Trust center: Comerica security and supply-chain notes
Phishing patterns that target bank customers, secure-messaging best practices, the regulatory oversight framework from the FDIC and OCC, and practical fraud-reporting paths — compiled for everyday customers of the regional commercial bank.
Snapshot Brief
Comerica is FDIC-insured and regulated by the OCC. Neither the bank nor any legitimate government agency will ask for your full password, PIN, or one-time passcode over the phone or by email. If something feels wrong, call the number on the back of your card before acting on any message.
Phishing patterns that target bank customers
Phishing attacks on bank customers have shifted from mass-broadcast email blasts toward targeted, context-aware messages that mimic real transaction alerts, password-reset flows, and fraud-warning notifications.
The most common pattern observed across regional commercial-bank customers is the fake fraud alert. The message arrives by text or email, mimics the format of a real transaction notification, and claims that unusual activity has been detected on the account. It provides a link or phone number and asks the customer to confirm or dispute the transaction immediately. The urgency framing — "respond within 24 hours or your account will be locked" — is the tell. Legitimate bank fraud alerts ask you to reply Y or N, or to call the number on the back of your card. They do not direct you to a fresh URL.
A second pattern is the credential-harvest page. The customer follows a link from a phishing message and arrives at a page that looks visually identical to the bank's sign-in screen. The URL is the giveaway: legitimate sign-in pages for the official Comerica site use a domain the bank controls. Any domain that adds words before or after the brand name — "comerica-secure-login.com" or "verify-comerica-account.net" — is not the bank. Modern browser address bars and password managers both flag domain mismatches, so keeping your browser updated and using a password manager that auto-fills only on exact domain matches provides meaningful protection.
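To make the "exact domain match" point concrete, here is an added example (not Comerica's code) that compares the naive by-eye check, "does the brand name appear in the address?", with the check a password manager performs, an exact match on the registrable domain. The allowlist `TRUSTED_DOMAINS` and the sample URLs are constructed for illustration; the registrable-domain logic is simplified to two labels, which is enough for `.com`/`.net` but not for every suffix.

```python
"""Exact-domain check for bank sign-in URLs (added example, not Comerica code)."""
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist for illustration only; a real list holds the domains the
# bank actually operates, confirmed from the card or the official site.
TRUSTED_DOMAINS = frozenset({"comerica.com"})


def _hostname(url: str) -> str:
    """Extract the host part of a URL, lower-cased, with userinfo dropped."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(url: str) -> Optional[str]:
    """Return the last two labels of the host (e.g. 'comerica.com').

    Simplified: assumes a one-label public suffix. A production check would
    consult the Public Suffix List so that 'bank.co.uk' is handled correctly.
    """
    labels = _hostname(url).split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


def brand_substring_check(url: str, brand: str = "comerica") -> bool:
    """The naive check: the brand name appears somewhere in the host."""
    return brand in _hostname(url)


def is_trusted_signin(url: str) -> bool:
    """Exact registrable-domain match, the way a password manager decides to fill."""
    return registrable_domain(url) in TRUSTED_DOMAINS


if __name__ == "__main__":
    # Constructed samples: the first is genuine-looking, the rest are lookalike
    # shapes (prefix/suffix words, subdomain trick, userinfo trick).
    for u in ("https://www.comerica.com/login",
              "https://comerica-secure-login.com/signin",
              "https://verify-comerica-account.net/",
              "https://comerica.com.attacker.example/login",
              "https://comerica.com@evil.example/login"):
        print(f"{u}\n  brand-in-host={brand_substring_check(u)}  "
              f"exact-domain={is_trusted_signin(u)}")
```

Every lookalike passes the substring check and fails the exact-domain check, which is why the password manager's refusal to auto-fill is a stronger signal than the page looking right.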
Business customers face a third category: business email compromise, or BEC. In this pattern, an attacker sends an email that appears to come from a known vendor, executive, or bank contact, requesting a wire transfer or account-number change. Because these messages often arrive in the context of a real business relationship, they are harder to spot. The standard defence is a verbal confirmation step: any wire-transfer instruction or account-change request received by email should be verified by calling the requester at a known phone number before execution. The Comerica Business Connect platform supports user-permission controls that can limit who in an organisation can initiate wire transfers, which is worth configuring even for small businesses.
Secure messaging best practices
The most secure channel for communicating sensitive account information with any bank is the in-app secure-message feature, which encrypts the conversation end-to-end within the authenticated banking session.
Secure messaging through an authenticated banking app differs from email in one critical way: the message thread exists inside a session that required your credentials and, typically, a second factor to open. Email, by contrast, traverses servers outside the bank's control and can be intercepted, spoofed, or forwarded. For any communication that involves account numbers, Social Security numbers, balances, or dispute details, the in-app secure-message channel is preferable to email.
For customers who prefer phone contact, a few practices reduce risk. Call the number printed on the back of your physical debit or credit card, not a number found in an email or text message. If a call feels coercive — the agent is pushing urgency, asking you not to hang up, or requesting your full online banking password — end the call and dial back on the verified number. Banks train their legitimate staff to expect this. An agent who objects to a customer hanging up and calling back is a red flag.
Two-factor authentication deserves a brief note. Most bank SMS-based one-time passcodes are vulnerable to SIM-swap attacks, in which an attacker convinces your mobile carrier to transfer your phone number to a device they control. Customers who manage large balances or business accounts should ask the bank about app-based authenticator options, which are not vulnerable to SIM swap in the same way. This is worth a direct conversation with a branch representative or the bank's customer-service line.
FDIC and OCC oversight context
Comerica Bank is a federally chartered national bank regulated by the OCC for safety and soundness, and a member of the FDIC, which means deposits are insured up to $250,000 per depositor per ownership category.
The FDIC's deposit-insurance coverage is one of the most misunderstood protections in consumer banking. The $250,000 limit applies per depositor per ownership category per insured institution. A household with a joint account and individual accounts can have substantially more than $250,000 fully insured at a single bank if the accounts are structured correctly across ownership categories. The FDIC's Electronic Deposit Insurance Estimator (EDIE) tool on the FDIC website calculates coverage for specific account configurations at no charge.
The OCC's supervisory role is different in nature. The OCC examines the bank for safety and soundness — whether the bank's capital ratios, loan-loss reserves, and operational risk controls meet regulatory standards — and for compliance with consumer-protection laws including fair lending and the Community Reinvestment Act. OCC examinations are not published in real time, but the OCC maintains a public enforcement-action database and a bank-search tool that allows any consumer to confirm whether a bank is nationally chartered. The OCC's BankSearch tool at occ.gov provides this confirmation at no charge.
Neither the FDIC nor the OCC operates a customer hotline for resolving individual account disputes. Those disputes should go first to the bank's internal dispute-resolution process, then — if unresolved — to the CFPB's complaint portal, which routes complaints to the bank and tracks resolution. The OCC does accept formal complaints against national banks at its Customer Assistance Group, which is separate from general consumer-finance questions.
Fraud reporting paths
The most effective fraud-reporting sequence starts with the bank's internal fraud team, then escalates to the CFPB or FTC if the internal process does not resolve the issue.
For suspected account fraud — unauthorised transactions, credential compromise, or identity theft linked to a bank account — the first call is always to the bank's fraud team, reachable at the number on the back of your card. For debit-card and electronic-transfer disputes, Regulation E requires the bank to provisionally credit disputed amounts while the investigation proceeds, subject to timing rules that depend on how quickly you report. Credit-card disputes follow a different framework under the Fair Credit Billing Act, but the first step is the same: call the fraud number and initiate a formal dispute.
If the bank's internal process does not resolve the issue to your satisfaction, the CFPB complaint portal at consumerfinance.gov accepts complaints about deposit accounts, credit cards, and electronic money transfers, and routes them to the bank with a response deadline. The FTC's ReportFraud.ftc.gov accepts identity-theft and phishing reports and populates the national database that law-enforcement agencies use for fraud pattern analysis. Filing both is not redundant — they serve different purposes and different audiences.
| Risk category | Comerica context | What to do |
|---|---|---|
| Phishing email or text | Spoofed messages mimic the bank's transaction-alert and fraud-warning formats; links lead to credential-harvest pages | Do not click links; forward to the bank's fraud address; report to FTC at ReportFraud.ftc.gov |
| Credential compromise | Attacker has obtained username and password, possibly through a data breach or phishing harvest | Change password immediately via the verified sign-in flow; call bank fraud line; enable or upgrade two-factor authentication |
| Unauthorised account transactions | Regulation E covers unauthorised electronic fund transfers from deposit accounts; timing rules apply | Report to bank within 2 business days for maximum Reg E protection; file CFPB complaint if bank does not resolve |
| Business email compromise | Wire-transfer or account-change requests arrive by email appearing to be from known contacts | Verify by phone on a known number before executing any transfer; use Business Connect permission controls to limit wire-initiating users |
| Identity theft | Attacker uses stolen personal data to open accounts, apply for credit, or change account details | Place a credit freeze at all three bureaus; report to FTC at IdentityTheft.gov; notify bank fraud team; file police report if required for insurance |
Frequently asked questions
Five questions customers ask most often about security, fraud, and the regulatory oversight of the regional commercial bank.
- How do I report a phishing email that appears to be from Comerica?
- Forward the suspicious message to the fraud reporting address documented on the official Comerica site, then delete it without clicking any links or attachments. Do not call phone numbers provided in the message. Report to the FTC's ReportFraud.ftc.gov as well, which routes reports to law enforcement. If you clicked a link before realising it was suspicious, change your online banking password immediately through the verified sign-in flow and call the bank's fraud line.
- Is Comerica FDIC insured and what does that cover?
- Yes. Comerica Bank is a member of the FDIC, and deposits are protected up to $250,000 per depositor per ownership category at the institution. FDIC coverage applies to checking accounts, savings accounts, money market deposit accounts, and certificates of deposit. It does not cover investment products, annuities, stocks, bonds, or mutual funds, even if those products were purchased through the bank. The FDIC's EDIE estimator can calculate your specific coverage across account types.
- What is the OCC's role in overseeing Comerica?
- The Office of the Comptroller of the Currency supervises Comerica as a nationally chartered bank. OCC examiners review safety and soundness, fair-lending compliance, and Community Reinvestment Act performance on a regular examination schedule. Consumers who have unresolved complaints against the bank after exhausting the bank's internal process can contact the OCC's Customer Assistance Group. The OCC is distinct from the FDIC: the OCC regulates the bank's operations while the FDIC insures its deposits.
- What should I do if I think my account has been compromised?
- Call the fraud line using the number on the back of your card — not a number from any recent email or text message — and report the suspected compromise. Change your online banking password immediately. If the compromise appears to involve identity theft beyond the bank account, place a credit freeze at Equifax, Experian, and TransUnion, then file a report at the FTC's IdentityTheft.gov. Under Regulation E, the bank is required to investigate and provisionally credit disputed electronic fund transfers while the investigation proceeds.
- Does Comerica ever contact customers to ask for passwords or PINs?
- No. Legitimate communications from the bank will never ask for your full online banking password, debit-card PIN, or a one-time passcode that was just sent to your phone. A caller who claims to be from the bank and asks for this information is not from the bank. End the call, wait a few minutes to ensure the line is clear, and dial back on the number printed on your card. Reporting the fake call to the CFPB and the FTC helps pattern-track these attacks nationally.