Resource Corner
Protect Your Business: Double-Sided Spoofing

How the Scam Works
- A fraudster contacts a commercial client of a financial institution, posing as a bank representative or law enforcement.
- Using social engineering tactics, they manipulate the customer into revealing login credentials and other security details.
- The fraudster, armed with the stolen credentials, contacts the financial institution pretending to be the commercial client.
- They request a token reset or security changes, using the obtained information to correctly answer verification questions.
- Once the token is reset, the fraudster gains full access to the client’s bank account.
- They initiate ACH credit and wire transfers, sending funds to accounts under their control.
How Businesses and Financial Institutions Can Protect Themselves
- Scrutinize profile changes: Before processing security changes (like token resets), check for recent modifications. If changes are within the past 30 days, apply additional verification.
- Verify customer identity rigorously: Instead of acting immediately on a reset request, call the customer back using a known phone number from internal records.
- Pin drop technology: When speaking with customers on the phone, use location-based verification to confirm if the call is coming from a recognized location.
- IP monitoring: If a request is made from an electronic device, check if the IP address is associated with the customer's usual activity. Flag requests from new or suspicious locations.
- Biometric authentication: Use voice recognition to detect scripted responses and verify if the caller’s speech pattern matches the account holder’s past interactions.
- Implement Positive Pay: Encourage business customers to use Positive Pay services for both credits and debits. This tool prevents unauthorized transactions by requiring prior approval before processing.
- Educate commercial clients: Regularly train business customers on fraud risks, including how to recognize spoofing attempts and social engineering tactics.
- Multi-layered transaction monitoring: Establish behavioral analytics to flag unusual transactions, such as sudden large withdrawals or transfers to high-risk accounts.
- Strengthen internal fraud detection: Implement AI-driven fraud detection systems that can identify patterns associated with social engineering attacks.
Why This Scam is Especially Dangerous
This type of double-sided spoofing is a sophisticated evolution of credit-push fraud. Unlike traditional fraud, where the goal is to trick victims into sending money, this method bypasses a financial institution’s security controls by manipulating both the business customer and the bank itself. The fraudster does not need to steal credentials alone—they exploit the bank’s own processes for resetting authentication mechanisms.