Blog article
See all stories »

Social engineering in the Financial Sector: Humans remain the Weakest Link in the Security Chain

Each year, the risk of being a victim of cybercrime grows. In the first half of 2021 in the UK, criminals stole a total of £753.9 million through fraud, an increase of over a quarter (30 per cent) compared to the first half 2020. Criminals are increasingly targeting banks and other financial organisations with social engineering fraud.  

Here, cybercriminals exploit the weakest link in the security chain – the people. People are error prone and make the same mistake multiple times. The inability of financial institutions from preventing us from making mistakes, makes us the weakest link in the chain.  While this form of fraud has been implemented for years, mostly in the form of phishing and vishing (voice phishing), it is growing continually. 

However, technologies based on behavioral biometrics can detect this type of fraud – it can be used to verify a person's identity during the banking transaction without the need for additional security layers.  


When the bank advisor calls: real-time fraud detection 

Real-time fraud, also known as approved push payment (APP) fraud, is a type of social engineering that may inflict significant financial harm. To establish the necessary authenticity, cybercriminals utilise their victims' personal data obtained through data breaches on the dark web or captured from social media profiles. The more information available to the perpetrators, the more authentic they can appear. In doing so, they contact their victims via telephone and pretend to be a representative of a government agency, an employee of the bank or another official organisation. In this way, they can persuade the person called to transfer a certain amount of money to another account. The banks' security processes can be bypassed because a real account holder triggers the transfer. Multi-factor authentication (MFA) thus offers no protection either. 

Since it is a legitimate user logging in from a valid location and completing the authentication process with their own end device, the fraud is very difficult to detect. This is because the usual checks - for example, identifying the location, the end device, or the IP - are no longer sufficient. Even out-of-band methods such as authentication with a one-time password (OTP) via SMS can be circumvented. Cybercriminals who carry out such attacks also usually have a sophisticated script and are familiar with a bank's security practices and procedures. To make matters worse, cyber criminals use social engineering methods to elicit emotional response from their victim. Criminals will try to extract feelings of sympathy, guilt, or companionship from their victims. They will use a sense of urgency, flattery, an aura of authority or trusting dispositions.  These popular methods elicit feelings such as fear, anxiety, or ease, causing victims to behave hastily or without judgement, resulting in the attacker's desired outcome. 


Behavioural Biometrics: Detect Authorized Push Payment (APP) Fraud  

APP fraud is, unfortunately, gaining momentum in the UK, with victims of this scam experiencing £479 million worth of losses, averaging over £7K per victim in the UK.  However, technologies based on behavioral biometrics can detect this type of fraud; it can be used to verify a person's identity during the entire banking transaction. BioCatch uses data-based insights to distinguish behaviors of "real" and manipulated users.  In collaboration with its customers, BioCatch has developed risk models that can be used to identify a variety of threats, as this collaborative effort is deemed essential in empowering clients and keeping consumers safe. In addition, there are clear behavioral patterns that can distinguish "real" from "fraudulent" activity during an online session and reveal manipulation by a cybercriminal: 

  • Unusual duration of the session: the session lasts considerably longer than usual, and the account holder shows noticeable behavior patterns, such as aimless mouse movements. This may indicate that the person is nervous or under pressure while waiting for instructions from a criminal.  

  • Segmented keystrokes: If there are interruptions in typing, this may be a sign that the account number is being read aloud by the perpetrator, preventing routine typing.  

  • Hesitation: The time required to perform simple, intuitive actions such as confirming an entry increases significantly.   

  • Unusual handling of the terminal device: The orientation of the device changes frequently. This may indicate that the logged-in user repeatedly puts down or picks up his smartphone to accept the criminal's instructions. 

Regardless of how complex a bank's systems and controls are, cybercriminals who employ social engineering as a means of defrauding businesses are incredibly tenacious. In most cases, there is no way to trace the victim's money after a successful social engineering scam. Therefore, in order to protect customers from financial loss, it is imperative to detect fraud the moment it occurs. The use of behavioral biometrics can prevent significant losses, while comprehensively protect customers and company assets. It must form the bedrock of any financial institutions anti-fraud protection. 



Comments: (1)

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 13 May, 2022, 13:03Be the first to give this comment the thumbs up 0 likes

AFAIK, APP stands for Authorized Push Payment. By definition, an authorized payment cannot be fraud. Accordingly, of late, it's correctly called "Scam" rather than "Fraud"

Re. "In this way, they can persuade the person called to transfer a certain amount of money to another account.":

How? How many people have received telephone calls from their banks asking them to transfer money?? (I never have). Even if I was sure it was my banker, for what purpose would he ask me to transfer money?? 

This just reinforces my long-held take that APP Scam is more about Intent than Identity. I'm not sure how tools to verify identity will curb APP Scam. 

That said, I do agree with the title of this blog post: Human is indeed the weakest link in many types of cybercrime including APP Scam.

Now hiring