Pause Before You Approve
Protecting Your Business from Today’s Most Deceptive Financial Scams
by Donald Todd, Midland States Bank
It starts with a phone call.
The caller ID says it’s your bank. The voice is calm and professional. They explain there’s suspicious activity on your business account, such as a pending wire transfer or unusual login attempts. They just need to verify a few details to better assist you.
Across our communities, businesses are receiving these calls with increasing frequency. In many cases, they unknowingly hand over the keys to the kingdom: online banking credentials, one-time passcodes, and multifactor authentication approvals.
In late 2025, the FBI’s Internet Crime Complaint Center warned that account takeover fraud, where criminals gain unauthorized access to financial accounts, continues to generate hundreds of millions of dollars in losses nationwide. These schemes often begin with social engineering: a convincing email, a well-timed text message, or a phone call impersonating a financial institution. The victim, believing the contact is legitimate, provides login credentials and passcodes. Within minutes, the criminal controls the account.
What makes the current wave especially concerning is how convincingly criminals impersonate fraud departments or security teams at legitimate financial institutions. They spoof real bank phone numbers. They reference actual products. They understand treasury management services well enough to sound credible. This includes using AI to spoof voices, making them appear more authentic.
Here’s how it typically unfolds.
A caller claims to be from the bank’s fraud or security department. They create urgency by telling the victim, “We need to stop a wire.” They instruct the employee to log in, or they provide a link to a spoofed copy of the bank’s login page that captures the employee’s account credentials. When a one-time passcode or multifactor authentication prompt appears, they ask the employee to read it back or approve it so they can “block the fraud.” In reality, that sequence of events authorizes the criminal’s access.
Funds are quickly transferred out and often pass through multiple accounts or are converted into cryptocurrency. Recovery becomes difficult and often impossible.
For business owners, this is not just an IT problem. It is a governance and internal controls issue that can be addressed by working through the following questions:
- Who in your organization can initiate a wire?
- Who has administrator-level access to online banking?
- Is dual control required for outgoing transactions?
- Would your team know that a legitimate bank will never ask for a password or one-time passcode?
Multifactor authentication is an essential safeguard. Research published by Microsoft found that enabling multifactor authentication reduces the risk of account compromise by more than 99 percent. That is a staggeringly strong control. But if an employee is tricked into providing sensitive details to a fraudster, even strong technical controls can be undermined.
Physical security matters, too. Printed wire instructions left on desks. Check stock stored in unlocked cabinets. Sensitive financial calls taken within earshot of others. Criminals gather information wherever they can.
The most resilient businesses treat financial security like workplace safety. They build layers such as the following to better mitigate risk:
- They require dual authorization for wires and ACH batches.
- They limit administrator privileges.
- They prohibit credential sharing.
- They train employees to pause and independently verify.
Most importantly, they make it acceptable to hang up or question the person on the other end of the conversation.
If someone calls claiming to be from your bank’s fraud department, end the call and independently verify using a trusted number from your statement, official website, or relationship manager. A brief pause can prevent significant disruption.
Consider adding fraud awareness to your next leadership meeting. Review your payment processes. Talk with your bank about available safeguards. Encourage your team to slow down when something feels urgent.
With thoughtful controls, clear communication, and a culture that values verification over speed, area businesses can continue to operate confidently and securely.
Donald Todd, CFE, CIPP, CISSP, is a financial services professional at Midland States Bank with a deep background in risk management, data protection, and regulatory compliance. He brings a strategic, cross-disciplinary approach to safeguarding financial institutions and their business and consumer customers.
