Honeybadger Solutions LLC

Check & ACH Fraud Investigation for Businesses

Altered check and unauthorized ACH debits being intercepted by a positive-pay filter at a secured business bank account in navy and gold

Businesses do not get consumer-fraud protections, and the reporting clock is brutally short. Reg E shields consumers, not commercial accounts; unauthorized ACH debits on a business account must usually be returned by the next banking day, and forged or altered checks must be reported to the bank promptly — often within 30 days of the statement, with a hard one-year cutoff under the UCC. Move fast, preserve the items, and force the loss onto the bank or depositary bank that took the fraudulent instrument.

Check and ACH fraud is the quiet, industrial-scale cousin of the headline-grabbing wire heist. It does not lock a screen or demand a ransom. It arrives as a check that cleared for the wrong amount, an endorsement that is not your vendor’s, or a debit from an originator no one at the company authorized. For a business, the danger is not only the dollars — it is that the rules governing these instruments are older, stricter, and far less forgiving than most executives assume. The consumer protections people take for granted simply do not apply, and the deadlines that decide who absorbs the loss are measured in days, not months. This guide is written for the CFO, controller, general counsel, or principal who has just found a fraudulent item on a corporate account and needs to understand — precisely and in order — what to do, who is on the hook, and how a professional investigation both recovers money and shifts liability where it belongs.

How is check and ACH fraud different from wire fraud?

Wire fraud is a race against liquidity: the money is pushed out and you fight to freeze it before it moves. Check and ACH fraud is different in two decisive ways. First, the loss-allocation rules are governed largely by the Uniform Commercial Code (UCC) Articles 3 and 4 for checks and by the private NACHA Operating Rules plus your account agreement for ACH — not by the consumer statutes. Second, because banks warrant the instruments they present and collect, a great deal of check and ACH fraud loss can be pushed back onto a bank in the chain, provided you act inside the deadlines and can prove the item was not properly payable.

The single most important thing a business owner must internalize is this: Regulation E, the consumer electronic-fund-transfer protection, does not cover commercial accounts. The 60-day cushion, the limited-liability tiers, the presumption in the customer’s favor — those are consumer rights. A business operates under the UCC, NACHA, and whatever the fine print of its treasury-services agreement says. That agreement frequently shifts risk to the customer if the business declined an offered fraud-control service such as positive pay. Understanding that framework is not academic; it is the difference between recovering the money and eating it.

What are the main types of check and ACH fraud hitting businesses?

The schemes fall into a handful of recurring patterns. Recognizing which one you are facing determines both the investigative approach and which party in the payment chain bears the loss.

SchemeHow it worksWho typically bears the loss
Forged drawer’s signatureA counterfeit or stolen check bears a signature you never madePayor (your) bank — item is not properly payable, subject to your negligence
Check alteration / check washingA genuine check is chemically washed or edited to change payee or amountPayor bank / depositary bank via breach of warranty
Forged or missing endorsementA check is deposited by someone other than the true payeeDepositary (collecting) bank — conversion and warranty claims
Counterfeit business checksFraudsters replicate your check stock, MICR line, and logoPayor bank, subject to reasonable-care defenses
Unauthorized ACH debitA debit pulls funds using your routing/account number with no authorizationRecoverable via prompt ACH return — but the business window is ~1 banking day
Business email compromise / vendor redirectAltered payment instructions divert a legitimate ACH or check to the fraudsterUsually the business — the payment was authorized, just misdirected

Two patterns deserve special emphasis. Check washing — where mailed checks are stolen, the ink chemically lifted, and the payee and amount rewritten — has surged as organized rings target business mail and blue collection boxes; the FBI and financial regulators have flagged a sharp rise in mail-theft-driven check fraud. And vendor-redirect fraud, where a spoofed or compromised email changes a real supplier’s banking details, is dangerous precisely because you authorized the payment. That authorization means the bank’s warranties do not save you, which is why this category collapses into the same discipline as business email compromise and demands a forensic reconstruction of how the instructions were altered.

Who bears the loss under the UCC, NACHA, Reg CC and Reg E?

Loss allocation is the heart of every check and ACH fraud matter, and it turns on four bodies of rules. Getting them right is what converts a loss into a recovery.

UCC Articles 3 & 4 (checks). A bank may only charge your account for items that are “properly payable.” A forged drawer’s signature or an altered check is generally not properly payable, so the payor bank must ordinarily re-credit the account. Where an endorsement is forged, the depositary bank that took the item is typically liable through breach of the transfer and presentment warranties, and the true payee has a conversion claim. Those bank-favorable defenses erode, however, if your own negligence — sloppy check stock, poor controls, a bookkeeper left unsupervised — substantially contributed to the fraud (UCC 3-406), or if you failed to review statements and report promptly (UCC 4-406).

NACHA Operating Rules (ACH). ACH is where businesses get ambushed. A consumer can dispute an unauthorized ACH debit for up to 60 days. A business account (corporate CCD/CTX entries) generally must identify and return an unauthorized debit by the opening of business on the banking day following settlement — effectively about 24 hours. Miss that window and the return right is gone; recovery then depends on the originator’s willingness or a fraud claim, which is far weaker. This asymmetry is the single strongest argument for ACH debit blocks and ACH positive pay.

Regulation CC (funds availability and check collection). Reg CC governs how quickly deposited funds must be made available, the expeditious return of unpaid checks, and — importantly since 2018 — the remote-deposit-capture indemnity that assigns liability when the same check is deposited twice (once by image, once as paper). It shapes the timelines and warranties around returned and duplicated items rather than fraud loss directly, but it frequently determines whether a returned counterfeit comes back in time.

Regulation E (consumer EFT protection). Included here to be clear about what it is not: Reg E protects consumers, not businesses. Do not build your response around protections your commercial account does not have.

Forensic document examination of a business check revealing an altered payee and lifted signature against faint bank-record ledgers in navy and gold

What are the deadlines to report check and ACH fraud?

Because the deadlines are short and unforgiving, they deserve to be seen side by side. Treat every figure below as a general framework governed by your specific account agreement and applicable law — confirm the exact windows with counsel and your bank the day you discover fraud.

SituationRule setPractical reporting window
Unauthorized ACH debit on a business accountNACHA Operating Rules~Opening of the next banking day after settlement
Unauthorized ACH debit on a consumer accountNACHA / Reg EUp to 60 days
Forged signature or alteration (report to bank)UCC 4-406Promptly; ~30 days to preserve “same wrongdoer” claims
Repeated forgeries by the same wrongdoerUCC 4-406Losses after ~30 days may shift to the customer
Absolute outer limit to report unauthorized signature/alterationUCC 4-406(f)~1 year regardless of care
Conversion claim (forged endorsement)UCC 3-420 / 4-111~3 years statute of limitations

The takeaway is stark. ACH fraud on a business account is effectively a one-day problem — you must be reconciling daily to catch it. Check fraud gives you a little more room, but the “same wrongdoer” rule means that if a dishonest insider or a serial forger hits you repeatedly, only the early items are protected once roughly 30 days pass without you flagging the first one. The one-year cutoff is absolute: fail to report an unauthorized signature or alteration within about a year of the statement and the claim is gone, no matter how careful you were otherwise.

How is check and ACH fraud actually investigated?

A defensible investigation runs on two tracks at once: preserving and analyzing the instruments, and reconstructing the money and the intrusion behind them. Elite practice does not treat these as sequential.

Forensic document examination. For altered or forged checks, the front-and-back check images from the bank are evidence. Examiners look for the signatures of alteration — ink discontinuities and chemical lifting consistent with check washing, mismatched fonts or spacing in the payee or amount, indented writing, and inconsistencies in the MICR line that betray a counterfeit. Signature comparison against known exemplars tests a forged drawer’s signature. On the reverse, endorsement analysis establishes whether the true payee ever received the funds or whether a forged or missing endorsement routed the check to a fraudulent depositary.

Banking-record and money-flow reconstruction. A financial investigation assembles the account statements, ACH originator information, deposit records, and positive-pay logs into a coherent timeline: which item cleared, on what date, presented by which depositary bank, into whose account. Where an unauthorized ACH originator is involved, the originating company identification and the ODFI (originating bank) are the thread that leads back to the perpetrator or the compromised vendor. This reconstruction is what supports the bank claim, the affidavit of forgery, and any referral to law enforcement.

Intrusion and insider reconstruction. When the fraud began with a compromised mailbox, a spoofed vendor, or a dishonest employee altering the accounts-payable file, digital forensics establishes how the payment instructions were changed and by whom — email headers, audit logs, accounting-system access, and the sequence of edits. Where an insider is suspected, background intelligence on beneficiaries and shell entities frequently exposes the infrastructure: reused addresses, ghost payees, and mule accounts tied to prior schemes.

How do businesses recover the money?

Recovery flows from the loss-allocation rules, executed in the right order and inside the deadlines.

For a forged or altered check, the first move is to notify your bank in writing that the item was not properly payable and to demand re-credit, supported by an affidavit of forgery. The payor bank, having re-credited you, then pursues the depositary bank through breach of the presentment and transfer warranties — the depositary bank warranted the item was good when it presented it. For a forged endorsement, the true payee (or you, having made the payee whole) has a conversion claim directly against the depositary bank that accepted the check over a bad endorsement. For an unauthorized ACH debit, the recovery is procedural and time-boxed: instruct your bank to return the entry within the business window using the correct return reason, and simultaneously invoke any ACH positive-pay exception process.

Two hard realities shape expectations. First, if you declined an offered fraud-control service such as positive pay, your account agreement may shift the loss to you even for items that would otherwise fall on the bank — courts have upheld this repeatedly. Second, authorized-but-misdirected payments (vendor redirect / BEC) are the hardest to recover, because no bank warranty was breached; recovery there mirrors wire-fraud practice — a fast IC3 filing, a bank recall attempt, and money-flow tracing — and success depends on speed. In every case, a clean evidentiary record accelerates the bank’s cooperation and preserves the civil and criminal options for whatever the banking process does not return.

What controls prevent check and ACH fraud?

The organizations that lose the least are the ones that made themselves hard targets before the fraud ever landed. The following framework reflects what elite treasury and security practice actually deploys — in priority order.

  1. Positive Pay on every check-writing account. Upload your issued-check file so the bank matches check number, amount, and (with payee positive pay) payee name against each presented item, flagging exceptions for your pay/return decision. This is the single most effective check-fraud control.
  2. ACH debit block or ACH positive pay. Block all ACH debits by default and whitelist only authorized originators, or route every ACH debit through an exception queue. Given the ~1-day business return window, this is the only reliable defense against unauthorized debits.
  3. Daily reconciliation. Reconcile accounts every banking day, not monthly. The NACHA and UCC clocks make monthly review far too slow to preserve your rights.
  4. Segregation of duties and dual controls. No single person should initiate, approve, and reconcile payments. Require dual authorization for wires and ACH batches above a threshold.
  5. Out-of-band verification of banking-detail changes. Any change to a vendor’s payment instructions is verified by a callback to a known number — never a number or link in the request email. This defeats the vendor-redirect scheme.
  6. Dedicated, isolated disbursement accounts. Pay from accounts that hold minimal balances and are firewalled from operating and payroll accounts, limiting blast radius.
  7. Secure check stock and reduce paper. Use high-security check stock with tamper-evident features, lock unused stock, and migrate to electronic payments with controls where possible. Mail checks from inside the post office, not open collection boxes.
  8. Payee positive pay plus reverse positive pay as a backstop. Layer detection so an exception is never a single point of failure.

These controls do more than stop fraud — they preserve your legal position. When a bank offers positive pay and you adopt it, the risk of a matched-but-fraudulent item stays with the bank; when you decline it, the agreement may hand you the loss. Controls are both prevention and liability strategy.

How does Honeybadger handle check and ACH fraud matters?

Honeybadger Solutions treats a fraudulent check or unauthorized debit as a two-front operation under one accountable command: preserve and analyze the instruments while reconstructing the money and the intrusion behind them, against deadlines measured in days. Our in-house digital forensics, financial-investigation, cybersecurity, and background-intelligence capabilities mean the same team that performs the forensic document examination also maps the ACH originator, reconstructs how a vendor’s instructions were altered, and builds the affidavit and money-flow record your bank, insurer, and counsel will demand.

Because these disciplines are delivered in-house and nationwide, a check-and-ACH matter never fragments across disconnected vendors who each see only a slice of it. We help clients act inside the NACHA and UCC windows, document the loss to a defensible standard, and design the positive-pay and ACH-block controls that stop the next attempt. From Arizona home command — with offices in Casa Grande, Phoenix, and Oro Valley — we serve CFOs, controllers, general counsel, and principals across the United States, and we would far rather take the call the morning fraud is discovered than a month later when the reporting clock has already run.

Frequently asked questions

Does Reg E protect my business account against fraud?

No. Regulation E protects consumer accounts, not commercial ones. A business relies on UCC Articles 3 and 4 for checks, the NACHA Operating Rules and its account agreement for ACH, and Reg CC for funds availability and returns. The consumer 60-day dispute window and limited-liability tiers do not apply, which is why business reporting deadlines are far shorter and why fraud controls like positive pay matter so much.

How long do I have to report an unauthorized ACH debit on a business account?

Very little time. Under the NACHA rules, a business generally must return an unauthorized corporate ACH debit by the opening of business on the banking day following settlement — roughly one day. That is why daily reconciliation and an ACH debit block or ACH positive pay are essential; unlike a consumer, a business has no 60-day cushion, and missing the window usually forfeits the automatic return right.

Who is liable for a forged or altered business check?

Generally the bank, because a forged signature or altered check is not “properly payable,” so the payor bank must re-credit and then pursue the depositary bank through breach of warranty. But liability can shift to the business if its negligence contributed, if it failed to review statements and report within the UCC deadlines, or if it declined an offered fraud-control service such as positive pay. Prompt reporting and good controls keep the loss where it belongs.

Can we recover funds if a vendor’s payment details were changed by a fraudster?

This is the hardest category, because the payment was authorized — just misdirected — so bank warranties do not apply. Recovery mirrors wire-fraud practice: notify the bank immediately to attempt a recall or ACH return, file with the FBI’s IC3, and trace the money before it moves. Prevention is far more reliable: verify every change to banking details by callback to a known number, never a contact in the request itself.

About Honeybadger Solutions

Honeybadger Solutions is an Arizona-licensed security and investigations firm delivering intelligence-led forensics, financial investigations, and cyber services to businesses, general counsel, and organizations nationwide and internationally. Digital forensics, cybersecurity, financial investigations, and background intelligence are handled in-house, so a check-tampering, forged-endorsement, or unauthorized-ACH matter is preserved, investigated, and remediated under a single accountable chain of command — inside the deadlines and to a defensible standard.

Offices: Casa Grande (HQ), Phoenix, and Oro Valley, Arizona.
Phone: 602-725-2818
Confidential consultation: if you have found a fraudulent check or unauthorized debit, call our command team now — the reporting clock is already running.