why the financial industry is still plagued by social engineering fraud
By Iain Swaine, EMEA Cyber Strategy Manager, BioCatch
Every year there is a greater likelihood of being a victim of cybercrime. In the first half of 2021 in the UKcriminals stole a total of £753.9m via fraud, an increase of more than a quarter (30%) on the first half of 2020. Criminals are increasingly focusing on banks and other financial organizations with social engineering fraud.
Cybercriminals continue to take advantage of the weakest link in the security chain: people. People are error prone and make the same mistake many times. The inability of financial institutions to prevent us from making mistakes makes us the weakest link in the chain. Although social engineering fraud has been implemented for years, primarily in the form of phishing and vishing (voice phishing), it continues to grow.
To combat this, technology based on behavioral biometrics can be used to confirm a person’s identity during a banking transaction without the need for additional layers of security to detect this type of fraud.
What is real-time fraud detection?
Real-time fraud, also known as authorized push payment (APP) fraud, is a form of social engineering that can cause significant financial damage. To establish the necessary authenticity, cybercriminals use personal data of their victims obtained through data breaches on the dark web or captured from social media profiles. The more information authors have, the more authentic they can appear. While doing so, they contact their victims by phone and pretend to be a representative of a government agency, bank employee or other official organization. This way they can persuade the called person to transfer a certain amount of money to another account. Bank security processes can be bypassed because a real account holder initiates the transfer. Multi-factor authentication (MFA) therefore offers no protection either.
Identifying fraud is difficult because it involves a real person logging in from an authorized location and completing the authentication process using their own terminal. This is because the usual checks – for example, identifying the location, the end device or the IP address – are no longer sufficient. Even out-of-band methods such as one-time password (OTP) authentication via SMS can be bypassed. Cybercriminals who carry out such attacks also usually have a sophisticated script and knowledge of a bank’s security practices and procedures. To make matters worse, cyber criminals use social engineering methods to elicit an emotional reaction from their victim. Criminals will try to extract feelings of sympathy, guilt, or companionship from their victims. They will use a sense of urgency, flattery, an aura of authority, or dispositions of trust. These popular methods elicit feelings such as fear, anxiety, or ease, causing victims to behave in a hurry or without judgment, resulting in the abuser’s desired outcome.
How can you use behavioral biometrics to detect authorized push payment (APP) fraud?
In the UK, APP fraud is on the rise, with victims losing a total of £479 million, or more than £7,000 per person. However, technologies based on behavioral biometrics can detect this type of fraud; it can be used to verify a person’s identity throughout the banking transaction. BioCatch uses data-driven insights to distinguish between “real” and manipulated user behaviors. Working with its customers, BioCatch has developed risk models that can be used to identify a variety of threats, as this collaborative effort is deemed essential to empowering customers and keeping consumers safe. Additionally, there are clear patterns of behavior that can distinguish “real” from “fraudulent” activity during an online session and reveal manipulation by a cybercriminal:
- Unusual length of session: the session lasts considerably longer than usual and the account holder exhibits noticeable behaviors, such as aimless mouse movements. It may indicate that the person is nervous or under pressure while waiting for instructions from a criminal.
- Segmented Strikes: If there are interruptions in typing, this may be a sign that the account number is being read aloud by the author, preventing routine typing.
- Hesitation: The time required to perform simple and intuitive actions such as confirming an entry increases considerably.
- Unusual terminal handling: The orientation of the device changes frequently. This may indicate that the logged in user is repeatedly putting down or picking up their smartphone to accept the criminal’s instructions.
No matter how complex a bank’s systems and procedures are, the cybercriminals who use social engineering to defraud organizations are highly motivated and skilled. After a successful social engineering fraud, the victim’s money is usually impossible to locate. Therefore, to protect customers from financial loss, it is imperative to detect fraud when it occurs. The use of behavioral biometrics can prevent major losses, while fully protecting customers and company assets. It should form the basis of any financial institution’s anti-fraud protection.