Fraudsters use social engineering to harvest information from legitimate account holders to scam consumers. Scams that manipulate the legitimate account holder to conduct a transaction that leads to fraud are not new to most organizations and industries. What's different now is the increase in the use of digital and mobile channels that allow communication with unknown individuals whose identity and authenticity the customer may need help to verify.
We began tracking mobile traffic in the LexisNexis Digital Identity Network in 2014. The percentage of mobile traffic then was a mere 25%. In our latest report, the mobile split of transactions reached 75% for the first time. The relentless shift to mobile continues, driven by younger and older generations embracing mobile technology earlier and emerging market populations skipping desktop devices altogether and moving straight to mobile services.
This combination of increased use of digital and mobile channels and the inability to verify whether the individual contacting the customer is legitimate runs in parallel with some basic human vulnerabilities, leading to an explosion in scams and social engineering.
Fraudsters are looking to manipulate consumers into giving sensitive information – both personal and financial – that they would not offer voluntarily. The fraudster poses as an authority such as an agent of a specific company, law enforcement, or an interested romantic partner. Because human behavior is in play, an effective preventive solution needs to involve both the education of the customer and a more nuanced approach to detection and mitigation.
Since customers believe they are conducting a legitimate transaction, traditional anti-fraud methods alone are often not enough. It’s important to combine fraud detection and targeted authentication for an enduring solution.
There are at least four elements for security teams and fraud units to consider when understanding how to fight social engineering and other cybersecurity scams:
- Detect the scammer: Organizations should thoroughly investigate the association of payee name with email or phone numbers, then conduct analysis to determine if the payee account association or activity velocity rises to a level of concern.
- Identify the channel of attack: Is the customer being contacted via text, email or a phone call? What is the motivation? Is there an urgency in the tone of the communication? Is the communication pulling on a consumer’s heartstrings in the form of charity or romantic enticement to get them to act fast? These are all signs of suspicious activity that warrant further investigation.
- Understand fraud channel signals: Other red flags are person-to-person real-time payments, particularly those outside the customer's norm, and wire transfers, especially a series of transfers to the same recipient.
- Protect the consumer: While the organization has an obligation to protect its consumers in the background, it should also help educate them on how to identify suspicious activity or behavior. When in doubt, consumers should contact the organization directly through a published phone number to confirm whether a threat is real.
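As an added example (not LexisNexis code) of the first and third elements above, a rule-based scorer over a constructed transaction log: it flags a payee email or phone number shared by many customers or tied to several payee accounts, a series of wires from one customer to one payee, and a real-time P2P payment far above the customer's own median. The thresholds, the record layout and the sample records are assumptions.

```python
# Added illustration (not LexisNexis code): rule scorer for the signals above.
# Thresholds and the sample log are assumptions.
from collections import defaultdict
from statistics import median

# Constructed sample: (customer, payee_email, payee_phone, payee_acct, channel, amount)
TRANSACTIONS = [
    ("cust-1", "ann@example.com", "555-0101", "acct-A", "p2p", 40.0),
    ("cust-1", "ann@example.com", "555-0101", "acct-A", "p2p", 55.0),
    ("cust-1", "ann@example.com", "555-0101", "acct-A", "p2p", 35.0),
    ("cust-1", "agent@example.net", "555-0199", "acct-X", "p2p", 2500.0),
    ("cust-2", "agent@example.net", "555-0199", "acct-X", "wire", 4000.0),
    ("cust-2", "agent@example.net", "555-0199", "acct-X", "wire", 4000.0),
    ("cust-2", "agent@example.net", "555-0199", "acct-X", "wire", 4000.0),
    ("cust-3", "agent@example.net", "555-0177", "acct-Y", "wire", 3000.0),
    ("cust-4", "bob@example.org", "555-0150", "acct-B", "wire", 1200.0),
]
FAN_IN_LIMIT = 2        # assumed: one payee email/phone paid by more than 2 customers
WIRE_SERIES_LIMIT = 3   # assumed: 3 or more wires from one customer to one payee
P2P_NORM_MULTIPLE = 5   # assumed: P2P amount over 5x the customer's median other P2P

def score_transactions(txns):
    # Returns {(customer, payee_acct): sorted reason codes} for flagged pairs.
    customers_by_contact = defaultdict(set)   # email/phone -> customers paying it
    accounts_by_contact = defaultdict(set)    # email/phone -> payee accounts behind it
    wire_count = defaultdict(int)             # (customer, payee_acct) -> wires sent
    p2p_by_customer = defaultdict(list)       # customer -> all P2P amounts
    for cust, email, phone, acct, channel, amount in txns:
        for contact in (email, phone):
            customers_by_contact[contact].add(cust)
            accounts_by_contact[contact].add(acct)
        if channel == "wire":
            wire_count[(cust, acct)] += 1
        elif channel == "p2p":
            p2p_by_customer[cust].append(amount)
    flags = defaultdict(set)
    for cust, email, phone, acct, channel, amount in txns:
        key = (cust, acct)
        for contact in (email, phone):
            if len(customers_by_contact[contact]) > FAN_IN_LIMIT:
                flags[key].add("payee-contact-fan-in")
            if len(accounts_by_contact[contact]) > 1:
                flags[key].add("contact-multi-account")
        if wire_count[key] >= WIRE_SERIES_LIMIT:
            flags[key].add("wire-series")
        if channel == "p2p":
            others = list(p2p_by_customer[cust])
            others.remove(amount)   # judge against the customer's other P2P history only
            if len(others) >= 3 and amount > P2P_NORM_MULTIPLE * median(others):
                flags[key].add("p2p-out-of-norm")
    return {key: sorted(reasons) for key, reasons in flags.items()}
```

Reason codes are returned per customer/payee pair so an analyst sees why a pair was flagged rather than a single score; the clean pairs (cust-1 to acct-A, cust-4 to acct-B) produce no entry.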
While these different factors may seem daunting to solve, there are approaches that combine digital and physical solutions, behavioral biometrics, and analytics to help counter scams. The psychological manipulation of the consumer makes conventional fraud controls that use IP addresses, device and network attributes less effective on their own at thwarting these complex scams. Adding multiple prevention tactics such as behavioral biometrics layered with device and physical identity data elements offers a stronger defense against fraud.
Behavioral biometrics has emerged as a relatively new defense tactic that financial institutions, retailers and others can use to help detect scams. It analyzes in the background the way a user interacts with a device or online application, looking at phone movement, touchscreen behavior, typing rhythm, length of time on a page and other interactive gestures.
It uses this information to develop a deeper understanding of the digital identity behind the action and its typical movements, in order to identify deviations that may indicate fraudulent activity. Businesses can leverage the rich insight and real-time context from behavioral analytics to make better fraud decisions that support consumers and protect them across their digital experience.
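An added example (not LexisNexis code) of the deviation check described above for one behavioral signal, typing rhythm: a user's prior sessions are enrolled as a per-feature baseline (typical pace and how regular that pace is), and a live session is flagged when either feature sits far outside that baseline. All keystroke timings are constructed and the threshold and sigma floor are assumptions.

```python
# Added illustration (not LexisNexis code): flag a session whose typing rhythm
# deviates from the same user's enrolled baseline. Timings are constructed and
# the thresholds are assumptions.
from statistics import mean, pstdev

# Constructed inter-keystroke intervals (ms) from three prior sessions of one user.
BASELINE_SESSIONS = [
    [170, 190, 175, 185, 180, 175, 190, 175],
    [190, 210, 200, 195, 205, 200, 210, 190],
    [200, 220, 215, 205, 210, 205, 215, 210],
]
Z_LIMIT = 3.0      # assumed: a feature more than 3 sigma from baseline is anomalous
SIGMA_FLOOR = 1.0  # assumed: avoid a zero sigma when enrolled sessions agree closely


def features(intervals):
    """Two rhythm features: typical pace and how regular the pace is."""
    return {"pace_ms": mean(intervals), "regularity_ms": pstdev(intervals)}


def enroll(sessions):
    """Per-feature mean and spread across the user's enrolled sessions."""
    rows = [features(s) for s in sessions]
    profile = {}
    for name in rows[0]:
        values = [r[name] for r in rows]
        profile[name] = (mean(values), max(pstdev(values), SIGMA_FLOOR))
    return profile


def zscores(profile, intervals):
    """Distance of each live feature from the enrolled norm, in sigmas."""
    live = features(intervals)
    return {name: abs(live[name] - mu) / sigma for name, (mu, sigma) in profile.items()}


def session_is_anomalous(profile, intervals, z_limit=Z_LIMIT):
    """True when any rhythm feature falls outside the user's norm."""
    return any(z > z_limit for z in zscores(profile, intervals).values())


if __name__ == "__main__":
    profile = enroll(BASELINE_SESSIONS)
    usual = [185, 205, 195, 200, 210, 195, 205, 190]      # constructed: same user, same pace
    hesitant = [400, 650, 380, 900, 420, 700, 390, 850]   # constructed: slow, irregular pauses
    print(session_is_anomalous(profile, usual), session_is_anomalous(profile, hesitant))
```

A real deployment would feed such a flag into the layered decision the text describes rather than block on it alone, since a genuine user on an unfamiliar device also types differently.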
Fraudsters will continue to find innovative new ways to defraud customers. Companies can overcome the complexities of social engineering and other scams by adopting new strategies to better detect the multiple threat vectors tied to scams. This includes analyzing account attributes associated with how the consumer transfers funds and the channels used in the attack. Businesses can also minimize social engineering opportunities by educating customers about taking a more proactive role in protecting their online safety.
Chris Schnieper, senior director, fraud and identity, LexisNexis Risk Solutions