Voice of the Industry

When authorised payments are not: spotting coercion in online transactions

Monday 28 June 2021 08:15 CET | Editor: Alin Popa | Voice of the industry

With impostor scams on the rise worldwide and increasingly difficult to detect, financial institutions must develop new strategies to combat the threat of advanced social engineering and maintain customer trust

When someone calls you and claims to be a bank representative or government official, you would expect proof that they are who they claim to be, especially if they ask you to transfer money or provide remote access to your computer. You would assume that if they had personal information about you, such as your recent transactions, bank account information or other personal data, they are most likely legitimate. The reality is that cybercriminals prey on human emotions, hoping that a few personal details about a potential victim will be enough to convince them to act fast to avoid losing all their money or having the police come knocking on their door.

Welcome to the new world of social engineering. In the financial industry, there are two main types of social engineering attacks: harvesting online banking credentials and/or personal information, and real-time scams such as authorised payment scams or remote access tool (RAT) scams. The second type of scam requires little technological sophistication, but scammers do need to prove to victims that they are ‘legit’, so they often spend time harvesting information and learning about their victim prior to committing a crime. In fact, 75% of victims claim that a scammer already had their personal information when coercing them into defrauding themselves, according to a report by the US Federal Trade Commission.

Due to the pandemic's global lockdowns, the isolation of social distancing and the increased use of digital banking, most types of fraud hit record levels last year. Social engineering in particular was a favourite go-to method for cybercriminals. According to BioCatch data, one in four confirmed cases of account takeover last year involved some form of social engineering voice scam, such as authorised push payment (APP) fraud.

Social engineering scams that include authorised payments often involve many forms of impersonation, and they are on the rise worldwide. UK Finance reported an increase in authorised push payment fraud last year, with UK banks and their customers losing more than GBP 479 million. In the US, impostor scams remain the most common type of fraud reported by consumers, while unsuspecting victims in Australia experienced record losses from a host of social engineering schemes.

These scams are difficult to detect since the cybercriminal does not interact directly with the banking platform and instead convinces the victim to execute an authorised payment themselves. Standard fraud detection tools are unlikely to detect these scams since the device is the user’s trusted device, the network connection matches the user profile, and any step-up authentication check would also be passed because the victim directly receives the OTP code.

Every swipe tells a story

This is where the power of behavioural biometrics comes into play. Even though it is a genuine user making the payment, when a person is acting under the influence of a cybercriminal, there are subtle changes in digital behaviour that are statistically significant enough to suggest a social engineering scam may be at play. Some of the behavioural insights obtained from the data collected can help build a picture of a user’s emotions during a session. Figure 1 below summarises a few of the behaviours victims of social engineering scams can exhibit during a session and how these can be interpreted.

Figure 1: Digital behaviours that indicate a social engineering scam may be occurring in real time

Each individual behaviour on its own does not imply social engineering, but when combined with hundreds of other data points and compared against the norms of the genuine population, these insights have the potential to paint a disturbing picture. Consider something as simple as a customer who is on an active phone call while navigating a live session in a mobile banking app. Analysing this one indicator alone shows a significant difference between the genuine and fraud populations:

  • Less than 1% of all Android users multitask, combining a phone call with mobile banking activity;

  • More than 1 in 4 confirmed cases of fraud show that the victim was on an active phone call;

  • Data shows that an active call is 30 times more prevalent in the fraud population than the genuine population.

When considering these differences, an active call during a live banking session can be used with other data points as a strong indicator of social engineering.
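To make the "one indicator is not enough, combined evidence is" point concrete, here is an added example (not BioCatch's code or scoring model) that combines session indicators as likelihood ratios in a naive Bayes fashion. The active-call rates are the article's figures; the base rate, the other two indicators and the review threshold are constructed assumptions.

```python
import math

# (P(indicator | genuine session), P(indicator | social engineering scam)).
# active_phone_call uses the article's figures (<1% of genuine users, >1 in 4
# fraud cases, roughly a 30x ratio); the other two rows are constructed
# placeholders, not published statistics.
INDICATORS = {
    "active_phone_call": (0.01, 0.25),
    "hesitation_before_submit": (0.10, 0.40),
    "new_payee_added": (0.05, 0.20),
}


def likelihood_ratio(name: str, present: bool) -> float:
    """How much more likely this observation is under a scam than a genuine session."""
    p_genuine, p_scam = INDICATORS[name]
    if present:
        return p_scam / p_genuine
    # An absent indicator is also evidence, slightly favouring the genuine hypothesis.
    return (1.0 - p_scam) / (1.0 - p_genuine)


def scam_probability(observed: dict, prior: float = 0.001) -> float:
    """Posterior P(scam | observations), treating indicators as independent
    evidence (a naive Bayes simplification; production models handle correlations).
    prior is the assumed fraction of sessions that are scams (constructed: 1 in 1000)."""
    log_odds = math.log(prior / (1.0 - prior))
    for name, present in observed.items():
        log_odds += math.log(likelihood_ratio(name, present))
    return 1.0 / (1.0 + math.exp(-log_odds))


def triage(observed: dict, prior: float = 0.001, review_at: float = 0.1) -> str:
    """Constructed policy: hold the payment for review once the posterior
    reaches review_at; otherwise let it proceed."""
    return "review" if scam_probability(observed, prior) >= review_at else "allow"


if __name__ == "__main__":
    call_only = {"active_phone_call": True}
    combined = {"active_phone_call": True,
                "hesitation_before_submit": True,
                "new_payee_added": True}
    # A 25x likelihood ratio on its own lifts a 0.1% base rate to only ~2.4%.
    print(f"active call alone: P(scam)={scam_probability(call_only):.3f} -> {triage(call_only)}")
    # Three modest indicators together reach ~29% and trigger review.
    print(f"three indicators:  P(scam)={scam_probability(combined):.3f} -> {triage(combined)}")
```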

How to spot social engineering scams

If this year’s data continues to track as it has so far, 2021 will be a record year for social engineering scams. During Q1, there was an 87% increase in the volume of social engineering scam cases detected by BioCatch compared to the same period last year.

Adopting a strategy to address the rise in social engineering scams – and identify authorised payments that really aren’t authorised at all – should focus on three main aspects:

Volume. With social engineering scams overtaking traditional account takeover fraud, implementing technology, such as behavioural biometrics, that can see beyond what traditional fraud prevention tools provide will be critical.

Value. Current data shows that cybercriminals are opting to target more victims for lower amounts, rather than the very targeted, high-value cases they previously focused on. For example, 35% of all impersonation scam cases last year involved an amount greater than USD 1,000; this year, only about 1 in 5 cases show amounts in the four-digit range or above.

Platform. As with other fraud types, mobile applications are becoming increasingly popular with customers and cybercriminals alike, with more than 70% of social engineering scams carried out on a mobile device.

About Ayelet Biger-Levin

Ayelet is a seasoned professional with over 20 years of experience in the technology and information security industry, with a diverse background in product, R&D, marketing, sales, and professional services. At BioCatch, she is focused on helping financial institutions provide seamless and secure digital experiences to their customers by leveraging the power of behavioural biometrics. Prior to joining BioCatch, Ayelet spent over ten years at RSA Security in various leadership roles across Product Management, Product Marketing and Professional Services in both the Fraud Prevention and Identity solution areas. 

About BioCatch

BioCatch is the leader in Behavioural Biometrics, which analyses an online user’s physical and cognitive digital behaviour to protect individuals and their assets. BioCatch’s mission is to unlock the power of behaviour and deliver actionable insights to create a digital world where identity, trust, and ease seamlessly co-exist.


Keywords: scam, social engineering, cybercrime, online security, digital identity
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World