Digital banking is under attack by fraudsters whose creativity in impersonating legitimate users has reached unprecedented levels, bringing into question the efficacy of standalone, disconnected defense systems like login monitoring, multi-factor authentication (MFA) and transaction monitoring to defend against account takeover. Hanging in the balance is a negative customer experience, loss of reputation and a potential hit to the balance sheet.
“From a digital perspective, imposter fraud scams are skyrocketing, according to the Federal Trade Commission,” says a new report from BAI. “They often start with a fraudster impersonating a consumer or business by using stolen identities to open a new account at a bank or by gaining credential access and posing as the user in the digital banking environment.”
Data from several sources supports this contention. As the BAI report shows, digital payment fraud losses are expected to surpass $343 billion globally between 2023 and 2027. Another recent study found that bad actors have stolen or compromised the personal information of four in 10 individuals in the past year. Fifty-one percent of these victims lost personal funds when fraudsters compromised their accounts, and half said these bad actors had targeted them more than once. When this fraud elevates to the corporate level, businesses can average a loss of $200,000 per successful attempt. Now factor in the new AI-generated tools fraudsters are using to create deep fake audio and video, and it becomes clear why account takeover is soaring. The average user, according to BAI, receives approximately 8 to 10 fake chatbot requests a week.
The latest threat plaguing banks is website impersonation fraud. Here’s how it works: A consumer or authorized business account administrator is asked via digital ad, text message or email (or both) to sign on to their account. The message looks to be completely legitimate; the website looks to be authentic. Once there, legitimate users are tricked into providing their credentials (including the information needed to pass MFA challenges), unknowingly enabling fraudsters to take over their account. The fraudster then uses those credentials to transfer funds, access critical data or both. Bottomline has worked with and stopped this type of fraud attempt at several current and prospective accounts.
“The reaction to these attempts needs to be aggressive and urgent,” says my colleague Kevin Pettet, CRO of banking in North America. “Banks need to upgrade the fraud monitoring of their digital platforms if they want to keep their most valuable commercial clients. With the lifetime value of those clients typically much higher than consumer accounts – and the fact that many businesses have relationships with multiple banks – the stakes are high.”
The continued creativity makes locking down digital banking platforms a moving target. Fraudsters have shown they can access digital banking platforms even when those platforms have multi-factor authentication in place. This rise in digital banking fraud adds to the vulnerability of banks that rely on separate systems to monitor login and payment activity. A more aggressive approach will not only correlate the login and payment activity, but will also analyze the user session activity in between, such as updating the account information of an existing beneficiary.
To understand this, it’s important to dissect a fraudulent digital banking session. The first stage in a user session happens at login and here MFA challenges can be effective. But what if fraudsters have found a way around that, as they have with fake websites? If that’s the case the fraudster will move onto making changes that will pave the way for fraudulent transactions, like creating new payees, updating user privileges, modifying account numbers, etc. Knowing that these types of changes took place is key, but it requires monitoring user sessions. Suppose a fraudster reaches the point at which he or she can create a payment and tries to execute a $50k payment. The transaction fraud monitoring system must look at that payment in connection with the actions that took place earlier in the process. If not, then the bank is not seeing the full picture. If that $50k payment is consistent with past payment patterns for that account, the payment can easily fall under fraud radars and proceed to execution.
Now here’s the way the scenario could and should unfold using Bottomline’s Secure Payments solution. The initial login should be challenged and evaluated. Secure Payments analyzes all login information, including time of day, IP address and device fingerprint, to determine if the login is suspicious. For example, if the user is logging in at 3am from Tokyo and just logged in an hour ago from New York, that would be considered suspicious. Another example would be if the user is logging in at a time of day that is statistically very unusual for them. And even if the fraudster passes the MFA challenge, knowledge of the suspicious login should be retained by the solution as the payment process progresses. The ensuing non-monetary event – in this case the account number change – should also be retained as a suspicious event and factored into the payment evaluation. The most effective solutions will analyze and connect all three phases of the transaction. They will correlate login, session and payment activity, and the result will be a real-time halt to the payment before it even leaves the digital banking platform.
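The following is an added illustration of the three-phase correlation the two paragraphs above describe; it is not Bottomline's code, and Secure Payments' actual scoring is not public. It assumes a simple additive risk score, constructed city coordinates for the impossible-travel check, a constructed list of the user's past login hours, and a constructed payment history in which a $50k payment is perfectly normal. The point it makes is the one in the text: a standalone transaction monitor that only sees the payment lets it through, while a monitor that carries the suspicious login and the beneficiary change forward into the payment decision halts it.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt
from statistics import mean, pstdev

# Constructed sample values: coordinates (lat, lon) and all thresholds are assumptions.
CITY_COORDS = {"New York": (40.71, -74.01), "Tokyo": (35.68, 139.69)}
IMPOSSIBLE_SPEED_KMH = 1000.0   # faster than any airline => "impossible travel"
RARE_HOUR_FRACTION = 0.05       # an hour seen in <5% of past logins is "unusual"
HIGH_RISK_EVENTS = {"beneficiary_account_change", "new_payee", "privilege_update"}
HALT_THRESHOLD = 60             # combined score at or above this halts the payment


@dataclass
class Login:
    at: datetime
    city: str
    device_id: str


@dataclass
class SessionEvent:
    at: datetime
    kind: str       # e.g. "beneficiary_account_change"
    detail: str = ""


@dataclass
class Payment:
    at: datetime
    amount: float
    beneficiary: str


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def login_risk(login, previous, past_login_hours):
    """Phase 1: impossible travel against the previous login, plus a statistically unusual hour."""
    score, reasons = 0, []
    if previous is not None:
        km = haversine_km(CITY_COORDS[login.city], CITY_COORDS[previous.city])
        hours = (login.at - previous.at).total_seconds() / 3600.0
        if hours > 0 and km / hours > IMPOSSIBLE_SPEED_KMH:
            score += 50
            reasons.append(f"impossible travel: {previous.city} -> {login.city}, {km:.0f} km in {hours:.1f} h")
    if past_login_hours:
        seen = past_login_hours.count(login.at.hour) / len(past_login_hours)
        if seen < RARE_HOUR_FRACTION:
            score += 20
            reasons.append(f"unusual login hour {login.at.hour:02d}:00 (seen in {seen:.0%} of past logins)")
    return score, reasons


def session_risk(events):
    """Phase 2: non-monetary changes that pave the way for a fraudulent payment."""
    score, reasons = 0, []
    for e in events:
        if e.kind in HIGH_RISK_EVENTS:
            score += 30
            reasons.append(f"high-risk session event: {e.kind} {e.detail}".strip())
    return score, reasons


def payment_risk(payment, amount_history):
    """Phase 3, as a standalone transaction monitor sees it: is the amount out of pattern?"""
    if len(amount_history) < 2:
        return 0, []
    mu, sd = mean(amount_history), pstdev(amount_history) or 1.0
    z = abs(payment.amount - mu) / sd
    if z > 3.0:
        return 40, [f"amount {payment.amount:,.0f} is {z:.1f} sd from the account's norm"]
    return 0, []


def evaluate(login, events, payment, previous_login, past_login_hours, amount_history):
    """Correlate all three phases; return the standalone verdict beside the correlated one."""
    l_score, l_reasons = login_risk(login, previous_login, past_login_hours)
    s_score, s_reasons = session_risk(events)
    p_score, p_reasons = payment_risk(payment, amount_history)
    total = l_score + s_score + p_score
    return {
        "transaction_only": "HALT" if p_score >= HALT_THRESHOLD else "ALLOW",
        "correlated": "HALT" if total >= HALT_THRESHOLD else "ALLOW",
        "scores": {"login": l_score, "session": s_score, "payment": p_score, "total": total},
        "reasons": l_reasons + s_reasons + p_reasons,
    }


def article_scenario():
    """The scenario from the text, with constructed timestamps, history and payee names."""
    previous = Login(datetime(2024, 5, 14, 2, 0), "New York", "dev-A")
    login = Login(datetime(2024, 5, 14, 3, 0), "Tokyo", "dev-B")
    past_hours = [9, 9, 10, 10, 10, 11, 11, 13, 14, 15, 15, 16, 16, 17, 9, 10, 14, 15, 11, 16]
    events = [SessionEvent(datetime(2024, 5, 14, 3, 7), "beneficiary_account_change", "(payee ACME Supplies)")]
    payment = Payment(datetime(2024, 5, 14, 3, 12), 50_000.0, "ACME Supplies")
    history = [48_000.0, 52_000.0, 50_000.0, 49_500.0, 51_000.0, 50_500.0]  # $50k is routine here
    return evaluate(login, events, payment, previous, past_hours, history)


if __name__ == "__main__":
    verdict = article_scenario()
    print(verdict["transaction_only"], "<- standalone transaction monitor")
    print(verdict["correlated"], "<- login + session + payment correlated")
    for reason in verdict["reasons"]:
        print(" -", reason)
```

In the scenario the payment phase scores zero because $50k matches the account's history, so a transaction-only monitor allows it; the impossible-travel login, the rare hour and the beneficiary change are what push the correlated score over the halt threshold. The thresholds and weights are placeholders; a production system would tune them per segment and feed the login and session signals into a model rather than a fixed sum.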
A transaction monitoring solution alone won’t stop fraudsters from trying account takeovers and social engineering fraud. Their persistence and creativity should lead bank executives to demand better tools at their disposal to secure payments.