September 8, 2016
Matt Mills, Featurespace Commercial Director, looks at how financial institutions can protect their most vulnerable customers from social engineering attacks.
Are your customers handing over their savings to fraudsters?
Social engineering attacks are increasing in frequency, target vulnerable customers, and are one of the most difficult forms of fraud to detect.
In the last 12 months, US online fraud attacks have soared a staggering 215%, according to the Global Fraud Index.
Social engineering attacks affect us all – from multinational businesses to individual consumers. However, criminals disproportionately target the elderly and vulnerable, impersonating banks to trick customers into transferring their cash directly into the criminal’s own pocket.
Fraudsters initially gain security information about an individual’s bank account, often by phoning the bank’s call centre to extract crucial security information, or by re-directing SMS alerts to their own phone.
The criminals, masquerading as the bank, then contact the account holder and use the security information they have stolen to gain the victim’s trust. They then manipulate the victim into logging in to their online bank account and moving out large sums of money.
These attacks are incredibly difficult to spot as the customer is genuinely logging into their account and transferring the money. It has the appearance of a normal transaction.
Understanding individual behaviour before payment
The key is to identify what is normal and what is anomalous – or uncharacteristic – behaviour. Most approaches to behavioural biometrics focus entirely on whether or not the person is who they say they are. A different approach is to enable financial institutions to understand the behaviour of individuals, and detect when a customer may be under duress.
Featurespace’s ARIC engine is a software platform that uses real-time, Adaptive Behavioural Analytics to understand the behaviour of each individual customer as they interact with financial institutions’ products and services.
By building an individual behavioural profile for each customer, a pattern of normal behaviour can be developed. By analysing every stage of each customer’s interaction with a financial product or service, you can ‘risk score’ their activity.
So, if a customer is the victim of a fraud attempt, ARIC is able to detect the subtle change in behaviour that indicates that, for example, a seemingly genuine transaction is a social engineering attack.
For one major bank, Featurespace spotted one third of social engineering ‘account takeover’ attacks before payment – protecting the customer before the attack had fully taken place. This is tricky to do, and yet ARIC achieved it by monitoring behavioural events and times, not needing to use any browser or metadata to spot and block the attacks.
Spotting out-of-character behaviour: machine learning
Existing rules-based fraud solutions only look at known indicators of fraud. In contrast, ARIC uses advanced deep machine learning to analyse the whole data stream in real time – and by spotting anomalies, stops new fraud attacks as they happen.
The combination of rules and Adaptive Behavioural Analytics gives you protection against both known and unknown types of fraud. This meant that for a major UK bank, in just a two-month period, we spotted 40% of fraud from malware attacks and 25% of fraud from phishing attacks – saving the bank over $650,000 in revenue losses in this short time period.
Regardless of the size of the business, protecting customers is key, which is why financial institutions are embracing advanced deep machine learning to upgrade their fraud management systems with adaptive behavioural analytics.
This approach has already been adopted by TSYS – the leading US payment processor – which recently chose to implement ARIC to enhance decision making around fraud for its clients.
Monitoring all aspects of digital behaviour across the lifecycle of online account activity is essential for blocking social engineering fraud attacks.
Spotting subtle changes in behaviour to catch fraud is only possible with advanced deep machine learning software systems.
Financial institutions need to plan and prepare to protect themselves from the increasing prevalence of these fraud attacks.