“Banks have had customers call saying they received a text message appearing to be from their bank asking if a transaction is authorized or not,” says ISAO Director Alvin Mills.

The customer then receives a phone call from someone impersonating bank fraud department personnel. When the customer confirms specific information that the scammer already has, the scammer then asks the customer for their debit card information under the guise of further confirmation.

After obtaining the customer card information, the scammers add it to a digital wallet and go in person to local grocery stores to make purchases of money orders.

All someone needs are the routing number and account number to wreak havoc.  Check fraud can occur in a variety of ways:

Counterfeit – Entirely fake checks that mimic real ones, using forged MICR line data.

Forged Endorsement – Signing someone else’s name on a check without their authorization, either to cash the check or to make purchases.

Altered Check – Altering legitimate checks, typically by changing the payee’s name or the amount, to redirect funds to the fraudster.

Check Washing – Using chemicals to erase the ink on a check, allowing the fraudster to rewrite the details (payee, amount).

Stolen Checks – Stealing checks from mailboxes, businesses, or individuals and then using them for fraudulent transactions.

Mail Fraud is on the rise.  Fraudsters intercept checks during the mailing process, whether stolen from the mail or intercepted at the point of delivery.  The Postal Inspection Service reported an 87% increase in these reports between 2019 and 2022.  From March 2023 to August 2024, customers in Houston submitted 42,551 inquiries to USPS.  Of those, more than 7,000 were specifically related to stolen or tampered mail.

Vendor – Update Payment Info
Fraudsters can gain access your email account and review prior messages from vendors. They will mimic greetings, salutations, and other phrasing. Sometimes they create a fake domain or spoofed email or simply insert themselves into an existing thread. They will send an email to you notifying of updated payment instructions. Customers may mistakenly believe this is the legitimate vendor and send the payment for an invoice to the “new” instructions, sending money to the fraudster instead of the actual vendor. Best practice is to call a number you have on file (not a number within the body of the email) to verify the legitimacy of the instructions.

Executive Impersonation
Another example is when the fraudster sends an email or text to an employee asking them to send a payment or buy gift cards. The excuse is usually that the executive is in a meeting, traveling, or some other reason as to why they are sending this rush request and cannot be reached by phone. Again, employees should always call the executive at a known number to verify the request. It’s important to create and enforce policies requiring a callback.

The moral of the story? Verify, verify, verify.

While banking online, we encourage you to follow these best practices:

• Monitor your account with real-time alerts to help detect potentially fraudulent activity. See what’s available for your account online by visiting—SELF SERVICE for Personal/Business online banking and ADMINISTRATION-COMMUNICATIONS for Treasury Management online banking.
• Install and configure a quality software security suite, and keep it updated. Be sure that the product contains multiple protection methods, including anti-virus, anti-spyware, and web protection. Keep in mind that most products are subscriptions and need to be kept valid. While important, don’t rely on anti-virus security software as the sole protection for your computer.
• Keep your contact information up to date so we can reach you if we detect anything unusual on your account.
• Log in safely with your unique fingerprint or face recognition. Set up Touch ID or Face ID in the mobile app if available on your device.
• Refresh your password regularly. We recommend using a mix of numbers, letters (upper and lower case), and special characters. Personal information like your name or birthdate should be avoided.
• Opt to receive paperless bank statements to keep your information safe behind a secure login.
• Never access online banking (or any privileged or sensitive computer system) from a public computer at a hotel/motel, library, coffee shop, or other public wireless access points.
• If you are using a public computer, use Enhanced Login Security one-time access codes when logging into your account. If you’re using a private computer, register your computer as private.
• Never share user IDs, passwords, PIN numbers, etc. Don’t leave them in unsecured areas.
• Don’t use the same password on any other website or software. Your login credentials should always be unique.
• Avoid saving passwords to your computer.
• Contact us right away at 713-497-1515 (Houston) or 254-445-2213 (Dublin) if you suspect someone has used your debit card or account number without your permission.

There are steps that must be taken to guarantee the security of your mobile banking transactions.

The following advice can help you keep your mobile banking safe:

Use Strong Passwords
For your mobile banking app, use a strong, one-time password that combines letters, numbers, and special characters. Personal information like your name or birthdate should be avoided.

Enable two-factor authentication
Two-factor authentication increases the security of your mobile banking account by requiring a second form of identification before logging in, such as a code delivered to your phone. Hackers will find it far more challenging to access your account as a result.

Download from a Trusted Source Only
Only download mobile banking applications from reputable stores, like the App Store or Google Play Store. Avoid downloading apps from unofficial sources since they can be infected with malware and jeopardize your security.

Keep Your Operating System Up to Date
Security fixes that are included in routine software upgrades help keep your device and mobile banking app secure. To benefit from these security updates, make sure your operating system is up to date.

Use a Secure Wi-Fi Network
Use a secure Wi-Fi network to use your mobile banking app. Public Wi-Fi networks are frequently unprotected, which allows hackers to utilize them to steal private data.

Be Wary of Public Wi-Fi
When using public Wi-Fi, exercise caution when it comes to the data you provide and the websites you access. On public Wi-Fi networks, stay away from logging onto critical information like your mobile banking account.

Keep Your Device Secure
When not in use, keep your mobile device safe by locking it with a password or PIN and storing it in a secure location.

Watch for Suspicious Behavior
Keep an eye out for any unusual activity on your account and report any unauthorized transactions rig.

Don’t Share Sensitive Information
Never discuss sensitive details over the phone or by email, such as your password or account information.

Use a Mobile Security App
A mobile security app offers a supplementary defense against malware, viruses, and other security concerns.

By following these tips, you can keep yourself safe from potential scams:

• Don’t click on anything in an unsolicited email or text message asking you to update or verify account information.
• Never send funds to a merchant until you can confirm that the request to change a payment destination is legitimate, like a statement from them or a verified customer service phone number.
• Don’t rely only on caller ID to confirm someone’s identity, as scammers can compromise that too.
• Look up the company’s phone number through a legitimate source like a statement provided by the company, and don’t use the number a potential scammer is providing.
• Take your time. A legitimate Bank of Houston associate will never pressure you to immediately decide. They’ll provide you with all the necessary information and specific time frames to make your decision.
• When in doubt, hang up the phone and call your Bank of Houston service team directly. You may call us at the number listed on our website or bank statement.

Recognize when you’re being phished via email
Scrutinize all email correspondence regarding wiring funds.

Ask yourself the questions below:

• Who is requesting funds?
• Why are they requesting funds?
• Does the email match exactly?

Minimize wire payments
If a supplier makes a wire transfer request for services, the best practice is to ask to pay via ACH or with a credit card, as those methods offer you more protection against fraud scams.

Confirm wire payments over the phone
Always verify the authenticity of each wire transfer request. Call the person or company using a number you have previously called — not one from the current wire transfer request — to verbally verify it.

Be highly suspicious of a change in wiring instructions
Implement a call-back verification process when setting up payment instructions for a new vendor/supplier or making changes to payment instructions for an existing vendor/supplier.

Be wary of foreign banks
Unless your vendor is foreign, it is highly unusual for vendors to use a foreign bank to collect payments for domestic services.

In addition, it is a good idea to implement internal controls, such as dual control (2 people authorization) and segregation of duties (i.e. one person receives the request for funds, a second person authorizes the release of funds).

The company should implement a cybersecurity policy and review it often.

If your account is a target of wire transfer fraud, immediately contact us at:
Houston Office: 713-497-1515
Dublin Office: 254-445-2213