Corporate & Institutional
Gain new insights into Direct Deposit via ACH and Direct Payment via ACH and obtain new tools and resources. more >
Business meeting
Charter Schools are new, innovative public schools . . . more >
NACHA Fraud Alert -
Reverse Phishing & Keylogging Spyware

The NACHA Members Memo is for distribution to Participating Depository Financial Institution Members
March 14, 2007

Fraud Scenarios--Reverse Phishing and Keylogging

This edition of the NACHA Members Memo provides information about two scenarios that have resulted in fraud losses.

Case 1 - Corporate "Reverse Phishing": The following fraud scenario has been reported to NACHA. NACHA is calling it a case of "reverse phishing;" instead of e-mails attempting to fraudulently obtain corporate banking information, the perpetrator(s) sent e-mails fraudulently providing corporate banking information.

The Scenario:

  • A company received e-mails from two trading partners asking for changes to bank and account numbers used to receive ACH payments for invoices;
  • The company believed the requests to be legitimate, as the e-mails looked like those from the trading partners;
  • The company originated ACH credits to the new bank and account numbers for these trading partners;
  • The ACH credits went to newly opened accounts, and the funds were withdrawn;
  • Eventually, the company received phone calls from the trading partners about failure to pay;
  • The company investigated and discovered that the original e-mails supplying new payment instructions were fraudulent.


  • Originators should perform due diligence in accepting changes in payment instructions. For example, a widely used security procedure is a callback to a known individual at the trading partner.
  • ODFIs can alert their Originators to this type of fraud scheme.

Case 2 - Keylogging Spyware: The following fraud scenario has been reported to NACHA by several parties, and resulted in bank losses. The scenario takes advantage of compromised IT security, poor corporate treasury management practices, and weak authentication. The scenario is not specific to ACH payments; wire transfers were involved as well.

The Scenario:

  • A corporate treasury workstation or computer used to log on to online banking is infected with keylogging spyware;
  • The keylogging spyware records the company?s online banking credentials - User ID and Password ? when an employee signs in to online banking;
  • The keylogging spyware then sends this information to the perpetrator;
  • The perpetrator uses the company?s credentials to sign in to online banking on the corporate banking web site;
  • The perpetrator initiates outbound funds transfers out of the company?s corporate account(s), either via ACH credits or wire transfers;
  • The company does not employ any additional means to confirm the transactions and release funds, and the bank does not require additional authentication of the party initiating the transfers;
  • The perpetrator routes funds to deposit accounts at various financial institutions; these accounts were recently opened either by the perpetrator, or arranged to be opened through willing associates or unknowing individuals;
  • These accounts receive deposited good funds via ACH credits or wire transfers;
  • The account owners then wire funds overseas, and are non-recoverable by the company and its bank.



  • Originators should use best practices for treasury management and corporate banking, including authentication for authorizing transactions online and/or independent confirmation of outbound transfers;
  • Originators should reconcile their accounts daily;
  • Originators should use best practices for information technology security, covering the integrity of hardware, software and identity management.


  • ODFIs should use best practices for authenticating corporate customers and executing instructions for outbound funds transfers initiated online;
  • ODFIs should work with their Originators on best practices for corporate banking and IT security;
  • ODFIs can alert their Originators to this type of fraud scheme.

The content contained in The NACHA Members Memo was developed by NACHA.