Educate yourself and your employees with fraud awareness
Business identity theft happens when criminals pose as owners, officers or employees of a business to illegally get cash, credit, and loans, leaving the victimized business with the debts.
Fraud and identity theft can be very disruptive. If we identify potential fraudulent activity, our Fraud team will contact you to resolve the issue.
What is business identity theft
Business identity theft happens when criminals pose as owners, officers or employees of a business to illegally get cash, credit, and loans, leaving the victimized business with the debts. Identity thieves can steal a business' identity by gaining access to their bank accounts and credit cards or by stealing sensitive information such as the Tax Identification Number (TIN), Employer Identification Number (EIN) or the owners' Social Security Number (SSN). Criminals then use the stolen information to open lines of credit with financial institutions or retailers to purchase commercial electronics, home improvement materials, gift cards, and other items that can be bought and exchanged for cash or sold with relative ease.
Business identity thieves are often employees or former employees with direct access to financial information. Victims of business identity theft often don't find out about the crime until significant losses accumulate, or someone discovers discrepancies on the books. Because of the hidden nature of the transactions, businesses can potentially lose large amounts of money.
Business Identity Theft
Protect Your Business
Business identity theft takes many forms. Examples include a variety of schemes involving the fraudulent use of business' information, including:
- Establishing temporary office space and/or merchant accounts in a business's name.
- Ordering merchandise or services with stolen credit card information or with bogus bank account details in the business' name.
- Scamming employees or phishing to get to a business' banking or credit information.
- Going through a business' trash and recycling bins for account numbers and other sensitive data.
- Filing bogus documents with the Secretary of State's office to change the business' registered address or the names of directors, officers or managers of the company, which can later help thieves, open lines of credit with financial institutions and retailers.
Ways to prevent and detect
- Update your business filings as soon as any of your business contact information changes. Check your business' filings with the Secretary of State's office at least once a year.
- Notify your local law enforcement authorities of any unauthorized changes and update your Secretary of State business filings with the correct information.
- Monitor your accounts and bills. If an unexpected bill, charge, credit card, or account appears on a statement or a regular bill doesn't arrive, contact the billing company.
- Monitor your business' credit profile with major credit bureaus.
- Protect your sensitive business information as carefully as you do your personal information.
- Secure paper documents in locked cabinets and electronic records in password protected files.
- Establish business data security policies and limit employee access to sensitive business and client information and assets.
- If you must provide sensitive business information over a website or via email, ensure the transmission is secure.
- Shred sensitive business records and financial statements before discarding them.
- Use computer virus protection software.
Business Email Compromise (BEC)
Also known as email account compromise (EAC) , BEC is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business – both personal and professional.
In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, like in these examples:
- A vendor your company regularly deals with sends an invoice with an updated mailing address.
- A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email the out right away.
- A homebuyer receives a message from his title company with instructions on how to wire his down payment.
Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands – or even hundreds of thousands – of dollars were sent to criminals instead.
How BEC occurs
- Spoof an email account or website. Slight variations on legitimate addresses (firstname.lastname@example.org vs. email@example.com) fool victims into thinking fake accounts are authentic.
- Send spearphishing emails. These messages look like they're from a trusted sender to trick victims into revealing confidential information. That information lets criminal's access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.
- Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so accountants or financial officers don't question payment requests. Malware also lets criminals gain undetected access to a victim's data, including passwords and financial account information.
Wire transfer fraud
Wire transfer fraud continues to be a challenge for banks and their customers. Wire transfers are an increasingly popular choice with criminals because of their speed and immediate availability of funds. Once the transaction is completed it is difficult, if not impossible, to recover the funds.
Businesses need to be especially aware of the risks associated with wire transfers. Criminals have identified opportunities to exploit vulnerabilities with internal business controls around wire processing and email requests.
Common "red flags" of Wire Transfer Fraud include:
- An overt sense of urgency or confidentiality conveyed in the request
- Wire transfer request contains new or modified payment instructions for known entities or individuals
- A wire request received from an individual at the business who does not normally make these requests
- Suspicious solicitation by email, phone, fax, by mail or from an online acquaintance or business
Reduce your risk of becoming a victim by:
- Confirming the request with the sender verbally at a telephone number that can be verified (not what is provided to you)
- Verify the request is legitimate through a reliable source
- Research the request further if you have any hesitation
- Ask questions
- If you still have concerns, do not send the wire transfer
What do you do if you believe you fell victim to a wire fraud scam?
- Contact Bank of the West immediately (1-800-488-2265, TTY 1-800-659-5495) and request a wire recall due to fraud
- File a report with the Internet Crime Complaint Center at https://bec.ic3.gov/
- Save all of the emails involved with the transaction
Criminals have devised counterfeit check schemes targeting attorneys. Scammers will use the names of real companies and create fake email addresses to show a connection to the real company. Scammers will email, fax, or call the law firm requesting legal services in connection with a settlement.
How it works
If the attorney responds, the scam begins and the attorney will eventually receive a fraudulent settlement check (either a fake cashier's or business check). The attorney is asked to deposit the settlement check, keep a retainer fee and wire the remainder of the settlement to the client's (scammer's) overseas account. The original settlement check is later returned as unpaid and the attorney is left responsible for the funds wired out of their bank account.
Be suspicious of a solicitation that offers a relatively large fee for minimal work and is outside your usual practice. Scrutinize unsolicited emails and calls from anyone requesting services with whom you've had no prior dealings, particularly if the offer comes from outside the U.S.
Educate your staff to be cautious of these types of schemes. If you accept payment by check, ask for a check from a local bank, or a bank with a local branch. Then, visit the branch and have the bank verify that the check is valid. If a visit isn't possible, call the issuing bank and verify that the check is valid. You can obtain the issuing bank's valid phone number online or via directory assistance. Monitor your bank accounts and ensure that settlement check(s) you deposit clear the banking system and you get the funds as expected before you send money to clients.
Solutions to safeguard
Consider these guidelines when developing a fraud prevention program:
- Monitor account activity and statements. Reconcile and monitor account activity frequently to identify suspicious transactions. Protect access by going paperless and sign up for Online statements
- Protect all accounting documents by securing check stock, signature equipment, invoices and critical account information
- Use only approved vendor listings. Routinely check the list of approved vendors. Be wary of unknown vendors, vendor names that are similar to other vendors, vendors with no physical address or phone number and a vendor's address that matches an employee's address
- Centralize payroll check distribution. By centralizing payroll, management can help eliminate "ghost" employees; including fictitious persons on the payroll, employees still on the payroll that no longer work for the company, or friends and relatives of an employee
- Implement dual controls. Institute dual control for high risk self-administration services. For example, the person writing the check should not be the person reconciling accounts and transactions
- Conduct employee background checks. Verify educational and employment history, as well as references, to ensure no previous history of fraud or other illegal activity exists. For employees that will manage company assets, it is especially important to conduct credit checks, if authorized by the candidate
- Create a fraud policy. Design, publish and implement a fraud policy that establishes expected employee conduct, prohibited actions, how fraud can be reported and the punishment for non-compliance
- Conduct routine and unannounced checks on high risk areas of your business, including the financial and inventory departments for vulnerabilities and possible fraudulent activities
- Train employees in fraud prevention. Employees serve as the eyes and ears of a company and by ensuring that your staff is knowledgeable about basic fraud prevention techniques, you'll establish a first line of anti-fraud defense
- Ensure employees take vacations. Employees undertaking fraudulent activity may not take time off because they are fearful of someone catching on to their indiscretions. Ensure all employees take vacations so no one in the organization has physical in-person control over their area of responsibility each and every day of the year
- Contact your business insurance provider and review your business insurance policy to determine if it provides coverage for employee dishonesty
If you notice suspicious activity on your Bank of the West accounts, call us at 1-800-488-2265. TTY 1-800-659-5495.
FBI-tips to protect your business
- Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
- Don't click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company's phone number on your own (don't use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
- Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
- Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
- Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.
- Be especially wary if the requestor is pressing you to act quickly.
If you or your company fall victim to a BEC scam, it's important to act quickly:
- Contact your financial institution immediately and request that they contact the financial institution where the transfer was sent. Next, contact your local FBI field office to report the crime.
- Also file a complaint with the FBI's Internet Crime Complaint Center (IC3).
Payment fraud protection
Protect your company by considering the following fraud tools and security tips.
- Use Positive Pay. Help protect your company from theft and fraud by keeping control of your disbursement process. Positive Pay regularly compares checks presented for payment to your issued-check files to find serial numbers and dollar amounts that don't match
- Use check stock with high security features. Security check features include: watermarks, heat sensitive ink, fluorescent fibers, micro printing, warning bands and chemical wash box
- Establish tight controls over check stock. Keep an inventory and conduct audits. Shred outdated checks and statements
- Ensure separation of duties. Check writers shouldn't reconcile accounts. Delegate separate individuals for invoicing, collecting and posting funds to Accounts Receivable. Conduct periodic reviews
- Use an ACH debit block/filter to specify which companies are authorized to post ACH debits to your accounts. Automatically block companies that aren't authorized. Set dollar limits or block all ACH debits
- ACH transaction review. Review and confirm ACH debit and credit transactions that post to your account. Determine if the transition is authorized and return any transactions that are not. Filter transactions you want to review by setting review thresholds based on debits, credits, company ID and dollar amounts.
- Initiate ACH and wire payments under dual control, with one person originating the transaction and another approving it before it's sent
Know how your business works
- Understand your organization's specific fraud risks. Conduct a thorough audit of your organization's particular vulnerabilities to design and implement internal safeguards and fraud prevention programs. Commercial online banking customers should perform risk assessment evaluations periodically
- Protect access credentials. Never give out passwords, IDs or other authorization credentials. If you receive an email, call, or text claiming to be from your financial institution, asking for your credentials, it is likely a "phishing" attempt. Don't respond to it
- Update security software. Update anti-virus and anti-spyware software and firewalls regularly
- Implement dual control. Institute dual custody for all online payment services (ACH, wire transfer, foreign exchange) and self-administration services (checks). Accounts should be reconciled daily to spot suspicious activity. The employee reconciling the account should not be a signer on, or have access to, the business account
- Protect all accounting documents. Lock away check stock, signature equipment, invoices and critical account information
Know your employees & vendors
- Conduct employee background checks. Verify education and employment, as well as references, to ensure no previous history of fraud or other illegal activity exists. For employees that will manage assets, it is especially important to conduct credit checks, if authorized by the candidate
- Train employees in fraud prevention. Employees serve as the watchdogs of an organization and by ensuring that the staff is knowledgeable about basic fraud prevention techniques, they can be a first line of defense
- Use "approved vendor" listings. This can help protect you from billing schemes and dealing with phony invoices. Management should routinely check the list of approved vendors and beware of unknown vendors, vendor names that are similar to other known vendors, vendors with no physical address or phone number or if a vendor's address that matches an employee's address
- Centralize payroll check distribution. By centralizing payroll, management can get rid of "ghost" employees, including fake employees on the payroll, former employees kept on the payroll, or friends and relatives of an employee
- Create a fraud policy. Design, publish and initiate a policy that states expected employee conduct, prohibited actions, how fraud can be reported and the punishment for non-compliance
- Conduct routine and unannounced checks on high risk areas. Check the financial and inventory departments for vulnerabilities and possible fraud
If you notice suspicious activity on your Bank of the West accounts, call us at 1-800-488-2265. TTY 1-800-659-5495.
If you suspect ID theft
Report any issues
Speak to the fraud prevention department at each credit reporting agency. Compare the Employer Identification Number (EIN) of the hijacked business to the EIN of your business. Report any discrepancy to the credit reporting agencies.
- Dun & Bradstreet: 1-800-234-3867
- Equifax: 1-800-525-6285
- Experian: 1-888-397-3742
- TransUnion: 1-800-680-7289
File a police report
Call your local law enforcement agency and file a report involving business identity theft.
Contact creditors and billing companies
Notify them that your business was the victim of identity theft. Contact creditors where the fraudulent accounts were opened, and request copies of all documents used to open or access the account(s).
File a Statement of Correction with your state's Secretary of State
Send information in the Statement of Correction that your business was the victim of identity theft.
Keep detailed records
Document all contacts, take notes, ask for names of individuals, departments, phone extensions, and record the date you speak with each person. Keep detailed records of your actions to have a paper trail. This will be useful if your credit needs to be repaired.
Make sure creditors and credit reporting agencies receive everything they have requested. Call or send a letter for confirmation.
Review accounts and credit report
Monitor your business' credit profile with credit reporting agencies. Continue to review all charges and transactions on your business account statements and online. Immediately report any discrepancies.
For more information on business identity theft:
National Association of Secretaries of State (NASS) Business Identity Theft Task Force
National business identity theft
Contact us to report:
Fraud or suspicious activity
Lost or stolen credit cards
Suspicious Bank of the West emails
Tell us where you live
Choose your state of legal residence. We can then give you information about the products and services available in your area.
Note: Bank of the West has branches only in the states listed in the drop-down. At this time, we only open accounts for individuals and businesses in these states.