March 15, 2019
Banking Fraud: Customers are Now the Most Targeted Fraud Vulnerability
Posted February 14, 2019
Cybersecurity measures within banking have changed dramatically over the last decade, driven by rapid advancements in technology across the sector. Great strides have been made in protecting the banking infrastructure from network-based attacks and securing the web and mobile application layer – the front door into banks for customer interactions.
Interestingly, fraudsters are not always responding by upping their own technological prowess but turning to con artist style tactics to simply circumvent increasingly sophisticated cybersecurity measures. We have seen a dramatic rise in social engineering attacks, a more analogue approach to hit the banks where it hurts and as a result, customers have now become the new weakest point.
So, what can be done to anticipate or prevent this sort of attack?
Based on my observations, several years ago around 70 percent of online banking attacks against banks involved account takeovers. Accounts can be hacked into using stolen identity credentials, or off the back of a phishing campaign where the customer is tricked into entering their login credentials on a fake site. Once the account has been compromised, the fraudster then accesses their digital banking account and commits the fraud.
Social Engineering Attacks on the Rise
Today, however, account takeovers only account for half of the online banking fraud problem due to the rise in social engineering attacks, also known as Authorised Pushed Payments (APP). APPs involve fraudsters contacting account holders directly and tricking them into making a payment. In the first half of 2018, over 34,000 people in the UK were defrauded in this way to the tune of £145m. The banks only returned £31m back to customers. A lot of this fraud has come from ‘call-centres’ set up in South Asia. The UK was the initial target, but they have now begun to move to mainland Europe for easier pickings, UK customers are becoming more aware of these scams.
A phone call from a concerned “member” of the fraud team at a bank may make a consumer panic, and instantly put all trust in that person. The consumer might then willingly send all his or her money to a separate account for “safe keeping”. In reality, that money has disappeared and so will the member of the fraud team who made the initial call. This is a simple method of APP attacks used today.
These fraud techniques are especially effective with some of the most vulnerable people in our society, who tend to struggle with the evolution of banking and fintech. The average age of APP victims is in the early 50s, the oldest 94, the youngest 18.
Advancements in certain remote access tools that allow the cybercriminals to access and control the customer’s computer are making the job even easier. Given that the customer appears to give consent to the transaction, and it is originating from a device that is associated with that user, these attacks tend to be more difficult to detect. The fraudster may not even commit the fraud online as a step-up authentication may cause customer suspicion. Once in control of the customer’s machine, they may manipulate the webpage to show additional funds (easy to do via webpage HTML), instructing the customer to go into branch to move the ‘new’ money out to account the fraudster can control. The fraudsters will even phone call the customer when in branch to ‘coach’ them not to alert bank staff.
Adjusting Tactics to More Efficiently Fight Fraudsters
If fraudsters are evolving, so must the banking industry. The first step to tackle APP is through education. Ensuring all customers have extensive knowledge on the “dos and don’ts” when it comes to digital and phone banking is of paramount importance. Email alerts reminding customers that their bank would never ask for certain information over the phone, as well as adverts raising awareness on the risks of letting another person access their computer, are but a few options that can be used to ensure customers are protected and well-informed.
Analysing click stream data on traditional ‘security hubs’, often hidden away in the corner of a bank’s website, suggests a static approach to authentication is no longer enough. Getting in-channel, dynamic, relevant messaging in front of the right people and at the most appropriate time would be the best result. The UK regulators are also starting to recognise this growing threat and are making their own moves, initiatives like Confirmation of Payee (to check name against account details) will land in mid-2019.
Protecting the Customer Journey
It is also imperative for the bank to place protections throughout the customer journey by monitoring user behaviour and spotting anomalies that indicate fraud. Banks must actively look for indictors of social engineering and account takeover attacks at crucial customer touchpoints including login, setting up a new beneficiary, and making a payment.
By assessing activity in the context of historical activity for that individual, key red flags can emerge to identify suspicious behaviour. An example of this could be a payment from a desktop when the customer traditionally uses the mobile app, or a longer time between login and payment than normal, or remote access tools being on the device for the first time.
Another factor that prevents fraud is an approach based on “find the mules, stop the fraud”. Assess the beneficiary account and corresponding identity in order to spot money mule accounts that are channelling stolen funds. Using machine learning algorithms, identifying anomalous behaviour and linking groups of mules can flag the destination account as suspect. The banks are now blending technology, AI and old-fashioned investigations to tackle this industry-wide problem.
Once the suspicious behaviour is identified, banks can choose between blocking the transaction or alerting the customer through other means to advise them that something is out of the ordinary. The art here is to strike the delicate balance between maximum protection against fraud – while avoiding blocking or questioning legitimate transactions, which can annoy customers and drain internal resources.
Advanced Behavioural Analytics are Key
Avoid basing decisions on the typical banking customer but use advanced behavioural analytics to assess how that particular individual typically transacts. By using real-time intelligence on a user’s digital identity and their historical behaviour, banks can deliver security and customer satisfaction without compromise.
Banks implementing protocols like these can help ensure that customers are not placed in harm’s way and that cybercriminals are not entering into bank systems.
It is important to follow the latest fraud trends in order to keep ahead of the curve. There will always be new technologies and techniques that increase the threat posed by criminals. However, in the same way technology may sometimes play against us, it also provides us with a number of tools which help us undermine attackers and keep businesses and customers safe.
To see how regulation is trying to help prevent social engineering, read Confirmation of Payee: The Solution for Authorised Push Payment Fraud?