Types of digital banking frauds
1. Account Takeover
Account takeover (ATO) fraud is on the rise, with the financial industry being a prime target for cybercriminals. A study by the Aberdeen Group found that 84% of financial institutions have been affected by this digital threat, resulting in losses equivalent to 8.3% of their annual revenues.
ATO is a type of digital banking fraud where fraudsters gain access to and control users' bank accounts to make unauthorized transactions, transfer funds, or engage in other malicious activities.
Below are the main techniques used by fraudsters to carry out ATO attacks:
Social engineering attacks
Phishing is the most common form of social engineering in account takeover fraud. It involves fraudsters sending messages or emails that appear to come from legitimate sources, such as financial institutions. These messages often contain links to fake websites designed to collect confidential information, such as login credentials, personal identification numbers, or one-time passwords.
Brute force attack
Fraudsters use trial and error to guess passwords or usernames. They often employ tools that automate these attempts, increasing the chances of success.
Credential stuffing
Fraudsters use bots to test known combinations of usernames and passwords across multiple sites. For example, they may test the credentials of an e-commerce account on a bank account. This is because people often reuse their passwords on different platforms, which means that if one account is compromised, others are also at risk.
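The brute-force and credential-stuffing techniques above leave distinct traces in a bank's authentication logs: one source hammering a single account with failures, versus one source trying many different accounts once each with a low success rate. The following added example (not code from the original article or from SHIELD) shows a detector for both patterns run over a handful of constructed log lines; the log format, field names, and thresholds are assumptions, and in practice the events would be fed in per time window from the real login audit trail.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic). Source 203.0.113.5 repeatedly
# fails against one account (brute force); 198.51.100.7 tries six different
# accounts and succeeds once (credential stuffing); 192.0.2.9 is a normal user
# who mistypes a password once and then logs in.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:06Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:10Z src=198.51.100.7 user=bob result=FAIL
2024-05-01T10:00:11Z src=198.51.100.7 user=carol result=FAIL
2024-05-01T10:00:12Z src=198.51.100.7 user=dave result=OK
2024-05-01T10:00:13Z src=198.51.100.7 user=erin result=FAIL
2024-05-01T10:00:14Z src=198.51.100.7 user=frank result=FAIL
2024-05-01T10:00:15Z src=198.51.100.7 user=grace result=FAIL
2024-05-01T10:01:00Z src=192.0.2.9 user=heidi result=FAIL
2024-05-01T10:01:05Z src=192.0.2.9 user=heidi result=OK
"""

# Assumed log line layout: timestamp, source address, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def detect_login_abuse(events, bf_threshold=5, stuffing_users=5, max_success_rate=0.2):
    """Flag brute force and credential stuffing per source address.

    The caller is expected to pass the events of one analysis window (for
    example the last five minutes); thresholds are illustrative assumptions.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in sorted(by_src.items()):
        fails_per_user = defaultdict(int)
        users = set()
        hit_accounts = set()  # accounts the source actually got into
        for e in evs:
            users.add(e["user"])
            if e["ok"]:
                hit_accounts.add(e["user"])
            else:
                fails_per_user[e["user"]] += 1

        # Brute force: many failed attempts against one account from one source.
        for user, fails in fails_per_user.items():
            if fails >= bf_threshold:
                findings.append({"kind": "brute_force", "src": src,
                                 "user": user, "failures": fails})

        # Credential stuffing: one source spreads attempts over many accounts
        # and mostly fails, because most reused passwords are wrong here.
        success_rate = len(hit_accounts) / len(evs)
        if len(users) >= stuffing_users and success_rate <= max_success_rate:
            findings.append({"kind": "credential_stuffing", "src": src,
                             "accounts_tried": len(users),
                             # these accounts need password resets / session revocation
                             "hit_accounts": sorted(hit_accounts)})
    return findings


if __name__ == "__main__":
    for f in detect_login_abuse(parse_log(SAMPLE_LOG)):
        print(f)
```

The `hit_accounts` field is the part a response team cares about most: a stuffing campaign that produced even one successful login means that account's reused password is now known to the attacker and should be reset and its sessions revoked, independent of whether the source address is blocked.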
SIM swapping
Criminals deceive the victim's mobile operator to transfer the victim’s phone number to a new SIM card controlled by fraudsters. This allows them to receive authentication codes and control accounts linked to the victim's phone number.
Abuse of accessibility permission
A new and particularly alarming tactic involves exploiting accessibility permissions to conduct account takeover fraud. Accessibility features on Android and iOS are designed to assist users, including the elderly and those with special needs, by enabling screen reading, voice commands, and control of the keyboard.
However, when accessibility permissions are misused, they can become tools for malicious activities. Here’s what this abuse looks like in action:
1. A user installs malware through a phishing link received via email or SMS, disguised as a legitimate app.
2. The malicious app prompts the user to grant accessibility permissions via push notifications.
3. Once the user grants permission, the fraudster gains control over the device, monitoring screen activity, keystrokes, and all installed apps.
4. The fraudster can even collect data the user types or displays, including login credentials, passwords, and credit card numbers, even intercepting authentication codes.
5. Armed with this information, the fraudster is able to infiltrate the victim's bank account, conducting fraudulent transactions and pilfering funds.
2. Payment Fraud
Payment fraud is a significant threat where fraudsters steal victims' payment information to make unauthorized transactions. In the banking context, this fraud can occur at various points throughout a customer's account lifecycle, including online payments, card transactions, withdrawals, electronic transfers, and loan payments.
3. Identity Fraud
Digital banks are the primary target of this type of fraud, wherein scammers steal personal information (such as name, address, social security number, among other data) to assume control of the victim's identity for malicious purposes.
With access to the stolen victim's information, fraudsters target banks in the following ways:
- Seeking credit loans without any intention of repayment.
- Opening bank accounts in the victim's name, a specific type of identity theft known as synthetic identity fraud, wherein real and fake information is combined to deceive Know Your Customer (KYC) protocols.
4. Loan Application Fraud
Loan fraud is on the rise, with approximately one in every 131 loan applications being fraudulent. Fraudsters use stolen personal information to apply for loans. Once the loan is approved, they disappear without repaying the debt, leaving the victim with the financial burden.
Detecting and preventing banking fraud
Fraud typically starts with a device, whether it's used to create fake accounts to hide the fraudster's identity or to launch attacks on digital bank accounts. Thus, the most effective way to tackle fraud is by addressing it at its root: identifying the device used for creating fake accounts and employing malicious tools and techniques.
Taking a proactive stance and deploying real-time fraud prevention software and risk analysis are crucial steps. These approaches blend various strategies, including:
Device risk monitoring
The widespread use of smartphones for transactions and accessing financial services has led to a surge in fraud and abuse. Consequently, banks need to monitor device fingerprints meticulously to accurately recognize and authenticate each user accessing their system. This technology takes multiple attributes into account, ranging from device data to individual behavior. Typically, these checks are tuned to confirm that the same user is behind the session at each point in their journey, thus mitigating the risks and damages stemming from banking fraud.
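The device-first idea from the two passages above (identify the device behind fake-account creation, and check that the device seen at a sensitive step matches what is known for that user) can be expressed as two simple rules over a stream of app events. The example below is added here and is not SHIELD's code or a description of its product; the event fields, the `trusted_devices` history, and the threshold of three accounts per device are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed events (not real data), in the order the app observed them.
# "device" is whatever stable identifier the fingerprinting layer assigned.
EVENTS = [
    {"device": "dev-A", "account": "acc-100", "action": "signup"},
    {"device": "dev-A", "account": "acc-101", "action": "signup"},
    {"device": "dev-A", "account": "acc-102", "action": "signup"},
    {"device": "dev-A", "account": "acc-103", "action": "signup"},
    {"device": "dev-B", "account": "acc-200", "action": "login"},
    {"device": "dev-B", "account": "acc-200", "action": "transfer"},
    {"device": "dev-C", "account": "acc-200", "action": "login"},
    {"device": "dev-C", "account": "acc-200", "action": "transfer"},
]

# Assumed prior history: devices each account has previously been verified on.
TRUSTED_DEVICES = {"acc-200": {"dev-B"}}

SENSITIVE_ACTIONS = {"transfer", "change_phone", "add_payee"}


def device_risk(events, trusted_devices, max_accounts_per_device=3):
    """Return risk alerts derived purely from device identity.

    Rule 1: a sensitive action from a device the account has never been
            verified on should trigger step-up authentication.
    Rule 2: one device registering more accounts than a plausible household
            is the signature of fake-account creation.
    """
    accounts_per_device = defaultdict(set)
    alerts = []

    for e in events:
        device, account, action = e["device"], e["account"], e["action"]
        if action == "signup":
            accounts_per_device[device].add(account)
        if action in SENSITIVE_ACTIONS and device not in trusted_devices.get(account, set()):
            alerts.append({"kind": "sensitive_action_unknown_device",
                           "account": account, "device": device,
                           "decision": "step_up_auth"})

    for device, accounts in sorted(accounts_per_device.items()):
        if len(accounts) > max_accounts_per_device:
            alerts.append({"kind": "multi_account_device", "device": device,
                           "accounts": sorted(accounts),
                           "decision": "hold_accounts_for_review"})
    return alerts


if __name__ == "__main__":
    for a in device_risk(EVENTS, TRUSTED_DEVICES):
        print(a)
```

Note that the transfer from `dev-B` raises nothing because the account already has history on that device, while the same action from `dev-C` is routed to step-up authentication rather than blocked outright: a new phone is a normal life event, so the device signal is used to decide how much friction to apply, not to refuse the customer.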
Automation
The implementation of a platform that manages risks in real-time and in an automated manner is essential, as it:
- Boosts operational efficiency by automating manual processes and reducing incidents of fraudulent activities;
- Empowers the fraud team to operate more effectively, freeing up resources to concentrate on business goals and strategic initiatives;
- Drives cost optimization by spotting threats in real-time that could otherwise lead to substantial financial losses for the financial institution.
Artificial intelligence and machine learning algorithms
Deploying a fraud detection and prevention solution enhanced with artificial intelligence and machine learning algorithms keeps financial institutions a step ahead of fraudsters. This technology can process vast amounts of data in real-time, including device information, network, behavioral data, and historical patterns, allowing for the detection of known and new fraud tactics.
How can SHIELD help in digital banking fraud detection and prevention?
For the last 16 years, SHIELD’s device-first approach has served as the first line of defense for businesses worldwide. Our solution empowers businesses to not only combat payment fraud, but also a host of use cases including account takeover, identity fraud, loan application fraud, and money laundering.
Powered by cutting-edge device fingerprinting and the latest in AI & machine learning algorithms, our Device-First Risk AI platform identifies the root of fraud, the physical devices behind attacks, with accurate device identification (SHIELD Device ID) and real-time actionable risk intelligence.
The combined power of the SHIELD Device ID and SHIELD Risk Intelligence empowers digital banks worldwide to eliminate fake accounts and all fraudulent activity, stopping fraud, building trust, and driving growth.