Fraudsters are defeating MFA challenges. Here's how, and how to stop them

Fraud and Financial Crime


Chris Gerda

Apr 19, 2022

Multi-factor authentication (MFA) has been one of the strongest protections against payment fraud. Fraudsters have large toolkits for acquiring passwords or gleaning the personal information that helps them answer challenge questions, but MFA puts a critical piece of identity verification outside a bad actor's reach.

No single defense is perfect, however, and fraudsters have been chipping away at this line of defense for a while. In recent months, a pair of threats to MFA have emerged that deserve your attention, especially because one of them has become such a severe problem that the FBI issued a warning about it. A third scheme, involving your business phones, has also been emerging in the early months of 2023.

At Paymode-X, we deploy advanced protections to prevent exactly these kinds of sophisticated account takeover frauds; we see them often, and it's a primary reason our B2B payments customers use Paymode-X. If you don't have such protections, or you're not working with a company like ours that can protect your sensitive bank account information from unauthorized updates or payment initiations, you're going to want to know how to stop these three methods today.

Let’s take a look at three of the strategies fraudsters are using to hack your accounts and emails and the solutions to each. 

SIM swap

Receiving a text code on your phone is something we are all familiar with when we log in to an account from a new device. Fraudsters know this too, so they try a SIM swap, which takes over your phone number itself, regardless of the device it is in. They use social engineering, compromise your mobile carrier login, or even get an insider to help assign your phone number to a new SIM card, one that just happens to be in the hands of a bad actor.

Regardless of how they ultimately get the job done, once the number is switched the criminal receives your incoming calls and texts, including the verification codes that help them defeat MFA challenges.

Essentially, once the swap has been completed, fraudsters simply enter your phone number when they get the "forgot password" prompt on, say, your bank account, receive the verification text themselves, and then make off with your money. By the time you're wise to the scheme and contact your mobile carrier to get the number switched back, you or your company may already be out a significant sum.

Voice over IP (VoIP) access

In the early going here in 2023, we have seen a rising number of attempts (and unfortunately, successful ones) at compromising VoIP phone accounts at businesses. Most phone providers do not enable MFA by default on the online portals you use to log in to and manage your VoIP phone account. You have to go out of your way to set that protection up.

It is well worth doing so, given a fraudster's ability to access critical information in your online portal and impersonate you. Because these portals are so lightly protected, and many business professionals reuse their phone passwords elsewhere, a fraudster who breaks into your VoIP account can do a lot of damage by using it to get into other systems, for example by redirecting the calls and texts that carry verification codes for other accounts.

Reverse proxy, or the scourge of fake logins

Alongside the rise in SIM swapping, driven in part by how many users now rely on MFA to stop fraud, fraudsters are also stealing MFA codes by standing up fake websites for real banks and online services. As BleepingComputer outlines, these are reverse-proxy phishing kits, often called adversary-in-the-middle (AiTM) phishing. I prefer to call them fake website logins, because that is really what they are: the name imparts urgency and calls the thing what it is.

Fraudsters redirect unsuspecting victims from an email to what looks like a legitimate bank login site. Once you enter your credentials, the fake login site immediately uses them to log in to your actual account on the real website. Since the fraudsters are on a new device, theirs, the real site asks them for an MFA code; and it just so happens you are going to be asked for the same code as you concurrently log in to the fake website.

You receive the code from your real bank and type it in, allowing them to see it and use it on the spot to access your real account. Furthermore, after you enter the code on the fake website they redirect you to the real company website, so you never realize you have been duped and just assume your login happened not to work.

The end result is the same as for the SIM swap scheme, or really any other fraud scheme: the bad guy is in your bank account, happily transferring your hard-earned money into their own. The sophistication of these sites and how convincing they appear can make them hard to avoid.
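As an added worked example (not code from the original article or from Paymode-X), the following Python simulates the relay described above with three parties: the real bank, a fake login page acting as a reverse proxy, and the victim with their phone and browser. It goes one step beyond the text by also running the same relay against a second factor that signs over the page origin, the way FIDO2/WebAuthn authenticators do. All domain names, the password, the device key and the HMAC standing in for the authenticator's signature are assumptions made for the illustration; nothing here is a real bank or WebAuthn API.

```python
# Added example, not from the original article: a toy model of the reverse-proxy
# ("fake login") scheme. Relaying the password and texted code in real time wins a
# session; a factor signed over the page origin does not relay. Domains, secrets
# and the HMAC "signature" are assumptions standing in for real bank/WebAuthn APIs.
import hashlib
import hmac
import secrets


class Bank:
    ORIGIN = "https://bank.example"  # assumed legitimate origin

    def __init__(self, users):  # user -> {"password": str, "device_key": bytes}
        self.users, self.pending_otp, self.pending_challenge = users, {}, {}

    def password_login(self, user, password):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        self.pending_otp[user] = f"{secrets.randbelow(10**6):06d}"
        return self.pending_otp[user]  # stands in for texting the code to the user's phone

    def otp_login(self, user, otp):
        expected = self.pending_otp.pop(user, None)
        if expected is None or not hmac.compare_digest(expected, otp):
            return None
        return secrets.token_hex(16)  # session token

    def webauthn_challenge(self, user):
        self.pending_challenge[user] = secrets.token_bytes(16)
        return self.pending_challenge[user]

    def webauthn_login(self, user, origin, signature):
        challenge, rec = self.pending_challenge.pop(user, None), self.users.get(user)
        if challenge is None or rec is None or origin != self.ORIGIN:
            return None  # the origin the browser recorded must be ours
        expected = hmac.new(rec["device_key"], challenge + origin.encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None  # signature covers the origin, so a relayed one fails
        return secrets.token_hex(16)


class Victim:  # account holder plus their browser and phone (constructed)
    def __init__(self, user, password, device_key):
        self.user, self.password, self.device_key = user, password, device_key

    def read_code_from_phone(self, otp):
        return otp  # the user cannot tell which site the code will end up on

    def sign(self, challenge, page_origin):
        # The browser records the origin of the page asking; the signature covers it.
        return hmac.new(self.device_key, challenge + page_origin.encode(),
                        hashlib.sha256).digest()


class PhishingProxy:
    ORIGIN = "https://bank-login.example"  # assumed look-alike domain

    def __init__(self, bank):
        self.bank = bank

    def relay_otp_login(self, victim):
        # Password captured on the fake page and replayed on the real site at once.
        otp = self.bank.password_login(victim.user, victim.password)
        if otp is None:
            return None
        typed = victim.read_code_from_phone(otp)  # real code typed into the fake page
        return self.bank.otp_login(victim.user, typed)  # attacker now holds a session

    def relay_webauthn_login(self, victim):
        challenge = self.bank.webauthn_challenge(victim.user)
        assertion = victim.sign(challenge, self.ORIGIN)  # browser is on the proxy's origin
        # Best the proxy can do: forward the assertion while claiming the real origin.
        return self.bank.webauthn_login(victim.user, Bank.ORIGIN, assertion)


def legitimate_webauthn_login(bank, victim):
    challenge = bank.webauthn_challenge(victim.user)
    assertion = victim.sign(challenge, bank.ORIGIN)  # browser really is on the bank
    return bank.webauthn_login(victim.user, bank.ORIGIN, assertion)


def run_demo():
    key = secrets.token_bytes(32)  # constructed device key shared at enrolment
    bank = Bank({"alice": {"password": "correct horse battery staple", "device_key": key}})
    victim = Victim("alice", "correct horse battery staple", key)
    proxy = PhishingProxy(bank)
    return {
        "otp_relay_gave_attacker_session": proxy.relay_otp_login(victim) is not None,
        "webauthn_relay_gave_attacker_session": proxy.relay_webauthn_login(victim) is not None,
        "webauthn_direct_login_works": legitimate_webauthn_login(bank, victim) is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it and the OTP relay reports True (the proxy now holds a live session on the real site) while the origin-bound relay reports False, even though the proxy forwarded the assertion unchanged and claimed the real origin: the signature covers the origin the browser actually saw, which was the fake site's. Real WebAuthn goes further than this toy, since the browser will not even offer a credential scoped to bank.example to a page on another domain, and a relying party verifies a public-key signature rather than a shared-key HMAC.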

How to prevent all three

There are four critical steps you can take to defeat these kinds of fraud. The first is to add a PIN or passcode to your mobile carrier account (carriers call it an account PIN, port-out PIN, or number lock), because that is information a fraudster does not have when trying to execute a SIM swap, and the carrier should refuse to move your number without it. Note that this is different from the PIN that locks the SIM card inside your handset; that one protects a stolen phone, not your number. I'd recommend that everyone set a carrier account PIN, which the major carriers offer, because of how simple and powerful that extra layer of security can be.

For fake logins, the advice is timeless: don't click a link in an email unless you're certain who sent it and why. If an email is taking you directly to your bank's login page, it's best to close that window entirely, navigate to your bank's website yourself, and log in from there, so you are not duped into surrendering your credentials and the code needed to defeat the MFA challenge. Check that the domain in the address bar is your bank's before typing anything. Where the option exists, prefer a phishing-resistant second factor such as a FIDO2/WebAuthn security key or passkey over texted or app-generated codes: the browser binds those credentials to the real site's domain, so a fake site that relays codes has nothing it can forward. Being extra cautious with your emails and logins may take a little extra time, but it can save you from significant losses.

The third step is to secure your VoIP account immediately. Go into your account settings, through the online portal or the phone itself, and enable MFA. Have password resets and login confirmations sent to a device in your pocket rather than to the VoIP number itself, and whatever you do, do not reuse your VoIP portal password on your computer or any other system. If one system is compromised, a fraudster will have quick access to both when they share a password.

To protect your payments, consider a fourth step. For high-value B2B payments, where Business Email Compromise (BEC) fraud is especially damaging, work with a solution that protects your bank account information and payments through a multi-layered approach, building on MFA with additional authentication layers to make account takeover far harder for fraudsters. If you've made it through the last couple of years of remote work and increasingly digital payment methods without upping your level of sophistication and protection, you're fortunate, but it's time to look into AP automation providers with advanced defenses capable of securing digital payments.

These schemes are a reminder that you can never get too comfortable just because your accounts are protected by MFA challenges. Whether you’re using additional layers of protection on your phone, working with a partner who can protect your critical payments and bank account information, or both, 2023 should be a year of extra vigilance. The cost of ignoring these emerging threats is simply too high to do otherwise.


Posted by

Chris Gerda

Chris Gerda serves as the head of risk and fraud prevention at Bottomline, with a focus on security for Paymode-X. He is responsible for the overall anti-fraud strategy and technology initiatives to maintain the security of $200 billion in payments within the 450,000+ network membership base.