By Jaime Macumber
Fraudsters are becoming increasingly sophisticated, evolving their tactics faster than most organizations can keep up. New Federal Trade Commission data reveals a 25 percent increase in financial losses due to fraud over the previous year, primarily because of the rising success of more elaborate imposter scams.
One of the latest threats targeting businesses is “double-sided spoofing,” a complicated social engineering scam that impersonates multiple parties to access funds and sensitive financial information.
This credit push or authorized push payment (APP) fraud scheme can circumvent traditional security measures, making awareness and education essential for commercial banking customers. As the National Automated Clearing House Association (NACHA) explains, scammers leverage double-sided spoofing to overcome controls established by financial institutions to prevent corporate account takeover.
How Double-Sided Spoofing Works
Criminals use double-sided spoofing to impersonate financial institutions and business customers, typically by altering phone numbers and email addresses to appear legitimate. Here’s how the scam unfolds:
- Impersonating the Customer to the Bank: The fraudster contacts the bank by posing as a commercial customer. Using stolen or publicly available business information, they attempt to access confidential details such as login credentials or security codes.
- Impersonating the Bank to the Customer: At the same time, the criminal contacts the business customer, spoofing the bank’s phone number or email. They claim to represent the bank and request multi-factor authentication (MFA) codes, token codes, or other security details to access the customer’s account.
- Executing the Fraud: By deceiving both the bank and the customer, the fraudster can effectively access accounts, authorize payments, or alter banking details to redirect funds.
Implementing Multiple Security Protections Can Mitigate Rising Risks
In the past, fraudulent calls often raised red flags with customers because of connection delays or background noise. Scammers are now becoming more effective by using artificial intelligence (AI) to produce engineered phone calls or voice tracks. They can even impersonate the intended victims by generating content from their social media channels.
AI can also make fraudulent emails more grammatically correct, so they require extra attention. Criminals may use bank website details and logo information to create well-crafted content that seems to come from the bank.
Proactive communication with customers and ongoing education about fraud threats are critical. Independent Bank has multiple layers of security in place to protect commercial customers, including:
- Mobile token codes for added authentication
- Secure Browser login sessions
- IP address restrictions
- Dual control for transactions
- ACH and check positive pay services
- Enhanced customer verification tools
How to Prevent Double-Sided Spoofing on Each End
Independent Bank directly alerts customers and publishes advisories on all public-facing communication platforms when new threats arise. Helpful reminders for all customers include:
- Verify all communication and confirm the bank will never contact customers to request login credentials, security codes, or MFA tokens.
- Be wary of caller ID spoofing. Hang up and call the bank directly, preferably connecting with a known banker by name at a confirmed phone number.
- Avoid communicating through email, especially if the message aims to collect login or account details. Instead, start a separate chain with the banker using the email addresses found on the institution’s website or business card.
- Run regular cybersecurity checks to update anti-malware and other security software. Share examples of phishing emails and fraudulent phone calls.
- Be patient with extra time or identity verification steps, which are in place to protect every customer and their money during this era of rising impersonation attempts.
Engaging with each customer and their business on a personal level can reveal potential risks and facilitate quicker solutions. Independent Bank’s TreasuryONE team of local experts in Grand Rapids quickly intervenes with security advice for incident recovery during rapid scams.
Unfortunately, the nature and financial impact of impersonation scams will continue to grow. Banks have a timely opportunity to strengthen customer relationships by proactively and consistently communicating their expertise in treasury fraud. We all share the responsibility of keeping the risks, prevention measures, and immediate solutions at the forefront of our customers’ minds.
About the Author
Jaime Macumber is Senior Vice President, Director of Treasury Management at Independent Bank. She has worked in Treasury Management for over 17 years, has a B.S. in B.A. from Central Michigan University, and is a Certified Treasury Professional (CTP) as well as an Advanced Certified Public Funds Investment Manager (ACPFIM).