Fraudsters are on the prowl and are increasingly looking to exploit the weakest links, whether in underlying technologies or among humans.
There’s a joke, albeit ironical, doing the rounds as forwarded emails and messages – “Who’s driving digital transformation among enterprises: CEO or CIO? The correct answer is COVID-19.” Going beyond impacting global well-being, COVID-19 is pushing the corporate world to rapidly introduce new measures for business continuity. Diametrically opposite to continuity, the black swan event of the novel coronavirus is creating disruption in terms of exploitation and fraud perpetration – especially in the banking and financial sector.
Fraudsters are on the prowl and are increasingly looking to exploit the weakest links, whether in underlying technologies or among humans. The modus operandi is to execute multi-pronged attacks – from system hacks to social engineering – to overwhelm fraud prevention subsystems and fly under the radar.
There is a steady increase in impersonation fraud incidents, whether online phishing via social media accounts, or the conventional route of emails, to obtain login and KYC credentials or execute transactions. Phishing attacks are also on the rise, preying upon gullible victims to extract sensitive personally identifiable information to compromise bank accounts or carry out card not present (CNP) frauds. SIM swaps, web, and ATM skimming are further fueling such attacks, which were otherwise being mitigated with two-factor authentication as per the Reserve Bank of India guidelines.
In the COVID-19 era, real-time payment frauds are also becoming more prevalent. For instance, dubiously similar account names, UPI IDs, and SWIFT codes for emergency relief accounts are mushrooming to dupe unsuspecting victims. Case in point, the ‘PM Cares Fund’ fake UPI ID scam, where instead of the correct UPI ID pmcares@sbi, fraudsters are creating fake IDs such as pmcare@sbi, pmcare@upi, pmcare@yesbank, and more.
Fraudsters are exploiting the fact that consumers may find it harder to verify fraudsters’ claims with financial institutions, given the restrictions on physical movement and disrupted helpdesks. Moreover, with overall transaction volumes being vastly reduced, fraud perpetrators are hoping to exploit the shorter window of time before banks recalibrate their trigger thresholds for patterns that rely on volume.
System hacks and technology zero-day attacks are also getting increasingly sophisticated. For example, a new malware – EventBot – is targeting over 200 financial apps on the Android OS, abusing its accessibility features to access data stored in the financial apps and intercept text messages that are used for two-factor authentication (2FA) to log onto bank accounts.
Similarly, Cerberus – a new Android banking Trojan – is doing the rounds, which not only compromises financial apps, collects information and harvests 2FA messages, but also uses pedometer function of a smartphone to avoid detection. It activates only when it counts specified steps of a person holding the smartphone, to ensure it has infected a real user, while it remains invisible if it’s installed on sandboxes or test environments set up by malware analysts.
Banks and financial institutions must, therefore, evolve their fraud strategies to battle emerging security threats across multiple channels. Today’s fraud scenarios underline the need for a dynamic and secure fraud management system with a multi-layered approach to minimise risks. It is evident that the conventional siloed approach of implementing channel-specific monitoring solutions, without building integrated defense-in-depth at the enterprise level, will simply be ineffective and inadequate against attacks from multiple sources.
The Layers of Augmentation
A stronger fraud strategy demands a combination of deep human insights and experience, coupled with the use of advanced tools and technologies. As customers use different real-time payment methods to make purchases, pay bills, and conduct other routine transactions online, granting frictionless and secure access to users is one of the biggest challenges banks and financial institutions face.
The next crucial step in thwarting fraud in real-time is therefore reliant on a bank’s ability to identify its legitimate customers. Financial institutions need to ramp up usage of relevant technologies across multiple channels to help quickly determine whether consumers’ transactions and accounts are legitimate. While rules- and signature-based anomaly detection technologies work best against most of common security threats, the increasing digitisation of payments and sophistication of identity or credential theft (and proliferation of synthetic IDs) require a more advanced approach. A combination of artificial intelligence (AI), biometrics, machine learning (ML), and big data analytics can increasingly help financial institutions flag up such fraudulent transactions.
An added layer of behavioural biometrics technology to a bank’s fraud management can analyze and build base profiles of its online banking users by studying over 2,000 behavioural parameters in real-time. A more comprehensive profile is built based on detailed behavioural data of a user assessed across multiple channels. Combining an enterprise-wide single version of the “truth” of a customer with confirmed fraud intelligence, banks and financial institutes can analyze the customer – instead of just the transaction – to determine fraud.
With AI-powered User Behavior Analytics (UBA) in the arsenal, financial institutions can detect and deter sophisticated attacks. Going beyond static machine learning, adaptive UBA in fraud management systems allows banks and financial institutions to assess micro behaviour patterns such as a swipe on the phone screen, tap on the keyboard, a stroke of the touchpad or wriggle of the mouse. Users respond to invisible challenges that are subtly introduced into online sessions to provide additional unique behavioural data that helps distinguish a real user from a fraudster – whether human or robotic.
Additionally, a more democratized approach to machine learning enables risk managers to build, test and deploy machine learning modeling tools on their own. Banks and financial institutions can therefore develop a better and more accurate understanding of users’ behaviour, their reactions and consumption of various features across multiple channels. This is especially important with changes in consumer behavior during the COVID-19 pandemic. With such model scores combined with positive consumer profiling, financial institutions can not only block fraud attacks but also enhance customer experience, improve conversion rates and maximize revenue.
While a multi-layered approach to fraud is crucial in warding off malicious elements, real solutions will come only when financial institutions, banks, and the larger ecosystem come together to put serious thought into how anti-fraud measures are implemented. Considering a shorter window for fraud prevention with real-time payments and a lesser chance of recovering a fraudulent payment, the RBI’s recent initiative to enable banks to report and access fraud information from a central payment fraud registry will ensure collaborative learning and faster response times.
The latest fraud trends and patterns from the central repository will help banks to augment their analytics subsystems and fraud management processes to build more defense in depth against future frauds, especially with fast-evolving trends in the COVID-19 era. This will go a long way to facilitating cross-industry collaboration and thus transforming the customer experience.
Kaushik Roy is VP and Country Leader, South Asia, ACI Worldwide. Views expressed are the author’s personal.