Experts Warn of Rapidly Evolving Fraud Techniques in the Wake of COVID-19
Just as businesses have embraced digitalization to evolve in the wake of COVID-19, fraudsters and scammers are embracing digital technology to evolve the threat they pose to businesses and the public, experts from Visa, Rizal Commercial Banking Corporation (RCBC), e-wallet BigPay, and cybersecurity firm OneSpan said during a virtual panel discussion.
“With the global pandemic, things are going online at a much faster rate than we would have,” said Chackan Lai, Vice President of Global Risk Advisory and Innovations at Visa in the US. “The e-commerce channel has accelerated tremendously over the past 12 months and plus. At Visa, on a global basis, about 54% of our transaction volume is now via the e-commerce channel with only 46% in the face-to-face environment.”
And just like any other enterprise, scammers “are going to go digital just like every business needs to adapt,” said Salim Dhanani, CEO & Co-Founder of BigPay in Malaysia. “Threats have changed.”
Mobile fraud on the rise
Juan Gabriel R. Tomas IV, Chief Risk Officer at RCBC in the Philippines, noted that mobile-related fraud in particular has grown significantly. In Q4 2020, mobile fraud at RCBC represented 44% of all fraud, a considerable increase from the 13% observed during the same period a year earlier.
“The pandemic has had a psychological effect on people … knowing that there is this risk hanging over their heads … threat actors are looking to capitalize on that,” Tomas said. “One trend we are seeing a lot is social engineering-based types of attacks mostly around instilling fear: ‘your account has been breached, you need to call this number and give me your credentials so we can protect you from that, etc.’”
Another popular attack observed in the Philippines, Tomas said, involves intercepting a one-time password (OTP) that banks send to a mobile device as a secondary protection. Some criminals even use special mobile malware that not only captures the PIN but also automatically inputs it, said Sam Bakken, Senior Product Marketing Manager at OneSpan in the US.
“Attackers are a business, and they are seeing that more and more people are engaging through mobile channels, people a little bit less savvy are engaging in the mobile channel, and that makes it more and more worth their time to spend there and try to take advantage of any weakness there,” he said.
This fast-changing fraud landscape is forcing banks, fintechs, and other stakeholders in the financial services industry to change their risk mitigation techniques and embrace new technology including behavioral biometrics and artificial intelligence/machine learning (AI/ML).
“Collecting behavioral data on the back-end and building profiles based on that … [is] one obvious thing that tends to help,” Bakken said. “That’s information that’s not quite accessible to attackers, so they can’t quite replay that.”
Behavioral biometrics is another powerful tool in the fight against cybercrime that’s seeing increased adoption. By measuring and recording human behavioral patterns and their use, behavioral biometrics adds an extra layer of intelligence to identity authentication.
“That’s really about building a profile of someone based on how they are reacting with the mobile device,” Bakken explained. “That alone would not suffice for strong authentication but it’s a good continuous monitor to make sure that there’s no automated actions happening on the phone, that it’s not a bot acting but a legitimate human and to a certain degree, the legitimate user that owns the account.”
Banks are also inquiring about advanced mobile app security technology that would allow users to conduct transactions safely even from a compromised device.
“This technology can travel with the app and allows the app to execute even in a hostile and untrusted environment,” Bakken said. “Based on the security hygiene of the user, you can’t always trust the device upon which the mobile app executes.”
How financial companies are preventing fraud
When asked how their companies prevent fraud, Lai said that at Visa, the teams strive to build and implement technologies that are inherently secure. In addition to that, several capabilities have been deployed on top of its electronic payment network VisaNet to add an extra layer of security.
“Every single Visa transaction floats through our VisaNet system … within which we have built a very sophisticated, AI-based set of tools to monitor and risk evaluate every single transaction,” Lai said. “Of course, this is not [perfect] but it greatly helps, especially [the] financial institutions [we serve], to identify high-risk transactions.”
On top of that, Visa has a dedicated team within its global risk division responsible for monitoring transactions 24/7, and reacting promptly to fraud attempts. “They look and run a 24/7 risk operation center, constantly looking and monitoring at the transaction level for any sign of attack that may be happening on our network,” Lai explained. “They have the ability to mitigate it by immediately declining and implementing blocks, and therefore help our financial institutions mitigate some parts of the fraudulent attacks on the ecosystem itself.”
Like Visa, Tomas said, RCBC has adopted a twofold strategy that relies both on technology, including AI and ML, to monitor activity and establish a baseline for customers, and on process protocols under which a dedicated team is responsible for reacting quickly to perceived threats.
“It’s a combination of technology and process, but the key here is rapid response time,” Tomas said.
Meanwhile at BigPay, Salim said the company focuses on preventing fraudsters from getting onto the platform in the first place, and has set up a sciences team that’s continuously working on its risk models. In addition to financial loss, Salim noted that fraud and security issues can seriously damage a company’s reputation and hamper customers’ trust.
This article, written by Fintechnews, was first published on Fintechnews Singapore on May 19, 2021. Republished with permission.