Pacific Mercantile Bank is committed to providing you with the tools, services and guidance needed to reduce your fraud risk and help your company succeed. Click on a fraud type below to learn more about how they work and what to look out for.
Educate employees to identify suspicious activity, especially those involved with the day-to-day processes. Encourage verification of all requests and instruct employees to take additional steps to confirm “urgent” or “confidential” requests by using a different channel from the channel used to make the request. For example, an email request should be followed up with a telephone call to the requestor.
Implement best practices in your Accounts Payable (AP) department that minimize risk and losses due to forged vendor invoice fraud, imposter fraud or AP fraud.
Our Business Online Banking platform gives you the tools you need to protect your business from payment fraud.
With our Business Online Banking platform, you can set security controls that help prevent payment fraud.
Segregate duties such as:
Set limits at various levels:
Set up text message and/or email alerts:
Pacific Mercantile Bank’s Positive Pay service compares clearing checks with a listing of issued checks you provide. If there are any clearing checks that do not match your listing, they are marked for your review before they are paid. Positive Pay also validates the check number and amount.
Positive Payee is the same as Positive Pay with the addition of validating the payee against your listing.
Reverse Positive Pay does not require a listing of issued checks. Rather, this service requires your company to approve all checks before they are paid.
Pacific Mercantile Bank’s ACH Positive Pay service compares incoming ACH transactions to a set of rules set up by your company. If an incoming transaction does not meet these rules, you are given the opportunity to review it. If you approve the transaction, it will clear. If you do not approve the transaction, it will be returned.
Pacific Mercantile Bank’s Out-of-Band Authentication service helps reduce the risk of online banking fraud by requiring users to verify their identity via text message or a phone call at login when high-risk activities are being performed.
Imposter fraud, known by many names including business email compromise and CEO Fraud, is a disturbing trend that has grown at epidemic rates since it was first recognized by the FBI several years ago.
This type of fraud can manifest itself in a variety of methods. It often begins with a call, text message, or email. The scammer pretends to be someone you trust to convince you to send them money or share personal information.
Scammers may ask you to transfer money from your business bank, wire money using a company like Western Union or MoneyGram, put money on a gift card, or send cryptocurrency, because they know these types of payments can be hard to reverse. Scammers call, email, or text and may claim to be:
Following are the most common forms of Imposter Fraud.
The thief uses phishing or other means to install malware on an executive’s computer and gain access to the executive’s email account. Once they have this access, the thief takes time to understand the organization’s relationships and the ebb and flow of routine wire transfer requests. They search the email account for words like “invoice”, “deposit”, or “president” to learn about the processes for wire transfers, money movement, and vendor relationships.
Once they have learned the organization’s standard practices, they use the compromised email account to create a money transfer request. The fraudsters continually monitor the email account and reroute emails questioning the wire transfer. The real executive is unaware of the request email and any email responses from employees.
In this case, the fraudster uses publicly available information to learn about the organization’s executives and activities. They typically send emails to executives in an effort to receive out-of-office replies, attempting to understand when an executive will be unavailable or traveling.
They then create a domain that looks similar to the victim company domain. A few examples of false domain names they create: replacing the letter l with the number 1 (example.com becomes examp1e.com); dropping the last letter of a domain (example.com becomes example.co); or adding an extra letter to a domain name that is difficult to spot (progress.com becomes progresss.com).
The thief uses the look-alike email address and information they have gathered on the business to make money movement requests of company employees.
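The look-alike domain tricks described above lend themselves to an automated check on inbound mail. The following is an added example, not Pacific Mercantile Bank's code: it folds common look-alike characters and flags any sender domain within one edit of the company's real domain. The company domain and the sender list are constructed for illustration.

```python
# Constructed sample: the legitimate company domain and a batch of sender
# addresses from hypothetical inbound mail (all values are made up).
LEGIT_DOMAIN = "example.com"
SAMPLE_SENDERS = [
    "ceo@example.com",       # genuine
    "ceo@examp1e.com",       # letter l replaced with the digit 1
    "cfo@example.co",        # last letter dropped
    "ap@exampple.com",       # extra letter added
    "vendor@supplier.net",   # unrelated domain, should not be flagged
]

# Characters that are often swapped because they look alike on screen.
HOMOGLYPHS = {"1": "l", "0": "o", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Fold look-alike characters back to the plain letter they imitate."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character inserts, deletes
    or replacements needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True when the sender's domain is not the real one but, after
    homoglyph folding, sits within one edit of it. This covers all three
    tricks in the text: swapped look-alike character, dropped letter,
    and added letter."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain == legit:
        return False
    return edit_distance(normalize(domain), normalize(legit)) <= 1


def flag_lookalikes(senders):
    """Return the subset of senders whose domain impersonates LEGIT_DOMAIN."""
    return [s for s in senders if is_lookalike(s)]
```

Treat a hit as a reason to verify the request through a separate channel, as the guidance above recommends, rather than as proof of fraud on its own.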
Fraudsters may also target an organization’s vendor relationships. To forge a vendor invoice request, the fraudster may compromise an email address from the vendor, or from an individual within the organization’s finance department. The thief attempts to obtain sample invoices and gain insight into the relationship between the vendor and the organization, including typical invoice and payment patterns.
With that information in hand, the fraudster either uses a compromised email account or look-alike domain email account to submit an invoice with altered payment information. The invoice payment is routed to the fraudster’s account rather than the vendor.
Thieves may also craft an elaborate story when sending a compromised or look-alike email. Often the story involves events that must be kept confidential, such as an upcoming acquisition or large purchase. The requests are extremely urgent in nature, requiring the target employee to act immediately. The combination of extreme urgency and high confidentiality persuades the employee to act quickly and secretively, sometimes conflicting with or bypassing company safeguards and practices.
Criminals are constantly trying to steal consumers’ personal data using fake emails, websites, phone calls, and even text messages. They use a variety of ways to try to trick people into providing Social Security numbers, bank account numbers, and other valuable information. In many cases, their goal is to steal money from you.
Scammers use Social Engineering to get the information needed from their victims to commit online fraud such as:
Once they have the account details you provided, the scammer goes online and steals your money.
The most common forms of payment fraud focus on Checks, Corporate Credit Cards, Wire Transfers, and ACH Debits. Fraudsters always take the path of least resistance, and payment fraud is no exception.
ACH fraud involves the criminal accessing a business’ online banking credentials and creating false ACH origination files. Typically, fraudsters access a business user’s credentials through malware installed on the user’s PC or through an accomplice operating within the business. Infiltrating a business computer through installed malware requires a great deal of sophistication on the part of the fraudster. Malware is installed on the business computer most often when an unsuspecting employee clicks on a link in a socially engineered email or navigates to a malicious website.
Check fraud involves a criminal altering an existing check or creating a counterfeit check based on stolen bank information. Altering an existing valid check is done by chemically “washing” the check and altering the information to benefit the criminal. Creating a new counterfeit check is typically done using common desktop publishing tools. Once altered or created, the check is then introduced into the banking system or exchanged for other monetary instruments or products and services.
Credit Card Fraud can manifest in a variety of ways, from thieves combing through corporate dumpsters in search of discarded billing information to high-tech hacking of account information from compromised retailers. Common methods also include a dishonest clerk taking a photo of a credit card and using that photo to purchase items online or create another account, or a fraudster using Social Engineering to lure an unsuspecting employee into providing account information.
Wire fraud occurs in much the same way as ACH fraud. The fraudster steals online credentials and creates wire transfers via the business’ online banking system. Recently, fraudsters have focused their efforts on Whaling to perform wire fraud, which is when fraudsters target a specific individual – usually an executive – and pose as that person via email. The fraudster sends emails to employees at the business that appear to come from the individual being targeted. The email urgently requests that funds be wired from the business’ accounts to an outside account.
Wire fraud differs from ACH fraud in that the funds are transferred to the fraudster in real time. With no delay in the transaction, it is very rare that your financial institution can retrieve the funds once they have been wired out. Often the fraudster removes the funds from the receiving financial institution before the original transaction is even recognized.
Malicious software that is intended to damage or disable computers and computer systems.
Ransomware is a form of malware targeting both human and technical weaknesses in organizations and individual networks in an effort to deny the availability of critical data and/or systems. Frequently delivered through Spear Phishing, ransomware results in the rapid encryption of sensitive files on a corporate network. When the victim organization determines they are no longer able to access their data, the cyber perpetrator demands the payment of a ransom, typically in virtual currency such as Bitcoin, at which time the fraudster will provide an avenue to the victim to regain access to their data.
A leak or spill of data which is released from a secure location to an untrusted environment. Data breaches can occur at the personal and corporate levels and involve sensitive, protected, or confidential information that is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.
An interruption of an authorized user's access to any system or network, typically caused with malicious intent. This is achieved when an attacker floods the victim's network or servers with a wave of Internet traffic so large that their infrastructure is overwhelmed by the number of requests, slowing down services or taking them fully offline and preventing legitimate users from accessing the service at all. Although considered one of the least sophisticated cyberattacks, it is also one of the most disruptive and powerful, able to render websites and digital services inoperable for hours or even weeks.