Authorized Push Payment Fraud: How Digital Behavior Can Uncover Social Engineering Scams

Jan. 6, 2021 | by Gadi Mazor

Gadi Mazor, COO of BioCatch, provides a refreshing take on how digital behavior, and the right technology, can be used to detect advanced social engineering scams.

Authorized push payment (APP) fraud is one of the fastest growing financial crimes and perhaps one of the most difficult to fight. APP fraud typically starts with a phone call from a criminal posing as a representative from a legitimate organization such as a bank, utility company or government agency. The criminal may use a variety of tactics, most often claiming there has been suspicious activity on an account and the victim must take immediate action to stop fraud from occurring. The criminal will then tell victims that a new account has been opened in their name and persuade them to transfer money into the new account, one that is actually controlled by the criminal.

Authorized push payment fraud is devastating for consumers. This scheme is far different than a cybercriminal using a compromised card to buy a Starbucks coffee halfway around the world. APP fraud schemes are intended to wipe out a victim’s entire life savings. According to UK Finance, APP fraud losses hit GBP 456 million in 2019, a 29% increase from the previous year. Many other countries that adopted real-time payments, such as Australia’s New Payments Platform, have likewise experienced an increase in APP fraud following the launch.

At the core of APP scams is advanced social engineering. The criminals that perpetrate these attacks are well-scripted and often knowledgeable about a bank’s security practices and processes. What makes these scams so hard to detect is that the transaction or payment is being conducted by the genuine user who is logging in from their own device from a valid location. In addition, even if required to provide additional authentication credentials, such as a one-time passcode, the legitimate user will be able to provide them.

Working together with several of our customers, BioCatch set out to find whether digital behaviors could be used to detect social engineering scams, and if so, determine what behaviors should be examined. How could we take what we know about digital behavior based on clicks, swipes, and typing patterns and marry that to human psychology to develop models that produce highly accurate profiling to detect advanced social engineering?

It is in these advanced scams that the power of behavioral biometrics comes into play. The assumption was to start with finding differences in actual human behavior that was statistically significant enough to determine a user’s intent and emotional state in context of the activity being performed. Some of the differences in digital behavior we uncovered to indicate a user was acting under duress or the coercion of a cybercriminal include:

  • Length of session. The length of a session takes significantly more time and behaviors such as aimless mouse movements are common indicating a person is fiddling while they wait for instructions.
  • Segmented typing. These patterns indicate dictation such as a cybercriminal reading off the account number to transfer funds to.
  • The time it takes to perform simple, intuitive actions such as clicking on the Submit button show a statistically significant increase on average.
  • This is indicated by actions such as changing the orientation of the device often. For example, continuous movement of the phone to suggest the user is picking the phone up to take instructions and placing it back down to perform the actions instructed by the cybercriminal.

While technologies such as behavioral biometrics have alleviated some of the risk from advanced social engineering scams, there is still no undermining the value of continued awareness and education. The topic has become an interest in common culture with the rise of YouTube channels that track and expose scammers in action. One channel run by an online vigilante operating under the pseudonym Jim Browning has amassed over two million followers on the popular video platform.

Organizations such as UK Finance have also taken a lead in raising consumer awareness and garnering cross-industry cooperation to tackle the rise in these attacks. They have been strong advocates for consumers, who previously had to assume the loss, helping to create the Contingent Reimbursement Model Code (commonly referred to as simply the Code). Launched in May 2019, the Code introduced new protections to help consumers receive compensation if they become a victim of an APP fraud scam.

Today, with 93% of fraudulently obtained transfers sent over a Faster Payments network and many financial institutions signed up for the voluntary industry Code, there is motivation more than ever to implement the right technology to prevent fraud losses from advanced social engineering scams and build trust with customers.

This article was originally published by Gadi Mazor, COO of BioCatch in The Paypers.