January 30, 2025

RMAG Fraud Alert – Double-Sided Spoofing

Author

Jordan Bennett

Senior Director, Network Risk Management

Nacha

A new credit-push fraud scheme is being used by fraudsters to target financial institutions and their commercial clients. 

Nacha’s Risk Management Advisory Group member banks reported seeing the new scheme in November and December 2024. They are taking action to defend against it and would like other financial institutions and their customers to be aware. 

RMAG serves in an advisory capacity to Nacha executive management and the Board of Directors on risk management related topics to assure ongoing strength, stability, and continued high quality of the ACH Network. At its January meeting, RMAG discussed the scheme and the actions RMAG member banks are taking to defend against it. 

The new scheme is a sophisticated social engineering technique that uses spoofing to trick both a financial institution and its commercial clients. Spoofing is a fraud technique where the fraudster alters their phone number or email address to disguise their identity and make it appear that the incoming call or email is from an entity the target knows and trusts.

The scheme starts with the fraudster targeting a commercial customer of a financial institution by calling the customer and representing themselves as the financial institution or law enforcement. The fraudster uses social engineering to convince the targeted commercial customer to provide login credentials and additional security information that can be used for the second step in the scheme. 

That second step uses the collected information to target the financial institution. Presenting itself as the commercial customer, the fraudster asks the financial institution to reset the token on their device, using the information gained from the commercial customer to correctly answer all security questions. Once the token is reset, the fraudster logs into the victim’s account at the financial institution and proceeds to submit ACH credit and wire transactions to be sent to receiving accounts the fraudster controls at other institutions. 

While this fraud is sophisticated, RMAG members recommend a few actions they are employing successfully against it:

  • Review any changes to the customer profile when contacted by a customer calling in to make changes to the token or security questions. If changes are newer than 30 days, step up identification efforts. 
  • When a caller asks to reset a token, additional effort should be made to verify the legitimate identity of the customer. Let the caller know you will return the call on a known number from the financial institution’s system of record.
  • If the customer is calling from a phone, use a pin drop to identify the location of the caller and confirm it is the customer’s expected location.
  • If the customer contact is over an electronic device, check the IP. Determine if this is a new device or one that has been used previously. Verify the traffic is from an expected IP address and location for the customer contact.
  • Use biometrics. Speech pattern recognition can be used to detect if the caller is familiar with the account information or if they’re reading from a script. 
  • Encourage Positive Pay for debits and credits. Convince corporate customers to use the service to prevent fraud before becoming a victim rather than signing up after the fact to prevent additional fraud. Setting up Positive Pay is significantly less work than changing all account information with vendors and customers after a fraud has occurred. 
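
The first, second and fourth recommendations can be combined into a single pre-reset check. The sketch below is an added example, not code from Nacha or RMAG; the `Profile` and `ResetRequest` records, their field names and the sample data are hypothetical, and the handling of a recently changed callback number is an assumption of this example rather than something the alert states.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

LOOKBACK = timedelta(days=30)  # the alert's threshold for "newer" profile changes

@dataclass
class Profile:  # hypothetical system-of-record view of a commercial customer
    callback_number: str
    known_devices: set
    expected_networks: list  # CIDR strings
    changes: list = field(default_factory=list)  # (timestamp, field name)

@dataclass
class ResetRequest:  # hypothetical token-reset request
    received: datetime
    channel: str  # "phone" or "online"
    device_id: Optional[str] = None
    source_ip: Optional[str] = None

def review_reset(profile, req):
    """Return (actions, reasons) to work through before the token is reset."""
    reasons = []
    recent = sorted({name for ts, name in profile.changes
                     if timedelta(0) <= req.received - ts <= LOOKBACK})
    if recent:
        reasons.append("profile changed within 30 days: " + ", ".join(recent))
    if req.channel == "online":
        if req.device_id not in profile.known_devices:
            reasons.append("device not seen before")
        nets = [ip_network(n) for n in profile.expected_networks]
        if req.source_ip is None or not any(ip_address(req.source_ip) in n for n in nets):
            reasons.append("source IP outside expected networks")
    # Never dial a number the caller supplies; use the system of record.
    actions = ["call back on " + profile.callback_number]
    if "callback_number" in recent:
        # Assumption of this example: a recently changed callback number is
        # itself suspect, so the callback alone is not treated as sufficient.
        actions = ["confirm through a second contact on file"]
    if reasons:
        actions.append("step up identification")
    return actions, reasons

# Constructed sample data (documentation IP ranges, fictional number).
SAMPLE_PROFILE = Profile("+1-555-0100", {"dev-a1"}, ["203.0.113.0/24"],
                         [(datetime(2025, 1, 20), "security_questions")])
SAMPLE_REQUEST = ResetRequest(datetime(2025, 1, 30), "online", "dev-zz", "198.51.100.7")
```
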

Double-sided spoofing relies on social engineering much in the same way as other forms of credit-push fraud. In double-sided spoofing, though, the fraudster’s goal is not to convince a victim to push a credit transaction to the fraudster. Instead, the goal is to defeat controls imposed by a financial institution to prevent corporate account takeover. Fortunately, there are far fewer financial institutions than account-holding customers. This makes it easier for RMAG and others to get the word out to risk management professionals at peer institutions who have an opportunity to detect fraud attempts and deploy additional preventive controls. 

Help RMAG spread the word about double-sided spoofing before it becomes the latest fad in fraud’s never-ending search for the path of least resistance.