We have all seen the headlines about victims losing money to a variety of scams. The most dominant – and one that has become the focal point for financial institutions around the globe – is impersonation scams. An impersonation scam occurs when a fraudster pretends to be an official from a trusted institution, most often a bank, in order to get a victim to initiate a financial transaction or payment to an account controlled by the fraudster. 

Impersonation scams have become the weapon of choice for fraudsters largely because the financial services industry has gotten much better at defending against traditional third-party attacks. As a result, they have shifted their tactics to target what is in reality the weakest link – the human. BioCatch data shows social engineering scams increased 30% globally last year. However, after taking a deeper dive into the data, one region stood out as a hotbed of scam activity in 2022 – Latin America saw a drastic 156% increase in confirmed fraud scams.

Impersonation Scams with a Twist

The scams originating in Latin America start off in a standard way. A fraudster contacts a victim and introduces themselves as a manager or employee of a certain area of the bank. This usually starts with a phone call, SMS text, or WhatsApp message (the latter which is very common across the region). Using data acquired from phishing sites or purchased through the dark web and Telegram groups, the fraudster is able to log in to the account to analyze balances, transaction history, and investments. By demonstrating knowledge of the user and their account information, the fraudster will be able to build trust and credibility with the victim when they call them to get what they really need: the second passcode.

Most banks in Latin America require a customer to perform a step-up authentication in the form of a second passcode which is typically found in a unique soft token enabled on the customer’s mobile device. This is the information the fraudster needs to execute a transaction and make the scam successful. 

Some of the most common scams proliferating in Latin America include: 

• Fee reversals. A fraudster will contact a victim and state there has been credit added to their account by mistake and request the victim reverse the funds. The victim is then directed to transfer the funds to a new account that is actually a mule account controlled by the fraudster. 
• Account issues. A fraudster will contact a victim to say there is a problem with their account or iToken. The fraudster advises the victim to initiate a transaction, such as transfers to other accounts, as a way of “testing” the account. The victim is told that the amounts will be returned to them within 24 hours, which never actually happens.
• Promotions. The fraudster will contact the victim offering a promotion such as an invitation to get a “black card” or some other premium incentive that makes them feel important. These deals will require the victim to move to another segment of the bank. In order for this to happen, the victim is advised to move their funds to a new account which is actually controlled by the fraudster. 
  
  

Fraudsters have added a new twist to their crimes, specifically the fee reversal scam. Once they are in possession of a victim’s credentials, they will log in to the account and deliberately enter the wrong password so that the account is blocked. The fraudster will then call the victim, impersonate a bank employee, and inform the victim that the account has been blocked due to suspicious activity. The fraudster will then advise the victim that a security procedure needs to be performed to unlock the password. In order to do that, they guide the victim to type it on the phone's keyboard to perform an alleged synchronization. 

During the process, the fraudster captures the first password and is able to access the user account where they can perform activities that do not require the soft token, such as transferring the balance of a savings account to the checking account. The victim will now see an amount on their statement that they do not recognize, adding legitimacy to the fraudster’s claims that there has been suspicious activity on the account. 

The victim does not realize in the moment that it is their own money that has simply been transferred into a different account. The fraudster then convinces the user they need to reverse the payment and return it to an account that, yes, is owned by the fraudster. 

 
Stop Letting Criminals Call the Shots

What makes social engineering scams so hard to detect is that the fraudster never interacts directly with the banking platform. Instead, they use coercion tactics to convince the genuine customer to execute the illicit activities on their behalf without knowing what is really happening. The recent Gartner Market Guide for Online Fraud notes that authorized payment scams have become “the greatest fraud concern” for financial institutions, thus driving an increased interest in behavioral biometrics to address this unsolved challenge.

Combining device and behavioral intelligence, there are many patterns that can indicate a social engineering scam is in progress. For example, the victim is on an active call at the time of the scam. An active call is present in 40% of confirmed scam cases compared to less than one percent of the genuine population. Another pattern is the presence of a second device connected to the same account with characteristics never seen in the genuine customer’s history. 

Even how a fraudster transacts is often different than the genuine user, opting to make several low-value payments instead of a single high-value payment. In general, a fraudster will choose to “test” the system by performing the first transaction in a negligible amount, and then after the system “trusts” their device, massive cashout operations begin.

Find out how behavioral biometrics is being used by financial institutions to protect their customers from falling victim to these attacks in the white paper: Spot the Impostor: Tackling the Rise in Social Engineering Scams.