Do you feel like something in your fraud management is still not working? If so, maybe that’s because you are not looking at some pieces of the puzzle correctly.
Speaking with our clients, we gathered a few common beliefs that were keeping them from a leap in efficiency and scalability.
In this article, we have collected 7 myths about fighting online fraud to leave behind in 2022 and improve your approach to technology, people, and processes.
Sometimes, a change of perspective leads to great results.
Myth #1 “Behavioral Biometrics is the ultimate solution to stop online fraud.”
Behavioral Biometrics technology alone is not enough to stop fraud, as advanced malware, like SharkBot, can bypass it.
Behavioral Biometrics is an advanced technology that leverages machine learning techniques to continuously assess the identity of online users based on their behaviors, such as how they type, swipe, or move their devices.
The banking industry has recently seen a consistent increase in the adoption of Behavioral Biometrics for its ability to help build precise customer profiles and strengthen the KYC (Know Your Client) capabilities against online fraud.
However, this technology has not proved effective when working alone.
For example, new generation malware, like SharkBot, can bypass Behavioral Biometrics detection capabilities.
Behavioral Biometrics represents a powerful tool in banking only if integrated with other detection capabilities, such as Malware detection, Endpoint telemetry, and Behavioral and Transactional analysis, to name a few, to look after online customers more comprehensively and understand their behaviors behind the scenes.
Myth #2 “There are standardized models to minimize fraud risk.”
Online banking attacks have become too sophisticated to be fought with standardized security posture models.
Contrary to common belief, there are multiple ways to fight a specific cyber threat. As online banking frauds have dramatically evolved in recent years, it has become more difficult to predict and stop them using standardized models that worked in the past.
After many years in the online banking fraud industry, we believe that best practices to fight specific threat patterns do not exist anymore. Criminals are developing attack schemes so targeted to a specific victim that what is a best practice for one bank could be a terrible practice for another.
To understand the best way for you to prevent and stop targeted attacks, it is important to consider several variables at the same time: your digital channels, the products and services you are offering, the technologies you are using, as well as all the processes in place to support your security posture. Your situation is unique, like everyone else's.
This is where the importance of Tailored Threat Intelligence comes in. A team of fraud experts can study the evolution of the fraud scenario, understand your system's vulnerabilities and the needs of your clients, and, thus, advise on the best decisions to take.
Myth #3 “AI-based technology alone can do all the work.”
Artificial Intelligence in fraud management should not be used as a replacement for human decisions, as it cannot stop targeted attacks by working independently. Artificial Intelligence needs to be adopted as an enabler of better human decisions, thanks to the possibility of automating processes and scaling-up response actions.
Too often, talking with people around us, we realize how difficult it is for them to understand the real value technology brings to fraud management. A common belief is that it is enough to integrate the technology into the company’s security systems and “push a button” to make it work.
It doesn’t work that way. Technology cannot fight fraud alone. The teamwork between skilled fraud experts and efficient anti-fraud solutions makes the magic.
AI-based technology can help detect potential risks, highlight system anomalies, or set up rules and automation easily, but it can’t make the best decision on how to respond to new threats alone. This is where fraud analysts and security experts come in.
For example, at Cleafy, before committing to a potential customer, we conduct several discussions to understand if and how our solution can best fit that specific client's needs. We ask questions to understand the systems and internal operative processes in place, who is in charge of fraud management, how a threat is identified and how decisions are made once the attack pattern is detected. Only then do we tailor our solution to that specific situation.
Fraud management is not only about technology. It is also about people and processes.
Myth #4 “Anti-phishing capabilities are critical in the fight against online fraud.”
Phishing itself is not the real threat. It is just a door that lets criminals make the very first move to perpetrate fraud.
When searching for the right fraud management solution, banks and financial institutions often look for the one with the best phishing protection to reduce the customers’ exposure to fraud.
The truth is that phishing, like viruses, cannot be stopped. If you think about it, it works as in the real world: we cannot avoid the existence of viruses, but we can prevent infections by getting vaccinated. In the same way, we cannot avoid phishing, but we can avoid being hit by ATO and ATS attacks by using the right anti-fraud system.
The ultimate goal of phishing is to perpetrate fraud via Account Takeover or Automatic Transfer Systems attacks.
To successfully fight fraud, it is paramount to focus on stopping ATO and ATS attacks via a combination of detection capabilities that can identify and stop even the most advanced fraud schemes, and monitor what’s happening across all digital channels throughout the entire user’s journey.
What if you had a vaccine against ATO and ATS? Would you still be worried about phishing itself?
Myth #5 “Relying on risk scores enables fraud management to make the best decisions.”
The risk score tells only a part of the story. You can make the best fraud management decisions only by looking at what's behind the risk score number.
Fraud management systems can analyze what’s happening in each user’s session and easily calculate each session's riskiness level.
When discussing with our clients, we realized that the importance they give to the risk score is higher than it should be.
We are far from arguing that the risk score is not crucial in fraud management.
But decisions made by only looking at that number will be imprecise and inefficient, either letting fraudsters in or blocking genuine customers too often.
It is essential to look at what led to that risk score, bringing in a holistic view, where every single micro-detail of each session is accessible with clarity, and nothing is left out of sight.
Myth #6 “Monitoring each digital channel independently is needed to prevent online fraud.”
Advanced frauds are multidimensional and multichannel. To identify and stop online attacks, it is paramount to monitor all digital channels simultaneously and cross-correlate events that might identify a threat.
Let's consider a real-case scenario to better understand the importance of leaving this myth behind.
- A fraudster might open a session on your web app and try an Account Takeover by calling your customer and pretending to be a bank employee.
- Your customer is asked to log into your banking app and read the OTP codes the fraudster needs to authenticate.
- The fraudulent transaction is finalized.
It would be impossible to detect fraudulent activities like this without correlating in real time what’s happening on both the mobile and web channels.
To detect online fraud in a timely manner, it is necessary to monitor all digital channels simultaneously.
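The cross-channel correlation from the scenario above, sketched as an added example that is not Cleafy's code and not part of the original article. The event fields, event type names and the 300-second window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

WINDOW = 300  # seconds; assumed correlation window

# Constructed sample events, not real telemetry. Field names and event types
# are hypothetical: (ts, customer, channel, session, device, known_device, type)
RAW = [
    (1000, "c-101", "web",    "w-1", "dev-x", False, "login"),
    (1090, "c-101", "mobile", "m-1", "dev-a", True,  "otp_displayed"),
    (1150, "c-101", "web",    "w-1", "dev-x", False, "transfer"),
    (2000, "c-202", "web",    "w-2", "dev-b", True,  "login"),
    (2040, "c-202", "mobile", "m-2", "dev-c", True,  "otp_displayed"),
    (2100, "c-202", "web",    "w-2", "dev-b", True,  "transfer"),
    (3000, "c-303", "web",    "w-3", "dev-y", False, "login"),
    (3060, "c-303", "web",    "w-3", "dev-y", False, "transfer"),
]
FIELDS = ("ts", "customer", "channel", "session", "device", "known_device", "type")
EVENTS = [dict(zip(FIELDS, row)) for row in RAW]

def first(evs, pred):
    """Return the first event matching pred, or None."""
    return next((e for e in evs if pred(e)), None)

def correlate(events, window=WINDOW):
    """Flag web sessions on an unrecognised device whose transfer follows an
    OTP shown in the same customer's mobile app on a different device."""
    per_customer = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        per_customer[e["customer"]].append(e)
    alerts = []
    for customer, evs in per_customer.items():
        for login in evs:
            if not (login["channel"] == "web" and login["type"] == "login"
                    and not login["known_device"]):
                continue
            # Mobile OTP display shortly after the web login, on another device.
            otp = first(evs, lambda e: e["channel"] == "mobile"
                        and e["type"] == "otp_displayed"
                        and e["device"] != login["device"]
                        and 0 <= e["ts"] - login["ts"] <= window)
            if otp is None:
                continue
            # Transfer in the same web session shortly after the OTP display.
            transfer = first(evs, lambda e: e["type"] == "transfer"
                             and e["session"] == login["session"]
                             and 0 <= e["ts"] - otp["ts"] <= window)
            if transfer:
                alerts.append({"customer": customer, "web_session": login["session"],
                               "mobile_session": otp["session"],
                               "otp_to_transfer_s": transfer["ts"] - otp["ts"]})
    return alerts
```

Fed only the web events or only the mobile events, the same rule returns nothing: the unrecognised web device and the OTP display on the customer's own phone become suspicious only when seen together.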
Myth #7 “Monitoring the transaction details is enough to stop fraud.”
Analyzing the transactions is not enough to detect an online banking fraud.
In the past few years, fraudsters developed advanced ways to commit crimes to avoid being easily discovered by fraud management systems. Where before they stole money by moving significant sums to fake accounts, today they rely more on luring the real customer into making the transaction, so as to stay undetected.
Focusing on the transaction means leaving critical information out of the picture.
Moreover, at that point, any failure in detecting the attack would result in money loss, as the transaction is the final step of the fraud.
To stop fraud, it is essential to monitor what comes before the transaction, along the entire user journey, starting before the authentication phase.
This is possible by adopting a holistic view (as mentioned in myth #5) and correlating data from different channels (as mentioned in myth #6), different sessions, and different detection mechanisms, such as Behavioral Analysis and Biometrics, Malware and Bot Detection, and so on.
Staying ahead of fraud is not an easy job. And we know that.