Bank imposter schemes emerged as an asymmetric threat for fraud managers following the rapid consumer uptake of real-time peer-to-peer (P2P) channels starting in 2019. It was accepted that taking on a real-time P2P payment capability would create significant fraud exposure. But because it also elevated a necessary modern payments channel in a highly competitive environment, many financial institutions held their nose and pursued this P2P option, diving headfirst into the fraud trenches with varying degrees of success.
In those early days, pioneering fraud detection strategies that would remain sustainable in the future was contingent on what was consistent about the attackers and their methods. The kneejerk reaction by fraud strategy leaders was to leverage existing features and legacy fraud platforms that were available at this time, and/or seek new and emerging technologies to assist us in identifying bad actors as they began these novel social engineering approaches.
I sat down with Justin Hochmuth, the threat analyst for BioCatch’s partner portfolio. Justin works directly with dozens of our financial institution clients (especially community banks and credit unions), so has line of sight on many evolving threats. He is presently refining the right approaches to mitigating the risk of social engineering account takeover (ATO) scams with a behavioral-biometrics fraud-fighting toolbox. And while the risk is no longer specifically limited to the P2P channel, his insights are applicable to all online banking ATO exposures. In the following discussion, he’ll share his current strategy for developing controls to mitigate risk and offer a prediction as to where the puck is headed for those seeking the best solutions to optimize fraud-prevention strategies.
---
Seth: As these new unauthorized social engineering scam types emerged, we were heavily focused on new devices, new locations, and new beneficiaries. What’s changed in the key detection logic elements and your strategic approach to dealing with them for your clients since that era?
Justin: Device, location, and new payee data is still valuable, but it is the behavioral piece that gives us greater insight and differentiation between genuine and fraud populations. Even the most sophisticated fraudster can’t replicate the behavior of the genuine user. In response, we can combine those legacy approaches with how the user is interacting within online banking portals. In fraud populations, we typically see unfamiliarity with the user’s data and use of more advanced and unfamiliar keyboard/mouse functions compared to what we’ve seen from the genuine user. Our AI and machine learning models contain thousands of features that can measure even the slightest behavioral anomalies, giving financial institutions an overwhelming advantage in their fight against fraud and ATO. These models are continually updated to ensure that we can detect threats, such as these types of unauthorized social engineering scams.
Seth: Historically, we’ve needed stronger controls to send the right message in real time, allowing banks to decline fraudulent payment transactions. Is this still the right approach?
Justin: Automation in the form of decline or lockout still can be used effectively, but ideally, we don’t even let them get to the point of sending money. In these OTP vishing attacks, the fraudster does a lot more than just move money. There are many different pages and points in an online banking journey where behavioral anomalies can be detected and strategies can be utilized to mitigate risk. It’s important to leverage these behavioral data points throughout the entire banking session, rather than just focusing on the movement of money. Consider all the personal identifying information, card data, and application channels that a fraudster has access to after unauthorized access and evaluate the different ways that a fraudster can use this information to conduct fraud within the online banking environment and outside of the banking environment. By assessing risk and driving decision outcomes throughout the banking environment, risk can be mitigated much earlier in the process and protect your member’s information proactively. Our model’s ability to detect behavioral anomalies allows for more targeted application strategies that help prevent loss, but also reduce friction in genuine populations.
Seth: How have bad actors changed their tactics and refined their social engineering schemes?
Justin: You can spend about five minutes on Telegram and locate how-to tutorials on how to commit this type of fraud. Fraudsters talk to each other. They share best practices and talk about what works and what doesn’t work. The common current method is spoofing the financial institution’s contact center number and representing themselves as the fraud or info security team. Regardless of the message sent within the one-time passcode (OTP) message, the fraudster gains the trust of the member and attains the passcode. It’s common for the fraudster posing as a bank rep to instruct the member not to attempt to log into their account for two days. Unfortunately, this method is effective, delays the reporting of this type of fraud, and allows enough time for the lost funds to become unrecoverable. The fraudsters have developed in-depth understandings of financial institution processes and have learned how to not alarm the suspecting victim.
Seth: How should we expect this to change going forward?
Justin: There is one certainty: Fraudsters will continue to evolve and become more sophisticated. Fraudsters are increasingly becoming more professional. Common mistakes of the past that would blow their cover are easier to fix thanks to ChatGPT and other AI tools that can provide professional scripts, change voices, or even allow deepfake video conferencing. Use of device emulation and VPNs makes device and network location data increasingly unreliable, so being able to measure differences in user behavior, mouse movements, key presses, and typical user journeys becomes increasingly valuable in the fight against this evolving threat.
Seth: If you could give guidance to a financial institution experiencing a deluge of these types of attacks, what would you recommend?
Justin: Documentation, data collection, and utilization of fraud tools are crucial to building effective strategies to combat fraud. Blanket business rules that apply a high level of friction across your online banking platform can be problematic for member experience and create inefficiency in your fraud capture. Most financial institutions communicate the importance of not disclosing OTP codes, yet it continues to be an asymmetric risk in the account takeover space. Targeted strategies that focus on both these legacy data types (network and device) and behavioral data are the best way to protect yourself from these types of fraud attacks.
Secondly, fraudsters are talking about what works, why aren’t we? Utilizing channels of communication within networking groups and shared platforms to share best practices and exchange ideas helps protect your members from these fraudsters. It’s important to note that strategies can vary between financial institutions, but there is an immense amount of value when fraud fighters talk to each other and collaborate. Successful attacks empower and enrich fraudsters to invest in additional tools and data to extend and diversify their attacks. With data, tooling, strategies, and collaboration, financial institutions can mitigate these threats without generating unnecessary friction for genuine users.
Seth: The beauty of what Justin is bringing to the table with these unique insights is that he is delivering some of the most cutting-edge fraud prevention technologies to the smallest institutions, effectively syndicating and democratizing world-class banking services. Further, the technology integrations that made this possible also require minimal effort for institutions to implement and realize rapid benefit. The present fraud risk environment is experiencing the most significant technological turmoil in a generation, which we laid out in our recent blogs and white paper on Scams and AI. So, while fraudsters will always prey on the weakest sheep in the flock, our partner platforms will provide the bank on Main Street with the tools and lessons learned on Wall Street.