends a notification to a secondary authorized person, who calls the vendor directly using a phone number from a contract or previous correspondence—not a number provided by email. This requirement has proven effective because it exploits a crucial gap in most BEC attacks. Fraudsters can send convincing emails spoofing vendors or executives, but they cannot realistically intercept an outbound phone call from your organization to a vendor they are impersonating.

A $50,000 ACH fraud was prevented at a mid-sized business when the accounts payable team called a “vendor” who had sent a wire change request via email—the person who answered had no knowledge of the request, revealing the fraud immediately. The operational downside is that this process takes time and slows transaction velocity. When a legitimate vendor needs an urgent payment, this verification call can introduce a delay of hours or even a day. The alternative is operating without this check and accepting occasional fraud as a cost of doing business. According to the Washington State Auditor’s Office, restricting ACH payee edit access to one or two people and verifying all changes by phone is the gold standard for mid-market organizations.

The Phone Verification Requirement Every Organization Must Deploy

Implementing Dual Authorization for High-Value ACH Transfers

Dual authorization requires two separate, authenticated people to approve any ACH transfer above a specified threshold—say $10,000 or higher. This is not the same as access restrictions. You might limit editing ACH settings to two people, but you can require that both of those people electronically approve any single large transfer. The mechanics depend on your bank’s platform. Some banks allow you to set a threshold, and any transfer above that amount automatically routes to a secondary approval queue.

The second authorizer logs in with their own credentials and MFA, reviews the transfer details, and must explicitly approve before the transfer processes. This creates an audit trail and ensures that a single compromised account cannot unilaterally move large sums. One limitation to understand: dual authorization slows down your payment velocity and is primarily useful for large, infrequent transfers. For organizations that run hundreds of small ACH transfers daily, requiring dual approval on all of them becomes operationally impractical. Instead, set a reasonable threshold—perhaps $50,000 or the equivalent of two weeks of routine payroll—and require dual approval only above that amount. Smaller transfers can still have restrictions and MFA, but not the dual authorization step.

Real-Time Monitoring and Deviation Detection Systems

Real-time monitoring is the early-warning system for ACH fraud. Set up alerts that flag transactions deviating from your typical patterns: an unusually large payroll, a payment to a new vendor, an ACH batch initiated at an odd time, or a frequency change. These alerts should reach a senior manager within minutes, not hours or the next morning. Modern banking platforms and accounting integrations can implement this through automated rules. For example, you might set a rule that flags any payroll ACH exceeding 110% of the prior month’s total, any vendor payment over $25,000, or any ACH initiated between midnight and 6 a.m.

These flags do not block the transaction automatically—overaggressive automation will create false alarms and alert fatigue—but they do notify someone who can quickly verify whether the transaction is legitimate. The challenge with real-time monitoring is configuration and maintenance. If your rules are too strict, every other ACH gets flagged and your team stops reading alerts. If they are too loose, fraudulent transactions slip through. Additionally, well-planned fraud can stay under thresholds—a sophisticated fraudster might steal from multiple smaller ACH transfers rather than one large one, avoiding your single-transaction alerts. Monitoring is a critical layer but not a complete solution; it must be combined with the other controls discussed here.

Vendor Onboarding and Identity Verification

Before a vendor ever receives their first ACH payment, verify their identity thoroughly. This is where many organizations slip. A common approach is to accept an invoice emailed from someone claiming to be a vendor, then add their banking details to the system. A sophisticated BEC attack targets this exact moment: a fraudster sends what appears to be a vendor invoice or banking update request, and the accounts payable team adds the fake account. Strong vendor onboarding requires checking multiple data sources. For legitimate business vendors, verify their federal tax identification number (TIN) against IRS records and cross-reference the legal business name.

Request banking information only through verified channels—ideally a vendor portal you control, or a phone call you initiate to a number from a contract. The example: A large manufacturing company was targeted by a fraudster who sent an email that appeared to come from a long-standing component supplier. The email announced a “banking information change” due to a merger. The accounts payable team received this, but because the organization required all vendor changes to be verified via phone call to a number in the vendor master file, someone called the supplier directly. The supplier had no knowledge of the banking change, and the fraud was prevented. Had the company simply updated the banking information based on the email, they would have transferred six figures to the fraudster’s account.

NACHA Rule Changes and Future ACH Security Improvements

In October 2024, NACHA (the ACH network operator) implemented new fraud prevention rules that expanded the use of Return Reason Code R17, allowing Receiving Depository Financial Institutions (RDFIs) to return suspicious ACH entries that appear to be fraudulent. This rule gives financial institutions more authority to reject entries they suspect are the result of account compromise or fraud, even if the originating bank processed the entry correctly. What this means for your organization is that you cannot rely solely on your bank’s ACH submission process as a gatekeeper.

RDFIs now have a second-layer review authority, but this still requires that your organization implement the preventative controls discussed here—restricted access, MFA, phone verification, and dual authorization. The future of ACH security involves both the network level protections (like the new NACHA rule) and organization-level controls. Your ACH security posture must evolve continuously as fraudsters adapt their techniques and as regulatory requirements tighten.

Conclusion

Securing your ACH transfer settings is not a single action but an interconnected system of controls, each protecting against different fraud vectors. Start with the foundation: enable MFA on all accounts with ACH access, restrict edit permissions to your two most trustworthy employees, and require that those employees verify any setting change by calling the vendor or employee directly using a known phone number. Layer in dual authorization for large transfers, real-time monitoring for deviations from normal activity, and thorough vendor identity verification during onboarding.

The investment in these controls—whether time, cost, or operational friction—is far smaller than the cost of a single significant ACH fraud. With 79% of organizations experiencing payment fraud attacks in 2024 and ACH fraud accounting for 38% of those incidents, the question is not whether you need these controls, but whether you implement them now or discover the hard way that you should have. Each control is straightforward to set up, and most are available through your existing bank platform or accounting software. Start today.


You Might Also Like