
Human behavior as a layer of defense in helping prevent ACH and wire fraud

The simplest verification steps are often the most critical

By BOK Financial
March 6, 2026 · 5 min read

KEY POINTS

  • Most ACH and wire fraud stems from social engineering, making human verification habits a vital supplement to technical security tools.
  • Simple actions, like calling a known contact to confirm payment changes, are among the most effective risk-mitigation steps against email compromise.
  • Daily reconciliation, dual controls and strict credential practices can help reduce the likelihood and potential impact of account takeover attempts.

When most people think of fraud, they think of cybercriminals writing sophisticated code or conducting a deep system breach—but that’s not always the case. Fraud can happen because a rushed team accepts a “quick” change to payment details or a caller who “sounds official” persuades someone to share a one‑time passcode.

For this reason, teaching the people in your organization anti-fraud habits is an important factor in helping to protect against losses, alongside having technical security tools in place. For instance, one of the most common wire/ACH scams right now is email compromise, which involves a bad actor intercepting an email chain or impersonating the legitimate business email, said Connor Crutchfield, manager of fraud prevention and detection at BOK Financial®. One primary strategy for helping to mitigate this scam is a simple phone call.

“If a payee contacts via email to have payment details changed, such as the account and routing number, calling a known contact to verify that the payment change is legitimate and the account and routing number are correct is a highly recommended step,” he explained. “Taking these steps can help mitigate the risk that the payments are being sent to an unauthorized beneficiary.”

Another common type of scam right now is account takeover. In this situation, a phone call or text appearing to come from a financial institution creates urgency, coaxing credentials or one‑time passcodes (OTPs) from one of your business’s employees. “Be on the lookout for possible scam phone calls or texts,” Crutchfield said. “Scammers are spoofing banks now to impersonate them and phish for online banking access.”

The most common scams and how to help avoid them

If you think you could easily spot these scams, you may want to think again. Cybercriminals may study your organization—who authorizes payments, when funds move, which vendors get paid at month‑end—and time their moves to those rhythms. They can use generative artificial intelligence (AI) tools to mirror writing styles, slipping into email threads and exploiting the pressure of deadlines. In that environment, small verification habits can have a significant impact on security outcomes.

For instance, to help mitigate the risk of email compromise, your organization should have a culture that encourages:

  • Treating any change to account and routing numbers as high‑risk.
  • Calling a known contact at a verified number (not the one in the email) and documenting the confirmation before moving funds.
  • Maintaining a master directory of verified numbers and requiring a second person to confirm the callback. Make this step routine and auditable.

Safeguarding against account takeovers also involves proactive changes in behavior. These include:

  • Hanging up and calling back using a published number, when your business receives a phone call or text appearing to come from a financial institution.
  • Never giving out your online banking username and password, and being cautious about providing OTPs over the phone or by text.
  • Limiting who in your organization can receive OTPs.
  • Treating repeated OTP prompts in a short window as a red flag.
  • Being wary of unusual phone calls. “If a phone call is taking a long time to resolve, this could be a bad actor stalling on the phone to attempt an account takeover,” Crutchfield said. “Also, if you find yourself providing OTPs multiple times it could be a sign that this is a scam phone call. Any sign of doubt can be a good sign to hang up and call the bank yourself.”

ACH vs. wire: different mechanics, same mandate

ACH fraud can be harder to detect than wire fraud. ACH items settle in batches and can sit in the network before posting, so unauthorized entries blend into normal flows, especially when teams reconcile weekly instead of daily. Criminals exploit that delay by inserting fraudulent ACH files, adding themselves as bill‑pay recipients or altering outbound payment details after compromising credentials with malware or keyloggers. Daily reconciliation is therefore a recommended frontline defense: it shortens the window between an unauthorized entry posting and someone noticing it to roughly 24 hours.

The faster your team sees and responds to a fraudulent wire, the better the chance of recovery. For international wires of $50,000 or more sent within the last 72 hours (based on current federal law enforcement guidelines), your financial institution can coordinate with the FBI’s Financial Fraud Kill Chain (FFKC) to attempt recovery, provided a SWIFT recall has been initiated and you can supply complete transaction details. Wires outside these parameters should still be reported to law enforcement, but the FFKC protocols may not apply. A rehearsed internal escalation path (who calls the bank, who gathers the transaction details, who notifies law enforcement) improves the odds of acting within that window.

What to do differently starting now

In addition to the safeguards listed earlier, making the following habits a part of your company’s culture can help protect your organization against these and other fraudulent attacks:

  • Make verification a reflex: No funds should move on changed instructions without an out‑of‑band callback to a known contact at a previously verified number. Log who verified, when they did so and what they confirmed.
  • Enforce dual control: Separate initiator and approver roles on all ACH and wire activity, whenever feasible. This separation breaks the single point of failure that social engineers target.
  • Reconcile daily: Close the gap between fraud and discovery. Daily reconciliation across operating, trust and investment accounts is a key factor in improving potential recovery odds.
  • Lock down your workstation: Consider initiating payments from a dedicated device—one that is not used for email or general web browsing—to help reduce malware exposure.
  • Practice credential hygiene:
    • Unique and complex passwords
    • No shared logins
    • No browser‑saved credentials
    • Administrator rights restricted to those who need them for their job
    • Patched OS and key applications
    • Firewalls and commercial anti‑malware in place
  • Escalate immediately: If anything feels off—especially around ACH batches or last‑minute wire changes—pause and contact your financial institution. Minutes matter.
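As an added example, not BOK Financial’s code or a description of its systems, the following Python sketch shows what the daily reconciliation, callback logging and dual-control habits above look like when written down as checks a finance team could run each morning. All data in it is constructed: payee names, user IDs, routing and account numbers are placeholders, and the three record types (approved-payments ledger, bank-posted debits, callback log) are assumed shapes, not any bank’s export format. It flags a posted debit with no approved counterpart or whose account differs from what was approved, a payment to new or changed payee details with no logged callback confirmed by a second person, and a payment initiated and approved by the same person.

```python
"""Daily reconciliation and control checks for outbound ACH and wire activity.

Added example; not BOK Financial's code. Every record below is constructed and
all identifiers are placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Payment:
    """One row from the company's own ledger of approved outbound payments."""
    ref: str
    payee: str
    routing: str
    account: str
    amount: float
    initiator: str
    approver: str


@dataclass(frozen=True)
class BankDebit:
    """One outbound item on the bank's daily activity report (assumed shape)."""
    ref: Optional[str]      # reference echoed back by the bank; None if unmatched
    payee: str
    routing: str
    account: str
    amount: float


@dataclass(frozen=True)
class Callback:
    """A logged out-of-band verification of changed payment details."""
    payee: str
    routing: str
    account: str
    verified_by: str        # who placed the callback to the known contact
    confirmed_by: str       # second person who confirmed the callback


# Master directory of verified payee banking details (constructed placeholders).
DIRECTORY = {
    "Acme Supply": ("100000001", "1234567890"),
    "Delta Labs":  ("100000002", "5555000011"),
}

LEDGER = [
    Payment("P-1001", "Acme Supply", "100000001", "1234567890", 12500.00, "jlee", "mrao"),
    Payment("P-1002", "Acme Supply", "100000001", "9988776655", 18300.00, "jlee", "mrao"),  # changed account, callback logged
    Payment("P-1003", "Delta Labs",  "100000002", "5555000011",  4200.00, "jlee", "jlee"),  # same person initiated and approved
    Payment("P-1004", "Nimbus Consulting", "100000003", "4444000022", 6100.00, "jlee", "mrao"),  # new payee, no callback
]

BANK_DEBITS = [
    BankDebit("P-1001", "Acme Supply",       "100000001", "1234567890", 12500.00),
    BankDebit("P-1002", "Acme Supply",       "100000001", "9988776655", 18300.00),
    BankDebit("P-1003", "Delta Labs",        "100000002", "5555000099",  4200.00),  # account altered after approval
    BankDebit("P-1004", "Nimbus Consulting", "100000003", "4444000022",  6100.00),
    BankDebit(None,     "Unknown Vendor",    "100000009", "0007770001",  9750.00),  # not in the ledger at all
]

CALLBACKS = [
    Callback("Acme Supply", "100000001", "9988776655", verified_by="mrao", confirmed_by="kchen"),
]


def unauthorized_debits(ledger, debits):
    """Posted debits with no approved payment matching on ref, routing, account and amount."""
    approved = {(p.ref, p.routing, p.account, round(p.amount, 2)) for p in ledger}
    return [d for d in debits if (d.ref, d.routing, d.account, round(d.amount, 2)) not in approved]


def unverified_detail_changes(ledger, directory, callbacks):
    """Payments to details that differ from the directory (or to a payee not in it)
    without a logged callback that names a verifier and a different confirmer."""
    verified = {(c.payee, c.routing, c.account) for c in callbacks
                if c.verified_by and c.confirmed_by and c.verified_by != c.confirmed_by}
    findings = []
    for p in ledger:
        on_file = directory.get(p.payee)
        changed = on_file is None or on_file != (p.routing, p.account)
        if changed and (p.payee, p.routing, p.account) not in verified:
            findings.append(p)
    return findings


def dual_control_violations(ledger):
    """Payments where the initiator also acted as approver."""
    return [p for p in ledger if p.initiator == p.approver]


def daily_review(ledger, debits, directory, callbacks):
    """Run every check and return (category, record) pairs for escalation."""
    findings = [("UNAUTHORIZED_DEBIT", d) for d in unauthorized_debits(ledger, debits)]
    findings += [("UNVERIFIED_CHANGE", p) for p in unverified_detail_changes(ledger, directory, callbacks)]
    findings += [("DUAL_CONTROL", p) for p in dual_control_violations(ledger)]
    return findings


if __name__ == "__main__":
    for category, record in daily_review(LEDGER, BANK_DEBITS, DIRECTORY, CALLBACKS):
        print(f"{category}: {record}")
```

Matching on the full tuple (reference, routing, account, amount) rather than on reference alone is what catches the altered-account case: the bank echoes the same reference for P-1003, but the account it paid is not the one that was approved. The callback check also refuses to count a callback as verified if the same person both placed and confirmed it, which is the auditable second-person step the directory bullet above asks for.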

Organizations often ask which tool will “solve” payment fraud. Tools help, but habits are vital—the 60‑second callback, the refusal to share an OTP over the phone, the insistence on dual approval even under deadline pressure. In a world where criminals study your processes, the most powerful response is a culture that prizes verification over urgency and empowers the people in your organization to say, “Let me call you right back."

Disclaimer: The information provided in this article is for general educational and informational purposes only and does not constitute legal, financial, or security advice. These suggested risk management strategies are intended to help mitigate the risk of fraud but do not guarantee protection against all fraudulent activity. Federal guidelines are subject to change without notice. In the event of a conflict between the suggestions in this article and the terms of your Combined Agreement for Business Accounts or other account or service contracts with BOK Financial®, the terms of your specific agreements and the security procedures described therein shall exclusively govern. BOK Financial® does not control the protocols of third-party agencies or law enforcement and cannot guarantee the recovery of funds.
