We have seen a large increase lately in fraud attempts to get businesses to send money via wire and ACH, and want to remind you of controls and diligence you should be using to protect your business from fraud. Often, once a business acts on fraudulent instructions to send money, it is difficult or impossible to get it back resulting in significant losses to the business. Please read the following carefully and make sure your team is aware of this type of activity, and that you have the proper controls in place to protect your business. Some examples of recent activity include:

Scenario # 1:
CEO of ACME R US is out of town on a family vacation. The controller receives an email asking if they are available to help with an urgent matter. Of course the controller responds quickly, asking how they can help. The CEO explains that a vendor of theirs never received payment and they are refusing to ship the parts they ordered unless they wire money today (wire instructions attached). Please send $57,735.32 immediately and provide me confirmation as soon as it is sent so I can inform our vendor, the CEO emailed. Without question, the controller does exactly what was requested.

The next day, the real CEO calls the office to simply check in. During their conversation, the controller asks if the wire got there in time and if the parts shipped. Perplexed, the CEO ask, “What wire and to whom”. Shortly after this call the bank gets a call. The fraudsters simply sent an email from outside the organization to the controller making it look as if it was an internal email.

Scenario #2:
The controller of ACME R US received an email from one of their suppliers. The email stated that they are changing banks and to please change their accounts payable information to the new account and routing number of the new bank effective immediately. Seems fairly routine, so the controller made the modification. A month later, ACME R US received a phone call about not paying their last invoice totaling $107, 861.35. Through conversation with the supplier, it was discovered that their email account had been compromised and the fraudster was sending fraudulent communications directly from their email account to customers like ACME R US.

What do both of these scenarios have in common? They both where orchestrated via email. Both times, the email communication was all that was necessary to take action. They both indicated a sense of urgency or immediate action required. They both lost thousands of dollars.

Take action and consider implementing these controls:

1. DO NOT automatically trust or act solely on an email communication asking you to make changes to payment instructions from vendors, business partners, or internal management, even if it looks legitimate. To protect your company, procedures should be reviewed to ensure they include a validation step outside of email utilizing already known contact information, such as a verification phone call. For internal management email requests, you may want to require an actual signature as an added security measure. Think about all the things you do simply based on trusting an email. What risk are you taking if the email is not legitimate?

2. Utilize Dual Control options for authorizing ACH and wire payments within online banking, and make sure the staff reviewing those are trained properly to look for potential fraud or unusual activity. Another set of trained eyes can be an effective, if not foolproof, way to safeguard against fraud.

3. Utilize Multi-Factor Authentication if you access your office remotely, use Office 365, Outlook Web Access, or some other cloud based email, ensure you utilize multi-factor authentication. If your credentials are compromised, the fraudsters can access your email account from anywhere. They monitor who you speak with and learn how you do business. Then they plan their attack and start communicating as you. They delete every sent and received communication to help hide their tracks. Please use multi-factor authentication whenever possible. It is as easy as receiving a 6 digit temporary access code that you key in every time you login with your username and password.

4. Train Your Staff about the risks of automatically trusting email as legitimate. Phishing emails can compromise your systems with malware or ransomware. Spear phishing emails hope to get your staff to take action and usually turns into money lost.

5. Contact The Bank Immediately if you believe you are a victim of fraud or have sent funds based on fraudulent instructions. We can best assist you if you call us first. (1-800-453-8700 option 2)

6. Secure Your Environment by ensuring your computer systems and network are routinely patched to help avoid vulnerabilities, and seek outside review or support regularly to make sure your internal controls are up to industry standards to avoid intrusion or takeover attempts.

If you have questions or concerns please contact us at (1-800-453-8700 option 2).

Like me, I hope you have fond memories of your grandparents.  When invited to grandma’s house for lunch, I could always count on having something on the table she knew I liked.  Grandparents are very special and we need to care for them as much as they care for us. 

Unfortunately our grandparents, parents and older adults are the target of many types of scams received over the phone or via an email.  These scams attempt to deceive with promises of goods, services, financial benefits or the need to send money to pay taxes, fees or to help someone they love.  Their stories are contrived for one purpose and one purpose only, to get money.  Below is just one example of these schemes.

Scammers place a call to an older person and when they answer, the scammer will say something along the lines of: “Hi Grandma, do you know who this is?” When the unsuspecting grandparent guesses the name of the grandchild the scammer most sounds like, the scammer has established a fake identity without having done a lick of background research.

Once “in,” the fake grandchild will usually ask for money to solve some unexpected financial problem (overdue rent, payment for car repairs, etc.), to be paid via Western Union or MoneyGram, which don’t always require identification to collect. At the same time, the scam artist will beg the grandparent “please don’t tell my parents, they would kill me.”

One of the best ways to protect our loved ones from these types of tactics is to talk with them about it.  Building awareness is the first step.  If they are willing, another step might be helping them with paying bills and balancing their bank accounts.

If you have been or know someone who has been a victim; don’t be afraid to talk about it with someone you trust. You are not alone, and there are people who can help. Doing nothing could only make it worse. Keep handy the phone numbers and resources you can turn to, including the local police, your bank (if money has been taken from your accounts), and Adult Protective Services at 1-855-444-3911.  Call anytime day or night to report suspected abuse of vulnerable adults.


Have you ever received one of these bogus tech support calls?  The fraudster calls claiming to be from technical support at Microsoft, Apple, or other well-known companies. They say that they’ve detected viruses or malware on your computer to trick you into paying for software you don’t need or worse yet, convince you to give them remote access to your computer to fix the problem.

These fraudsters take advantage of your concerns about viruses and other threats.  They know most computer users have heard over and over that it’s important to install and maintain security software.  But the purpose behind this elaborate scam isn’t to protect you and your computer; it’s to make money.

Once they have gained your trust, they may:

  • Ask you to give them remote access to your computer and then make changes to your settings that could leave your computer vulnerable.
  • Try to enroll you in worthless computer maintenance or warranty program.
  • Ask for credit card information so they can bill you for phony services – or services you could get elsewhere for free.
  • Trick you into installing malware that could steal sensitive data, like user names and passwords to online financial sites, your email account, and more.
  • Direct you to websites and ask you to enter your credit card number and other personal information.

Regardless of the tactics they use, they have one purpose; it’s to make money.

If you get one of these calls, HANG UP!  Microsoft, Apple or any other company will not call you proactively in this way. The caller will likely try to create a sense of urgency or use high-pressure tactics to get you to do what they want; Just Hang Up!

If you believe you may have been a victim of one of these scam calls, don’t panic.  Instead:

  • Unplug your computer from the internet.
  • Take your computer to a local reputable business that specializes in fixing computers; let them know what happened.
  • Once your computer has been repaired, or via another computer/device, change your passwords on all online financial and email sites you use and any other passwords you gave out.
  • If you paid for bogus services with a credit card, call your credit card provider and ask to reverse the charges.  Check your statements for any other charge’s you didn’t make, and ask to reverse those too.

Check back for more information on the next Mercantile Bank Security Minute.