Fraudsters are defeating MFA challenges. Here's how, and how to stop them

Fraud and Financial Crime


Chris Gerda

Apr 19, 2022

Multi-factor authentication (MFA) has been critical, if not the best protection, for payment fraud prevention. Fraudsters have huge toolkits at their disposal designed to acquire passwords or glean personal information that can help defeat challenges, but MFA puts a critical piece of identity verification outside a bad actor’s reach to thwart attempts. 

No single defense is perfect, however, and fraudsters have been chipping away at this line of defense for a while. In recent months, a pair of threats to MFA have emerged that deserve your attention, especially because one of them has become such a severe problem that the FBI issued a warning about it.

At Paymode-X, the accounts payable automation company I work for, we deploy advanced protections to prevent exactly these kinds of sophisticated account takeover frauds. We see them often, and stopping them is a primary reason our B2B payments customers use Paymode-X. If you are not working with a company like ours that can protect your sensitive bank account information from unauthorized updates or payment initiations, you are going to want to know how to stop these two methods today.

Let’s take a look at two of the strategies fraudsters are using to hack your accounts and emails, and the solutions to each.

SIM swap

Obtaining a text code on your phone is something we are all familiar with when we try to log in to one of our accounts from a new device. Fraudsters know this too, and so they will go to the length of a SIM swap, which is essentially taking over your phone number regardless of the device it’s in. They use social engineering, compromise your mobile carrier login, or even have an insider help in assigning your phone number to a new SIM card, one that just happens to be in the hands of a fraudster. Regardless of how they ultimately get the job done, once the number is switched the criminal gains a bonanza of personal information, including calls, texts, contacts, and other information that can help them defeat MFA challenges.

Essentially, once the swap has been completed, fraudsters simply plug in your phone number when they get the “forgot password” prompt on, say, your bank account, receive the verification text, and then make off with your money. By the time you’re wise to the scheme and contact your mobile carrier to get the number switched back, you or your company may already be out a significant sum.

Reverse proxy, or the scourge of fake logins

Much like the rise of the SIM swap scheme, driven in part by the growing share of users who rely on MFA to stop fraud, fraudsters are also able to steal your MFA codes by using fake websites that imitate real banks and online services. As BleepingComputer outlines, these are reverse proxy solutions. I prefer to call them fake website logins, which is really what they are, because that name imparts urgency and directly calls the thing what it is. Fraudsters redirect unsuspecting victims from an email to what looks like a legitimate bank login site. Once you put in your credentials, however, the information entered on the fake login site is immediately used by the fraudster to log into your actual bank account on the real website. Since they are on a new device, theirs, they will need an MFA code, and it just so happens that you are going to need one too, because you are concurrently logging into the fake website. You get the code from your real bank and type it in, allowing them to see it and use it on the spot to access your real account. Furthermore, after you put in the code on the fake website, they redirect you to the real company website, so you never have a chance to realize you have been duped and just assume that your login didn’t happen to work.

The end result is the same as it is for the SIM swap scheme, or really any other fraud scheme: the bad guy is in your bank account and happily transferring your hard-earned money into their accounts. The sophistication of these sites and how convincing they appear can make them hard to avoid.

How to prevent both

There are three critical steps you can take to defeat these kinds of fraud. The first is to protect your SIM card with an extra layer of security by adding a PIN code, because that’s information a fraudster cannot access when trying to execute a SIM swap, and it will stymie their efforts to get the number transferred to their device. In fact, I’d recommend that everyone protect their SIM card with a PIN, which is offered by all cell providers, because of how simple and powerful that extra layer of security can be.

For fake logins, the advice is timeless: Don’t click on a link in an email unless you’re certain you know who it’s from and why it’s being sent. If you’re being taken from an email directly to your bank’s login page, it’s likely best to close out that window entirely, navigate to your bank’s website, and log in from there to make sure you are not being duped into surrendering your credentials and information needed to defeat MFA challenges to a fraudster. Being extra cautious with your emails and logins may take a little extra time, but it can save you from significant losses.
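The advice above boils down to one check: does the link in the email actually lead to the institution it claims to? The script below is an added example, not Paymode-X code, that applies that check to links found in an email body. The bank domain allowlist, the sample email and the lookalike heuristics are constructed for illustration; a production checker would use the Public Suffix List rather than the two-label shortcut used here.

```python
"""Flag e-mail links that do not point at a known bank domain.

Added example (not from the original post). Everything below is constructed:
the allowlist holds a fictitious bank domain and the sample e-mail is made up.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains you know belong to your bank.
KNOWN_BANK_DOMAINS = {"examplebank.com"}

# Constructed sample e-mail body with one lookalike link and one genuine link.
SAMPLE_EMAIL = """Dear customer, your account is locked. Verify at
https://examplebank.com.login-verify.example/secure within 24 hours.
Or use our app: https://www.examplebank.com/login"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(hostname: str) -> str:
    """Simplified registrable domain: the last two labels of the hostname.
    Real deployments should use the Public Suffix List instead."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def classify_link(url: str) -> str:
    """Return 'ok: ...' only for an https link whose registrable domain is on
    the allowlist; everything else gets a 'reject: <reason>' verdict."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        return "reject: non-web scheme"
    if not host:
        return "reject: no hostname"
    # IDN/punycode labels are a common way to build visually similar names.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "reject: punycode/IDN hostname"
    # https://examplebank.com@evil.example/ puts the bank name in userinfo,
    # but the browser connects to evil.example.
    if parts.username is not None:
        return "reject: userinfo in URL"
    domain = registrable_domain(host)
    if domain in KNOWN_BANK_DOMAINS:
        if parts.scheme != "https":
            return "reject: known domain but not https"
        return "ok: known domain"
    # The bank's name appearing as a subdomain of some other domain is the
    # pattern seen in fake login sites.
    for known in KNOWN_BANK_DOMAINS:
        if known.split(".")[0] in host:
            return f"reject: lookalike of {known}"
    return "reject: unknown domain"


def audit_email(body: str) -> list:
    """Extract every http(s) link from an e-mail body and classify it."""
    return [(url, classify_link(url)) for url in URL_RE.findall(body)]


if __name__ == "__main__":
    for url, verdict in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:40s} {url}")
```

Any link that comes back with a `reject` verdict is one to ignore; open a fresh tab and type the bank's address yourself, which is the same advice as above, just automated for the mailbox.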

The third option is especially important for high-value B2B payments, given the damaging effects of Business Email Account Compromise (BEC) fraud. It involves working with a solution that can protect your bank account information and payments through multi-layered approaches that build on MFA with additional authentication layers to create something insurmountable for fraudsters. If you’ve made it through the last couple of years of remote work and increasingly digital payment methods without upping your level of sophistication and protection, you’re fortunate, but it’s time to consider looking into AP automation providers with advanced defenses capable of securing digital payments.

These schemes are a reminder that you can never get too comfortable just because your accounts are protected by MFA challenges. Whether you’re using additional layers of protection on your phone, working with a partner who can protect your critical payments and bank account information, or both, 2022 should be a year of extra vigilance. The cost of ignoring these emerging threats is simply too high to do otherwise.


Posted by

Chris Gerda

Chris Gerda serves as the head of risk and fraud prevention at Bottomline, with a focus on security for Paymode-X. He is responsible for the overall anti-fraud strategy and technology initiatives to maintain the security of $200 billion in payments within the 450,000+ network membership base.