Voice of the Industry

Fighting back against scams and social engineering

Thursday 15 September 2022 08:16 CET | Editor: Alin Popa | Voice of the industry

How can financial institutions effectively spot and stop fraud when it occurs as a result of scams and social engineering? Maya Ogranovitch Scott from Ping Identity has the answer.


When fraud occurs as a result of scams and social engineering, organisations can struggle to stop it. When legitimate customers fall prey to online imposters, the losses can be significant: according to the FTC, American consumers reported losing over USD 2.3 billion to imposter scams in 2021. In the UK, losses due to authorized push payment (APP) fraud rose by 71% in the first half of 2021, and the amount of money stolen through this type of scam overtook card fraud losses. Financial institutions need to find ways to effectively combat these massive losses before they’re left footing the bill.

Protecting your organisation against scams and social engineering 

Among the various types of fraud that organisations are trying to prevent, scams and social engineering come with several unique challenges because the criminal doesn’t interact with the organisation’s digital properties directly. It can be very difficult to spot this type of fraud before it happens because consumers who have fallen for scams can easily pass authentication and biometrics challenges. Protective measures such as multi-factor authentication and even identity proofing are of limited use in this situation. Instead, financial institutions need to consider how they might intervene with the user directly, and when this type of intervention should occur.

Layered defences with adaptive access 

Fraud prevention is frequently addressed at two key points of the user journey: at the point of authentication and at the point of transaction. However, given the user is legitimate and should be able to authenticate into their account without issue, this could leave the transaction as the only point of defence. It is common practice to require additional approvals to transfer large sums of money, but even that won’t stop a scammed user from making a costly mistake.

It is important to note that consumer education remains critical, forming the first line of defence against fraudsters – however, consumer education will never fully eliminate the problem. Fraudsters are tricky and intelligent, and even a wary consumer can be scammed if they are approached in the right way at the perfect time. Financial institutions must therefore build a strong second line of defence to cover those cases where consumers have not realized that they are being scammed.

There are several methods available to address this, and a canny organisation may implement several of them to provide a more layered defence. To begin with, it is useful to examine user behaviour across the entirety of the session. Between authenticating and completing a transaction, users may take a variety of other actions such as making modifications to their profile or viewing and changing PII. While most behavioural biometrics focus on distinguishing legitimate users from fraudsters who have taken over an account, a legitimate user may still exhibit some unusual behaviours as a result of a scammer’s influence. When fraud and risk detection tools work continuously throughout the user session, there are more opportunities to spot these anomalies and take appropriate action.

However, in order to mitigate this type of fraud, it isn’t enough to focus on detection. Rather, financial institutions need to find a way to intervene directly and cause the user to think critically about their actions. This is easier said than done but can be accomplished by adapting the user’s experience based on perceived risk. Rather than putting a request for MFA in front of a suspicious transaction, it is more useful to challenge the user in a different way. Typically, the fraudster has already done significant work to get the user to trust them, but the user can be made to question that trust. Perhaps users who appear to be at risk of authorizing a fraudulent payment can be taken down another path – instead of immediate access to the ‘transfer’ button, it could be enough to present them with a warning screen which alerts them to the possibility of fraud and asks them several questions about how they know the payee, whether they are confident in what they are paying for, and so on. Sometimes encouraging the customer to stop and think is enough to stop them from putting a payment through.

Technology change vs. policy change 

Most organisations have multiple counter-fraud measures and technologies deployed. Fraud prevention is generally additive in nature, with new defences layered on top of existing ones in an effort to keep up with new fraudster tools and tactics. Unfortunately, adding new technology or making significant adjustments to existing tools takes time, money, and a variety of approvals. Change control processes and governance can be very rigid, leaving financial institutions in a difficult position. Fraudsters are unencumbered by comparison and able to move more quickly, causing fraud teams to feel like they can never quite keep pace. Understanding the tools available to fight scams and social engineering and actually putting them into practice are two very different things.

Financial institutions can circumvent this particular challenge by lifting their fraud policies out of individual applications into a centralized fraud hub that allows for quick and easy policy changes without code. With this in place, fraud teams can adjust their policies to react to potential scams in a variety of ways, choosing mitigation paths that rely less on standard tools like MFA or identity verification and more on other types of challenges. The benefit of this approach is that it is easy to track the performance of these policies, testing and adjusting as needed in real time.
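The sketch below is an added example, not Ping Identity's product or code. It illustrates the two ideas above together: signals are gathered across the whole session, and the policy that maps them to a warning screen (rather than an MFA prompt) is plain data that can be changed without touching application code. All signal names, weights, thresholds and action names are hypothetical.

```python
# Policy is data (for instance loaded from a central store), so fraud teams
# can retune it without a code release. Every value here is hypothetical.
POLICY = {
    "weights": {
        "new_payee": 30,
        "pii_changed_in_session": 25,
        "profile_changed_in_session": 15,
        "large_amount": 30,
    },
    "large_amount_threshold": 5000,
    # Ordered high to low: the first band whose min_score is met wins.
    "bands": [
        {"min_score": 70, "action": "additional_approval"},
        {"min_score": 40, "action": "scam_warning"},
        {"min_score": 0, "action": "allow"},
    ],
    "warning_questions": [
        "How do you know the payee?",
        "Are you confident in what you are paying for?",
    ],
}

def session_signals(events, payment, policy):
    """Derive signals from every event in the session, not only the payment."""
    kinds = {e["type"] for e in events}
    return {
        "new_payee": payment["payee_is_new"],
        "pii_changed_in_session": "pii_change" in kinds,
        "profile_changed_in_session": "profile_change" in kinds,
        "large_amount": payment["amount"] >= policy["large_amount_threshold"],
    }

def decide(events, payment, policy=POLICY):
    """Score the session and pick the mitigation path the policy prescribes."""
    signals = session_signals(events, payment, policy)
    score = sum(w for name, w in policy["weights"].items() if signals[name])
    band = next(b for b in policy["bands"] if score >= b["min_score"])
    decision = {
        "action": band["action"],
        "score": score,
        "reasons": sorted(name for name, hit in signals.items() if hit),
    }
    if band["action"] == "scam_warning":
        # The user is genuine, so MFA would pass; show questions instead.
        decision["questions"] = policy["warning_questions"]
    return decision
```

Lowering the `min_score` of the `scam_warning` band in the policy data is enough to route more sessions to the warning screen; `decide` itself does not change.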

Ping’s integrated approach to stopping scams and social engineering 

Scams and social engineering are challenging to address, but the right combination of tools and tactics can ensure that your organisation is up to the task. Ping Identity takes an integrated approach to fraud prevention, combining tools for fraud detection, decisioning, mitigation, and orchestration in one platform. Our fraud decisioning and orchestration tools allow organisations to easily aggregate fraud signals from a variety of sources, including Ping’s own detection tools as well as external ones, and build out policies that allow for flexible mitigation at any point throughout the user journey. Modifying and testing policies inside our decisioning hub is quick and easy, and our fraud prevention experts are ready to share their experience in preventing fraud losses from APP scams and social engineering.

Want to learn more about how Ping can help your organisation prevent fraud? Read Ping’s Ultimate Guide to Fraud Prevention or contact us today.

About Maya Ogranovitch Scott

Maya Ogranovitch Scott is a product marketing manager for Ping's fraud detection and mitigation solutions. She is passionate about leveraging the power of identity to help enterprises deliver exceptional customer experiences that are simultaneously secure and seamless.


About Ping Identity


At Ping Identity, we believe in making enterprise experiences both secure and seamless for all users, without compromise. That’s digital freedom. To achieve this, the PingOne Cloud Platform turns you into an experienced artist who can bring exceptional journeys to life with a simple no-code canvas. You can deliver passwordless authentication, protect user privacy, prevent fraud, architect for zero trust, and much more. For more information, please visit www.pingidentity.com.


Keywords: scam, social engineering, fraud management, fraud detection
Companies: Ping Identity
Countries: World
