informa
/
Risk
Commentary

An Answer to APP Scams You Can Bank On

Financial institutions' usual fraud-detection methods can't detect most authorized push payment (APP) scams, putting customers and banks at risk.
A coalition of organizations recently penned an open letter urging the UK government to include scams in its new Online Safety Bill.

From the letter: "Online platforms play a pivotal role in enabling criminals to reach and defraud Internet users through the hosting, promotion, and targeting of fake and fraudulent content on their sites, including adverts that they make significant profits from."

The coalition's heart is absolutely in the right place. Consumers deserve better protection, and anyone who distributes, proliferates, or worse, profits from scam advertisements or content should indeed be held accountable.

But the unfortunate reality is that scam ads, emails, text messages, and phone calls continue to penetrate even the best-designed defenses.

When this happens — and it happens a lot — the communication, purportedly coming from a bank or government official, the police, or even a tax authority, drives an emotional response from the recipient.

Motivated by this emotion, as well as a sense of urgency and an inherent trust in the authority of the other party, duped consumers are spurred to act — often logging in to their own financial accounts to execute a transfer that "remedies the crisis." Banks call this authorized push payment (APP) fraud since the authorized user is the one making the transfer. For the layperson, it can simply be characterized as account transfer fraud.

In the United Kingdom alone in 2020, £479 million in losses reported by customers were attributed by banks to APP fraud, according to UK Finance.

The Challenge for Banks
The amount of losses is not a surprise. Just think about it: A bank's security stack must be able to decipher within milliseconds whether it's you or someone else knocking on the door to your online account.

But in the case of an APP scam, money is being transferred by the actual bank customer, who has been tricked into making a financial transaction, often transferring funds to accounts set up by scammers for this specific purpose in faraway places. In an APP scam, all of the bank's traditional modes of fraud detection — a trusted device, geolocation, IP address, and network — fall short.

What's worse, all the crucial elements of the setup occur outside the bank's purview — in places both online and offline that they can't track. They are completely blind to the scheme.

It's an incredibly confounding challenge for the banks (or anyone, frankly) as they try to stem losses and protect their customers.

Fining content distributors for taking in advertising dollars from scammers is a good place to start. But to protect vulnerable consumers, the banks also need a way to recognize that a scam is occurring, even though their anti-fraud systems are accurately detecting the legitimate customer operating within the account. The banks need a last line of defense at the spot where APP fraud occurs and traditional methods of security fail.

One such detection method that is rapidly being deployed to defeat these scams is behavioral biometrics. The technology got its wings confirming that the person behind a screen is who they claim to be — by continuously tracking swipes, taps, keystrokes, mouse movements, and other behavioral characteristics throughout an online session, and comparing them with preexisting customer profiles — all without interfering with the user's journey around the bank's website.

But beyond providing this kind of real-time, continuous authentication throughout a session, the latest advances in behavioral biometrics have enabled banks to recognize when a legitimate user is behaving as if under the influence of a scam, generally by deviating from their existing norms while navigating their websites.

A Challenge to Regulators
Given the effectiveness of such newly emerging technologies, regulators should also consider something more comprehensive than what the coalition proposes. For example, in addition to fining the content distributors, regulators could reward banks that adopt proven, innovative solutions, rather than relying on limited or outmoded security methods that have largely been compromised.

One way this could work is to require banks to disclose their APP fraud losses, with governments providing tax credits or other financial incentives where loss rates meet a predefined standard. The revenue lost to these incentives could be offset by fines generated from leaky content creators.

The Answer for Boards
Thanks to financial and logistical support from malevolent nation-states, today's fraudsters are becoming ever more resourceful and behaving more like criminal enterprises. Nefarious networks are rapidly replacing the standalone hacker, creating an arms race of sorts between cybercriminals and the banks whose defenses they seek to exploit.

This escalating threat has put cybersecurity front and center on corporate board agendas. With top-level responsibility now a fact of corporate life, it is hard to understand why any bank board would fail to adopt innovative technologies to achieve a secure and seamless online experience.

Recommended Reading:
Editors' Choice
Amichai Shulman, CTO and Co-founder of AirEye
Biagio DeSimone, Enterprise Solution Architect, Aqua Security