ACH Fraud Prevention — Small Business

How ACH fraud hits small businesses, why Regulation E doesn't protect you, the 2-day Nacha return window, and a prevention checklist that actually works.

If you run a small business in the U.S., the routing and account number printed on every check you write is also the key someone needs to pull money out of your account. ACH fraud is one of the most common ways small businesses lose money to payment fraud, and the rules that protect your personal account do not protect your business account. Understanding how ACH fraud works, your actual recovery window, and which bank controls reduce your risk is the foundation of a defense that holds up.

What is ACH fraud and why are small businesses targets?

ACH stands for Automated Clearing House, the bank-to-bank network that moves payroll, vendor payments, and bill pay in the United States. Every business checking account has an ACH routing number and an account number, and any party with both can attempt to move money in or out.

ACH fraud is what happens when someone uses your account and routing number to pull money from your account, or uses stolen banking credentials to push money out, without your authorization. It does not require a hacked computer or a stolen card. In many cases the attacker only needs a photo of one of your checks.

Small businesses get hit harder than enterprises for three reasons. First, account numbers are public by design and appear on every check, invoice, and W-9 you send. Second, most small operators do not have segregated duties, dual-approval workflows, or treasury controls that mid-market companies use. Third, owners reconcile monthly instead of daily, so a fraudulent debit can settle and the funds can be moved out of the receiving account before anyone notices.

What are the most common types of ACH fraud?

Unauthorized ACH debits. An attacker submits a debit against your account through a payment processor using only your routing and account number. These often appear as small "test" pulls before a larger one.

[Business Email Compromise](/business-banking-security/scams) (BEC). A scammer impersonates one of your vendors, usually by spoofing or compromising their email, and sends new payment instructions. You update the ACH details in your accounts payable system and the next invoice is paid to the attacker.

Payroll diversion. A fake email purporting to be from an employee asks HR or the owner to update direct deposit details. The next payroll run lands in the attacker's account.

Fake invoice schemes. You receive an invoice that looks like a routine vendor bill but with new ACH routing instructions, often for a recurring service you actually use.

Insider fraud. A bookkeeper, contractor, or employee with banking access initiates ACH transfers to themselves or a shell vendor. This is the hardest to detect because the activity looks authorized.

Account takeover. A phishing email captures your online banking password, and the attacker logs in and sends ACH credits out to mule accounts.

How an Unauthorized ACH Debit Unfolds

The speed mismatch between fraud and detection:

  1. Account number exposed, via a mailed check, invoice PDF, or data breach.
  2. Attacker submits an ACH debit through a payment processor account.
  3. Debit settles in 1–2 business days, before the owner reconciles.
  4. Funds are withdrawn from the receiving account within hours and are hard to recover.

If you reconcile monthly, an unauthorized ACH debit may be discovered after the 2-banking-day Nacha return window has closed.

How does ACH fraud actually happen? A walkthrough

A common unauthorized ACH debit usually follows four steps:

  1. The attacker gets your numbers. A check you mailed to a vendor was photographed by a mailbox thief. Or your account number was exposed in a data breach at a service provider. Or a customer screenshotted an invoice that had your bank details printed at the bottom.
  2. They submit an ACH debit. Using a payment processor account they opened with a stolen or synthetic identity, they originate a debit against your account. ACH originators are required to obtain authorization, but your bank never sees that authorization and generally does not verify it before posting each debit.
  3. The debit settles in 1–2 business days. ACH is not instant, but it is fast enough that most business owners do not see the pull until after it has cleared.
  4. Funds are moved out of the receiving account. The attacker withdraws, transfers, or converts the funds within hours of receipt. By the time you call your bank, the money is gone from the destination.

How long does a business have to return an unauthorized ACH debit?

The key difference is that consumer and business accounts have different dispute rights.

Consumer accounts are protected by Regulation E, which gives individuals up to 60 days from the date a statement is sent to report an unauthorized electronic transfer and limit their liability. Those protections do not extend to business bank accounts, so your business checking account has no Regulation E dispute rights.

Instead, business accounts fall under Nacha operating rules and your deposit agreement with your bank. Under Nacha rules, your bank generally has 2 banking days from the settlement date to return an unauthorized ACH debit against a non-consumer account, and it can only do so if you have reported the debit in time, subject to your deposit agreement. After that window closes, your ability to recover the funds depends on the goodwill of the originating bank and the cooperation of the receiving institution. There is no statutory right to a refund.

That is why prevention matters more than dispute. By the time you spot a fraudulent ACH on your monthly statement, the window has almost certainly closed.

How to prevent ACH fraud at your small business

These habits do not require paid treasury services, though alert settings, MFA options, and user permissions vary by bank.

  • Turn on transaction alerts for every debit and credit. Do not set a minimum threshold. Attackers test with small amounts first.
  • Reconcile daily, not monthly. Spend a few minutes each morning reviewing the prior day's debits and credits in your banking app.
  • Separate receivables from payables. Keep the account number printed on your invoices different from the account that pays vendors and payroll, so a number leaked on an invoice or check exposes only the receivables account.
  • Use unique passwords and multi-factor authentication. Every banking login, every email account tied to banking, every accounting system. Use an authenticator app, not SMS, where available.
  • Verify vendor payment changes by phone. When a vendor emails new ACH instructions, call them back at a number you already have on file, never one supplied in the email itself. A callback to a previously known number is the single most effective defense against Business Email Compromise.
  • Review banking access quarterly. Remove former bookkeepers, contractors, and employees the day they leave.

The protection gap: consumer vs. business ACH dispute rights

| | Consumer account | Business account |
| --- | --- | --- |
| Legal framework | Federal Regulation E applies. | Regulation E does not apply; rights depend on Nacha rules and the deposit agreement. |
| Dispute window | 60 days from the statement date to dispute an unauthorized electronic transfer. | 2 banking days from the settlement date to return an unauthorized ACH debit. |
| After the window | Bank generally must investigate. | Recovery depends on the goodwill of the originating and receiving banks; no statutory right to a refund. |

The gap most owners miss: consumer dispute protections do not extend to business accounts, and your window can close in just 2 banking days.

What bank-level ACH fraud controls should small businesses ask about?

Some controls require your bank to offer them. If you are evaluating a business bank, ask which of these are available:

  • ACH debit blocks. Refuse all incoming ACH debits unless the originator is on a pre-approved list.
  • ACH positive pay. Review each incoming ACH debit and approve or return it before it posts.
  • Dual approval on outgoing payments. Require two users to sign off on ACH credits or wires above a set amount.
  • Real-time push notifications. Not end-of-day email summaries. Push notifications the second a transaction hits.
  • Device and IP recognition. The bank flags or blocks logins from new devices or unfamiliar locations.

Larger commercial banks often offer ACH positive pay as a paid treasury service; pricing varies by bank and account type. Some fintech business accounts do not offer positive pay; instead, they may offer real-time alerts and tools for separating account activity.
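The following Python script is an added example, not Novo's code and not any bank's tooling. It puts the daily habits above (review yesterday's debits, flag anything you did not authorize, treat tiny pulls as probes) and the bank-level allowlist that an ACH debit block or positive pay enforces into one morning check, and it computes the 2-banking-day return deadline described earlier so you can see which flagged debits are still returnable. Everything in it is assumed or constructed: the statement format, the originator names, the $5 probe threshold, the review date, and the holiday used to show holiday handling.

```python
"""Daily ACH debit review for a small-business account.

Added example, not Novo's or any bank's code. It mimics the daily
reconciliation habit (read recent debits, flag any originator you did not
approve, flag small "test" pulls) and the allowlist that an ACH debit block or
positive pay enforces at the bank, then computes the page's 2-banking-day
return deadline for each flagged debit. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

RETURN_WINDOW_BANKING_DAYS = 2   # page's figure; your deposit agreement controls
PROBE_THRESHOLD = 5.00           # assumption: debits at or below this count as probes


@dataclass(frozen=True)
class Txn:
    settled: date
    kind: str          # "ACH_DEBIT", "ACH_CREDIT" or "CARD"
    originator: str    # company name as it appears on the statement
    amount: float


# Constructed: originators you have actually authorized (what a debit block /
# positive pay allowlist at the bank would hold).
APPROVED_ORIGINATORS = frozenset({"ACME PAYROLL SVC", "STATE UTILITY CO", "IRS USATAXPYMT"})

# Constructed statement lines: a $1.00 probe on 2024-02-27, then the real pull
# from the same unknown originator on 2024-03-01.
SAMPLE_TXNS = [
    Txn(date(2024, 2, 27), "ACH_DEBIT", "UNKNOWN MERCH 4471", 1.00),
    Txn(date(2024, 3, 1), "ACH_DEBIT", "STATE UTILITY CO", 212.40),
    Txn(date(2024, 3, 1), "ACH_DEBIT", "UNKNOWN MERCH 4471", 4850.00),
    Txn(date(2024, 3, 4), "ACH_CREDIT", "CUSTOMER LLC", 3200.00),
    Txn(date(2024, 3, 4), "ACH_DEBIT", "ACME PAYROLL SVC", 7425.16),
]
REVIEW_DATE = date(2024, 3, 5)                   # the morning you run the review
SAMPLE_HOLIDAYS = frozenset({date(2024, 2, 28)})  # constructed, not a real holiday


def banking_days_after(start: date, n: int, holidays=frozenset()) -> date:
    """Date that is n banking days after start, skipping weekends and holidays."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:   # Mon-Fri and not a holiday
            n -= 1
    return d


def return_deadline(settled: date, holidays=frozenset()) -> date:
    """Last banking day on which the 2-banking-day return window is open.

    Treated as the end of that day. Your bank may need notice earlier to
    transmit the return in time, so use this as an upper bound, not a target.
    """
    return banking_days_after(settled, RETURN_WINDOW_BANKING_DAYS, holidays)


def review_debits(txns, approved, today: date, holidays=frozenset()):
    """One finding per ACH debit whose originator is not on the allowlist."""
    findings = []
    for t in txns:
        if t.kind != "ACH_DEBIT" or t.originator in approved:
            continue                      # credits, card activity and approved debits pass
        deadline = return_deadline(t.settled, holidays)
        findings.append({
            "settled": t.settled.isoformat(),
            "originator": t.originator,
            "amount": t.amount,
            "probe": t.amount <= PROBE_THRESHOLD,
            "return_deadline": deadline.isoformat(),
            "returnable": today <= deadline,
        })
    return findings


def daily_review():
    """Run the review over the constructed sample as of REVIEW_DATE."""
    return review_debits(SAMPLE_TXNS, APPROVED_ORIGINATORS, REVIEW_DATE)


if __name__ == "__main__":
    for f in daily_review():
        status = "RETURNABLE: call the bank today" if f["returnable"] else "window closed"
        tag = " (probe)" if f["probe"] else ""
        print(f"{f['settled']} {f['originator']:<20} ${f['amount']:>9.2f}{tag} "
              f"deadline {f['return_deadline']} -> {status}")
```

Run as of the constructed review date, the $1.00 probe settled on a Tuesday is already past its Thursday deadline, while the $4,850 pull settled on Friday is returnable through Tuesday because the weekend does not count. That is the whole argument for daily rather than monthly reconciliation in one screen: the same unknown originator appears twice, and only the second entry can still be acted on. In practice you would feed this from your bank's CSV export and maintain the allowlist alongside your vendor master file.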

How Novo helps protect your business account

Novo is a fintech that provides small-business banking solutions, with controls designed for operators who do their own reconciliation. Banking services are provided by Novo's partner bank, Middlesex Federal Savings, F.A., Member FDIC. Novo offers real-time transaction notifications, in-app card lock, a $0 monthly fee, and FDIC insurance up to $250,000 through its partner bank. That means account activity surfaces in the app rather than at month-end, and you can freeze the Novo Business Debit Mastercard from the app. Novo also lets you open multiple accounts, which can help you separate the account number you print on invoices from the one that pays vendors and payroll.

Eligible Novo deposits are FDIC-insured up to $250,000 through Novo's partner bank, Middlesex Federal Savings, Member FDIC. FDIC insurance covers bank failure, not theft or fraud losses.

Novo does not accept cash deposits, which matters for cash-heavy businesses evaluating fraud-segregation strategies. If your business takes meaningful cash, you will need a separate plan for those deposits, often a relationship with a local bank or a third-party cash deposit network.

Layered Defense: ACH Fraud Prevention Stack

Easiest and cheapest controls at the top, strongest bank-level controls at the base.

  1. Daily habits (start here)
     • Reconcile every morning
     • Real-time alerts on all amounts
     • Verify vendor changes by phone
  2. Account structure (set it once)
     • Separate receivables and payables accounts
     • Unique passwords per banking system
     • MFA via authenticator app
  3. Bank-level controls (strongest layer)
     • ACH debit block or positive pay
     • Dual approval on outgoing payments
     • Device and IP recognition on login

What to do if you spot an unauthorized ACH

Move on the same business day. The Nacha return window is strict.

  1. Call your bank immediately. Ask to file a return for an unauthorized ACH debit. Do not wait for a callback. Stay on the line until you have a confirmation number.
  2. File a written statement of unauthorized debit. Your bank will provide an affidavit form. Sign and return it the same day; many banks will not process the return until they have it.
  3. Change passwords and revoke access. Reset your online banking password, your business email password, and your accounting software password. Revoke any user permissions you cannot vouch for.
  4. Notify affected vendors and payroll providers. If the fraud touched a vendor portal or payroll system, tell them the same day so they can lock their side.
  5. Report the incident. File a report at the FBI's Internet Crime Complaint Center (ic3.gov) and notify your state attorney general's office, especially in BEC cases. These reports feed law enforcement pattern analysis and are sometimes required by cyber insurance policies.

One reminder on insurance coverage. FDIC insurance covers bank failure, not theft or fraud losses. If money is pulled from your account fraudulently, FDIC does not reimburse you. Your recourse is the Nacha return process, your bank's goodwill, and any commercial crime or cyber insurance you carry.

What should be on an ACH fraud prevention checklist?

Use this checklist to set up a basic ACH fraud prevention routine.

  • [ ] Daily reconciliation habit set up (a few minutes, every morning)
  • [ ] Real-time alerts enabled on all transactions, no dollar minimum
  • [ ] MFA on every banking login and every email account tied to banking
  • [ ] Vendor payment change requests verified by phone to a known number
  • [ ] Receivables account number separated from payables account
  • [ ] Banking user access reviewed in the last 90 days
  • [ ] ACH debit blocks or positive pay turned on if your bank offers them
  • [ ] IC3 (ic3.gov) and your bank's fraud line saved in your contacts
  • [ ] Cyber or commercial crime insurance reviewed for ACH fraud coverage

Frequently Asked Questions

Is my business account protected the same way as a personal account? No. Regulation E protections apply to consumer accounts and give individuals up to 60 days to dispute. Business accounts are governed by Nacha rules and your deposit agreement, with a much shorter return window.

How long do I have to dispute an unauthorized ACH debit as a business? Generally 2 banking days from the settlement date under Nacha rules. After that, recovery is not guaranteed.

Can I block all ACH debits on my account? Many banks offer ACH debit blocks or ACH positive pay. Ask yours. Availability and pricing vary, and some fintech accounts do not offer it as a formal product.

Does FDIC insurance cover fraud? No. FDIC insurance covers losses from bank failure up to the coverage limit. It does not cover funds stolen from your account by a third party.

What is the difference between ACH fraud and wire fraud? ACH transactions can be returned within a short window if unauthorized. Wires are typically final once sent and settled, which is why BEC attackers prefer wires for large dollar amounts.

Do I need ACH positive pay if I get real-time alerts? Real-time alerts can help you spot fraud sooner, which improves your chance of returning an unauthorized debit within the Nacha window. Positive pay is stronger because it blocks the debit before it posts. If your bank offers positive pay at a reasonable price and you process significant volume, use both.

Can I get my money back if I miss the 2-day window? Sometimes. Your bank can attempt a goodwill return, and the receiving bank may cooperate if the funds are still there. There is no guarantee, and most attackers move the money within hours.

Disclosures

Novo Platform Inc. ("Novo") is a fintech, not a bank. Banking services provided by Middlesex Federal Savings, F.A., Member FDIC. The Novo Debit Card is issued by Middlesex Federal Savings pursuant to licenses from Mastercard International Incorporated. Mastercard is a registered trademark of Mastercard International Incorporated and can be used everywhere Mastercard is accepted. Eligibility subject to final Novo determination.

Deposits are insured for up to $250,000 through our partner bank, Middlesex Federal Savings, Member FDIC.

Novo Platform Inc. ("Novo") strives to provide accurate information but cannot guarantee that this content is correct, complete, or up-to-date. This page is for informational purposes only and is not financial or legal advice nor an endorsement of any third-party products or services. All products and services are presented without warranty. Novo Platform Inc. does not provide any financial or legal advice, and you should consult your own financial, legal, or tax advisors.