A recent fraud case out of Norfolk, Virginia is the kind of story that makes every business owner stop and ask, “How in the world did nobody notice?”
According to federal prosecutors, a romance scam allegedly drained more than $1.2 million from a City of Norfolk corporate bank account through hundreds of unauthorized transactions between August 2019 and July 2020. The alleged fraudster did not just convince people to send money. He reportedly used victims to pull money from the city’s account through ACH debits.
And while this happened to a city, the lesson is not just for government offices.
This could happen to a business.
A law firm.
A nonprofit.
A medical practice.
A construction company.
A family-owned business where “we trust everyone” has quietly replaced actual financial controls.
And that is where the real danger lives.
The Fraud Wasn’t One Big Obvious Hit
When people picture fraud, they imagine one giant suspicious transfer. A $500,000 wire to a foreign bank account. A fake vendor invoice with a strange email address. Something dramatic.
But a lot of fraud does not work that way.
It works like a slow leak.
A $5,000 ACH here.
Another $3,800 there.
A few payments that look like routine withdrawals.
Then more.
Then more.
Individually, those transactions may not scream “fraud.” But together? They can drain an account.
That is how businesses get caught. Not because nobody cares. Not because everyone is incompetent. But because no one is looking at the right things in the right way, consistently.
Why Businesses Miss Fraudulent Payments
Most business owners think their bank would catch it.
That is outdated thinking.
Your bank may flag unusual activity, but your bank does not know your business like you do. It does not know that you never pay vendors by ACH. It does not know that a certain payee name makes no sense. It does not know that $5,000 is normal for payroll taxes but very abnormal for some mystery debit.
That is your job.
And if you are not reviewing the bank activity regularly, fraud can sit there in plain sight.
Here are the common reasons businesses miss it:
The bank account is reconciled too late.
If the books are reconciled once a month, or worse, several months behind, you are not managing cash. You are reading history.
The review is too high-level.
Looking at the ending bank balance is not enough. A business can have plenty of cash and still be leaking money.
ACH debits are treated like background noise.
Many businesses focus on checks and wires, but ACH fraud can be just as damaging.
No one owns the question, “Does this transaction make sense?”
A bookkeeper may code the transaction. An owner may glance at the bank balance. A manager may assume it is accounting’s problem. That gap is where fraud gets comfortable.
There are no alerts or limits.
If nobody gets notified when money leaves the account, the business is relying on luck. Luck is not a control.
What Could Have Prevented It?
No system is perfect. But businesses can make fraud much harder to pull off and much easier to catch early.
1. Review bank activity weekly, not just monthly
Monthly reconciliations matter, but they are not enough.
A weekly review of cash activity gives you a fighting chance. You are not trying to do a full audit every Friday. You are asking simple questions:
Does this withdrawal make sense?
Do I recognize this vendor?
Was this payment approved?
Is this normal for our business?
For high-risk accounts, daily review may be appropriate. Especially trust accounts, operating accounts with heavy ACH activity, or accounts tied to payroll.
2. Use ACH debit blocks or ACH filters
This is one of the biggest practical takeaways.
Many banks offer ACH debit blocks or ACH filters. A debit block stops unauthorized ACH debits from hitting the account. A filter allows only approved companies to debit the account.
In plain English, it is like telling the bank, “Only these people are allowed to pull money from my account.”
If your business does not regularly allow vendors to pull ACH payments, why leave the door wide open?
3. Turn on bank alerts
Set alerts for:
Transactions over a certain dollar amount
ACH debits
Wire transfers
Low balance warnings
New payees
International transactions, if available
A $5,000 transaction may not seem huge in a busy business. But if you receive an alert every time one leaves the account, you have a chance to stop the bleeding before it becomes a crisis.
4. Separate the person entering transactions from the person reviewing them
This is basic internal control, but it is often skipped in small businesses.
The person doing the bookkeeping should not be the only person reviewing the bank activity. The business owner or a designated manager needs to review reports, bank statements, and unusual transactions.
That does not mean the owner has to become an accountant.
It means the owner needs a simple, consistent review process.
Think of it like checking the locks before closing the office. You do not need to be a locksmith. You just need to know the doors are secured.
5. Reconcile every account, every month
Every bank account.
Every credit card.
Every loan account.
Every trust account, if you are a law firm.
No exceptions.
Reconciliation is not just bookkeeping busywork. It is one of the most basic fraud detection tools a business has.
If your reconciliations are behind, your fraud detection is behind.
6. Investigate “miscellaneous” and “uncategorized” transactions immediately
Fraud loves vague categories.
If transactions sit in “Ask My Accountant,” “Uncategorized Expense,” “Miscellaneous,” or “Suspense” for months, the business is basically creating a junk drawer for financial risk.
Every transaction should have a clear purpose, a clear source, and supporting documentation.
If nobody can explain it, that is not an accounting problem. That is a control problem.
The Real Lesson: Fraud Prevention Is Not Paranoia
Business owners sometimes resist controls because they feel like red tape.
But controls are not about mistrusting people. They are about protecting the business, the employees, the clients, and the owner’s peace of mind.
You lock your office door, right?
Not because everyone is a thief.
Because unlocked doors create unnecessary risk.
Financial controls work the same way.
And here is the hard truth: if a business has weak controls, fraud does not have to be sophisticated. It just has to be patient.
What Business Owners Should Do This Week
Do not overcomplicate this. Start here:
Pull the last 90 days of bank activity.
Filter for ACH debits.
Look for unfamiliar names, repeated amounts, or payments that were not clearly approved.
Ask your bank about ACH debit blocks or filters.
Set transaction alerts.
Make sure every account is reconciled through last month.
That is the next right step.
Because fraud prevention is not about perfection. It is about catching problems while they are still small enough to fix.
