Skip to content

ACH Phishing Emails – All Tricks, No Treats!

Here at Box Lake, our engineers have seen an increase in reports of targeted ACH Fraud phishing emails over the past few months. Take a look at some real examples below and consider our tips for not falling victim to these convincing scams.

We have encountered two main types of ACH fraud emails:

Type 1: The criminals are trying to convince your business to change an account and routing number to pay the criminals instead of the correct recipient of an invoice.

Type 2: The criminals are trying to gain access to your account and routing numbers in order to initiate a payment.

In both of these scenarios, the cybercriminals are hoping for a human error or lapse of judgment in order for their ACH fraud attempt to be successful.  These scams do not require a massive data breach or elaborate ransomware attack, all they need to do is trick one person.


The example below is an example of Type 1, the cybercriminal poses as an internal user (who happens to be the CEO of the company) emailing a financial controller.  They have the name of the CEO correct, but the email address is wrong. In the email, the criminal posing as the CEO gives the financial controller specific instructions to pay the bill and set up ACH for the invoice. There are no obvious indicators that this is a phishing email other than the email address the message was sent from and the fact that the payment is fake.

In the digital age, it’s not difficult to find out the names and titles of people working for a company that has any sort of online presence and this criminal did their research to learn who to email and who the email should appear to be from.

The example email below is an example of Type 2.  This email looks pretty legit and indicates payment is ready to be paid to the email recipient. In this example, the scammer is hoping you provide your payment details so that they can then take those credentials and initiate a fraudulent payment.

In this scenario, the recipient did not recognize this as a payment they should be receiving and forwarded the email to Box Lake to confirm it was indeed fake so we could add the sender to a blacklist.

Regardless of the cybersecurity and email filtering measures your business has in place, there is no real way to guarantee these targeted ACH Fraud emails will not find their way into your employee’s inboxes.  Employees should be trained on spotting a fake email and taught to always get confirmation before changing any payment information.

October is Cyber Security Awareness month and a great time to review the security measures your company has in place.  Box Lake Networks always offers free consultations and recommendations on what security should be implemented for your business and your budget. If you have questions about cybersecurity or a disaster recovery plan please contact us.  

Back To Top