Behavioral biometrics analyzes a user’s digital, physical, and cognitive behavior to distinguish between cybercriminal activity and legitimate customers, identifying fraud and identity theft. Actual customers and fraudsters interact with digital platforms differently. Where you would enter information one key at a time, criminals are more likely to copy/paste their way through a form. Obviously, it’s more complicated than that, but the main takeaway is that we can use behavioral data to gain insight into fraudulent activity.
Behavioral biometrics leverages machine learning to analyze patterns in human activity and detect whether someone really is who they claim to be when they interact online and whether the activity is driven by a human or part of an automated attack.
A key benefit of behavioral biometrics is that it works passively in the background of a user’s web or mobile session to monitor thousands of parameters, such as the way a person holds the phone or how they scroll or toggle between fields, thereby minimizing friction in the user experience.
Whether as a standalone solution or as part of a layered fraud management plan, behavioral biometrics is delivering extraordinary results and exposing the most advanced fraud attacks.
Why Do We Need Behavioral Biometrics?
Why do we need a new way to distinguish between a good user and a cybercriminal? First, it has become far too easy for cybercriminals to find, steal, or purchase personal data such as email and physical addresses, phone numbers, birth dates, and other personally identifiable information to gain access to or open a fraudulent account.
Second, malware, remote access tools and other technologies used by cybercriminals have exposed the weaknesses of passwords, device ID, one-time passcodes, and other authentication tools when taken on their own. In fact, despite existing controls, the fraud problem is so severe that the president of the United States announced new steps to combat criminal fraud and identity theft in Pandemic Relief Programs.
It would be an understatement to say that fraud is a problem for financial institutions: seniors are scammed out of $3 billion every year; there has been a 78% increase in mule activity for account holders under age 21; American banks alone lost $3.5 billion to application fraud in 2021 and $6 billion to account takeover in 2020; and the UK lost £479M to authorized push payment fraud the same year.
Across the board, cybercriminals are becoming more numerous and more bold. Digital and mobile banking has revolutionized the financial industry, but it has also given criminals more ways to attempt fraud. The rising numbers indicate that controls like activity monitoring and device identification aren’t enough to stop cybercriminals, or even slow them down. Now for the good news: The good guys are catching up by turning to newer, more efficient methods of tracking down cybercriminals, and the one that’s shown the most promise is behavioral biometrics.
Finally, as digital experience has taken center stage, fraud prevention technology must work to introduce a frictionless journey for a majority of good users.
Defending Digital Banking Sessions with Behavioral Biometrics
Behavioral biometrics can be implemented across a variety of industries with a digital presence and is poised to play a major role in building digital trust and safety. Financial institutions have been among the first to adopt the technology and are seeing game-changing successes.
Digital banking has become the single most effective channel for financial institutions to drive growth, increase revenue and attract new customers. But financial institutions have a dilemma on their hands: how can they pursue innovation in digital channels and improve the customer experience while also keeping a strong handle on fraud management and risk?
The conundrum is not new, but to date, the remedies have fallen short. Behavioral biometrics technology is a powerful tool for tackling advanced threats while enabling innovation and growth, and it couldn’t have emerged at a better time. The adoption of digital banking and payments continues to accelerate even after the pandemic. There was a 50% increase in payments sent through networks, such as Zelle, last year. Bank of America reported that small businesses saw their sales from digital channels increase nearly 300%, and emerging services, such as buy now pay later, are growing at unprecedented rates. While these digital trends are positive for both financial institutions and their customers, they have not gone unnoticed by cybercriminals. By moving away from point solutions and putting the emphasis on user experience, behavioral biometrics is enabling financial institutions to meet their fraud management and digital business goals.
Behavior Tells All: Examples of Behavioral Biometrics Use Cases
Four of the most prominent use cases for behavioral biometrics in banking and financial services are for account opening protection, account takeover protection, social engineering scam detection, and mule account detection.
Account Opening Protection: When New Customers Are Not
In a 2020 study conducted by the FTC, there was an 88% increase in new credit card accounts activated and a 33% increase in new bank accounts opened through the use of identity theft compared to the year before. The opening of fraudulent accounts is a serious problem, costing banks time and money and requiring additions to security that hurt the customer experience. The question is: How can you trust a new customer you have never seen before?
During account opening, typing speed, swipe patterns, and every click of the mouse tell a story, one of either cybercriminal activity or genuine user behavior. Even when a bank has never seen a user before, behavioral biometrics technology quickly spots trusted behaviors to create a smooth customer journey during the account opening process. Machine learning identifies statistically observed norms for “good” and “bad” behavior.
In one case, a top-5 U.S. card issuer realized a $10 million annual uplift by deploying behavioral biometrics in their account opening process. The issuer gained a new layer of visibility that enabled them to distinguish between legitimate applicants and cybercriminals and accept more applications with a greater level of confidence.
Account Takeover Protection: Before Cash Disappears
Scammers are getting creative about taking over user accounts, whether through malware, an automated attack, social engineering, or other methods. In a recent study by ISMG/BankInfo Security, account takeover fraud was cited by 72% of financial institutions as a top concern, and among the threats that had the most financial impact last year.
Behavioral biometrics prevents account takeover through a continuous monitoring process that verifies the user’s identity throughout a session, not just at login. With visibility into the entire session, financial institutions can stop fraudulent transfers before they occur.
One financial institution was able to put the brakes on a sustained account takeover cyberattack, stopping a £1.6 million fraudulent transaction in real-time. In another case, a top bank in Asia used behavioral biometrics to stop more than 90% of fraudulent payments before they occurred.
Social Engineering Scam Detection: Who’s Really on the Line?
Social engineering, by far the most prevalent of scams today, is when fraudsters leverage human psychology to appear legitimate in order to hook victims into providing important details, or even transferring money to “respectable” institutions. Behavioral biometrics provides a window into a scam in progress and stops it in its tracks.
The most common social engineering scam often starts with a phone call. A fraudster will obtain legitimate information through a data breach or phishing attack and then call the victim pretending to be an authority figure from either their bank or government agency and provide an urgent or time-sensitive excuse that requires the victim to take action now. The victim, thinking they are in danger, completes the task and willingly transfers valuable data or money to the scammer.
Authorized push payment (APP) fraud is one example of a social engineering scam that is difficult to detect without behavioral biometrics because the transaction or payment is often conducted by a legitimate user who is logging in from their own device, from a recognized location, and with access to a one-time passcode.
Behavioral biometrics instead looks at differences in digital behavior that, in this case, indicate a user is acting under duress or the coercion of a cybercriminal. That could be the length of the user’s session or that the user is displaying segmented typing patterns (for example, stopping and starting as they read off account numbers). Behavioral biometrics helped save one UK bank £500K per month in fraud losses by detecting these real-time social engineering scams in action.
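The session signals described above (segmented typing, session length, and the copy/paste habit mentioned at the start of the article) can be derived from ordinary keystroke and paste telemetry. The following is an added illustration, not BioCatch's code or model: the event format, field names, thresholds, and sample sessions are all assumptions constructed for the example, and a production system would learn such norms from data rather than hard-code them.

```python
from statistics import median

PAUSE_MS = 1500      # assumed gap that separates two typing bursts
MIN_BURSTS = 3       # assumed: this many bursts in one field = segmented
MAX_BURST_KEYS = 4   # assumed: bursts this short look like dictated chunks

def field_bursts(times, pause_ms=PAUSE_MS):
    """Split one field's keystroke timestamps (ms) into burst sizes."""
    if not times:
        return []
    bursts, size = [], 1
    for prev, cur in zip(times, times[1:]):
        if cur - prev > pause_ms:      # long pause closes the current burst
            bursts.append(size)
            size = 1
        else:
            size += 1
    bursts.append(size)
    return bursts

def session_features(events):
    """events: (t_ms, kind, field) tuples; kind is 'key' or 'paste'."""
    keys, pasted = {}, set()
    for t, kind, field in sorted(events):
        if kind == "paste":
            pasted.add(field)
        else:
            keys.setdefault(field, []).append(t)
    fields = set(keys) | pasted
    segmented = []
    for field, times in keys.items():
        b = field_bursts(times)
        if len(b) >= MIN_BURSTS and median(b) <= MAX_BURST_KEYS:
            segmented.append(field)
    stamps = [e[0] for e in events]
    return {"duration_ms": max(stamps) - min(stamps) if stamps else 0,
            "paste_ratio": len(pasted) / len(fields) if fields else 0.0,
            "segmented_fields": sorted(segmented)}

def review_signals(events):
    """Return human-readable signals for an analyst or a downstream model."""
    f, out = session_features(events), []
    if f["paste_ratio"] >= 0.5:
        out.append("mostly-pasted form")
    if f["segmented_fields"]:
        out.append("segmented typing: " + ",".join(f["segmented_fields"]))
    return out

# Constructed sample sessions (not real telemetry).
FLUENT = [(t, "key", "account") for t in range(0, 1600, 200)]
COACHED = [(t, "key", "account")
           for t in (0, 250, 3500, 3750, 4000, 7200, 7450, 10600)]
PASTED = [(0, "paste", "name"), (900, "paste", "address"),
          (1500, "key", "email"), (1700, "key", "email")]
```

These signals are inputs to a risk decision rather than verdicts: password managers and accessibility tools also paste or pause, so they are best combined with other session context.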
Mule Account Detection: Finding the Go-Betweens
Money mules stand at the junction between cybercriminal empires and real-world financial institutions. When we say "money mules," we're referring to the people who move money from one bank account to another for illegal purposes. They are a critical part of fraud, scam, and identity theft operations. If you weed out the mules, there's no way to turn stolen funds into spendable money, and the whole criminal supply chain falls apart.
Money mule activity has been in the spotlight since the pandemic began and cybercriminals took aim at money supplied under the CARES Act and other economic relief programs; a recent statement from the Secret Service attests that nearly $100 billion in pandemic relief funds was stolen from the various programs the government implemented to support citizens. And that’s a specific instance from a single country; there are mules all over the world.
This isn't a new problem — mules have been digital as long as banks have. What's changed is that recent developments in behavioral biometrics have presented a reliable solution for mule account detection. Mules can change accounts and aliases, but they can't change how they act.
For instance, the average customer does not use 92 separate banking applications or copy/paste personal information into online forms (both of which are real examples). Because intent is almost impossible to evaluate for every account and every transaction, behavioral biometrics is leading initiatives in this space. The best way to catch these criminals in the act is to analyze and establish mule activity patterns and then flag suspicious transactions that match them.
With this approach, mules can be detected any time they commit fraudulent activity. Instead of waiting on someone to slip up and make an obvious error, behavioral biometrics technology remains in play at every step of the transaction process, meaning that it can be used to catch the mules making their first transfer and the ones making their 100th. It's an efficient means of finding the people wreaking havoc on our financial institutions without doing any invasive or privacy-infringing data collection. Behavioral biometrics is a promising answer to the money mule problem, and we expect to continue to see its use expanded in this sphere.
Create a World of Trust and Ease
The role of digital services in our lives has never proven more essential. From banking and shopping to how we work and learn, the most routine activities we do every day are taking place online. The bottom line for organizations is that they must be able to build trust with customers and eliminate friction in digital interactions.
BioCatch has been pioneering the field of behavioral biometrics to deliver just that for over a decade. As financial institutions expand their risk appetite and offer more digital services to their customers, this exposes them to unforeseen threats like malware, remote access trojans, and sophisticated social engineering schemes.
Fortunately, in our digital world, behavior tells all.