It’s spring scamming season: Take stock of your scam defenses

Spring is in the air and we can all feel it. Flowers are blooming, the sun is setting later, and the itch is there to clean out our homes and start fresh.

Financial institutions are also performing spring cleaning in response to a new wave of fraudulent activity and innovative hacking methods — and many have uncovered the need to revisit foundational security practices. The process includes taking stock of existing safeguards against common types of human-driven scams, which fall into two key categories: (1) downstream account takeover scams and (2) coaching scams.

They say April showers bring May flowers, and it’s a concept that also holds true in cybersecurity. In the midst of spring scamming season, defenses implemented today can ensure a more secure tomorrow.

Spring Scam No. 1: Account takeovers

The first broad category of scams due for a deep cleaning involves human-driven account takeover scams in which fraudsters trick users into providing their own account credentials. For example, a fraudster may call a customer posing as an employee at their bank. The fraudster alerts the customer that their account has been compromised and immediately requests their credentials so they can set up a new account on the customer’s behalf. Receipt of these credentials then allows the fraudster to take over the customer’s current account, launder money, and carry out other forms of financial fraud.

Phone calls are a preferred channel of attack for account takeover scams, and for good reason: Phone scams garner the highest reported loss of money per person at $1,400. Unlike text messages or email, which allow targets the opportunity to pause and question messages, phone calls are immediate and urgent. The user must react at the moment to the fraudster’s voice, with little time to think critically about what’s happening or verify requests. Before cold-calling, fraudsters will sometimes even send a phishing text message to test the waters and increase the odds of success for the follow-up phone call.

To limit the effectiveness of account takeover scams, financial institutions can’t rely on bot-detection tools alone since many of these security measures are limited to automated attacks. Instead, it’s critical for financial
institutions to invest in behavioral biometric technology that can detect both manual and automated attacks.

Every user has a different typing cadence, typing speed and mouse movements — details that are incredibly difficult to replicate. Behavioral biometric tools passively track these patterns, ensuring financial institutions
have the opportunity to intervene during the initial stages of an account takeover attempt.

What does this look like in practice? Suppose a fraudster successfully acquires a user’s login information. The way they enter and leverage the user’s login credentials will vary from the customer’s known behaviors. For example, the customer may typically take several seconds to enter their password and sometimes require two or three tries, while the fraudster enters the same information in seconds and with no errors. This discrepancy signals that the business should take a closer look at the access request and introduce additional security measures, if needed.

Spring Scam No. 2: Coaching scams

Many scams are challenging for financial institutions to track, largely because businesses are removed from interactions between fraudsters and customers. Let’s say instead of asking a customer for their credentials, the fraudster tells the customer their account has been compromised. But there’s no need to worry because the fraudster has taken the liberty of setting up a new account for the customer, and then asks them to go into their e-banking application and begin transferring funds to the new, “secure” account.

This scenario is just one example of a typical coaching scam — and it’s an approach that’s difficult for the financial institution to manage and prevent because the fraud occurs offline. On the surface, it appears as though a trusted user has made a legitimate transaction transferring funds from one approved account to another. But digging deeper into a combination of physical and non-physical behavioral biometric cues allows the financial institution to detect potentially fraudulent behavior and intervene accordingly.

In this case, non-physical biometrics analyze the circumstances surrounding an individual user’s banking interactions and known behaviors. For example, does the user typically use their banking application at a specific time of day? Is it common for them to transfer large sums of money to a new recipient? The answers to these questions can help financial institutions detect deviations in behavior, even if it’s the same user behind the wheel.

From a physical perspective, hesitancy during the banking interaction can also be a sign that fraudulent activity is afoot. Think about how different your typing patterns and input cadence would be if you were reading instructions from a phishing email or following instructions from someone over the phone versus the way you normally log in and complete desired actions. As with account takeover scams, pauses or delays in typing or mouse movements should give financial institutions cause for concern and provide an opportunity to introduce additional security measures as a form of friendly friction.

Don’t start your spring off on the wrong foot

Bad actors continue to evolve their strategies with new technologies and tactics, such as using ChatGPT, to speed up and scale the creation of emails, fake web pages and other content crafted to dupe end-users. But even as fraudsters find new ways to scam customers, the core protections best suited to keeping customers safe remain the same. They just need a little reinforcement.

This spring — and beyond — financial institutions must invest in behavioral biometrics technologies that protect customers from coaching, account takeover scams, and whatever else may be coming down the road. Spring scamming season is here. Is your business ready?