Steve Endow had a rough couple of and he details the experience in: My Experience with ACH Fraud: My bank account was empty in 3 days
I don’t completely agree with Steve’s final conclusions. There are some things you can do to reduce ACH fraud risk including using variations on positive pay. However, I totally get that it might not be cost effective for smaller businesses. Also to Steve’s point, banks are swapping risk for efficiency and that ROI calculation may increase some types of fraud.
For example, a small business owner I know was recently told that his large bank doesn’t support 2 signatures required on checking accounts for amounts over a certain threshold. I’m still convinced that isn’t true, but 2 signatures increases liability to the bank. If they miss a fraudulent check with only 1 signature it’s their fault, so I suspect they want to discourage it. It’s also ineffecient from their point of view. A human has to look at it. It cheaper to let stuff go through and pay out for fraud, or have an algorithm that occasionally blocks legitimate transactions than to have a person actually do reviews up front.