February 26, 2024

Protecting your Business from Fraud with Positive Pay


Even though evolving payment options means that fewer checks are being written, check fraud remains a threat to businesses. Positive Pay is one of the best fraud detection tools and River City Bank offers two options: Check Positive Pay and ACH Positive Pay.

ACH Positive Pay. ACH Positive Pay is a security feature that prevents unauthorized electronic debits from posting to your accounts. Whenever there are debits from new or unrecognized sources, they are highlighted as exceptions for your review. You can either add these new companies to your list of authorized debtors or return the transactions within the Commercial Cash Management platform.

Check Positive Pay. Check Positive Pay matches the check number and dollar amount of each check presented for payment against an approved list of authorized checks issued by your company. Both components of the check must match exactly to be paid. If there isn't a match, the check is flagged as an exception and a list will be emailed for authorization before payment will be made. A payee match is automatically added to enhance your check-positive pay review process.

At River City Bank, your account security is our priority. If you would like to learn more about Positive Pay, please contact our Cash Management Team at (916) 567-2660 or email at [email protected]

September 14, 2023

Bank CEO: Why Cyberattacks Keep Me Awake at Night

Conceptual photo collage of cyber security

By Steve Fleming, President and CEO, River City Bank

Conceptual photo collage of cyber security

Cybersecurity keeps me awake at night, and it should worry you as well. As the CEO of River City Bank, I know it’s not a question of whether we will be targeted by hackers. Cybercriminals are attacking all our businesses daily—at an increasing rate. As the bad guys get more sophisticated, businesses—both large and small—are vulnerable. Cybercriminals view large business as a big pot of gold for them to steal, and small or medium-size business as an easy target. McKinsey & Co. estimates that cyberattacks will cause $10.5 trillion a year in damages by 2025, a whopping 300% increase from 2015.

No one is immune to the risk. The news earlier this year that San Bernardino County paid a $1.1 million ransom to hackers who installed malware on the sheriff’s office computer systems is a wake-up call to everyone. The county had cyber insurance, which covered half the bill. It’s likely that many local businesses haven’t purchased such insurance, even though experts say it’s a best practice to guard against losses.

Closer to home, the news of the Oakland ransomware attack keeps getting worse, with non-public personal  information from current and former employees now surfacing on the dark web. Ransomware, a major threat for businesses of all sizes, now accounts for 24% of data breaches, according to the Verizon 2023 Data Breach Investigations Report. In a ransomware attack, the criminals pierce security systems and install code or software that can shut down your business or hold it hostage until you pay up. To make matters worse, stolen information can be sold on the dark web—even after ransom is paid.

All it takes to find yourself in a big mess is someone at your company clicking on the wrong link or attachment in an email. Last year, sophisticated scammers lured five Sacramento County employees into handing over their official log-in information, a breach that exposed more than 2,000 sensitive health records. This was just one incident of phishing attacks last year as the tactic reached record levels, with more than 4.7 million attacks being recorded.

The Responsibility Is in Our Hands

At the end of the day, the buck starts and stops with the CEO. We’re the final risk manager, and regardless of whether we run a bank, construction company, law firm, farm, nonprofit charitable organization, or public agency, this is one of the biggest risks we face. Ignoring cyber risk is a critical error that will likely result in a painful and expensive outcome.

Let’s face it: We do our best to manage and control our businesses, but cybercriminals know they can penetrate our information security defenses through our vendors (particularly those in the software supply chain), our customers, and our employees when they let down their guard.

We need to think about what’s at stake. A cyberattack can cost us time, focus, and money, but it also can lead to lost customers, a damaged reputation, and even regulatory scrutiny. In its 2023 report, IBM estimated the average cost of a data breach at $4.45 million. In the U.S., it’s twice that. And the average time to identify and contain the breach was 277 days. Who has that time to spare?

No wonder this issue keeps me up at night—it represents a risk for the business that I run, but also a risk for all our clients.

At River City Bank we instill a business culture that teaches our staff to be hypervigilant about cybersecurity, while recognizing that mistakes can, and will, happen. In fact, the Verizon report found that 19% of data breaches were due to “internal actors,” meaning our own people or contractors, either intentionally or through error.

If your business does not conduct regular cyber training for your staff, you’re putting your company in danger. Educated workers are less likely to click on a suspicious link or use a password that is easy to hack, and, thus, mistakenly put your life’s work in someone else’s hands.

Every business, no matter the size, needs to understand cybersecurity best practices and use them to minimize losses if an attack happens. Have a business continuity plan in place, and make sure your critical data is backed up and encrypted. Build defensible space throughout your IT network to limit the damage from malware that has taken advantage of a vulnerability in your network. These suggestions, as well as other ways to safeguard your company, are why we developed this cybersecurity overview for our customers.

Last, when all else fails, don’t forget about the benefits of cyber-risk insurance coverage. The cost of this insurance is rising due to the success of the cybercriminals. But ask yourself if you can afford a massive loss from a cyberattack.

Since September ’08, Steve Fleming has been President & Chief Executive Officer of River City Bank, the largest and most profitable bank based in Sacramento. With over 40 years of banking experience, immediately before joining River City Bank, he was the Founder and CEO of Presidio Bank in San Francisco. Steve also worked for over 20 years at Bank of America in a variety of progressively more senior roles, including as Head of Credit Administration for its Europe, Middle East, and Africa division.

September 6, 2023

Avoiding a Cyber-Attack


Cyber-attacks are a growing and significant concern for small and medium-sized businesses (SMBs). Despite the common misconception that hackers only target behemoths, SMBs make increasingly attractive prey. In fact, certain types of attacks, like phishing, are much more commonly aimed at SMBs. It is critical to both (1) institute best practices to minimize the chance of experiencing a cyber-incident, and (2) take measures now to minimize the potential damage in the event a cyber-incident does occur.

“Fifty percent of SMBs have been the victims of a cyber-attack and over 60% of those attacked go out of business.”

Dr. Jane LeClair
Chief Operating OfficerNational Cybersecuity Institute

Avoiding a Cyber-Attack

Cyber-attacks are a permanent and persistent threat to your organization, and there is no way to entirely remove that risk. However, by implementing cybersecurity controls, you can minimize the probability of a successful cyber-attack.

  • Keep your software, applications, web browsers, and operating systems up-to-date. Set updates to occur automatically. Do not use software that is no longer supported by the vendor.
  • Know where your important data is located. Secure your physical and electronic files. Ensure important files and systems are encrypted and regularly backed up. Perform periodic back up data recovery tests.
  • Require strong passwords, or passphrases which are longer and more complex than passwords, on all your applications and devices. Use a password manager to securely store all passwords.
  • Have formal policies and procedures for safeguarding data and systems.
  • Use Multi-Factor Authentication (MFA) wherever possible. MFA reduces risks associated with compromised passwords.
  • Enforce strong security standards before employees or vendors connect to your network.
  • Create a culture of security. Conduct employee information security awareness training consistently. Training should include common attacks and tactics used by cyber-criminals (such as social engineering, phishing, etc.). Refer to the FTC factsheets on Phishing, Ransomware, Business Email Imposters, and Tech Support Scams for additional information on training topics.
  • Know your vendors. Your vendors are ultimately your responsibility, and software supply chain risk is often an overlooked area of cyber risk. Review your software vendor contracts to understand what the vendor will be responsible for in the event that your business is affected by a cyber- incident, such as a supply chain attack. This also includes confirming your vendor’s own processes for overseeing subcontractors and managing risks. In addition, periodically conduct risk assessments for third-party relationships.

37% of companies hit by ransomware had fewer than 100 employees.

Employees of small businesses experience 350% more social engineering attacks than those at larger enterprises.

In 2020 alone, there were over 700,000 attacks against small businesses, totaling $2.8 billion in damages.

80% of all hacking incidents involve compromised credentials or passwords.

95% of cybersecurity incidents at SMBs cost between $826 and $653,587.

Limit the Damage of a Cyber-Attack

It is not a matter of if you will experience a cyber-incident, but when. Even with best practices to minimize the probability of a cyber-incident occurring, the risks are increasing and are difficult to avoid. It is important to take steps now to prepare and minimize the potential impact of a cyber-incident.

  • Defensible Space. Implement layered defenses to increase prevention, detection, and response capabilities. Consider building a “Zero Trust” security framework that requires all users to be authenticated and authorized before access to any applications/data is granted.
  • Cyber Insurance. Cyber insurance is one option that can minimize incurred costs in the event of a cyber incident. Review your cyber insurance to understand the policy coverage. Refer to the FTC Cyber Insurance factsheet for additional information cyber insurance.
  • Business Continuity Plan/Disaster Recovery (BCP/DR). Have a plan, and test it. Having a BCP/DR process in place prior to a cyber incident is crucial for a successful and expeditious recovery. Consider having incident response services (e.g. law firm, forensic specialist, ransomware negotiator, etc.) on retainer in the event of a cyber incident. Refer to the FCC Cybersecurity Planner and FTC Data breach Response Documents for additional information on BCP/DR preparation.

The FTC offers factsheets which provide additional information on the topics reviewed.

  • FTC Vendor Security factsheet has additional information on vendor security.
  • FTC Cybersecurity Basics factsheet and the FCC Cybersecurity Planner offers additional information on cybersecurity controls.
  • FCC Cybersecurity Planner and FTC Data Breach Response documents provide information for Business Continuity and Disaster Recovery preparation.
  • FTC Cyber Insurance factsheet has more details on cyber insurance.

Links to these factsheets can be found below:

June 29, 2023

How to Protect Yourself from Automated Clearing House (ACH) Fraud

Conceptual illustration of automated clearing house fraud
Conceptual illustration of automated clearing house fraud

ACH fraud occurs when unauthorized transactions are electronically posted to your account. It is on an exponential rise and starts with just two things: Your business checking account number and a routing number. These two pieces of information are all cybercriminals need to attempt a fraudulent ACH transaction.

According to the Association for Financial Professionals’ (AFP) latest Payments Fraud and Control Survey Report, fraud perpetrators are targeting ACH payment methods more frequently than check and wire transfers. As ACH transactions are typically considered safer and more difficult to compromise, the increased focus on ACH transactions suggests that fraudsters are acquiring more sophisticated techniques when targeting organizations.

Fortunately, there are steps you can take to guard against ACH fraud:

  1. Monitoring your bank account regularly for unauthorized transactions is one of the best ways to notice potential ACH fraud. Set up account alerts to immediately notify you of any suspicious activity. If you see a fraudulent transaction, report it to your Bank immediately.
  2. Use ACH Positive Pay. For businesses, this is a service allowing users to review unexpected incoming debits before they’re cleared to post in the bank account.
  3. Use a secure payment gateway. A secure payment gateway is one of the best ways to prevent ACH fraud. It will encrypt your account information and protect it from unauthorized access.
  4. Install anti-virus and malware software and keep it up to date. Staying safe online is an ongoing effort, and one of the simplest yet most effective ways to do so is to remain vigilant and keep your devices updated with the latest software. These software updates frequently come with software patches that fix security gaps and prevent a potential hacking effort across multiple logged-in devices. These patches keep one’s device secure and protect it from software holes that give hackers easy access to multiple devices and the data stored within them.
  5. Be smart when creating passwords. Using secure passwords and PINs to secure your devices is one of the most essential steps taken while using multiple devices. It goes without saying that one must always use different passwords for different devices. Use strong passwords that can’t easily be guessed or decoded using brute force. Only store credentials in official password managers to keep everything secure.
  6. Make sure websites are secure. A secure URL should begin with “https” rather than “http.” The “s” in “https” stands for secure, which indicates that the site is using a Secure Sockets Layer (SSL) Certificate. This lets you know that all your communication and data are encrypted as it passes from your browser to the website’s server; however, this doesn’t mean that you are connecting to the correct website. Double check the URL to ensure you are going to the correct and intended website.
  7. Keep your firewall turned on. A firewall helps protect your computer from hackers who might try to access your system to steal your information. Always keep your firewall turned on and up-to-date.
  8. Stay Educated. Stay Protected. Being vigilant is crucial to being more digitally secure. The best way to do this is to stay updated with the latest developments and be aware of the tactics implemented by those looking to compromise multiple systems. This can also help one spot potential risks and mitigate them before the need arises.
  9. Verify payment requests. If you receive a payment request, make sure to verify the request before sending any money. Verify the requestor’s identity and ensure you understand the payment’s purpose. If you have any doubts, contact the requestor using a known and verified contact.
  10. Don’t click on links and open attachments in suspicious emails. If you receive an email from a sender you don’t know, or if the email looks suspicious, don’t click on any links or open any attachments. They can be malicious and lead you to a website that will steal your information or compromise your device
  11. Refrain from trusting a sense of urgency. Scammers often try to create a sense of urgency to get you to act quickly. Don’t let yourself be pressured into making a decision; take the time to verify any payment requests.

When it comes to preventing ACH fraud, it takes a village. We can only win this battle by implementing various layers of internal controls throughout the funds transfer process. If you believe you or your business is a victim of ACH fraud, contact us immediately to halt additional fraudulent transactions. Also, consider reporting the incident to law enforcement, which helps your business and others avoid similar fraud attempts.

Should you have any questions regarding your personal or financial information at the Bank, please do not hesitate to contact a Customer Service Representative at (916) 567-2899 or (800) 564-7144 or by email at [email protected].

November 28, 2022

Protect Yourself from Wire Fraud

" "

Wire Fraud is on the rise, but it is preventable. Whether you’re managing business or personal accounts,  verification is key to making sure the right person is receiving your money.

Before you initiate a transaction, ask yourself these questions:

  • Is this an entity or person you normally make payments to via wire?
  • Are the payment instructions different than in the past?
  • Have you spoken directly with your payee regarding the change/request? It’s the best way to ensure the change/payment request is valid.

Creating and following a wire verification process is essential to protecting yourself and your business. Do not take shortcuts and fall victim to fraudsters. You can outsmart them by carefully reviewing wire requests and following the process.

Customers cumulatively lost almost $200,000 this month alone by not following a wire fraud verification process. In all cases, the customers did not call back the beneficiary with the phone number on file to verify the wire transaction.


We’re all in this together to prevent electronic transaction fraud. We can only win this battle by implementing various layers of internal controls throughout the funds transfer process. If you believe you or your business is a victim of wire or ACH fraud, contact us immediately to halt additional fraudulent transactions. Also, consider reporting the incident to law enforcement, which helps your business and others avoid similar fraud attempts.

Should you have any questions regarding your personal or financial information at the Bank, please do not hesitate to contact a Customer Service Representative at (916) 567-2899 or (800) 564-7144 or by email at [email protected].

March 31, 2022

LinkedIn phishing scams increase 232% since February


Phishing attacks impersonating emails from LinkedIn have grown 232% since the start of February. The increase is likely related to more people looking for jobs, switching companies, or recruiting for open positions, thus making people more likely to click on emails from LinkedIn.

We have all received emails from LinkedIn saying things such as “You appeared in 4 searches this week,” “You have 1 new message,” and “Your profile matches this job.” Cybercriminals use email addresses with a LinkedIn display name to send fake emails with the same subject lines. In addition, the emails are branded with the LinkedIn logo, brand colors, and icons. To make the phishing attack more convincing, criminals use other well-known organizations’ names, including American Express and CVS.

The branded email templates lure victims to click on phishing links and enter their credentials into fraudulent websites. The hope is the credentials can be used for other websites that contain sensitive information.

What can you do to protect yourself?

  • Go directly to the LinkedIn website – To check messages and get updates, type in the full LinkedIn URL in your internet browser.
  • Slow down and review links – Hover over links to verify they direct you to the correct website.
  • Turn on two-step verification – Review your LinkedIn profile Settings & Privacy page. Turn on the two-step login verification system.
  • Report suspicious messages – LinkedIn encourages members to report suspicious messages to their help center.  This helps their team identify scams and better secure the platform.

For more information on cyber security and protecting your personal and financial information, visit our Safety and Security page.

December 20, 2021

New TSA PreCheck Scam Seeks to Collect Your Personal and Credit Card Details

By Stu Sjouweman, Founder and CEO | KnowBe4.


Doing one of the best jobs impersonating a website ever seen, this new scam attempts to take those renewing or initially signing up through a believable process that most would fall for.

Most of the time, impersonation scams take you to a “website” that’s more than a single web page designed to look like the logon page of the impersonated brand. But a new scam centered around registering for or renewing with TSA PreCheck takes the impersonation website to an entirely new level.

According to security researchers at Abnormal Security, this new scam starts out as wonky as most phishing scams with an email that doesn’t quite feel like it’s really from the TSA:


But where it gets interesting is when potential victims click the link and are taken to a pretty believable TSA registration site:


According to Abnormal Security, the scammer went through the trouble of not just collecting the salient personal details they can misuse later, but went as far as to ask nearly all the same questions found in the actual application. And unlike most scams, they are attempting to take your credit card where payment is solicited for up front. This scam takes “payment” when it normally would – at the end of the process.

This scam is one of the reasons KnowBe4 exists – to educate users through effective Security Awareness Training so they won’t be fooled by these kinds of scams. The sender email address and email copy are dead giveaways – something well-trained users will spot a mile away, avoiding the scam all together.

To view more security articles, visit KnowBe4’s Security Awareness Training blog at https://blog.knowbe4.com/.

September 29, 2021

Security Alert – Phishing URLs

Phishing URL

Unfortunately, phishing scams are not going away.  The use of business email compromise, smishing or text scams, and ransomware scams are still prevalent. However, the use of Phishing URLs has seen a sharp increase over the past year. Reported cases in April 2021 nearly tripled that of April 2020; 28,000 cases to over 63,000 cases.

Phishing URLs affect both businesses and consumers. This type of scam can generally be attributed to the increase in remote workers and the heavy use of convenient online services such as banking, shopping, and bill pay.

What is a Phishing URL?

A Phishing URL is a website domain or URL that appears to be the official website but has a slight variation. At a glance, the website address seems to be legitimate; however, it takes you to a different website. The scam website can mirror the legitimate website’s homepage, making this type of scam tricky for consumers and highly effective for criminals.

Examples of Phishing URLs:

  • Legitimate website URL: www.rivercitybank.com
  • Phishing URLs: www.river-citybank.com; www.rivercitybanking.com; www.river-city-bank.com
  • Legitimate URL: www.irs.gov
  • Phishing URLs: www.irs.org; www.irs.com; www.internalrevservice.gov


How Can You Avoid Phishing URLs?

  • Confirm the URL: Double and triple-check the website address before entering any credentials or clicking on links within the website.
  • Bookmark Frequently Used Sites: Use the bookmark or favorite’s functions to save frequently visited sites instead of conducting a web search each time. The bookmark will save the legitimate site, thus mitigating the risk of clicking on a Phishing URL.

For more information on cybersecurity, visit the River City Bank Safety and Security page.

December 23, 2020

Holiday Season Phone and Email Scams

Mobile phone with Amazon logo on the screen

The busy holiday season is here, and while this season may look different due to the pandemic, online shopping is at an all-time high. The increase in online shopping means cyber criminals are busier than ever.

There is a popular scam making its way across the country right now where scammers, purportedly from Amazon or Apple, call or email people conning them out of money or their banking credentials. Below are common variations of this scam and ways you can avoid being a victim.

A phone , green, decorative

Phone Scam Variations

Email green, Decorative

Email Scam

October 23, 2019

Protecting Yourself from Phishing

Person in front of a laptop holding a mobile phone
Person in front of a laptop holding a mobile phone

As the gift-giving season approaches and shoppers start to plan out their online shopping strategies, cybercriminals begin ramping up their activity. Some of us have learned, the hard way, that the holidays have a way of bringing out individuals who happily profit by preying on others. Thieves are generally after two things: money and things they can turn into money, including gaining access to your private information.

Phishing is a scam that uses email to deceive you into disclosing personal information. Cybercriminals send thousands of emails, hoping to trick individuals into falling for their scams. For example, an email may appear to come from River City Bank, but it does not. It may sound urgent and warn you to update or verify your bank information by clicking on the link contained in the email. These emails are fake and do not come from River City Bank. No bank, including River City Bank, will ever ask you to provide confidential banking information through an email or link.

Phishing Examples and What You Should Do:

The criminal sends an email purportedly from a member of your business or one of your suppliers and requests you to wire funds. Before you react, pick up the phone and obtain verbal verification from your contact using the phone number you have on file, not one that may have been provided by the criminal.

If you get an email that warns you that an account of yours will be shut down unless you reconfirm personal information, or that the bank is “missing” information about your account, do not reply or click on the link in the email. To confirm if a River City Bank email solicitation is legitimate, please call our Customer Service Center at (916) 567-2899.

For additional security tips, how to limit unwanted calls and emails, and recent scam alerts, visit the Federal Trade Commission’s website dedicated to consumer protection at www.consumer.ftc.gov.

Again, keep in mind that River City Bank will never ask for your personal information by email or text. Your personal and financial security is our top priority. Should you have any questions or concerns regarding your account information or communication you have received from River City Bank, please do not hesitate to reach out to a customer service representative at (916) 567-2899 or (800) 564-7144.