Double-sided spoofing
How the Scam Works
Targeting a Business Customer:
- A fraudster contacts a commercial client of a financial institution, posing as a bank representative or law enforcement.
- Using social engineering tactics, they manipulate the customer into revealing login credentials and other security details.
Compromising the Financial Institution:
- The fraudster, armed with the stolen credentials, contacts the financial institution pretending to be the commercial client.
- They request a token reset or security changes, using the obtained information to correctly answer verification questions.
Executing Unauthorized Transactions:
- Once the token is reset, the fraudster gains full access to the client’s bank account.
- They initiate ACH credit and wire transfers, sending funds to accounts under their control.
How Businesses and Financial Institutions Can Protect Themselves
Enhanced Authentication and Verification
- Scrutinize profile changes: Before processing security changes (like token resets), check for recent modifications. If changes are within the past 30 days, apply additional verification.
- Verify customer identity rigorously: Instead of acting immediately on a reset request, call the customer back using a known phone number from internal records.
- Pin drop technology: When speaking with customers on the phone, use location-based verification to confirm if the call is coming from a recognized location.
- IP monitoring: If a request is made from an electronic device, check if the IP address is associated with the customer's usual activity. Flag requests from new or suspicious locations.
- Biometric authentication: Use voice recognition to detect scripted responses and verify if the caller’s speech pattern matches the account holder’s past interactions.
Proactive Fraud Prevention Strategies
- Implement Positive Pay: Encourage business customers to use Positive Pay services for both credits and debits. This tool prevents unauthorized transactions by requiring prior approval before processing.
- Educate commercial clients: Regularly train business customers on fraud risks, including how to recognize spoofing attempts and social engineering tactics.
- Multi-layered transaction monitoring: Establish behavioral analytics to flag unusual transactions, such as sudden large withdrawals or transfers to high-risk accounts.
- Strengthen internal fraud detection: Implement AI-driven fraud detection systems that can identify patterns associated with social engineering attacks.
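The Positive Pay and behavioural-monitoring controls above can be expressed as a small decision routine. The following is an added example written for this article, not code from any bank or vendor: it releases a credit only when the payee and amount match a pre-approved Positive Pay entry, tags each transfer with the deviations it shows from the customer's history, and sends a first-ever payment that is both approved and made inside the post-reset window to manual review. The 48-hour window, the 3x baseline multiplier, and all customer, payee and amount values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Thresholds are assumptions chosen for this example, not figures from the article.
POST_RESET_WINDOW = timedelta(hours=48)   # transfers stay under extra scrutiny this long after a reset
BASELINE_MULTIPLIER = 3.0                 # "sudden large" = more than 3x the customer's typical daily outflow


@dataclass(frozen=True)
class ApprovedPayment:
    """A Positive Pay entry: a payee the customer has pre-approved, with an amount ceiling."""
    payee_account: str
    max_amount: float


@dataclass
class Transaction:
    tx_id: str
    kind: str                # "ACH_CREDIT" or "WIRE"
    payee_account: str
    amount: float
    when: datetime


@dataclass
class CustomerProfile:
    customer_id: str
    approved: List[ApprovedPayment]      # Positive Pay list for credits
    known_payees: Set[str]               # payees this customer has actually paid before
    typical_daily_outflow: float
    last_token_reset: Optional[datetime] = None


def positive_pay_decision(profile: CustomerProfile, tx: Transaction) -> str:
    """Positive Pay for credits: release only if payee and amount were pre-approved,
    otherwise hold the item until the customer confirms it through a separate channel."""
    for entry in profile.approved:
        if entry.payee_account == tx.payee_account and tx.amount <= entry.max_amount:
            return "RELEASE"
    return "HOLD_AWAITING_APPROVAL"


def behavioral_flags(profile: CustomerProfile, tx: Transaction) -> List[str]:
    """Simple behavioural analytics: each flag is one deviation from the customer's history."""
    flags = []
    if tx.payee_account not in profile.known_payees:
        flags.append("new_payee")
    if tx.amount > BASELINE_MULTIPLIER * profile.typical_daily_outflow:
        flags.append("amount_far_above_baseline")
    if profile.last_token_reset is not None:
        since_reset = tx.when - profile.last_token_reset
        if timedelta(0) <= since_reset <= POST_RESET_WINDOW:
            flags.append("within_48h_of_token_reset")
    return flags


def evaluate(profile: CustomerProfile, tx: Transaction) -> Tuple[str, List[str]]:
    decision = positive_pay_decision(profile, tx)
    flags = behavioral_flags(profile, tx)
    # A Positive Pay approval entered from the online account is only as trustworthy as the
    # session that entered it. A first-ever payment to a payee, approved and sent inside the
    # post-reset window, is the sequence this scam produces, so it goes to manual review even
    # though the approval itself matched.
    if decision == "RELEASE" and {"new_payee", "within_48h_of_token_reset"} <= set(flags):
        decision = "MANUAL_REVIEW"
    return decision, flags


# Constructed sample data (fictional customer, account labels and amounts).
ACME = CustomerProfile(
    customer_id="acme-llc",
    approved=[
        ApprovedPayment("ACCT-PAYROLL-001", 50_000.0),
        ApprovedPayment("ACCT-VENDOR-017", 12_000.0),
        ApprovedPayment("ACCT-CONSULT-042", 30_000.0),   # approved recently, never paid yet
    ],
    known_payees={"ACCT-PAYROLL-001", "ACCT-VENDOR-017"},
    typical_daily_outflow=20_000.0,
    last_token_reset=datetime(2024, 3, 4, 10, 0),
)

SAMPLE_TXS = [
    Transaction("t1", "ACH_CREDIT", "ACCT-PAYROLL-001", 48_000.0, datetime(2024, 3, 1, 9, 0)),
    Transaction("t2", "WIRE", "ACCT-NEW-999", 95_000.0, datetime(2024, 3, 4, 14, 30)),
    Transaction("t3", "ACH_CREDIT", "ACCT-VENDOR-017", 11_000.0, datetime(2024, 3, 5, 9, 0)),
    Transaction("t4", "WIRE", "ACCT-CONSULT-042", 25_000.0, datetime(2024, 3, 4, 16, 0)),
]


def run_samples():
    return {tx.tx_id: evaluate(ACME, tx) for tx in SAMPLE_TXS}


if __name__ == "__main__":
    for tx_id, (decision, flags) in run_samples().items():
        print(f"{tx_id}: {decision:<24} flags={flags}")
```

Transaction t3 shows the intended behaviour for a legitimate customer: a routine payment to a known vendor the day after a reset is released even though it falls inside the window, because the review trigger needs both a never-before-paid payee and the post-reset timing.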
Why This Scam is Especially Dangerous
This type of double-sided spoofing is a sophisticated evolution of credit-push fraud. Unlike traditional fraud, where the goal is to trick victims into sending money, this method bypasses a financial institution’s security controls by manipulating both the business customer and the bank itself. The fraudster does not rely on stolen credentials alone; they also exploit the bank’s own processes for resetting authentication mechanisms.
What Are Tokens?
Tokens are security mechanisms used in financial institutions and digital systems to authenticate users and authorize transactions. They act as digital keys that verify a user’s identity before granting access to an account or allowing financial transactions.
How Tokens Work
- Authentication Token Generation: When a user logs into a banking system, a token is issued to verify their identity.
- Secure Transaction Authorization: Tokens provide an extra layer of security beyond usernames and passwords. They generate one-time codes or require biometric verification to authorize sensitive actions such as fund transfers.
- Expiration & Resetting: Tokens typically expire after a set period or after a session ends. If lost or compromised, users can request a reset, which is what fraudsters exploit in this scam.
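The app-based token described above is, in practice, the time-based one-time password of RFC 6238. The block below is an added example, not code from the article or from any bank's token system: it implements standard HOTP/TOTP in Python, shows how a code stops verifying once its time step has passed, and models re-enrolment as the issuing of a fresh seed that makes every code from the old seed worthless. The `AppTokenEnrollment` class and the 30-second step are assumptions for the example; the RFC test seed is the published one.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # each code lives for one 30-second time step (RFC 6238 default)
DIGITS = 6


def generate_secret() -> str:
    """Fresh 160-bit seed, base32-encoded the way authenticator apps import it."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret_b32, int(at_time) // STEP_SECONDS, digits)


def verify(secret_b32: str, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step plus or minus `window` steps (clock drift).
    Anything older never matches again: that is the expiry the article describes."""
    current = int(at_time) // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter), code):
            return True
    return False


class AppTokenEnrollment:
    """Bank-side record of which seed an account's authenticator app holds (assumed model)."""

    def __init__(self):
        self.secret = generate_secret()

    def reset(self) -> str:
        """Re-enrolment issues a fresh seed. Whoever scans the new seed holds the second
        factor from now on, and every code from the old seed is dead, which is why a reset
        granted to the wrong requester hands over the account."""
        self.secret = generate_secret()
        return self.secret


# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"), base32-encoded.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("RFC vector T=59:", totp(RFC_TEST_SECRET, 59, digits=8))   # 94287082
    enrolment = AppTokenEnrollment()
    now = int(time.time())
    code = totp(enrolment.secret, now)
    print("valid now:      ", verify(enrolment.secret, code, now))
    print("valid in 2 min: ", verify(enrolment.secret, code, now + 120))
    enrolment.reset()
    print("after reset:    ", verify(enrolment.secret, code, now))
```

The verifier's drift window is deliberately small (one step either side); widening it to cover operator convenience lengthens the life of every code, so it is a security setting, not a tuning knob.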
Types of Tokens Targeted in This Scam
Fraudsters manipulate businesses and banks into resetting or bypassing the following types of tokens:
- Hardware Security Tokens:
  - Physical devices (e.g., key fobs, USB tokens, smart cards) that generate a unique authentication code for each login or transaction.
  - How fraudsters exploit it: They trick the bank into resetting the hardware token to a different device they control.
- Software/App-Based Tokens:
  - Examples: Google Authenticator, Microsoft Authenticator, bank-issued mobile apps.
  - These apps generate one-time passcodes (OTP) that expire within seconds or minutes.
  - How fraudsters exploit it: They convince the bank to disable the current authenticator and allow them to register a new device.
- SMS or Email-Based One-Time Passcodes (OTP):
  - Temporary codes sent via text message or email for verifying logins and transactions.
  - How fraudsters exploit it: They take over the victim’s phone number (SIM swap fraud) or intercept emails to gain access.
- Biometric Tokens:
  - Fingerprint, facial recognition, or voice-based authentication.
  - How fraudsters exploit it: They bypass biometric authentication by requesting a security reset that removes the biometric lock.
- Cryptographic or API Tokens:
  - Used for machine-to-machine authentication (e.g., API keys for financial apps).
  - How fraudsters exploit it: They convince the bank’s IT or security team to regenerate API keys, allowing unauthorized system access.
Why Token Resets Are the Weak Link
- Financial institutions often trust the reset request if the caller provides enough correct details.
- Fraudsters social engineer both the business client and the bank, making the reset process their easiest point of entry.
- Once the token is reset, existing security measures become useless, allowing the fraudster to take over the account.
Best Practices to Protect Against Token Reset Fraud
- Enforce a “Call-Back” Policy – Before resetting a token, financial institutions should call the client using a pre-verified phone number (not the one provided during the reset request).
- Delay High-Risk Token Resets – If a reset request comes shortly after profile changes, impose a 24-hour hold before allowing token reissuance.
- Require In-Person Verification for Hardware Tokens – Physical tokens should only be reset or replaced with face-to-face identity confirmation.
- Use Multi-Factor Authentication (MFA) for Token Resets – Banks should require an additional step, such as a video call, PIN, or security challenge, before allowing a reset.
- Monitor Unusual Token Reset Requests – Implement AI-driven fraud detection that flags resets requested from new devices, IP addresses, or locations.
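The verification rules from the "Enhanced Authentication and Verification" section and the best practices just listed describe one decision: how a bank should treat an incoming token-reset request. The block below is an added example written for this article, not any institution's actual workflow. It always schedules the call-back to the number on file (never the number the requester supplied), flags a profile change within the past 30 days and imposes the 24-hour hold, flags an online request from an unrecognized IP address or device, adds a secondary challenge whenever anything is flagged, and refuses to reset a hardware token other than face to face. The record and request structures, the action labels, and all customer, phone and IP values are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Windows taken from the article: extra verification when the profile changed in the
# past 30 days, and a 24-hour hold on resets that follow such changes.
RECENT_PROFILE_CHANGE = timedelta(days=30)
HIGH_RISK_HOLD = timedelta(hours=24)


@dataclass
class CustomerRecord:
    customer_id: str
    phone_on_file: str                 # pre-verified number from internal records
    token_kind: str                    # "hardware", "app" or "sms" (assumed labels)
    last_profile_change: Optional[datetime]
    known_ips: Set[str] = field(default_factory=set)
    known_devices: Set[str] = field(default_factory=set)


@dataclass
class ResetRequest:
    customer_id: str
    requested_at: datetime
    channel: str                       # "phone" or "online"
    contact_number_given: str          # whatever the requester supplied; informational only
    source_ip: Optional[str] = None
    device_id: Optional[str] = None


@dataclass
class Decision:
    action: str                        # PROCEED_AFTER_CALLBACK | HOLD_24H | IN_PERSON_ONLY
    callback_number: Optional[str]     # always the number on file, never the one given
    release_not_before: Optional[datetime]
    required_steps: List[str]
    risk_flags: List[str]


def evaluate_reset(record: CustomerRecord, req: ResetRequest) -> Decision:
    flags: List[str] = []
    steps = ["callback_to_number_on_file"]          # the call-back policy applies to every reset

    if record.last_profile_change is not None and \
            req.requested_at - record.last_profile_change <= RECENT_PROFILE_CHANGE:
        flags.append("profile_changed_within_30d")
    if req.contact_number_given != record.phone_on_file:
        flags.append("contact_number_differs_from_record")
    if req.channel == "online":
        if req.source_ip not in record.known_ips:
            flags.append("unrecognized_ip")
        if req.device_id not in record.known_devices:
            flags.append("unrecognized_device")

    # Hardware tokens are only reissued face to face, whatever else the request looks like.
    if record.token_kind == "hardware":
        return Decision("IN_PERSON_ONLY", None, None, ["face_to_face_identity_check"], flags)

    if flags:
        # Any anomaly adds a second factor to the reset itself (video call, PIN or challenge).
        steps.append("secondary_challenge")
    if "profile_changed_within_30d" in flags:
        return Decision("HOLD_24H", record.phone_on_file,
                        req.requested_at + HIGH_RISK_HOLD, steps, flags)
    return Decision("PROCEED_AFTER_CALLBACK", record.phone_on_file, None, steps, flags)


# Constructed sample records and requests (fictional 555 numbers, TEST-NET addresses).
RECORDS = {
    "acme-llc": CustomerRecord("acme-llc", "+1-555-0100", "app",
                               last_profile_change=datetime(2024, 3, 1, 15, 0),
                               known_ips={"203.0.113.10"}, known_devices={"dev-7f3a"}),
    "bravo-inc": CustomerRecord("bravo-inc", "+1-555-0150", "app",
                                last_profile_change=datetime(2023, 11, 2, 11, 0),
                                known_ips={"198.51.100.7"}, known_devices={"dev-c210"}),
    "charlie-co": CustomerRecord("charlie-co", "+1-555-0180", "hardware",
                                 last_profile_change=None),
}

REQUESTS = [
    ResetRequest("acme-llc", datetime(2024, 3, 4, 12, 0), "phone", "+1-555-0199"),
    ResetRequest("bravo-inc", datetime(2024, 3, 4, 12, 5), "online", "+1-555-0150",
                 source_ip="198.51.100.7", device_id="dev-c210"),
    ResetRequest("charlie-co", datetime(2024, 3, 4, 12, 10), "phone", "+1-555-0180"),
]


def run_samples():
    return {r.customer_id: evaluate_reset(RECORDS[r.customer_id], r) for r in REQUESTS}


if __name__ == "__main__":
    for cid, d in run_samples().items():
        print(f"{cid}: {d.action} callback={d.callback_number} "
              f"not_before={d.release_not_before} steps={d.required_steps} flags={d.risk_flags}")
```

The design point is in the `Decision` structure: the requester's supplied number is recorded for the case file but has no field in the decision, so an operator following the output cannot be talked into calling it back. The "acme-llc" request reproduces the scam's pattern (profile edited days earlier, reset sought from a different number) and lands on the 24-hour hold with a secondary challenge; the "bravo-inc" request from a known device still gets the call-back, because the policy is unconditional.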
Final Takeaway
Banks and businesses must move beyond relying on standard authentication procedures. Fraudsters are constantly evolving their tactics, making it crucial to layer security measures, educate customers, and implement real-time fraud monitoring. Sharing intelligence among financial institutions is key to stopping these attacks before they spread.