There’s no doubt that financial organisations in the UK take the threat of financial crime and fraud seriously. The recent True Cost of Compliance report from Oxford Economics and LexisNexis Risk Solutions shows the cost of financial crime compliance for an average UK firm stands at over £194 million per year.
Financial organisations have invested huge amounts in technology, software, and training over recent years to counter criminal attacks. Fraudsters and scammers, however, are relentless in their determination to circumvent these sophisticated security processes and their most recent approach is to weaponize banking customers themselves, using complex social engineering to gain illicit access to funds. In response, many banks are utilising behavioural biometrics, a form of machine learning that helps detect and prevent this threat as it occurs. Indeed, many banks are now focussing on advancing the capability further, in particular, to help more effectively identify genuine customers, rather than just fraudulent anomalies.
The weaponization of true customers
Effective customer due diligence is often built on a chain of robust checks, knowledge and understanding. Multi-factor authentication at onboarding and login – relying on layers of knowledge and intelligence drawn from the user themselves, their device and their patterns of online behaviour – can be extremely effective at keeping criminals out. Consequently, banking customers themselves are now being targeted and weaponized by scammers in huge volumes as a key component of their attack – viewed as the easiest route to success and the chink in an otherwise technology-rich armour reinforced by hundreds of millions of pounds of investment each year.
From the fraudster’s perspective, it makes good sense. Genuine customers quickly bypass the bank’s authentication and fraud prevention checks. After all, such systems are designed to spot and prevent bad actors getting in, not the customer themselves. Once in, a fraudster in full control of their victim can instruct them to send money wherever they please – effectively making them complicit in the fraud. Known as automated push payment (APP) fraud, it’s a massive issue for UK banks, costing victims over £600m in the first half of 2022 alone.
Multifaceted fraud attacks
APP scams aren’t the only threat UK banks face. Application fraud and Account Takeovers (ATO) are two other attack types responsible for keeping fraud executives awake at night, according to research by Aite-Novarica in 2022.
Although the execution of each attack varies, all three types share a common thread: preying on genuine customers and capitalising on weaknesses in online and mobile banking systems.
Application fraud is a broad term, covering many different modus operandi, but the fundamental approach is that a fraudster opens an account with an organisation using identification attributes that are either fake, stolen, or both. The primary objective is usually to abscond with funds, or to receive transfers of stolen money to the account. In both instances, the owners of the stolen information is unwittingly weaponized and only suffers the consequences later when the bank pursues them for unpaid debt, fees or fines.
Account Takeover (ATO) fraud sees a fraudster take control of a genuine customer’s account, without the true holder’s knowledge or consent. Personal information, login details and passwords can be obtained via the dark web or a combination of social media skimming and phishing or smishing attacks, or through manipulation. Once access is gained, the fraudster has free rein to empty accounts, apply for credit or make high value purchases, without the victim’s knowledge.
All these attack vectors exploit the remote, digital nature of online and mobile banking, hiding behind the genuine customer to commit fraud, like wearing a mask. It’s precisely this element that proves so complex for financial services organisations to solve with technology – how to determine if the entity engaging is the genuine customer and whether they’re acting with free will or under the influence of another.
Consumer expectations for online services to be quick, convenient, and seamless only adds to the challenge for financial services providers, necessitating that fraud checks are as quick and seamless as they are thorough. This is where behavioural biometrics signals come into their own, as part of a multi-layered fraud solution.
Distinguishing between patterns in human behaviour
Behavioural biometrics offers firms the ability to measure and uniquely distinguish patterns in how people behave. To be clear, these insights are quite distinct from physical biometrics, such as facial and fingerprint recognition, which many financial services organisations have already integrated into their security protocols.
Pure behavioural biometrics technology concentrates on the individual traits and habits that make us human. The speed and cadence of our typing, how much pressure we exert on the screen, the typical tilt of our device and which hand it’s held in – known colloquially as ‘type and swipe’ signals – that every device detects when in use. The unique advantage of leveraging this intelligence is that it can’t be mimicked or stolen by a fraudster.
The advantages of the technology extend beyond fraud prevention, too, supporting banks’ wider strategies to better protect their customers and their own organisation by continually enhancing knowledge and understanding of true customer behaviour. Banks benefit from the ability to build strong assured trust with digital customers quickly and confidently, allowing them to better serve those customers and in doing so, protect their profit margins.
Sophisticated machine learning analyses a customer’s behaviour to form an expectation of how they act. This intelligence helps build a unique profile of the customer that can be used to authenticate them at subsequent logins, protecting both them and the organisation from fraud attacks. The benefit of this in helping improve the experience for genuine customers and also preventing APP scams is clear – a victim being manipulated by a scammer is likely to display altered behaviours during a transaction. Typing erratically or making errors due to stress, pausing as account information is dictated to them, or switching between typing and holding their phone to their ear – behavioural biometric analysis can flag these anomalies and alert the bank to consider imposing additional layers of security, or pause the transaction altogether.
Of course, no single piece of intelligence – whether digital or physical – is a fool-proof fraud detection measure by itself. But, combined with myriad other layers of data and intelligence, behavioural biometrics form a completely passive layer of user authentication, requiring no additional interaction or effort from the genuine customer.
