Fraud EDU: The evolving face of cyber fraud — the way businesses stay safe can keep you safe, too

—

February 24, 2026

In the fast-paced world of finance, money moves in an instant. From businesses to everyday shoppers, convenience and technology make buying, selling, paying, and receiving faster than ever, but cybercriminals have taken note.

Jeff Taylor, head of Commercial Fraud Forensics at Regions Bank, focuses full-time on staying a step ahead of the fraudsters. On any given day, he is looking for trends, spotting suspicious patterns, and alerting businesses to emerging schemes while offering guidance on how to protect their accounts.

What he shares with businesses also applies to everyday consumers. No matter their target, fraudsters build their scams around creating trust that, in turn, causes people to lower their guard.

Most recently, Taylor is warning people about two particular types of scams: The “Evolving Trusted Partner Scam” and the “The Spoofed Website Scam”. These scams use real-world tactics that exploit trust, technology, and human error. They also reveal a broader pattern of “industrialized” fraud, where organized actors combine social engineering with digital deception.

“It’s vital to understand the mechanics of these scams,” Taylor said. “And that’s whether you’re in charge of your company’s finances or just your own personal finances. Sometimes asking a simple question is the first step toward recognizing something’s off. And that can mean the difference between saving yourself a lot of heartache – or losing a lot of money.”

The trusted partner scam: Impersonation as the ultimate weapon

The Trusted Partner Scam is a classic yet evolving form of social engineering. Fraudsters pose as representatives from trusted entities—government officials, vendors, law enforcement, or authoritative bodies like Nacha (the National Automated Clearing House Association, which oversees the ACH business payments network).

Contact typically arrives via phone, email, or text, Taylor said, referencing a “”potentially fraudulent transaction,” ,” ““data breach,” ,” or urgent account review. Armed with what appears to be legitimate-looking information (often from prior breaches), the scammer builds credibility quickly.

“Sometimes the victim, believing they are just helping a legitimate partner, will willingly share credentials, one-time codes, or click malicious links,” Taylor said. “But when you’re dealing with a scammer, that’s like handing over the keys to the car. Once obtained, these details enable fraudsters to access accounts and spend, spend, or originate unauthorized transactions.”

The urgency in combatting this problem is clear from FBI data. Scams like these caused around $2.9 billion in losses in 2023, with trends showing sustained high volumes into 2025 and beyond. Global estimates suggest over 1,200 organized scam operations, many employing hundreds of staff in professional structures.

“The human element makes this scam devastatingly effective. Employees in accounts payable or treasury roles, under pressure to resolve issues quickly, may bypass protocols,” Taylor noted. Losses extend beyond funds to include regulatory penalties, reputational harm, and operational disruptions.

Experts recommend the “STOP-CALL-CONFIRM” method: pause, end the suspicious interaction, and verify by calling a known number. Legitimate institutions will never request user ID and password combinations over unsolicited channels.

The spoofed website scam: Search ads as a gateway to compromise

While the Trusted Partner Scam relies on direct impersonation, the Spoofed Website Scam weaponizes technology and user habits. Cybercriminals create near-perfect replicas of trusted login portals for online banking sites , business-payment platforms, and more services.

“Sometimes they even purchase ads on major search engines, ensuring these fake sites dominate results for queries like “‘online banking login’ ” or specific portal names,” Taylor warned. “Never go online and search for your bank’s bill-payment site to get to the login. When you do that, a fake or ‘spoofed’ version of that site might show up first. Instead, always go to your bank’s trusted, verified website.”.

Users clicking on spoofed sites often encounter a convincing interface but with subtle URL discrepancies (e.g., minor misspellings or altered domains). Entering credentials triggers a step-up authentication prompt—a common security feature. Almost instantly, a follow-up phishing call or text arrives from a ““trusted source” (often spoofing the institution), pressuring the user to approve the request “to prevent account lockout.” Approval hands over full access.

The best way to protect against this problem is to manually type official URLs or use bookmarks and desktop shortcuts. Additional red flags include poor spelling, transposed characters, or design glitches.

This “malvertising” approach is surging. Reports from the FBI and cybersecurity firms document similar campaigns targeting banks, government sites, and business tools. In recent years, dual-channel attacks (ads leading to phishing sites, followed by calls) proliferated, with attackers adapting to bypass single-factor protections.

How these scams interconnect and amplify risk

“These threats rarely operate in isolation,” Taylor added. “A spoofed site can harvest initial credentials, paving the way for a Trusted Partner follow-up call to extract approval codes or additional details. Both exploit the same psychological triggers: urgency, authority, and familiarity. In the ACH ecosystem, where billions flow daily, a single compromise can cascade into massive fraud.”

Comprehensive prevention: Building a culture of security

Effective defense combines policy, technology, and training. Key recommendations include:

Verification first: Always confirm unsolicited requests via independent channels. Legitimate entities will not ask for full credentials electronically without a secure method.
Safe digital habits: Bookmark legitimate sites, scrutinize URLs, and avoid public Wi-Fi for sensitive logins. Create desktop shortcuts for frequent portals.
Training and awareness: Conduct regular sessions on phishing indicators with your employees, step-up authentication practice risks, and principles like “institutions never ask that.” Simulate attacks to build muscle memory and remember banks will never contact you out of the blue asking for sensitive information.
Technical safeguards: Enforce multi-factor authentication beyond simple approvals, deploy advanced email filtering, endpoint detection, and ACH positive pay services. Monitor accounts in real-time.
Incident response: Act immediately on suspicions—contact your institution’s fraud team and forward suspicious messages. Review policies annually, as threats evolve rapidly.

Conclusion: Vigilance in an era of industrialized fraud

These alerts serve as timely wake-up calls amid rising cyber threats. The Trusted Partner and Spoofed Website Scams thrive on speed and trust. That’s why it’s necessary to counter them with deliberate pauses, verified channels, and ongoing education.

By following these lessons—never sharing credentials unsolicited, avoiding search-driven logins, and fostering a security-first culture—organizations and individuals can protect assets, clients, and operations. Resources from Nacha, the FBI, and cybersecurity experts provide blueprints; the responsibility lies in implementation. In cybersecurity, the best offense is informed, proactive defense. Stay alert, verify relentlessly, and turn awareness into action.