Digital Robbery Scams Are on the Rise
Financial fraud has exploded in the past few years, with consumers reporting more than $12.5 billion in losses in 2024. President Donald Trump’s deregulatory agenda isn’t helping.
ACH fraud is becoming ever more common due to an increase in digital payments and phishing scams. (Spencer Platt / Getty Images)
It’s easy to get robbed these days. All a thief might need are the seventeen numbers found on your publicly available banking documents.
Just ask Scott Delman. For nearly a year and a half, someone used Delman’s banking information to deduct monthly car insurance payments from the theater producer’s bank account, according to financial documents he shared with the Lever. In total, the fraud cost him more than $4,300. So far, he’s yet to be reimbursed.
Delman has come to believe the matter will cost people huge amounts of money, and even poses a national security risk.
“Imagine if the Russians or Chinese focused on the ‘opportunity’ — they could raid American accounts and create a crisis of confidence which would devastate the banking industry,” he said.
Delman is just one of a growing number of victims of automated clearing house (ACH) fraud, a kind of digital robbery that involves scammers using a victim’s financial information — their bank account number and their bank’s routing number — to withdraw their money.
ACH fraud is becoming ever more common due to an increase in digital payments and phishing scams, in which fraudsters trick consumers into sending sensitive information, often by email. A report by the Federal Trade Commission (FTC) found that in 2024, there were more than 47,000 reports of bank transfer or payment fraud, which can include ACH fraud, totaling more than $2 billion, an increase of nearly 10,000 reports and nearly triple the monetary damages consumers lost in 2021.
Once these scams occur, there’s no guarantee that victims will be reimbursed. A patchwork of federal regulations, district court rulings, and private industry guidelines govern banks’ obligations for repaying targets of such fraud. The average consumer has roughly sixty days to report ACH fraud in order for financial institutions to fully refund them; many people, like Delman, don’t discover the theft in time.
Regulations are even less supportive for small businesses. Oftentimes, business- and corporate-account holders have just forty-eight hours to dispute potentially fraudulent charges. What’s more, a recent federal court ruling made it even harder for businesses to sue financial institutions for negligence, even when these institutions fail to undertake adequate fraud surveillance.
For many, suing banks over the matter isn’t even an option, because financial institutions have locked customers into arbitration agreements that force them into a corporate-friendly private justice system.
Banks themselves admit that ACH fraud is shockingly simple to pull off.
“All a scammer needs is your account number and routing number to initiate ACH transactions — transfers, withdrawals, and payments — as if they were their own account, all without your knowledge,” the Bank of Colorado wrote in a February blog post. “It could begin with a stolen check, a breach of your business’s network, or the installation of malware.”
Bank account fraud is nothing new; the Steven Spielberg film Catch Me If You Can chronicled how real-life scam artist Frank Abagnale Jr used bank account and routing numbers in the 1960s to allegedly steal millions. But the practice has reached dizzying new heights: Abagnale, now a security consultant, recently warned that check and automated clearing house fraud targeting businesses resulted in more than $2.8 billion in losses in 2024 alone.
Financial fraud has exploded in the past few years with consumers reporting more than $12.5 billion in losses in 2024, a 25 percent increase from the year before, according to the FTC. Additionally, the FBI found that fraudsters stole more than $16 billion from consumers in 2024, according to reports filed with the bureau.
A July Pew Research poll found that 73 percent of adults experienced some sort of online scam or potential financial attack, and most believed that the explosive growth in artificial intelligence will only make the scam and fraud attacks worse.
President Donald Trump’s deregulatory agenda isn’t helping, said Adam Rust, director of financial services for the consumer advocate group Consumer Federation of America.
“Unfortunately, this administration has gutted the agencies responsible for policing fraud and scams, and it appears that even the banks are realizing the systemic abandonment of financial protection infrastructure compromises their interests,” Rust told the Lever.
A Glitch in the Banking Matrix
Automated clearing house transactions include just about every modern digital money transfer, including direct paycheck deposits, Social Security payments, tax refunds from the Internal Revenue Service, and a number of other transactions. In 2024, more than $86 trillion moved through the network.
One of the more common ways scammers access sensitive banking information is through phishing scams asking potential victims to verify bank account information or other sensitive information. A similar process works for businesses, and fraudsters can take it a step further.
“They hack into a company’s email network to monitor communication patterns,” the Bank of Colorado noted in its February warning. “Once they have enough information, they impersonate the company and contact their clients to provide a new (fraudulent) bank account for payments. If the client follows through, they unknowingly send funds to the scammer instead of the legitimate vendor.”
According to a 2025 report by the Association of Financial Professionals, a banking industry group, once a fraudster enters a victim’s account, they tend to start with low-value withdrawals and gradually increase the amount until they are caught.
Sometimes, the scammers come from inside the banks themselves. In August, a vice president of a regional bank in Alabama was sentenced to sixty months in prison for a $2.3 million, ten-year-long scheme in which she conducted illegal ACH transfers to pay her own personal bills. On December 22, the FBI announced it broke up a $28 million fraud ring in which scammers committed unauthorized bank transfers, which can include ACH transfers, by tricking people into handing over their banking information.
The 47,000 fraud cases in 2024 by the FTC are likely an undercount. That’s because people often report the crimes to a variety of law enforcement agencies, including the FBI and local police, said Carla Sanchez-Adams, a senior attorney with the consumer-focused law group National Consumer Law Center. There is no central database to compile this information.
As these scams proliferate and increasingly rely on artificial intelligence to do so, regulators have had limited success stemming the tide — or guaranteeing that victims are made whole.
In 1978, Congress passed the Electronic Fund Transfer Act to provide a basic level of consumer protection for people sending electronic money transfers, a relatively new technology at the time. The law, which applies strictly to consumers, allows people sixty days in most cases to contest unauthorized withdrawals and places limits on how much money people would be liable for in such cases. (Banks aren’t required to reimburse consumers when they’re tricked into authorizing such withdrawals, and bank lobbyists have fought attempts to limit this exception.)
After the 2008 financial crisis, the Dodd-Frank Act transferred most rulemaking procedures related to the Electronic Fund Transfer Act from the Federal Reserve, a banking regulator, to the newly established Consumer Financial Protection Bureau to consolidate and expand enforcement of consumer financial protections. The bureau subsequently cracked down on payday lenders, forced increased transparency around credit card fees, and enacted other new consumer protections.
But under Trump, the Consumer Financial Protection Bureau has eliminated at least sixty-seven regulatory guidances since January, many of which will impact the Electronic Fund Transfer Act. That included a Biden-era proposed rule that would have expanded some of the Electronic Fund Transfer Act’s protections for consumers who own cryptocurrencies.
The American Bankers Association, a lobbying group for bankers that has routinely sued the Consumer Financial Protection Bureau, wants Trump to establish an Office of Scam and Fraud Prevention to allow agencies to better share information regarding frauds and scams. But such a department would be largely pointless, said Rust with the Consumer Federation of America, because it would lack any enforcement mechanisms.
“There is a need to improve information sharing, but creating a new office is not necessary,” he said.
Business and corporate bank accounts are governed by Uniform Commercial Code Article 4A, which can leave just a twenty-four-hour window for business and corporate account holders to contest unauthorized ACH transactions, since businesses are required to have heightened security measures to protect against fraud.
A private sector body called Nacha also sets rules and standards for financial institutions that use the automated clearing house network, and which allows business- and corporate-account holders forty-eight hours to contest unauthorized ACH transactions. In 2026, Nacha plans to strengthen its fraud detection rules by requiring member banks to monitor accounts for large withdrawal spikes and high-value transactions, among other actions.
“[Nacha is] not like the [Consumer Financial Protection Bureau], but they have been helpful on fraud prevention,” Rust said. “During the peak of online payday lending, Nacha’s rules helped to identify some of the lenders with the most abusive collections practices.”
However, Nacha’s board of directors include representatives from financial companies involved in some of the most prolific consumer fraud cases in US history, including Wells Fargo, JPMorgan Chase, Bank of America, Navy Federal Credit Union, and Evolve Bank & Trust.
Some smaller, regional banks have filed comments urging regulators to increase awareness of ACH fraud and other banking scams. These banks have called to extend business-account fraud reporting deadlines.
“The problem is that the discovery of an alteration or a counterfeit is not often discovered until the customer receives their bank statement, which could be up to thirty days after it is presented for payment,” one bank wrote to regulators in July.
Banks’ New Get-Out-of-Jail-Free Card
Nacha was among the business interests that supported a 2025 Fourth Circuit Court ruling weakening banks’ and other financial institutions’ fraud monitoring obligations.
That court case, called Studco Building Systems U.S. v. 1st Advantage Federal Credit Union, involved a metal fabrication company, called Studco, suing a credit union that processed fraudulent charges. In 2018, the metal fabrication company received an email from a steel company saying that the steel company was changing its bank account and that payments should be directed to the new account. But that email was from a fraudster.
The federal court for the Eastern District of Virginia ruled in the metal fabricator’s favor, awarding the company $560,000, plus attorneys’ fees and costs.
The court found that since the credit union failed to regularly check the fraud detection system it had in place to identify information mismatches like those employed by Studco’s scammer, the institution failed to act “in a commercially reasonable manner.”
However, the ruling was soon reversed by the Fourth Circuit Appeals Court, which found that the credit union was not liable because Studco failed to do its own due diligence on the matter.
The Appeals Court ruling “really lets the banks have more protections when these things happen,” said Jennifer Beckage, managing director of law firm Beckage Firm, who represented Studco in the lower court.
“What the court ended up doing here was saying that it was enough for the credit union to rely just on the account number, even if there was a difference in address and name,” she added. “Even if [the credit union] is getting alerts about potential fraud.”
The metal fabrication company appealed the Appeals Court decision to the US Supreme Court, but the high court declined to hear the case in October, letting the lower court decision stand.
In an amicus brief to the Fourth Circuit Appeals Court, Nacha stated that it would be too cumbersome for banks to have to constantly match names on accounts.
“Making beneficiary banks responsible for adjudicating the suspiciousness of a mismatch would massively delay payments,” the nonprofit wrote. “Alternatively, to avoid time-consuming and resource-intensive investigation, beneficiary banks might simply reject many legitimate payment orders because the cost of resolving discrepancies and the potential liability for a misjudgment would be untenable.”
Sanchez-Adams, the attorney for the National Consumer Law Center, said there is a need to better protect business account holders and enable them to sue for damages and legal costs after scams.
“I Learned That Crime Pays”
Robert Warren, co-owner of New Dawn Realty in Georgia, knows firsthand how easy it is to get ripped off through ACH scams — and how difficult it is to get your money back.
“It’s something that needs to be told to the masses, people are not aware of this epidemic of crime that goes on a daily basis in this country,” he told the Lever.
For Warren, the problems started in September 2023, when a scammer transferred $17,198.19 from his business account, according to documents Warren shared with the Lever. Warren reported the fraud to his bank two days later, but according to the bank, it was already too late to reimburse the payment.
“We are not able to reimburse you because too much time passed before you notified us . . . about the charge,” states a letter Wells Fargo sent to Warren.
But Warren refused to give up. After he reported the incident to his local police, Capital One records obtained by law enforcement showed that a woman who worked for a regional bank in a town north of Chicago received the funds.
Warren called the woman, and he says she told him that her account was also hacked. Warren prodded the woman, who did not respond to the Lever’s interview requests, into filing a police report.
Warren eventually called Capital One himself. The bank told him they couldn’t talk to him because he didn’t have an account with them, so he opened one.
“I just kept getting the run around: ‘We’re working on it. We have a case. It’ll take thirty days, sixty days, we’ll get back with you,’” Warren said.
So he started filing reports with the FBI and federal regulators, including the Federal Reserve, the Federal Trade Commission, the Small Business Administration, the Internal Revenue Service’s investigations unit, the Justice Department, the Secret Service, and Nacha, the industry group overseeing the ACH network.
Warren also called the Office of the Comptroller of the Currency (OCC), an obscure but important banking regulator that enforces certain consumer protection laws.
A week later, he got a call from Capital One and Wells Fargo saying that the OCC called them — and that Warren will be getting his money back.
Warren was able to recoup his money — $17,000 — just days before his birthday. But due to the patchwork of regulations and a lack of consumer support and information, it took him five months of diligent work.
Warren, and financial institutions, recommend that consumers and business account holders routinely monitor their accounts for suspicious activity. Consumers can block ACH transfers from their accounts. Business account holders can enroll in a fraud prevention tool called Positive Pay, which allows companies to issue only a certain amount of verified checks that can be cashed.
Through all his troubles, Warren learned other valuable lessons.
“I learned that crime pays. People say it doesn’t, but boy it pays out the ass,” he said. “And I learned that persistence pays off, too.”