Voice of the Industry

Authorised push payment fraud: How digital behaviour can uncover social engineering scams

Thursday 3 December 2020 08:06 CET | Editor: Oana Ifrim | Voice of the industry

Gadi Mazor, COO of BioCatch, provides a refreshing take on how digital behaviour, and the right technology, can be used to detect advanced social engineering scams

Authorised push payment (APP) fraud is one of the fastest growing financial crimes and perhaps one of the most difficult to fight.  APP fraud typically starts with a phone call from a criminal posing as a representative from a legitimate organisation such as a bank, utility company or government agency. The criminal may use a variety of tactics, most often claiming there has been suspicious activity on an account and the victim must take immediate action to stop fraud from occurring.  The criminal will then tell victims that a new account has been opened in their name and persuade them to transfer money into the new account, one that is actually controlled by the criminal.  

Authorised push payment fraud is devastating for consumers. This scheme is far different from a cybercriminal using a compromised card to buy a Starbucks coffee halfway around the world. APP fraud schemes are intended to wipe out a victim’s entire life savings. According to UK Finance, APP fraud losses hit GBP 456 million in 2019, a 29% increase from the previous year.

At the core of APP scams is advanced social engineering. The criminals that perpetrate these attacks are well-scripted and often knowledgeable about a bank’s security practices and processes. What makes these scams so hard to detect is that the transaction or payment is being conducted by the genuine user who is logging in from their own device from a valid location. In addition, even if required to provide additional authentication credentials, such as a one-time passcode, the legitimate user will be able to provide them. 

Working together with several of our customers, BioCatch set out to find whether digital behaviours could be used to detect social engineering scams, and if so, determine what behaviours should be examined.  How could we take what we know about digital behaviour based on clicks, swipes, and typing patterns and marry that to human psychology to develop models that produce highly accurate profiling to detect advanced social engineering?  

It is in these advanced scams that the power of behavioural biometrics comes into play. The starting assumption was that there are differences in actual human behaviour that are statistically significant enough to indicate a user’s intent and emotional state in the context of the activity being performed. Some of the differences in digital behaviour we uncovered that indicate a user is acting under duress or the coercion of a cybercriminal include:
  • Length of session. Sessions take significantly longer, and behaviours such as aimless mouse movements are common, indicating that the person is fiddling while they wait for instructions.
  • Segmented typing. These patterns indicate dictation, such as a cybercriminal reading out the account number to which funds should be transferred.
  • Hesitation. The time it takes to perform simple, intuitive actions, such as clicking the Submit button, shows a statistically significant increase on average.
  • Displacement. This is indicated by actions such as frequently changing the orientation of the device, for example continuous movement of the phone suggesting that the user is picking it up to take instructions and putting it back down to perform the actions the cybercriminal has instructed.
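To make the four indicators concrete, here is an added example (not BioCatch code) that scores a constructed payment-session event log against a per-user baseline; the event format, thresholds and baseline values are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed per-user baseline; in practice learned from the user's genuine sessions.
BASELINE = {"session_s": 90.0, "submit_delay_s": 2.0}

@dataclass
class Event:
    t: float       # seconds since session start
    kind: str      # "key", "click", "orient"
    field: str = ""

def typing_segments(events, field, pause_s=1.5):
    """Count keystroke bursts on one field, split at pauses longer than pause_s.
    Several bursts on an account-number field suggest the digits were dictated."""
    times = [e.t for e in events if e.kind == "key" and e.field == field]
    if not times:
        return 0
    return 1 + sum(1 for a, b in zip(times, times[1:]) if b - a > pause_s)

def duress_indicators(events, baseline=BASELINE):
    """Evaluate the four indicators; thresholds are assumed, not vendor parameters."""
    end = max(e.t for e in events)
    last_key = max((e.t for e in events if e.kind == "key"), default=0.0)
    submit = next(e.t for e in events if e.kind == "click" and e.field == "submit")
    return {
        "long_session": end > 2 * baseline["session_s"],
        "segmented_typing": typing_segments(events, "account_number") >= 3,
        "hesitation": (submit - last_key) > 3 * baseline["submit_delay_s"],
        "displacement": sum(e.kind == "orient" for e in events) >= 4,
    }

def risk_score(events):
    """Number of indicators present; two or more would warrant a step-up review."""
    return sum(duress_indicators(events).values())

def coached_session():
    """Constructed log of a coached transfer: ten digits typed in three dictated
    bursts, repeated phone re-orientation, and a long pause before Submit."""
    digits = [0.0, 0.2, 0.4, 2.5, 2.7, 2.9, 3.1, 5.4, 5.6, 5.8]  # two gaps > 1.5 s
    ev = [Event(120.0 + d, "key", "account_number") for d in digits]
    ev += [Event(t, "orient") for t in (30.0, 60.0, 95.0, 150.0, 180.0)]
    ev.append(Event(200.0, "click", "submit"))
    return ev

def genuine_session():
    """Constructed log of a routine transfer: fluent typing, prompt Submit."""
    ev = [Event(10.0 + 0.15 * i, "key", "account_number") for i in range(10)]
    ev.append(Event(12.5, "click", "submit"))
    return ev
```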

While technologies such as behavioural biometrics have alleviated some of the risk from advanced social engineering scams, there is still no understating the value of continued awareness and education. The topic has entered popular culture with the rise of YouTube channels that track and expose scammers in action. One channel run by an online vigilante operating under the pseudonym Jim Browning has amassed over two million followers on the popular video platform.

Organisations such as UK Finance have also taken a lead in raising consumer awareness and garnering cross-industry cooperation to tackle the rise in these attacks.  They have been strong advocates for consumers, who previously had to assume the loss, helping to create the Contingent Reimbursement Model Code (commonly referred to as simply the Code).  Launched in May 2019, the Code introduced new protections to help consumers receive compensation if they become a victim of an APP fraud scam. 

Today, with 93% of fraudulently obtained transfers sent over a Faster Payments network and many financial institutions signed up for the voluntary industry Code, there is more motivation than ever to implement the right technology to prevent fraud losses from advanced social engineering scams and build trust with customers.

About Gadi Mazor

Gadi Mazor is Chief Operating Officer at BioCatch.  Prior to BioCatch, Gadi founded and managed three startup companies in the fields of character and voice recognition and wireless communications, and sat on an advisory board of BlackBerry. In 2012, he co-founded OurCrowd, the leading global equity crowdfunding platform, where he served as General Partner and CTO.



About BioCatch

BioCatch pioneered behavioural biometrics, which analyses an online user’s physical and cognitive digital behaviour to protect users and their assets, all the while protecting user privacy. Today, customers around the globe leverage BioCatch’s unique insights to more effectively fight fraud, drive digital transformation and accelerate business growth. With nearly a decade of data, over 50 global patents and unparalleled experience analysing online behaviour, BioCatch is the leader in behavioural biometrics. For more information, please visit www.biocatch.com

