Avoiding the Next Wave of Fraudster Evolution: MFA Bypass, Offline Phishing, and Vendor Contact Manipulation

June 24, 2026


As finance professionals at organizations have successfully increased their defenses with multi-factor authentication (MFA), comprehensive phishing awareness training, and rigorous verification procedures for remittance changes, fraudsters are evolving — again. Rather than abandoning their efforts, fraudsters are developing sophisticated workarounds that exploit the very security measures designed to stop them.

MFA Workaround: Stealing Passwords Is No Longer Good Enough

In the past, fraudsters relied on tricking users into typing passwords into fraudulent websites. However, the widespread adoption of MFA has made stolen passwords alone insufficient for account takeovers, as attackers still lack the necessary one-time codes. As a result, fraudsters are evolving from traditional fake login pages to the deployment of infostealer malware.

Infostealers are being used to silently harvest session cookies and tokens directly from a victim's browser. By stealing these active session tokens, attackers can bypass MFA entirely, gaining access to accounts without ever needing a password or a verification code. This approach is increasingly popular because it scales well and reduces friction for the fraudster. Rather than waiting for a user to enter credentials, the malware harvests whatever is already saved on the infected machine, including saved passwords, session cookies and corporate access credentials. These "silent" attacks are much harder to detect than classic phishing, as they leave no visible red flags like suspicious login pages.

How to Avoid: Look out for malicious ads, fake browser-update prompts, other suspicious update prompts, and shady browser extensions.

Phishing Email Workaround: Sending Only Phishing Emails Is No Longer Good Enough

As finance professionals have become more adept at spotting suspicious emails, fraudsters are moving offline to exploit the trust associated with physical mail. Recent campaigns have targeted cryptocurrency hardware wallet users by sending physical phishing letters that mimic official corporate branding. These letters often use high-pressure tactics, such as warning of a mandatory “Quantum Resistance” update to create a sense of urgency.

In 2024, the Federal Trade Commission warned that fraudsters pose as federal officials from fake agencies and send fake forms and letters to small business owners via regular mail. They take advantage of the same strategy used by government agencies like the IRS, which initiates first contact by mail delivered through the U.S. Postal Service.

These physical letters can include QR codes that route victims to phishing websites or phone numbers to criminal call centers. By moving the initial point of contact to a physical letter delivered to a victim's home or business, scammers bypass digital email filters and the mental "shield" users often have when browsing their inboxes. Furthermore, these campaigns are frequently localized, with letters written in the victim's native language and tailored to regional customer data, which significantly increases their perceived legitimacy.

How to Avoid: Verify the federal, state or local agency is real by searching and verifying their name and contact information on the A-Z Index of U.S. Government Departments and Agencies.

Confirmation Call: Planting Fraudulent Contact Information in the BEC Email Is No Longer Good Enough

A strategic evolution is occurring in the realm of Business Email Compromise (BEC). Many organizations mitigate payment fraud by performing confirmation calls, using a previously known contact phone number to verify any requested changes to bank account or remittance details.

In response, fraudsters have introduced a strategic fraud tactic known as the preemptive pivot. Instead of immediately requesting a fraudulent payment, attackers first send a request to add or update the contact information (such as a phone number or email address) for a vendor. By changing the contact details in the victim's vendor master file before the fraudulent remittance change request is sent, the fraudster ensures that when the victim performs the confirmation call, they are unknowingly calling the attacker instead of the legitimate vendor.

One reason this works especially well is that the contact information in the vendor master file is often either missing or not the correct contact who can verify remittance changes. As a result, a request to add contact information is welcomed, since it fills in missing data. Another reason it works well is that the subsequent email requesting a change of remittance information is treated as a separate request, so the earlier change to the contact information goes unnoticed.

How to Avoid: Check the comments or the audit log of the vendor record in the vendor master file to see if there was a recent change in contact information. Search all emails from the vendor to see if an email was sent requesting a change in contact information. If such a request was recently sent or applied, use the previous contact information; if none is available, obtain contact information from the internal team member who has a relationship with the vendor, and use that to perform the confirmation call.
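The audit-log check described above, as an added example that is not code from the original article: before a confirmation call, it looks for contact-field changes on the vendor record within a lookback window ending at the remittance request, and falls back to the previously known number or to the internal relationship owner. The audit-log record shape, the 90-day window and the sample vendor data are all assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fields whose change shortly before a remittance request suggests a "preemptive pivot".
CONTACT_FIELDS = {"phone", "email"}

@dataclass
class AuditEntry:
    vendor_id: str
    field: str          # vendor master field that changed, e.g. "phone"
    old_value: str      # value on file before the change ("" if the field was empty)
    new_value: str
    changed_at: datetime

def pick_confirmation_phone(vendor, audit_log, request_time, lookback_days=90):
    """Choose the number for the confirmation call on a remittance-change request.
    Returns {'flagged': recent contact change seen, 'phone': number or None, 'reason': str}."""
    window_start = request_time - timedelta(days=lookback_days)
    recent = sorted(
        (e for e in audit_log
         if e.vendor_id == vendor["vendor_id"] and e.field in CONTACT_FIELDS
         and window_start <= e.changed_at <= request_time),
        key=lambda e: e.changed_at)
    if not recent:
        return {"flagged": False, "phone": vendor.get("phone") or None,
                "reason": "no contact change in lookback window; number on file is usable"}
    # Prefer the phone number that was on file before the earliest change in the window.
    phone_changes = [e for e in recent if e.field == "phone"]
    prior = phone_changes[0].old_value if phone_changes else vendor.get("phone", "")
    if not prior:
        return {"flagged": True, "phone": None,
                "reason": "contact changed recently and no prior number on file; "
                          "get a number from the internal relationship owner"}
    return {"flagged": True, "phone": prior,
            "reason": f"{len(recent)} contact change(s) since "
                      f"{recent[0].changed_at:%Y-%m-%d}; using previously known number"}

# Constructed sample data (not from any real vendor master file).
VENDOR = {"vendor_id": "V-1001", "phone": "+1-555-0100", "email": "ap@acme.example"}
VENDOR_NEW = {"vendor_id": "V-2002", "phone": "+1-555-0150", "email": ""}
AUDIT_LOG = [
    AuditEntry("V-1001", "email", "billing@acme.example", "ap@acme.example", datetime(2026, 5, 2)),
    AuditEntry("V-1001", "phone", "+1-555-0199", "+1-555-0100", datetime(2026, 5, 20)),
    AuditEntry("V-2002", "phone", "", "+1-555-0150", datetime(2026, 6, 1)),  # field was empty
]
REQUEST_TIME = datetime(2026, 6, 3)      # date the remittance-change email arrived
EARLIER_REQUEST = datetime(2026, 5, 1)   # a request dated before any contact change
```

Calling `pick_confirmation_phone(VENDOR, AUDIT_LOG, REQUEST_TIME)` flags the two changes and returns the number that was on file before the phone change; for V-2002, where the field was previously empty, it returns no number and defers to the internal relationship owner.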

Conclusion

Fraudsters are adapting to stronger controls by bypassing MFA, moving phishing offline, and manipulating vendor contact data before payment changes are requested. Finance teams must respond with layered validation, clean vendor records, and independent verification workflows that treat every change request as connected, suspicious and worthy of additional scrutiny. Fraud is no longer just about tricking a user into a single mistake, but about systematically dismantling the layers of trust built into traditional process workflows to prevent fraudulent payments.

Resources

1. Cyber Security News, June 4, 2026: Cybercriminals Shift From Fake Login Pages to Infostealer Malware in Phishing Attacks. https://cybersecuritynews.com/cybercriminals-shift-from-fake-login-pages/#google_vignette

2. Hack Read, May 17, 2026: Scammers Send Physical Phishing Letters to Steal Ledger Wallet Seed Phrases. https://hackread.com/scammers-physical-phishing-letters-ledger-wallet-seed/

3. Federal Trade Commission, February 13, 2024: Government Impersonators Mail Fake Notices to Business Owners. https://consumer.ftc.gov/consumer-alerts/2024/02/government-impersonators-mail-fake-notices-business-owners?utm_source=govdelivery

4. IRS: How to Know It's the IRS. https://www.irs.gov/help/how-to-know-its-the-irs

5. USA.gov: A-Z Index of U.S. Government Departments and Agencies. https://www.usa.gov/agency-index
