Double-Sided Spoofing: What Michigan Businesses Need to Know

Double-sided spoofing is a fast-moving scam aimed at business customers. Criminals impersonate both your company and your bank at the same time to rush approvals, capture one-time passcodes, or push through unauthorized transactions. Knowing the signs and setting up the right controls can stop loss before it starts.

What is double-sided spoofing?

It’s a coordinated attack where a fraudster pretends to be Independent Bank when calling your business while also pretending to be your business when contacting the bank. The goal is to create urgency and confusion so someone shares a passcode, changes a setting, or approves a transaction they shouldn’t. Caller ID can be faked, so a familiar number isn’t proof it’s us.

How the scam works

1. You receive an urgent call “from the bank” about unusual activity.

2. At the same time, the fraudster reaches out to the bank “as you,” trying to move funds, reset access, or change approvals.

3. Pressure tactics push your team to read back a one-time code or quickly approve a transaction.

4. If successful, funds move or access changes before anyone realizes what happened.

Why Michigan businesses are targeted

Businesses move larger dollar amounts, rely on multiple users, and often make time-sensitive payments. That makes tactics like spoofed caller IDs, fake verification requests, and off-hours calls more effective in busy environments—from manufacturers on the Lakeshore to nonprofits in Lansing and hospitality groups in Northern Michigan. Training your team on a simple callback policy goes a long way.

Red flags your team should spot

• The caller demands immediate action or confidentiality

• Requests for one-time passcodes, PINs, or online banking credentials

• Unscheduled “verification” calls from unfamiliar voices or roles

• Caller ID shows the bank’s number, but details don’t add up

• Requests to change payment instructions or user permissions on the fly

Immediate do’s and don’ts

• Do hang up and call back using a number you already trust—your branch, your banker’s direct line, or the numbers listed on our site.
• Do document the call (time, number, name, request) and alert your designated admin and banker.
• Don’t share one-time passcodes, passwords, or multifactor authentication details with anyone who calls you.

Build a stronger defense with Treasury Management

Strong controls stop most attempts before funds move. A few high-impact tools and habits:

• Positive Pay (Check & ACH): Matches presented items to the list you issue and flags exceptions for your review. It’s one of the most effective ways to prevent check and ACH fraud before posting.
  
  

• TreasuryONE & user permissions: Use dual approval for ACH and wires, limit user entitlements to what each role needs, and turn on alerts so activity gets a second look. 

A simple 10-minute playbook for owners and admins

• Create a written callback script and maintain a verified phone roster (bank, CPA, key vendors).

• Turn on dual approval for ACH and wires; require out-of-band verification for any payment or permission changes in TreasuryONE. https://www.independentbank.com/commercial/digital-banking/treasury-one?utm_source=chatgpt.com

• Enroll in Positive Pay and confirm your decision windows and alert settings.

• Set daily account alerts and assign a rotating reviewer to avoid fatigue.

• Document incidents, even near-misses, to improve training.

What to do if you suspect fraud (or it already happened)

Call our TreasuryONE Helpdesk at 800.530.3719, Monday–Friday, 8 am–5 pm (ET), excluding holidays. Then contact your banker. If instructed, pause further transactions, capture screenshots and details, and reset credentials and entitlements. If funds moved due to a business email compromise or similar scheme, faster reporting improves recovery odds.

Want help tightening controls? Our Michigan Treasury Management team can review your setup and walk you through Positive Pay and user-level permissions in TreasuryONE, so your team has the right safeguards without slowing down your operations.

FAQs About Double-Sided Spoofing

What is double-sided spoofing?
It’s a coordinated fraud where criminals impersonate both your company and the bank at the same time. They use urgency and spoofed caller ID to push you into sharing a one-time passcode, changing settings, or approving a transaction you didn’t initiate. Independent verification via a known number is key.

What should my staff do during a suspicious call?
Hang up. Call back using a number you already trust (your banker’s card, our website, or your internal contact list). Never share one-time passcodes or passwords over the phone or email. Document the attempt and alert your admin and your banker. 

How does Positive Pay help with fraud?
Positive Pay compares checks and ACH items presented for payment to the details you’ve issued and flags exceptions for your review. That lets you stop unauthorized or altered items before posting, adding a powerful backstop if social engineering attempts slip through. 

What banking information should we never share by phone?
Never share one-time passcodes, passwords, full debit/credit card numbers, or online banking credentials. If someone requests them—no matter what the caller ID shows—end the call and contact us using a verified number.

Who do we contact at Independent Bank if we’re unsure?
For business and commercial customers, call the TreasuryONE Helpdesk at 800.530.3719 (Monday–Friday, 8 am–5 pm ET).