Fraudsters have stepped up their onslaught on individual banking customers, using phishing, smishing, threats of violence and traditional con artistry to steal their money. However, traditional financial services security and anti-fraud systems have limited impact when a customer authorises the transfer of all their savings to a criminal account.
To stop the fraud before it happens, next-generation user behavioural interaction technology tracks how the customer uses their device whilst on internet banking or the mobile app, to identify actions that deviate from that customer’s normal pattern or are indicative of criminal behaviour. These behavioural insights offer a way to prevent fraud, and local banks should be adopting them to protect customers.
This is according to Clive Gungudoo, Financial Crime and Risk Management Specialist at MoData, who says digital banking fraud costs bank customers tens of millions of rand every year.
“The losses are huge. Fraud like this destroys lives and helps fund the human ills we see today. Because of the devastating impacts on lives and economies, regulators around the world are starting to enforce shared liability and a customer reimbursement model,” he says.
In the UK, for example, the Payment Systems Regulator is set to implement a new PSR mandate that will require the bank that receives a fraudulent money transfer and the bank from which the transfer originated to split reimbursement of the payment with the fraud victim 50/50.
In South Africa, banks have not yet moved to formally share liability for these losses; however, Gungudoo says digital banking fraud puts banks at regulatory, financial and reputational risk.
Digital banking fraud models
He explains that digital banking fraud can be committed in a number of ways: “In unauthorised payment fraud, a criminal uses the customer’s credentials or a stolen device to transfer money out of their account. In authorised payment transactions, the criminal may use social engineering or threats to make the customer transfer money out of their account. The attacker generally masquerades as a reputable source with an enticing message and will use phishing (usually email trickery) or vishing (voice or phone scams) to impersonate an official from the bank, SARS or other authority, and convince the customer to share their account details or one-time PIN.”
Gungudoo says card details are frequently compromised through data breaches or leakage and then used on cross-border e-commerce merchants that are not 3D Secure enabled. Fraudsters then scam unsuspecting customers en masse to redirect payments into accounts controlled by the criminals. At a high level there are four stages:
- Identifying the target through social media or spear (‘targeted’) phishing campaigns;
- Grooming, by building trust and rapport – aka the ‘dating stage’;
- Exchange of information, where the victim is convinced they are conducting a legitimate business transaction and is given payment instructions; and
- Payment. Once transferred, the funds are steered to a bank account controlled by the organised crime group – a so-called ‘mule’ account.
Gungudoo notes: “Digital banking channels create customer convenience, allowing people to do all their banking from home 24/7, and manage their own risks – like payment limits. Unfortunately, digital banking also makes it faster and easier for fraudsters to scam customers. Digital banking fraud is a highly lucrative, organised industry, with sophisticated technology, organised banking vehicles for cashout, hidden networks of mules and mule herders, and more. They cycle these mule accounts, so they are hardly detected by banks.”
The 2024 Digital Banking Fraud Trends in EMEA report, released by behavioural insights pioneer BioCatch, found that mules are everywhere, with over 10,000 mule accounts detected among the company’s European customers alone.
Limitations of legacy
Advances in AI and deepfake technology make it harder for customers to detect fraud, and legacy banking authentication and fraud detection technology are not enough to prevent these types of fraud, Gungudoo says.
“Banks have invested heavily in traditional authentication and security tools, but fraudsters know this and bypass them by going directly to the customer. They can simply call the customer and get their OTP (one-time password) to bypass the second authentication, or convince them to share their card details. So the weakest link in the fraud kill chain – a step-by-step approach to dismantling threats – is the customer,” he says.
“APP fraud or customer ‘authorised’ fraud generally involves payments that are conducted by the victims themselves after passing all the biometric and device authentication and other security validation checks in place by their financial institution,” Gungudoo says.
“The bank’s fraud and security monitoring system will see that the transaction is performed by the legitimate user, device and geolocation, and will generally allow the transaction. Even if detected, the convinced victim stands by their payment, only to report the fraud long after the loss is realised; in most cases the fraud is not even reported, due to the embarrassment factor, usually with detrimental consequences.”
He adds that mules are not proactively identified by the banks and mitigation of this risk is largely reactive with hardly any chance of repatriation, with faster payments allowing for immediate cash-out by the organised criminal syndicates.
“This is where behavioural analytics kicks in,” he says.
Proactive fraud prevention with behavioural insights
Gungudoo explains that using behavioural insights reinforces traditional security and proactively protects customers by detecting fraud through the customer’s behaviour.
“It’s called silent authentication. Behavioural insights uses machine learning to understand the normal patterns in human behaviour – how they type, swipe and click when banking online or using their app, and raises alerts when there are anomalies,” he says.
BioCatch, a world leader in behavioural biometrics, assesses as many as 3,000 indicators across behavioural, device, and network attributes, and uses data from billions of genuine and fraudulent historical sessions to provide risk scores and predictive intelligence.
The BioCatch solution “pays close attention to the behaviour and intent behind the biometrics, device, geolocation, and other machine-created signals”, empowering banks to deliver to their customers “a seamless digital banking experience free from fraud and safe from criminals”.
Gungudoo says: “Financial institutions deploy BioCatch solutions to assess the legitimacy of online banking sessions, pulling in indicators like geolocation and network details, and enriching this intelligence with thousands of behavioural biometric signals using physiological biometrics. It profiles ‘how’ the user interacts on their internet banking profile or mobile app. It picks up whether the customer is under duress, or if they are following instructions, by analysing indicators like the time taken to complete each action in the session, changes in typical mouse movements or swipes on the mobile device, or differences in typing cadence.”
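As an added illustration of the signals described above (example code written for this article, not BioCatch’s or MoData’s implementation), the following toy Python profiler builds a per-customer baseline from past genuine sessions and z-scores a new session on typing cadence and time-per-step; all session data is constructed, and the session shapes labelled “coached” and “bot” are assumptions about how such sessions might look, not published findings.

```python
# Added example (not BioCatch or MoData code): a toy per-customer behavioural profile
# scoring a banking session on typing cadence and time per step. All data is constructed.
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Session:
    key_intervals_ms: list   # gaps between consecutive keystrokes in the payment form
    step_seconds: list       # time spent on each screen of the payment flow

def features(s: Session) -> dict:
    km = mean(s.key_intervals_ms)
    return {
        "key_mean": km,                              # typing speed
        "key_cv": pstdev(s.key_intervals_ms) / km,   # cadence regularity (0 = machine-like)
        "step_mean": mean(s.step_seconds),           # overall pace through the flow
        "step_max": max(s.step_seconds),             # longest hesitation on one screen
    }

def build_profile(history: list) -> dict:
    """Per-feature (mean, spread) from the customer's own past genuine sessions."""
    rows = [features(s) for s in history]
    profile = {}
    for k in rows[0]:
        vals = [r[k] for r in rows]
        mu = mean(vals)
        # floor the spread at 5% of the mean so a short history does not over-flag
        profile[k] = (mu, max(pstdev(vals), 0.05 * abs(mu)))
    return profile

def assess(profile: dict, s: Session, limit: float = 3.0) -> dict:
    """Z-score each feature against the profile; any |z| > limit flags the session."""
    z = {k: (v - profile[k][0]) / profile[k][1] for k, v in features(s).items()}
    flags = sorted(k for k, val in z.items() if abs(val) > limit)
    return {"max_z": max(abs(v) for v in z.values()), "flags": flags,
            "verdict": "step-up / review" if flags else "allow"}

# Constructed history: five genuine sessions from the same customer.
HISTORY = [
    Session([170, 190, 210, 160, 200], [6, 9, 12, 5]),
    Session([180, 200, 175, 195, 185], [7, 10, 11, 6]),
    Session([165, 205, 190, 170, 215], [5, 8, 14, 4]),
    Session([195, 175, 185, 205, 165], [6, 11, 10, 5]),
    Session([175, 185, 200, 180, 190], [8, 9, 13, 6]),
]
PROFILE = build_profile(HISTORY)
GENUINE = Session([185, 195, 170, 205, 180], [7, 9, 12, 5])
COACHED = Session([340, 400, 310, 450, 360], [45, 90, 130, 12])   # slow typing, long pauses (assumed)
BOT = Session([20, 20, 20, 20, 20], [0.4, 0.5, 0.3, 0.4])          # uniform, inhumanly fast (assumed)
```

Calling `assess(PROFILE, s)` for each constructed session returns “allow” for the genuine one and flags the step-time and cadence features for the other two, which is the kind of anomaly the article says triggers an alert rather than a block.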
BioCatch enables banks to proactively mitigate the risks of impersonation scams, peer-to-peer fraud, romance scams, investment scams, CEO scams and purchase scams, as well as other fraud risks such as new account fraud, bots, mule accounts, money laundering networks, account takeovers, credential stuffing, phishing sites, SIM swapping and stolen devices.
BioCatch continuously monitors digital user interaction from login to logout. BioCatch also supports the entire digital customer journey from account opening to servicing and has four proven machine learning models to detect:
- Account Opening (AO) fraud, by immediately identifying criminal behaviour.
- Account Takeover (ATO) fraud including detection of malicious software (malware), remote access attacks (RAT), mobile emulators, session intrusion and bot attacks.
- Scams or social engineering, generally conducted through voice calls, aka ‘vishing’.
- Mule accounts at the account opening stage, and sleeper mule activity already running on the books. This capability mitigates intra-bank and inter-bank fraud in real time through secure data sharing with participating banks, as proven in markets globally.
The technology is now in use by 32 of the world’s 100 largest banks, and detected and saved banks over $2.5 billion in fraudulent transactions last year alone.
“BioCatch is designed for both the scams we see today and those we’ll see tomorrow. It goes beyond outdated prevention methods, leveraging the power of behavioural insights to give financial institutions a weapon against fraud without adding more friction or privacy concerns for their customers,” he says. “It knows if it’s dealing with a real person or a bot, if a customer is under duress, and if a device has been compromised. It also brings together a number of legacy systems and brings them into the ecosystem with modern overarching capabilities and proven strategic intelligence.”