Bank impersonation scams — what they are and how to protect your business

A phone call, text or email that looks like it’s coming from your bank can trigger an understandable sense of urgency, especially when the message claims there’s suspicious activity on your account. Fraudsters rely on that urgency to get business owners and employees to share credentials, click on links or send money quickly.

Why businesses are targeted

Businesses often have higher daily transaction limits, multiple users with account access and time-sensitive payments (payroll, vendor invoices and taxes). That combination gives scammers more ways to succeed—and a single mistake can lead to a fast, high-dollar loss.

How these scams work

1. They spoof trust signals. Caller ID may display your bank’s name, the email may use familiar branding or a text may appear in an existing message thread.
2. They create urgency. You’re told there’s fraud, an account hold or a wire that must be stopped “right now.”
3. They ask for something your bank wouldn’t. This might be online banking credentials, a one-time passcode, remote access to a device or approval of a “test” transaction.
4. They redirect funds. Common outcomes include sending a wire or ACH to a “safe account,” adding a new payee, changing contact details or taking over the account and moving money.

Common red flags

• You’re asked to share a password, PIN or security code (including one-time passcodes).
• You’re instructed to click a link to “verify” information or “unlock” your account.
• You’re pressured to move money to a new account to “protect it.”
• The caller asks you to keep the matter confidential or bypass normal approvals.
• The message contains minor inconsistencies (odd wording, unusual sender address, unfamiliar callback number or unexpected attachment).
• You’re asked to install software, share your screen or grant remote access.

Practical safeguards to protect your business

• Use a “hang up and call back” rule. If you receive an unexpected fraud alert, end the call/text/email and contact your bank using a trusted number (e.g., the number on your statement, debit card or your bank’s official website).
• Never share credentials or security codes. Columbia Bank will not ask for your username/password or one-time passcodes if they call you.
• Use dual approval and out-of-band verification. Confirm new payment instructions for accounts payable events via a second channel (for example, call a known contact using a number from your records, not the email signature).
• Limit entitlements. Give employees the minimum access needed (view-only vs. initiate or approve). Review access regularly.
• Set alerts and limits. Enable alerts for new payees, password changes, logins from new devices and outgoing wires or ACH transactions. Align transaction limits to business needs.
• Train staff with real examples. Include administrative and anyone who can receive calls or texts about account issues. A two-minute pause to verify the request can prevent a major loss.

What to do if you receive a suspicious message or responded to one

1. Stop the interaction. Hang up. Don’t click links.
2. Contact your bank immediately using a trusted number.
3. Change credentials from a clean device. Update passwords and confirm that contact details like phone number and email addresses were not changed.
4. Review pending and recent transactions. Wires and ACH transactions may be recoverable only within a short window.
5. Document what happened. Save emails, screenshots, phone numbers and timestamps. This helps your bank and any investigation.
6. Notify internal stakeholders. Alert accounting and payables teams so no one unknowingly follows up with the scammer.

If you receive a suspicious call, text or email or believe you may have been a victim of fraud, contact us immediately at 866-563-1010.