2021 is the year in which global cybercrime losses were projected to hit $6 trillion, and online banking fraud plays no small part in that total. However, while enterprise cybersecurity companies are growing fast, leveraging cutting-edge tech in an attempt to prevent and remediate this trend, the more traditional digital security techniques of financial fraud prevention firms aren’t aging well.
Financial institutions have historically been on the back foot when dealing with online fraud, left chasing fraudsters in an endless game of cat-and-mouse that leaves them liable for reimbursing customers and then having to win back their loyalty. And the evolution of bad actors’ fraud tactics over the past decade – particularly during the past eighteen months while the uncertainty of the pandemic reigned – has laid bare the extent to which fraudsters are exploiting the system and causing huge losses.
Online fraud is the modern-day bank robbery; except cybercriminals don’t physically have to show up in order to steal large amounts of cash. The perpetrators can maintain their anonymity and it is extremely difficult for authorities to identify and catch them. Research from British trade body UK Finance demonstrates that impersonation attacks – where bad actors pose as legitimate customers – increased by a massive 94 percent during the pandemic.
Indeed, it was recently reported by the BBC that the Isle of Man’s most common crime is now online fraud, following a rise in cases prompted by the crisis. With a population of just 85,000 people and surrounded by sea, crime rates there are usually pretty low. However, the advanced social engineering tactics being deployed remotely by cybercriminals are fooling a vast proportion of the population into putting their funds at risk. Authorities on the island have publicly taken the stance that it’s very unlikely they will be able to catch anyone attempting to target residents online – so the focus has to be on prevention.
Analogue fraud prevention unfit for the digital age
The problem is, manual or analogue fraud prevention no longer works in the digital age to combat cybercriminals’ adaptive fraud techniques, as the scale and sophistication of modern attacks are simply too much for a human-powered approach. Financial institutions need to follow the example set out in the enterprise cybersecurity arena and fight fire with fire by adopting the latest technologies to comprehensively prevent online banking and payments fraud.
The impossibility of manually monitoring for online fraud attempts has prompted the industrial revolution of cybersecurity, where what was once a manual alert triage has become a fully automated process across an enterprise’s technology stack, from endpoints to IoT to the cloud, through a single XDR platform.
Financial institutions need to follow suit if they are to finally beat the cat-and-mouse game of online fraud. They can do this by duplicating enterprise cybersecurity tactics and leveraging behavioural AI to protect customers through detecting and responding to possible fraud at every stage of the threat cycle.
Employing an active defence
The low entry threshold and lack of serious consequences for fraudsters looking to commit online banking fraud means the best way in which to stop attempted fraud is by increasing its cost and complexity. This can be done by transforming a manual alert triage into an autonomous process that occurs in real-time, in two steps.
1) Detect the attempted fraud
With ever-more complex methods of impersonating or manipulating users arising all the time, including AI-powered voice cloning or reanimation of photos, it’s easier than ever for fraudsters to pretend to be genuine banking customers.
While financial institutions still need to be analysing for signs of attacks including phishing and malware, the only way to ensure a user is who they say they are is to analyse their behavioural biometrics: the way they scroll on a page, the rhythm and cadence with which they type, or the pressure with which they tap their screen, to name just a few of the thousands of potential parameters that can be studied. Unlike passwords or even physical biometrics like facial recognition, behavioural biometrics cannot be replicated, and so are playing an increasingly expansive role in the cybersecurity market.
Collectively, a user’s online behaviour can make up a kind of digital fingerprint – or BionicID – which is unique to them. It allows the financial institution in question to continuously ask a user if they are who they say they are throughout their online session.
2) Trigger an intelligent response
Once a possible threat has been detected, the real key to getting ahead of cyberattacks of all kinds is not just to detect potential attempts but to simultaneously respond to them. Enterprise cybersecurity has recognised the necessity for combining detection and response and as a result an automated incident response or ‘active defence’ has developed and been widely implemented. This approach to stopping cyberattacks seeks to both detect and block attacks in real-time, mitigating and remediating the effects of the attack at worst, and at best stopping attacks before they can even occur.
For online banking and payments fraud, this means stopping bad actors at the front door, and blocking them from gaining access to an account or stealing funds. By leveraging artificial intelligence as part of this strategy, fraud teams at financial institutions can pre-configure rules that determine which action is triggered according to the level and type of threat detected, ranging from stepped-up authentication requests to session termination and even freezing the account altogether. In this way, fraud analysts maintain full control over client-side automated risk mitigation, even while threats are being blocked in real-time.
For example, if there were anomalies in a user’s behaviour when interacting with online services, such as typing in their login details slightly differently or using a different device to usual, an all-in-one fraud detection and response platform could detect the slight difference and step up authentication, asking the user to get through increased security before gaining access. Equally, it could detect the presence of malware such as a remote access trojan (RAT) being used to gain control of a victim’s device or hijack their online banking session, and block access to the account completely, keeping the funds safe.
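As an added illustration (not Revelock’s code or product logic), the following Python rule engine shows how the graduated responses just described could be wired up: a per-user baseline of typing cadence and known devices, a hypothetical `rat_detected` signal from a client-side malware check, and analyst-tunable thresholds that map the detected anomaly to step-up authentication, session termination or an account freeze. The profile, session values and thresholds are all constructed for this example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Response tiers named in the text, from least to most disruptive.
ALLOW, STEP_UP, TERMINATE, FREEZE = "allow", "step_up_auth", "terminate_session", "freeze_account"

@dataclass
class Profile:
    """Per-user baseline learned from earlier sessions (constructed for this example)."""
    known_devices: set
    baseline_intervals_ms: list     # inter-keystroke timings seen during normal logins

@dataclass
class Session:
    device_id: str
    intervals_ms: list              # inter-keystroke timings observed in this login
    rat_detected: bool = False      # hypothetical signal from a client-side malware check

def cadence_deviation(profile, session):
    """How many baseline standard deviations the observed typing rhythm sits from normal."""
    base_mean, base_sd = mean(profile.baseline_intervals_ms), pstdev(profile.baseline_intervals_ms)
    if base_sd == 0:                # degenerate baseline: any change counts as a large deviation
        return 0.0 if mean(session.intervals_ms) == base_mean else float("inf")
    return abs(mean(session.intervals_ms) - base_mean) / base_sd

def assess(profile, session):
    """Return (action, reasons); thresholds are the pre-configured rules an analyst would tune."""
    reasons = []
    if session.rat_detected:        # active RAT: block the account outright, as the text describes
        return FREEZE, ["remote-access malware indicator present"]
    score = 0
    if session.device_id not in profile.known_devices:
        score += 1
        reasons.append("unrecognised device")
    dev = cadence_deviation(profile, session)
    if dev > 3.0:
        score += 2
        reasons.append(f"typing cadence {dev:.1f} sd from baseline")
    elif dev > 1.5:
        score += 1
        reasons.append(f"typing cadence {dev:.1f} sd from baseline")
    if score == 0:
        return ALLOW, reasons
    return (TERMINATE if score >= 3 else STEP_UP), reasons

# Constructed baseline: eight normal logins with ~120 ms between keystrokes.
EXAMPLE_PROFILE = Profile({"laptop-1"}, [110, 120, 130, 120, 120, 110, 130, 120])
```

A single mild anomaly (new device, or a cadence shift on its own) triggers step-up authentication, several together terminate the session, and a RAT indicator freezes the account regardless of score.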
Time to tip the balance
Truly robust protection against online fraud requires always-on fraud responses, but humans do not work this way. By automating the first line of defence, not only can financial institutions stop attacks before they occur, they can alleviate the burden on internal fraud analysts by reducing the number of alerts they receive and the number they need to actively respond to. Internal fraud teams can be put back in the driver’s seat to investigate and uncover more complex fraud cases, such as uprooting intricate networks of mule accounts hiding in a bank’s system. Meanwhile, they still maintain full control over the active response process, with the capability to completely configure the type and severity of response to each alert.
Automating the response process also helps financial institutions achieve the holy grail of an online fraud prevention strategy: maintaining a frictionless online experience for customers. Implementing an active defence means that each fraud alert is met with a proportionate response in real-time, blocking bad actors from committing their crime and making off with a customer’s funds. This automatic layer of protection will soon change the game of online fraud prevention by raising the stakes for cybercriminals and stopping fraud before it can occur.
By Richard da Silva, VP EMEA, Revelock