Security Awareness and Tools

We provide a suite of security tools to help protect you and your company.

Protecting Email

Mark Jackson
Senior Vice President
Information Security Expert

Business Email Compromise (BEC)

Mastering the Perfect Password

Understanding the Threat of Public USB Charging

Phishing

Social Engineering

Mobile Security

Preventing Check Fraud

Security Awareness Series

Mark Jackson (former SVP Information Security Manager at CBC)

Recommended Tips and Tools:

California Bank of Commerce remains committed to the safety and security of your information. We invest heavily in systems, software, and networks to safeguard your data. As part of our ongoing security education series, Safe and Secure Banking, this issue focuses on the critical first line of defense: strong passwords.

According to the 2024 Verizon Data Breach Investigations Report (DBIR), stolen credentials continue to be a dominant initial access vector, used in 22% of all breaches. Furthermore, a study by Cybernews in May 2025 on over 19 billion newly exposed passwords revealed a deepening crisis, with 94% of passwords being reused or weak. These statistics powerfully underscore the ongoing importance of strong, unique passwords as your initial barrier against unauthorized access.

Here is what you need to create strong passwords:

  • Length and Complexity: Aim for at least 12-16 characters, combining uppercase and lowercase letters, numbers, and symbols. The more diverse and longer your password, the harder it is to crack.
  • Avoid Personal Information: Do not use your name, birthday, address, pet names, or any details easily found online. Attackers often use publicly available information to guess passwords.
  • Uniqueness is Key: Do not reuse passwords across different accounts or services. As recent reports confirm, a single data breach can compromise multiple accounts if you use the same password everywhere. The IBM Cost of a Data Breach Report 2024 highlights that breaches involving stolen or compromised credentials took the longest to identify and contain (an average of 292 days), emphasizing the cascading risk of password reuse.

While strong, unique passwords remain a foundational element of your digital security, the evolving threat landscape in 2025 demands a multi-layered approach. Cybercriminals are more sophisticated than ever, leveraging AI to enhance their attacks, making it crucial to adopt advanced defenses.

Consider these essential security measures to fortify your accounts:

  • Multi-Factor Authentication (MFA) – Now a Prerequisite:

Enable MFA whenever available, especially for all sensitive accounts like banking, email, and social media. MFA adds an essential layer of security by requiring a second verification factor after entering your password. While SMS-based MFA is common, prioritize more secure, phishing-resistant methods such as:

    • Authenticator Apps: Apps like Google Authenticator or Microsoft Authenticator generate time-based codes on your device, which are more secure than SMS.
    • Hardware Security Keys (FIDO2/WebAuthn): These physical devices (like YubiKeys) offer the highest level of phishing resistance by directly verifying your identity cryptographically. Experts predict increased adoption of these in 2025.
    • Push Notifications: A notification to your trusted device for approval, offering a good balance of security and convenience.
    • Biometric Authentication: Utilizing fingerprint or facial recognition on your device, integrated with MFA, is becoming increasingly prevalent for both security and user experience.
  • Password Manager: Your Digital Vault:

Utilize a reputable password manager (e.g., LastPass, 1Password, Bitwarden) to generate and securely store long, complex, and unique passwords for every single account. These tools are indispensable for avoiding password reuse and can also:

    • Help you identify and update old, weak, or reused passwords.
    • Securely autofill credentials, reducing the risk of phishing.
    • Store other sensitive information like secure notes and credit card details.
    • The latest NIST guidelines (2025) strongly encourage the use of password managers.

New and Emerging Defenses to Adopt:

  • Passkeys: The Passwordless Future is Here:

Passkeys are rapidly gaining traction as a superior, passwordless authentication method. They replace traditional passwords with cryptographic key pairs, linked to your device, offering significantly enhanced security and user convenience.

    • Phishing Resistant: Passkeys are inherently resistant to phishing because they only work on the legitimate website or app they were created for.
    • Simpler Logins: No more memorizing or typing complex passwords – simply authenticate with a fingerprint, face scan, or PIN on your device.
    • Increased Adoption: Expect major banks and e-commerce platforms to widely embrace passkeys throughout 2025, with Windows-synced passkeys also being introduced. Actively look for and enable passkey options where available.
  • Embrace “Zero Trust” Principles:

While primarily an organizational strategy, the concept of “never trust, always verify” applies to individuals too. Assume any connection or request could be malicious until proven otherwise.

    • Continuous Verification: Always verify the authenticity of unexpected requests, especially those involving financial transactions or sensitive data, even if they appear to come from a known contact. Use out-of-band communication (e.g., a phone call to a known number, not one provided in an email).
    • Least Privilege: Limit the access permissions of apps and services on your devices to only what they absolutely need.
  • AI-Enhanced Threat Detection (Your Bank’s Role & Your Awareness):

Financial institutions are increasingly leveraging AI and machine learning for real-time threat detection, identifying anomalous behavior and preventing fraud. Be aware that cybercriminals are also using AI to craft more sophisticated phishing and deepfake attacks.

    • Stay Skeptical: AI can now generate highly convincing fake emails, voice calls, and even videos (deepfakes). If a request feels unusual, even if it sounds or looks like someone you know, verify it through an alternative, trusted channel.

By integrating these robust security practices, you are not just relying on a password; you’re building a comprehensive digital defense strategy to protect your financial well-being in the evolving cyber landscape of 2025 and beyond.

The reality of stolen credentials remains a stark reminder of the risks involved in our increasingly digital lives. While the 2021 cryptocurrency exchange breach highlighted a significant incident, the threat has continued to evolve and impact major players.

For instance, in February 2025, the Bybit cryptocurrency exchange suffered a record-breaking $1.4 billion ETH theft, largely attributed to attackers exploiting a private key leak – a direct consequence of compromised or poorly secured credentials within the system. More recently, in May 2025, Coinbase disclosed a data breach that exposed customer account balances, ID images, phone numbers, home addresses, and partially hidden bank details, prompting them to commit up to $400 million for remediation and reimbursements. These incidents, among many others, underscore that even with sophisticated security, the human element and the compromise of access credentials remain primary targets for cybercriminals.

Remember, stolen passwords and compromised access are a gateway for devastating cybercrime. Do not let a weak password or a single point of failure be the only obstacle protecting your accounts. Implement these best practices, leveraging the latest in security standards, to secure your information and financial well-being.

The threat of tax scams has become alarmingly sophisticated in 2025, driven by the pervasive use of Artificial Intelligence (AI) and persistent data breaches. Cybercriminals are now more adept than ever at impersonating authorities and exploiting vulnerabilities to defraud individuals and businesses.

Recent reports from the IRS and other cybersecurity entities paint a concerning picture:

  • Soaring Losses and AI Amplification: The IRS Criminal Investigation (CI) unit uncovered $9.1 billion in tax fraud and financial crimes in 2024, with nearly 2 million tax returns flagged for identity theft and fraud, amounting to $16.5 billion in fraudulent filings. Experts predict that AI-generated emails, deepfake phone calls, and advanced phishing attacks will accelerate this trend, making tax fraud a multi-billion dollar industry. AI tools are enabling scammers to create hyper-realistic phishing emails, text messages (smishing), and even convincing voice calls (vishing) that mimic legitimate tax authorities with uncanny accuracy.
  • Persistent Data Breaches as Fuel: Despite ongoing efforts, data breaches continue to compromise vast amounts of personal information, including Social Security numbers, dates of birth, and financial details. This stolen data serves as critical fodder for fraudsters, allowing them to craft highly personalized and believable tax scams. With this information, they can file fraudulent tax returns, set up fake online accounts in victims’ names, or use it to enhance their social engineering tactics.
  • IRS’s Budget and Staffing Challenges: While the IRS is actively integrating AI to enhance its own enforcement capabilities and identify non-compliance (as outlined in its FY 2025 budget, which includes a focus on AI initiatives), the agency continues to face significant challenges. Budget uncertainties and workforce reductions – including a projected nearly 60% reduction to IT and support staff from 2025 to 2026 if current trends continue – threaten to impede their modernization efforts and ability to respond to the sheer volume of evolving threats. This can inadvertently make taxpayers more vulnerable, as delays in service or processing can create opportunities for scammers to exploit.
  • Emerging Scams Highlighted by IRS’s “Dirty Dozen” for 2025: The IRS’s annual “Dirty Dozen” list for 2025 warns against a new wave of scams, including:
    • Fake Employee Retention Credit (ERC) Promoters: Fraudsters aggressively market bogus ERC claims to businesses, leading them to file fraudulent claims and face penalties.
    • IRS Online Account Setup Scams: Scammers pose as third parties offering to set up IRS Online Accounts, but instead steal tax IDs and banking information.
    • Bad Social Media Advice: Misinformation on platforms like TikTok encourages taxpayers to misuse tax documents or claim non-existent tax credits (like the “Self-Employment Tax Credit”), leading to audits and penalties.
    • New Client Scams/Spear Phishing Targeting Tax Pros: Highly targeted attacks on tax professionals aim to compromise their systems and steal client data, enabling further fraudulent filings.

These trends underscore that tax season, and indeed the entire year, presents a critical window for fraudsters. They are leveraging every available tool, from stolen data to cutting-edge AI, to exploit human trust and systemic vulnerabilities.

The cyber threat landscape is continuously evolving, with scammers leveraging advanced technologies and sophisticated social engineering tactics. While traditional scams persist, new and emerging threats in 2025 demand heightened vigilance, especially during tax season and periods of economic uncertainty.

  • Phishing Emails (More Sophisticated Than Ever):

Cybercriminals continue to impersonate trusted entities like the IRS, financial institutions, and even well-known businesses in highly convincing emails. These emails, often crafted with the aid of AI-powered language tools, are designed to appear legitimate, claiming tax refunds, urgent account issues, or outstanding balances. They contain malicious links that lead to fake login pages (credential harvesting) or attachments disguised as official documents (malware delivery). The key distinction in 2025 is their improved grammar, realistic branding, and hyper-personalization, making them harder to spot.

  • Smishing (SMS Phishing) & Vishing (Voice Phishing) – The Rise of AI Impersonation:

Similar to phishing emails, scammers use text messages (SMS) and phone calls to trick you.

    • Smishing: Messages might claim fake package deliveries, urgent bank alerts, or even “unpaid toll fines” (a growing trend in 2025, per Krebs on Security). They aim to lure you into clicking fraudulent links or revealing personal details on fake mobile-friendly websites.
    • Vishing: Scammers are increasingly using AI-generated voice deepfakes to impersonate IRS officials, bank representatives, executives, or even family members. These calls are highly convincing, pressuring victims into making fraudulent payments or divulging sensitive information. Always verify such requests through an independent, trusted channel, not a number provided in the suspicious communication.
  • Social Media Scams & Misinformation Campaigns:

Criminals extensively leverage social media platforms to spread misinformation about tax laws, offer “guaranteed refunds” or “non-existent tax credits” (like the bogus self-employment tax credit), and lure unsuspecting victims into fake websites or divulging personal information. They also promote “overstated withholding scams” encouraging individuals to submit false income information on tax forms. The IRS’s 2025 “Dirty Dozen” list continues to highlight “bad social media advice” as a major concern.

  • Fake Charities & Disaster Relief Scams:

Be wary of unsolicited calls, emails, texts, or social media posts from unknown organizations claiming to be charities, especially in the wake of natural disasters or global crises. Scammers exploit generosity to steal money and personal information for identity theft. Always research any charity using official resources (like the IRS Tax Exempt Organization Search tool) before donating.

  • Emerging AI-Driven Threats:

Beyond enhancing existing scams, AI is enabling new attack vectors:

    • Fake AI Tax Assistants: Bogus AI chatbots or online tools claim to offer tax support but are designed to harvest login credentials or redirect users to malicious sites.
    • Deepfake Video Calls: Attackers are using sophisticated deepfake technology to create convincing video calls, impersonating known individuals (e.g., a CFO or manager) to authorize fraudulent transactions. The Hong Kong finance worker tricked into a $25 million transfer via deepfake video call highlights this devastating potential.
    • QR Code Phishing (Quishing): Malicious QR codes delivered via email or print lead users to phishing pages disguised as tax portals or invoice platforms.
    • Cloud-Hosted Malicious Files: Links to files hosted on trusted cloud platforms (Google Drive, OneDrive) containing malware are increasingly used to bypass email security.

Remember: The IRS will never initiate contact with taxpayers by email, text message, social media, or phone calls regarding a bill or tax refund. They primarily use traditional mail. Always initiate contact with the IRS or your bank directly using official, verified contact information.

Beware of Wire Fraud Scams: Protecting Yourself in 2025

California Bank of Commerce remains committed to safeguarding your financial information. Today, we focus on a persistent threat: wire fraud. With increasingly sophisticated tactics, wire fraud continues to be a significant concern.

The sophistication of wire fraud scams continues to escalate, making them one of the most financially devastating threats for businesses and individuals in 2025. Cybercriminals are now leveraging advanced technologies like Artificial Intelligence (AI) to create hyper-realistic and highly effective attacks, exploiting vulnerabilities across various communication channels to steal millions.

Here are the common, and increasingly dangerous, tactics to be acutely aware of:

  • Business Email Compromise (BEC): The AI-Powered Impersonation Epidemic

BEC remains the costliest cybercrime, with global losses reaching billions annually (e.g., Fortra’s May 2025 report showing a 48% increase in BEC attack volume month-over-month, with average wire transfer requests increasing to nearly $100,000). Criminals impersonate executives (CEO fraud, which accounts for over 89% of BEC attacks in 2025, according to LastPass), trusted vendors, or business partners via email. The significant shift in 2025 is the widespread use of AI to craft these deceptions:

    • Hyper-Realistic Phishing: AI language models are used to generate emails with perfect grammar, natural tone, and contextual relevance, making them almost indistinguishable from legitimate communications. They can mimic an employee’s or executive’s specific writing style after analyzing their past messages.
    • Deepfake Impersonation (Vishing and Video BEC): Attackers are increasingly employing AI to create voice deepfakes for vishing calls, impersonating executives to pressure finance teams into urgent wire transfers. More alarmingly, deepfake video technology is emerging, enabling criminals to conduct fake video calls impersonating high-ranking officials to authorize massive fraudulent transactions, as seen in recent high-profile cases (e.g., the Hong Kong finance worker losing $25 million to a deepfake video call scam).
    • Sophisticated Social Engineering: AI helps attackers analyze publicly available information (from social media, company websites, data breaches) to create highly targeted and personalized scams that exploit human psychology, urgency, and trust.
  • Fake Invoice Scams: Supply Chain Exploitation and QR Code Attacks

Fraudsters send invoices that appear legitimate, requesting payments to unfamiliar accounts. These invoices might arrive via email or even through compromised online vendor portals. In 2025, these scams are more dangerous due to:

    • Supply Chain Exploitation: Attackers are compromising the email accounts of legitimate vendors or suppliers within a business’s supply chain. They then hijack existing email threads, inserting new fraudulent bank details for legitimate invoices or sending entirely fake invoices that appear to come from a trusted source.
    • QR Code Phishing (Quishing): Malicious QR codes embedded in seemingly legitimate invoices (both digital and physical) are leading users to sophisticated phishing pages designed to steal credentials or initiate fraudulent payments.
    • AI-Enhanced Document Forgery: AI tools enable the creation of highly convincing forged documents, including invoices, contracts, and payment change requests, that bypass traditional visual inspection.
  • Remote Desktop Access (RDA) & Remote Monitoring and Management (RMM) Scams:

Criminals gain unauthorized access to a victim’s computer or network through phishing, malware, or exploiting vulnerabilities in remote access software itself. In 2025, the threat has intensified:

    • Exploiting Vulnerabilities in Remote Access Tools: As highlighted by critical vulnerabilities in Windows Remote Desktop Services identified in early 2025 (CVE-2025-27480, CVE-2025-29966, etc.), attackers are constantly finding ways to gain remote code execution or unauthorized access through these essential business tools.
    • Malicious RMM Software: Scammers trick victims into installing legitimate Remote Monitoring and Management (RMM) software (e.g., AnyDesk, TeamViewer) under false pretenses (e.g., fake tech support). Once installed, they gain full control of the computer, manipulating financial data, initiating unauthorized wire transfers, or deploying ransomware.
    • “Island Hopping”: Gaining RDA access to one compromised system can be a stepping stone for attackers to move laterally within a network or even pivot to a connected business partner, amplifying the potential for wire fraud across interconnected entities.

The shift to remote and hybrid work models has further expanded the attack surface for these types of fraud, making robust security awareness and strict verification protocols more critical than ever.

While the threat of wire fraud has intensified with the advent of AI-powered scams, proactive and robust defense strategies are more effective than ever. Implementing a multi-layered approach, aligning with 2025 cybersecurity standards, is crucial for both individuals and businesses.

  • Rigorous Verification is Paramount (Beyond Basic Calls):

Always verify the legitimacy of any wire transfer request independently. Do not rely solely on email, text messages, or even a direct phone call to a number provided in a suspicious communication.

    • Out-of-Band Verification: This remains the gold standard. Contact the sender using a pre-established, known, and verified phone number (e.g., from your physical address book, official website, or previous legitimate invoices). Never use a number from the suspicious email or text itself.
    • Multi-Point Verification: For businesses, implement robust, multi-person verification for all wire transfer requests, especially for new recipients or changed bank details. This could involve one person initiating the request and a second, independent person verifying it via phone call to a trusted contact.
    • Secure Portals (Emerging Trend): Where possible, move sensitive communications, especially payment instructions, away from email and onto secure, encrypted portals provided by your bank or trusted vendors. This significantly reduces the risk of email compromise.
    • Behavioral Biometrics (Future-Proofing): Financial institutions are increasingly using AI-powered behavioral biometrics (analyzing unique user patterns like typing speed, mouse movements, and navigation) to detect anomalies in login and transaction behavior, flagging potential fraud even if credentials are stolen.
  • Beware of Urgency and Secrecy: The AI-Amplified Pressure:

Fraudulent requests almost always create a sense of extreme urgency or confidentiality to pressure victims into acting quickly without proper verification. In 2025, AI is making these tactics even more potent by crafting personalized, compelling narratives.

    • “CEO Fraud” Reinvented: Be highly suspicious of emails from “executives” demanding immediate, confidential wire transfers, especially if they claim to be in a meeting, traveling, or unable to speak directly. These are prime targets for AI-generated voice or video deepfakes designed to bypass suspicion.
    • Question Any Deviation from Protocol: Any request to bypass established internal procedures for payment approvals or data sharing is a major red flag.
  • Scrutinize Account Details and Geo-Indicators:

Exercise extreme caution with requests to transfer funds to unfamiliar accounts, especially those in unusual domestic or overseas locations.

    • Double-Check Every Character: Manually cross-reference the recipient’s name, account number, and routing number against previously verified records. Fraudsters often use subtle variations that are hard to spot at a glance.
    • Geographic Discrepancies: Be wary if the requested payment location or recipient’s bank account seems inconsistent with the sender’s known location or business operations.
  • Implement Advanced Multi-Factor Authentication (MFA): A Non-Negotiable Standard:

Enable MFA for all your financial accounts, email, and any critical business systems. This adds a crucial layer of security during login and transaction authorization.

    • Prioritize Phishing-Resistant MFA: While SMS-based MFA is better than nothing, it’s vulnerable to SIM swapping and SMS phishing. Prioritize stronger methods like:
      • Authenticator Apps: Generate time-based one-time passwords (TOTP).
      • Hardware Security Keys (FIDO2/WebAuthn): Offer the highest level of phishing resistance by requiring a physical key for authentication.
      • Biometric Authentication: Fingerprint or facial recognition directly integrated with secure devices.
    • Adaptive MFA (Emerging): Your bank may use AI-driven adaptive MFA, which requests additional verification steps only when unusual activity is detected (e.g., login from a new device or location), balancing security and convenience.
  • Continuous Employee Education & Simulation: Building a Human Firewall:

For businesses, ongoing, interactive training is the most effective defense. Employees are the last line of defense against these social engineering attacks.

    • Regular, Targeted Training: Conduct frequent training sessions on the latest wire fraud tactics, including BEC, deepfake awareness, and “quishing” (QR code phishing).
    • Simulated Phishing/BEC Drills: Regularly test employee vigilance with realistic simulated phishing and BEC emails. Provide immediate feedback and retraining for those who fall for the simulations.
    • Clear Internal Protocols: Establish and enforce strict, documented procedures for all financial transactions, particularly wire transfers, including dual control requirements for payments over a certain threshold.
    • Zero Trust Principles: Foster a “never trust, always verify” culture. Assume any connection or request could be malicious until independently proven otherwise, both internally and externally.
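
The following Python example is added here for illustration and is not California Bank of Commerce code. It compares an incoming wire request against a previously verified payee record, as the “Double-Check Every Character” and “Multi-Point Verification” items above describe; the record layout, finding names, vendor ID, and all sample names and numbers are constructed assumptions.

```python
import difflib
import unicodedata
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Payee:
    """Hypothetical record layout: payee name plus US bank details."""
    name: str
    routing: str  # 9-digit ABA routing number
    account: str


def aba_checksum_ok(routing: str) -> bool:
    """Validate the ABA check digit (weights 3, 7, 1 repeated over 9 digits).

    A failed check catches typos and most single transpositions. A passing
    check does NOT prove the number belongs to the expected payee.
    """
    if len(routing) != 9 or not (routing.isascii() and routing.isdigit()):
        return False
    d = [int(c) for c in routing]
    total = (3 * (d[0] + d[3] + d[6])
             + 7 * (d[1] + d[4] + d[7])
             + (d[2] + d[5] + d[8]))
    return total % 10 == 0


def _normalize(name: str) -> str:
    """Fold case, Unicode compatibility forms, and repeated whitespace."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())


def review_wire_request(vendor_id: str, request: Payee,
                        verified: Dict[str, Payee]) -> List[str]:
    """Return findings; an empty list means the request matches the record."""
    findings: List[str] = []
    if not aba_checksum_ok(request.routing):
        findings.append("ROUTING_CHECKSUM_INVALID")

    known = verified.get(vendor_id)
    if known is None:
        # No verified record to compare against: treat as a new recipient.
        findings.append("NEW_RECIPIENT")
        return findings

    # Exact, character-for-character comparison of the bank details.
    if request.routing != known.routing:
        findings.append("ROUTING_CHANGED")
    if request.account != known.account:
        findings.append("ACCOUNT_CHANGED")

    if request.name != known.name:
        if known.name.isascii() and not request.name.isascii():
            # Look-alike letters from another alphabet are invisible on screen.
            findings.append("NAME_HAS_NON_ASCII")
        else:
            ratio = difflib.SequenceMatcher(
                None, _normalize(request.name), _normalize(known.name)).ratio()
            findings.append("NAME_NEAR_MATCH" if ratio >= 0.85
                            else "NAME_MISMATCH")
    return findings


def disposition(findings: List[str]) -> str:
    """Any finding holds the wire for callback on a known number and a
    second, independent approver; otherwise the normal approval flow applies."""
    return "HOLD" if findings else "RELEASE"


# Constructed sample data: the verified vendor master record.
VERIFIED = {"V-1001": Payee("Acme Supply LLC", "123456780", "000123456789")}

if __name__ == "__main__":
    samples = {
        "matches record": Payee("Acme Supply LLC", "123456780", "000123456789"),
        "new bank details": Payee("Acme Supply LLC", "987654320", "000555000111"),
        "transposed digits": Payee("Acme Supply LLC", "123456870", "000123456789"),
        "look-alike name": Payee("Acme Suppy LLC", "123456780", "000123456789"),
    }
    for label, req in samples.items():
        found = review_wire_request("V-1001", req, VERIFIED)
        print(f"{label:18} {disposition(found):8} {found}")
```

Note that the “new bank details” sample passes the routing checksum: a well-formed number only rules out typos, so the change itself is what triggers the hold and the out-of-band callback.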

By embracing these robust, continuously updated security practices, you can significantly enhance your resilience against the evolving threat of wire fraud and protect your financial well-being in the complex digital landscape of 2025.

By being acutely aware of these evolving tactics – especially those leveraging AI for enhanced realism and psychological manipulation – and by rigorously implementing the safeguards discussed, you can significantly reduce the risk of falling victim to devastating wire fraud scams. Remember, proactive vigilance is your strongest defense!

Reporting Suspicious Activity: Time is of the Essence

If you suspect wire fraud has occurred or you’ve been targeted, reporting it immediately is absolutely critical. Every minute counts when attempting to recover stolen funds.

  • Contact Your Bank Immediately: As soon as you realize a fraudulent wire transfer has been made or attempted, contact your bank. Provide them with all transaction details, including recipient bank information, amounts, and any associated communication. Banks often have specific fraud departments and can sometimes initiate a “recall” or “freeze” if caught quickly enough.
  • File a Complaint with the FBI’s Internet Crime Complaint Center (IC3): This is the central hub for reporting cyber-enabled crime.
    • Visit https://www.ic3.gov/.
    • File a complaint as soon as possible, providing every detail you have, no matter how small. This information helps the FBI track trends, initiate investigations, and potentially freeze stolen funds. The IC3’s 2024 annual report showed reported losses exceeding $16 billion, a 33% increase from 2023, highlighting the scale of the problem and the importance of every report.
    • Crucially, be aware of IC3 impersonation scams. The FBI warned in April 2025 that criminals are impersonating IC3 employees, claiming to have recovered funds as a ruse to “re-victimize” individuals. The IC3 will NEVER directly communicate with individuals via phone, email, social media, or public forums to recover funds, nor will they ask for payment to do so. If you are contacted by someone claiming to be from the IC3, verify independently with official contact channels.
  • Contact Local Law Enforcement: Depending on the nature and amount of the fraud, also report the incident to your local police department. They can provide a police report, which may be necessary for your bank or insurance claims.
  • Consider the FTC: For general fraud and identity theft, the Federal Trade Commission (FTC) is another valuable resource: https://reportfraud.ftc.gov/. Your reports help them detect patterns and bring cases against fraudsters.

A Recent Example (June 2025): The Growing Impact on Real Estate & Supply Chains

The threat of wire fraud continues to evolve, deeply impacting sectors like real estate. A June 2025 report from CertifID, “State of Wire Fraud 2025,” highlights that over 1 in 4 home buyers and sellers (26%) reported receiving suspicious or fraudulent communications during their closing process. Alarmingly, nearly 1 in 20 (4.7%) actually fell victim. This emphasizes how fraudsters are exploiting the high-value transactions and complex communications inherent in these processes. The report also found that after 24 hours, the recovery success rates for stolen funds go down significantly, underscoring the urgent need for immediate action. Impersonation of real estate agents (58% of victims) and title/settlement agents (41%) is increasingly prevalent.

Beyond real estate, supply chain finance remains a major target. Attackers in 2025 are increasingly compromising accounts of legitimate vendors and then subtly altering payment instructions for legitimate invoices, leading to massive financial losses for businesses.

By understanding the tactics, acting swiftly if targeted, and leveraging these reporting channels, you contribute to a stronger collective defense against the sophisticated and rapidly evolving landscape of wire fraud.

Check Fraud: A Resurgent Threat in 2025

California Bank of Commerce prioritizes the security of your financial information. Today, we revisit a persistent form of fraud: check fraud. While cybercrime dominates headlines, check fraud is experiencing a resurgence.

While the use of paper checks may be declining overall, check fraud remains a persistent and growing threat, with criminals employing increasingly sophisticated methods, often augmented by AI. Protecting yourself requires a diligent, multi-faceted approach that goes beyond traditional safeguards.

  • Elevated Check Security & Storage:
    • Secure Storage: Store blank and unused checks in a locked, secure location (e.g., a locked drawer or safe). Limit access to only essential personnel within businesses.
    • Enhanced Check Stock: For businesses, consider using checks with advanced security features, such as watermarks, micro-printing, chemical alteration protection, and security threads, which are harder for fraudsters to replicate even with AI tools.
    • Minimize Physical Inventory: Keep only the absolute minimum number of blank checks on hand.
    • Monitor Check Orders: Verify any new check orders placed on your account immediately with your bank.
  • Limit Personal & Sensitive Information:
    • Avoid Unnecessary Data: Never include sensitive personal information like your Social Security number, driver’s license number, or phone number on checks unless absolutely required. This information is a goldmine for identity thieves.
    • Consider ACH for Payroll/Vendor Payments: Whenever possible, transition away from checks for recurring payments like payroll or vendor payments to more secure electronic methods like ACH, which limit the exposure of sensitive banking details.
  • Proactive Account Monitoring & Reconciliation (AI-Assisted Vigilance):
    • Daily Review: Review your bank statements and online banking activity daily. This includes not only transactions but also images of cleared checks. Look for any alterations, suspicious payees, or unexpected amounts.
    • Utilize Bank Alerts: Set up alerts with your bank for large transactions, new payees, or any suspicious activity on your checking account. Many banks are now using AI-driven anomaly detection to flag unusual patterns that human eyes might miss.
    • Enhanced Reconciliation (Businesses): Businesses should perform daily, thorough bank reconciliations, ideally with a segregation of duties (i.e., the person reconciling is not the one writing checks). This is your last line of defense for catching altered or counterfeit checks before they cause significant loss.
  • Prompt Reporting of Missing Checks & Mail Issues:
    • Immediate Notification: Notify your bank immediately if you notice any missing checks from your checkbook or if a check you mailed doesn’t clear as expected.
    • Monitor Mail Delivery: Mail theft and check washing are on the rise, and the U.S. Postal Inspection Service has ongoing efforts to combat this surge in 2025. Promptly retrieve your mail from your mailbox.
    • USPS Informed Delivery: Sign up for the free USPS Informed Delivery service to receive daily email notifications of incoming mail. This can help you identify if a check you’re expecting goes missing or if suspicious mail arrives.
  • Secure Mail Practices:
    • Avoid Residential Mailboxes for Outgoing Checks: Do not leave outgoing checks in your residential mailbox for pickup, especially with the flag up. This is a common target for “mailbox fishing” and mail theft.
    • Use Secure Drop-Offs: Whenever mailing checks, use secure USPS blue collection boxes (not isolated ones), go inside a post office, or hand the mail directly to a mail carrier.
    • Consider Online Bill Pay or ACH for Personal Payments: For routine payments like utilities or credit cards, utilize your bank’s online bill pay service, which typically uses secure electronic transfers (ACH) instead of physical checks.
  • Embrace Digital Alternatives (The 2025 Standard):
    • Prioritize Electronic Payments: Whenever possible, utilize more secure and traceable payment methods. The trend in 2025 is a strong push towards fully electronic transactions (e.g., the U.S. government’s 2025 transition away from paper checks).
    • ACH Transfers: For business-to-business payments, ACH (Automated Clearing House) transfers offer a more secure and efficient alternative to checks.
    • Online Bill Pay: For consumer payments, leverage secure online bill pay services offered by your bank or directly by vendors.
    • Real-Time Payments (RTP/FedNow): For urgent payments, leverage real-time payment systems where available, as they offer instant settlement and robust fraud monitoring within secure banking systems.
  • Enhanced Internal Controls & Dual Authorization (For Businesses):
    • Strict Segregation of Duties: Ensure that no single person controls the entire check process, from creation to reconciliation.
    • Dual Authorization: Implement mandatory dual authorization processes for all checks above a certain threshold. This requires one person to prepare the check and a second, independent person to review and approve it (and sign, if physical checks are used) before it’s sent. This adds a critical human layer of verification against altered checks or internal embezzlement.
    • Regular Audits: Conduct unannounced internal audits of check-writing and payment processes to ensure compliance with established protocols.
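
For businesses that keep an electronic check register, the daily reconciliation, dual authorization and segregation-of-duties controls listed above can be checked mechanically. The following Python example is added here for illustration and is not a California Bank of Commerce tool; the record layout, staff names, sample data and the $5,000 threshold are constructed assumptions.

```python
from collections import Counter
from decimal import Decimal as D

THRESHOLD = D("5000.00")  # assumed dual-authorization policy limit

# Constructed register of checks the business actually issued.
ISSUED = [
    {"no": 1001, "payee": "Acme Supply", "amount": D("1250.00"), "preparer": "ana", "approver": None},
    {"no": 1002, "payee": "City Water", "amount": D("310.40"), "preparer": "ana", "approver": None},
    {"no": 1003, "payee": "Northside Realty", "amount": D("8400.00"), "preparer": "ana", "approver": "ana"},
    {"no": 1004, "payee": "Delta Freight", "amount": D("5200.00"), "preparer": "raj", "approver": "lee"},
]
# Constructed list of items the bank reports as cleared.
CLEARED = [
    {"no": 1001, "payee": "Acme Supply", "amount": D("7250.00")},    # amount altered
    {"no": 1002, "payee": "J. Doe", "amount": D("310.40")},          # payee replaced
    {"no": 1004, "payee": "Delta Freight", "amount": D("5200.00")},  # clean
    {"no": 1004, "payee": "Delta Freight", "amount": D("5200.00")},  # presented twice
    {"no": 2417, "payee": "Cash", "amount": D("900.00")},            # never issued
]

def reconcile(issued, cleared):
    """Compare cleared items with the issued register; return (check_no, finding) pairs."""
    register = {c["no"]: c for c in issued}
    seen, findings = Counter(), []
    for item in cleared:
        no = item["no"]
        seen[no] += 1
        rec = register.get(no)
        if rec is None:
            findings.append((no, "NOT_ISSUED"))             # possible counterfeit
        elif seen[no] > 1:
            findings.append((no, "DUPLICATE_PRESENTMENT"))
        else:
            if item["amount"] != rec["amount"]:
                findings.append((no, "AMOUNT_MISMATCH"))    # possible alteration
            if item["payee"].casefold() != rec["payee"].casefold():
                findings.append((no, "PAYEE_MISMATCH"))     # possible washed check
    return findings

def dual_auth_violations(issued, threshold=THRESHOLD):
    """Checks above the threshold need an approver who is not the preparer."""
    return [c["no"] for c in issued
            if c["amount"] > threshold and c["approver"] in (None, c["preparer"])]

def reconciler_is_independent(issued, reconciler):
    """Segregation of duties: the reconciler must not have prepared any check."""
    return all(c["preparer"] != reconciler for c in issued)

if __name__ == "__main__":
    for finding in reconcile(ISSUED, CLEARED):
        print(finding)
    print("dual-auth violations:", dual_auth_violations(ISSUED))
```

Any finding is a reason to contact the bank the same day, since the window for returning an altered or counterfeit item is short.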

By integrating these advanced, vigilance-driven strategies, you significantly fortify your defenses against the continually evolving threat of check fraud in 2025.

At California Bank of Commerce, we are relentlessly committed to safeguarding your financial well-being. While we deploy cutting-edge AI-driven systems and robust network defenses, the most sophisticated attacks in 2025 increasingly target a different vulnerability: trust. Imposter scams, particularly those involving phone calls, are escalating in sophistication and financial impact, often leveraging the latest in Artificial Intelligence to deceive even the most cautious individuals.

The Evolving Threat: Imposters Calling the Bank or Calling as the Bank

The landscape of phone-based fraud (often called “Vishing” or “Voice Phishing”) has transformed significantly. Scammers are no longer just making simple cold calls; they are employing advanced tactics to appear highly credible:

  • AI-Powered Voice Deepfakes: This is the most alarming emerging trend. Fraudsters are now using Generative AI to clone voices with startling accuracy. This means you might receive a call that sounds exactly like a trusted individual – your bank’s representative, a family member, a senior executive, or even a law enforcement official. According to Pindrop’s 2025 Voice Intelligence & Security Report, deepfake fraud could surge by an alarming 162% in 2025, with synthetic voice attacks at banks rising by 149% in 2024 alone. These “cloned” voices are used to pressure you into revealing information or initiating fraudulent transactions.
  • Sophisticated Caller ID Spoofing: Scammers routinely manipulate caller ID to display your bank’s legitimate phone number, a government agency, or even a local area code, making the call appear genuine. This bypasses a common initial verification step.
  • Pretexting and Advanced Social Engineering: Imposters are conducting extensive reconnaissance. They may already possess some of your personal information (gleaned from data breaches, social media, or other scams) and use it to build trust and create highly believable scenarios. They might claim:
    • “Suspicious activity detected on your account – we need to verify your details.”
    • “There’s an urgent security issue, and you need to transfer funds to a ‘safe’ account.” (A common tactic for “Pig Butchering” scams and other investment fraud.)
    • “We’ve detected an unauthorized login; please provide your one-time passcode (OTP).”
    • “Your account has been locked, and we need your password to unlock it.”
    • They might even impersonate your bank’s fraud department after a text alert, creating a seamless, deceptive chain.
  • The “Internal Fraud” Ploy: A particularly insidious tactic involves a scammer calling you (the customer) claiming to be from your bank’s fraud department. They might say they’ve identified an “insider threat” or “employee fraud” and need your help to “catch the culprit” by moving your money to a “secure” account or providing authentication codes. This is designed to sow distrust and bypass your usual caution.

Protecting Yourself from Imposter Calls (Your 2025 Safeguards):

Your best defense against these evolving voice-based threats is informed skepticism and adherence to strict verification protocols.

  1. “Hang Up and Call Back” is Non-Negotiable: If you receive an unexpected call claiming to be from your bank, the IRS, a tech support company, or any other entity asking for sensitive information or urging immediate action, hang up immediately. Then, independently call your bank (or the organization) back using a verified phone number. This number should be:
    • From the back of your debit/credit card.
    • From your official bank statement.
    • Directly from our official website (e.g., www.californiabankofcommerce.com), at an address that you’ve typed in yourself.
    • Never use a number provided by the suspicious caller.
  2. Verify, Verify, Verify (Out-of-Band is Key):
    • Confirm identity: If someone calls claiming to be from your bank’s fraud department, and it sounds urgent, state that you will call them back using the official number on your card. A legitimate representative will understand and encourage this step.
    • Ask for specific information only you would know (if you initiated the call): If you call us, we may ask you security questions to verify your identity. If someone calls you, they should be able to prove who they are without you giving them information.
  3. Your Bank Will NEVER Ask For This:
    • Your full password or PIN: We will never ask for your full password, PIN, or multi-factor authentication (MFA) codes over the phone, via email, or text. MFA codes are for your use to log in, not for us to verify you.
    • To transfer funds to a “safe” or “secure” account: This is a classic scam tactic. Your money is safest in your federally insured bank account.
    • Remote access to your computer for security issues (unless you initiated a tech support request): Be extremely wary of anyone asking you to download software like TeamViewer or AnyDesk.
    • Gift cards, cryptocurrency, or wire transfers as payment for “fees” or “debts”: These are nearly always signs of fraud.
  4. Strengthen Your Authentication with Phishing-Resistant MFA:
    • Enable Multi-Factor Authentication (MFA) on all your banking and email accounts.
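    • Prioritize more secure MFA methods like authenticator apps (e.g., Google Authenticator, Microsoft Authenticator) or physical security keys (e.g., YubiKeys) over SMS text messages, as SMS can be vulnerable to SIM swapping. Of these, only physical security keys are truly phishing-resistant: a code from an authenticator app can still be read out to an imposter, so never share it.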
  5. Be Skeptical of AI-Generated Content: Be aware that AI can generate highly convincing fake voices, images, and videos (deepfakes). If a voice on the phone sounds too perfect, or an unexpected call from a familiar voice makes an unusual request, err on the side of caution and verify through an alternative, trusted channel. If a video call seems suspicious, ask questions only the real person would know (e.g., a shared memory).

If You Suspect Imposter Fraud:

  • Hang up immediately.
  • Contact your bank directly using the official phone number on your card or website.
  • Report the incident to the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/. Your reports are vital in helping law enforcement track and combat these evolving scams.
  • Report to the Federal Trade Commission (FTC) at https://reportfraud.ftc.gov/.

By understanding these advanced imposter tactics and consistently applying these robust safeguards, you empower yourself to protect your identity and financial security in the dynamic digital environment of 2025.

By implementing these precautions and remaining alert, you can significantly reduce your risk of falling victim to check fraud. Report any suspected check fraud to your bank and the authorities immediately.

Remember: Even with the rise of digital transactions, check fraud remains a threat. Stay informed and protect your finances!

  • You can find more information on check fraud prevention on the Federal Trade Commission (FTC) website: https://www.ftc.gov/


Identity Theft:
 
https://www.usa.gov/identity-theft
https://www.identitytheft.gov/
Steps to recover from Identity Theft

Credit Bureau Contacts

Contact the national credit bureaus to request fraud alerts, credit freezes (also known as security freezes), and opt outs from pre-screened credit offers.