News and resources on cyber and physical threats to banks and fintechs worldwide.

Callsign unveils tech to tackle authorised push payment/Zelle scams

Source: Callsign

Callsign, the digital trust pioneer, has announced its Dynamic Interventions capability controlled by its Orchestration Engine.

This technology allows organizations to detect social engineering scams in real time and intervenes when fraud is detected, delivering contextually relevant and personalized messages protecting the user from becoming a victim of fraud.

The phenomenon of social engineering has emerged as a way for fraudsters to psychologically manipulate consumers into transferring money to accounts held by those fraudsters. Known in the industry as online payment scams or authorized push payment (APP fraud), it is hard for banks to detect as the authorized customer is making the payment.

‘Online payment scams are a digital fraud problem requiring a digital solution. With real-time and faster payment systems becoming the global norm, banks and financial service organizations need to look beyond conventional fraud detection and actively detect, intervene and protect. With online payment scams, static fraud warning messages to customers have become ubiquitous and easy to ignore. Fraudsters anticipate static messages and coach users past those warnings, but Callsign’s Dynamic Interventions responds to threats in real time, intervenes and alters digital journeys appropriately, introducing new controls or steps to protect customers,’ said Mario Dusaj, solutions engineer, North America, Callsign. In the last 18 months, online payment scams have grown exponentially. Recent research from industry analysts Forrester reveals that authorized push payments are considered a major problem by 66% of financial services and consumer banking organizations across the globe (APAC 66%, Middle East 67%, North America 56%, UK 72%). Organizations agree that using a combination of threat detection, dynamic fraud warnings and behavioral biometrics can help solve this issue.

With instant or real-time payments in place across the globe, it’s impossible to recover money once it has been sent, ramping up the costs of fraud for financial services organizations or consumers. Peer-to-peer payment platforms such as Zelle have recently hit the headlines due to APP fraud occurring on the platform. Available to over 100 million banking customers, it is estimated that $490 billion was sent by consumers and businesses in 2021 over the Zelle network and because transactions are instant and non-reversible, the platform has attracted fraudsters.

Using machine learning, the Callsign platform understands recurring behavioral patterns of users when they make online payments and uses that knowledge to detect if the user is acting under coercion. Combined with threat and malware detection, Dynamic Interventions can intervene the moment a customer might be in danger, delivering intelligent, contextual and timely fraud messages to the consumer or stopping payments altogether. Crucially, for genuine users performing recognized activity these messages won’t be presented. This ensures users will not get message fatigue.

The platform identifies threats by asking these questions:

• Is the session secure?
• Is the user human? Is there any malware present on the user’s device or has their device been compromised by a bad actor?
• Is this user authorized? Is the user allowed to make the transactions they wish to make?
• Is the user being tricked? Are they performing any actions that are unusual, such as making a big transfer to a suspicious account? Does their behavior indicate that they are under some sort of duress or being coached?
• How can we manage the risks and user experience? What user journeys do we need to orchestrate?

For example, a bad actor may attempt to deploy an impersonation attack against a genuine user, by claiming to be a bank representative and asking for a large payment. As the legitimate user attempts to initiate the payment, Callsign’s Orchestration Engine detects something is wrong by screening the genuine user’s device to ensure that a fraudster isn’t using remote access software to take over the account – or that malware was running, ensuring that the fraudster can’t fool the technology by turning it off at specific stages in the digital journey.

From here, the genuine user’s typing cadence and mouse movements are monitored –for example, they may be slower and more ponderous, indicating they are on the phone receiving directions. Before the payment is approved, Dynamic Interventions powered by Callsign’s Orchestration Engine asks the user about the payment they are making, prompting them with multiple contextual questions. Based on customer answers, threat detection and customer behavior, the technology establishes if a bad actor is directing them. The answers confirm to Callsign they are under attack, the Orchestration Engine would advise them it is likely that they are under the influence of a bad actor, and to not comply with their instructions, or would intervene to prevent payment taking place.

When contrasted with the current set-up that requires users to read and consent to generic messaging in a challenging user interface, this approach is more targeted, user friendly, and engaging. Organizations can customize the interventions to suit their sector and their customers’ needs and can be deployed with just a few clicks of a mouse without any need for coding. Consequently, fraud teams can establish interventions to counter new attacks quickly and efficiently, ensuring that bad actors aren’t successful.

Regulation needs to play a key role when it comes to enforcing consumer protection. Forrester’s research revealed that almost half of the financial services and consumer banking industry see regulatory issues as a significant challenge when trying to detect and prevent scams such as APP fraud. The impact of regulatory compliance has been cited as most significant in both the US and the UK.

With the increase in APP fraud and consumer losses, regulators around the world are acting. The Consumer Financial Protection Bureau (CFPB) in the US recently revised guidance on unauthorized electronic fund transfers (EFTs) and, the UK Government and Payment Services Regulator (PSR) intend to improve reimbursement of APP fraud scam victims.

It’s clear a new approach to combatting online scams is needed, and the best result for organizations in all sectors is layering solutions, for example using a combination of threat detection, dynamic fraud interventions and behavioral biometrics, to ensure genuine users are protected.

Comments: (0)