INFO icon

Important Information about Coronavirus (COVID-19) LEARN MOREBranch Status

OC Register: Top Workplaces 2018, 2019
dollar sign overa blue shield

PMB Fraud Resource Center

Pacific Mercantile Bank is committed to providing you with the tools, services and guidance needed to reduce your fraud risk and help your company succeed. Click on a fraud type below to learn more about how they work and what to look out for.

Notify your PMB Relationship Manager immediately if you suspect fraudulent activity on your account.

Best Practices to Protect your Company from Fraud


  • Employee Education

      Educate employees to identify suspicious activity, especially those involved with the day-to-day processes. Encourage verification of all requests and instruct employees to take additional steps to confirm “urgent” or “confidential” requests by using a different channel from the channel used to make the request. For example, an email request should be followed up with a telephone call to the requestor.

  • Accounts Payable Controls

      Implement best practices in your Accounts Payable (AP) department that minimize risk and losses due to forged vendor invoice fraud, imposter fraud or AP fraud.

      • Employ 3-way matching – match each invoice to a purchase order and receipt of goods
      • Separate duties so that more than one employee is handling billing, payment processing and check signing
      • Structure approval requirements based on transaction amount
  • Email Best Practices
      • Be suspicious of any unsolicited email requesting personal information
      • Do not click on links or open attachments from an unsolicited email
      • If familiar with the company that is emailing you, confirm the email domain was not altered in any way
      • Confirm “urgent” or “confidential” requests through a different channel, even if you are familiar with the email sender
      • Install anti-virus software and keep it up to date
      • Secure your network. If using Wi-Fi, ensure WPA or WPA2 encryption is utilized
      • Pacific Mercantile Bank will never ask for personal information via email. This includes account information, usernames and passwords, or any personally identifying information such as Social Security Number or Driver’s License number
  • Online Banking Best Practices
      • Check account activity regularly
      • Keep your PIN and passwords secret
      • Change passwords frequently
      • Do not use public computers for online banking and avoid conducting transactions using public Wi-Fi

How Pacific Mercantile Bank Protects Your Business from Fraud

Our Business Online Banking platform gives you the tools you need to protect your business from payment fraud.

Robust Security Controls

With our Business Online Banking platform, you can set security controls that help prevent payment fraud.

Segregate duties such as:

  • Wire or ACH Transfer Creator: Access to use templates for wire and ACH creation, but cannot change templates or approve wires they create.
  • Template Creator: Access to create wire and ACH templates, but cannot create or approve payments or the templates they create.
  • Approver: Access to approve templates and payments they did not create.

Set limits at various levels:

  • User Limits: Limits the amount of the payment a user can create.
  • ACH Limits: Limits the amount that can be sent via ACH.
  • Wire Limits: Limits the amount that can be sent for wire transfers.
  • Approval alerts: Occur when a payment has been created and is awaiting approval.

Setup text message and/or email alerts:

  • Transaction Alerts: Occur when a specific type of transaction is sent over a certain dollar threshold.
  • Approval alerts: Occur when a payment has been created and is awaiting approval.

Check Fraud Prevention

Pacific Mercantile Bank’s Positive Pay service compares clearing checks with a listing of issued checks you provide. If there are any clearing checks that do not match your listing, they are marked for your review before they are paid. Positive Pay also validates the check number and amount.

Positive Payee is the same as Positive Pay with the addition of validating the payee against your listing.

Reverse Positive Pay does not require a listing of issued checks. Rather, this service requires your company to approve all checks before they are paid.

ACH Fraud Prevention

Pacific Mercantile Bank’s ACH Positive Pay service compares incoming ACH transaction to a set of rules setup by your company. If the incoming transaction does not meet these rules, you are given the opportunity to review the transaction. If you approve the transaction, it will clear. If you do not approve the transaction, it will be returned.

Wire Fraud Prevention

Pacific Mercantile Bank’s Out-of-Band Authentication service helps reduce the risk of online banking fraud by requiring users to verify their identity via text message or a phone call at login when high-risk activities are being performed.

↑ Back to top

Imposter Fraud

Imposter fraud, known by many names including business email compromise and CEO Fraud, is a disturbing trend has grown at epidemic rates since it was first recognized by the FBI several years ago.

This type of fraud can manifest itself in a variety of methods. It often begins with a call, text message, or email. The scammer pretends to be someone you trust to convince you to send them money or share personal information.

Scammers may ask you to transfer money from your business bank, wire money using a company like Western Union or MoneyGram, put money on a gift card, or send cryptocurrency, because they know these types of payments can be hard to reverse. Scammers call, email, or text and may claim to be:

  • From Social Security, claiming that COVID-19-related office closures mean your benefits have been suspended.
  • From your bank, claiming they need to verify personal information before they can send you a new debit or credit card.

Following are the most common forms of Imposter Fraud.

Email Account Takeover

The thief uses phishing or other means to install malware on an executive’s computer and gain access to the executive’s email account. Once they have this access, the thief takes time to understand the organization’s relationships and the ebb and flow of routine wire transfer requests. They search the email account for words like “invoice”, “deposit”, or “president” to learn about the processes for wire transfers, money movement, and vendor relationships.

Once they have learned the organization’s standard practices, they use the compromised email account to create a money transfer request. The fraudsters continually monitor the email account and reroute emails questioning the wire transfer. The real executive is unaware of the request email and any email responses from employees.

Look-Alike Domain

In this case, the fraudster uses publicly available information to learn about the organization’s executives and activities. They typically send emails to executives in an effort to receive out-of-office replies, attempting to understand when an executive will be unavailable or traveling.

They then create a domain that looks similar to the victim company domain. A few examples of false domain names they create: replacing the letter l with the number 1 ( becomes; dropping the last letter of a domain ( becomes; or adding an extra letter to a domain name that is difficult to spot ( becomes

The thief uses the look-alike email address and information they have gathered on the business to make money movement requests of company employees.

Forged Vendor Invoice

Fraudsters may also target an organization’s vendor relationships. To forge a vendor invoice request, the fraudster may compromise an email address from the vendor, or from an individual within the organization’s finance department. The thief attempts to obtain sample invoices and gain insight into the relationship between the vendor and the organization, including typical invoice and payment patterns.

With that information in hand, the fraudster either uses a compromised email account or look-alike domain email account to submit an invoice with altered payment information. The invoice payment is routed to the fraudster’s account rather than the vendor.

Forged Vendor Invoice

Thieves may also craft an elaborate story when sending a compromised or look-alike email. Often the story involves events that must be kept confidential such as an upcoming acquisition or large purchase. The requests are extremely urgent in nature requiring the target employee to act immediately. The combination of extreme urgency and high confidentiality persuades the employee to act quickly and secretively, sometimes conflicting with or bypassing company safeguards and practices.

↑ Back to top

Online Fraud

Criminals are constantly trying to steal consumers’ personal data using fake emails, websites, phone calls, and even text messages. They use a variety of ways to try to trick people into providing Social Security numbers, bank account numbers, and other valuable information. In many cases, their goal is to steal money from you.

Scammers use Social Engineering to get the information needed from their victims to commit online fraud such as:

  • Phishing - Phishing is a term for scams commonly used when a criminal uses email to ask you to provide personal financial information. The sender pretends to be from a bank, a retail store, or government agency and makes the email appear legitimate. Criminals often try to threaten, even frighten people by stating “you’re a victim of fraud” or some other urgent-sounding message to trick you into providing information without thinking.
  • Smishing - Smishing (SMS Phishing) is similar to phishing, but instead of using email, the criminal uses text messaging to reach you. Same idea as phishing, they pretend they are from an organization you might know and trust (such as a bank or the IRS) and try to get your personal information.
  • Vishing - Vishing (Voice Phishing) is when scammers use phone services such as a live phone call, a “robocall,” or a voicemail to try to trick you into providing personal information by sounding like a legitimate business or government official.

Once they have the account details you provided the scammer goes online and steals your money.

↑ Back to top

Payment Fraud

The most common forms of payment fraud focus on Checks, Corporate Credit Cards, Wire Transfers, and ACH Debits. Fraudsters will always take the course of least resistance, which is also the case for payment fraud.

ACH Fraud

ACH fraud involves the criminal accessing a business’ online banking credentials and creating false ACH origination files. Typically, fraudsters access a business user’s credentials through malware installed on the user’s PC or through an accomplice operating within the business. Infiltrating a business computer through installed malware requires a great deal of sophistication on the part of the fraudster. Malware is installed on the business computer most often when an unsuspecting employee clicks on a link in a socially engineered email or navigates to a malicious website.

Check Fraud

Check fraud involves a criminal altering an existing check or creating a counterfeit check based on stolen bank information. Altering an existing valid check is done by chemically “washing” the check and altering the information to benefit the criminal. Creating a new counterfeit check is typically done using common desktop publishing tools. Once altered or created, the check is then introduced into the banking system or exchanged for other monetary instruments or products and services.

Credit Card Fraud

Credit Card Fraud can manifest in a variety of ways, from thieves combing through corporate dumpsters in search of discarded billing information to high-tech hacking of account information from compromised retailers. Common methods also include a dishonest clerk taking a photo of a credit card and using that photo to purchase items online or create another account, or a fraudster using Social Engineering to lure an unsuspecting employee into providing account information.

Wire Fraud

Wire fraud occurs in much the same way as ACH fraud. The fraudster steals online credentials and creates wire transfers via the business’ online banking system. Recently fraudsters have focused their efforts on Whaling to perform wire fraud, which is when fraudsters target a specific individual – usually an executive – and pose as that person via email. The fraudster sends emails to employees at the business that appear to come from the individual being targeted. The email urgently requests that funds be wired from the business’ accounts to an outside account.

Wire fraud differs from ACH fraud in that the funds are transferred to the fraudster in real time. With no delay in the transaction, it is very rare that your financial institution can retrieve the funds once they have been wired out. Often the fraudster removes the funds from the receiving financial institution before the original transaction is even recognized.

↑ Back to top

Cyber Fraud


Malicious software that is intended to damage or disable computers and computer systems.


Ransomware is a form of malware targeting both human and technical weaknesses in organizations and individual networks in an effort to deny the availability of critical data and/or systems. Frequently delivered through Spear Phishing, ransomware results in the rapid encryption of sensitive files on a corporate network. When the victim organization determines they are no longer able to access their data, the cyber perpetrator demands the payment of a ransom, typically in virtual currency such as Bitcoin, at which time the fraudster will provide an avenue to the victim to regain access to their data.

Data Breach

A leak or spill of data which is released from a secure location to an untrusted environment. Data breaches can occur at the personal and corporate levels and involve sensitive, protected, or confidential information that is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.

Denial of Service

An interruption of an authorized user's access to any system or network, typically caused with malicious intent. This is achieved when an attacker floods the network or servers of the victim with a wave of Internet traffic so big that their infrastructure is overwhelmed by the number of requests for access, slowing down services or taking them fully offline and preventing legitimate users from accessing the service at all. Considered one of the least sophisticated of the cyberattacks, it is one of the most disruptive and powerful that can render websites/digital services inoperable for hours or even weeks.

↑ Back to top