19 May Preventing social engineering with contextual fraud messages

In today’s hyper-digital world, fraudsters are constantly finding new ways to target consumers, so it’s more important than ever for businesses to protect their customers online, explains Saeed Ahmad, Managing Director, Middle East, and North Africa, Callsign.

According to Callsign’s latest study, at least 30% of MEA respondents have experienced online fraud. Various governments and regulatory agencies have implemented anti-fraud legislation and enforced stiffer penalties for criminals. Numerous regional banking and financial institutions, such as the Central Bank of the UAE, place an emphasis on educating businesses and end-users on best practices and alerting the public to emerging fraudulent schemes. Many regional organisations have also adopted proactive fraud-prevention strategies. While large banks and businesses can spend billions on security and put protocols and procedures in place to limit fraud, the general public is largely unaware of the risks lurking in the shadows. And the dangers are becoming increasingly. complex and refined.

Why is fraud on the rise?

The Covid-19 pandemic compelled users to access services digitally to continue living their daily lives, whether that was shopping, making payments or accessing services. This increased digitisation has resulted in more online transactions taking place than ever before, and securing the digital journeys has become more difficult. Fraudsters are always on the lookout for new opportunities, and the volume of online transactions during the pandemic delivered more opportunities for fraud. Fraud hides in volume, and scammers always focus on the weakest point in the chain, which is often human behaviour. Scammers have progressed from simple phishing techniques (acquiring credentials) to make an unauthorised transaction themselves, to Authorised Push Payments (APP) fraud utilising more complex forms of social engineering convincing the consumers themselves to make a payment. Fraudsters are targeting this type of transfer more often because real-time payment (RTP) transactions are instantaneous and irreversible and, because it’s the genuine user themselves making the payment, it can be hard to spot the fraud until it’s too late.

Tackling fraud warning message fatigue

Current methods to combat APP scams involve educating customers to spot fraudulent behaviour, and also bombarding users with fraud warning messages, but the messages aren’t particularly effective. Customer alert fatigue is one challenge with a blanket approach of fraud warning messages. Users are frequently overwhelmed with warning messages during their online journey, many delivered at login or moments when they aren’t under threat, causing them to ignore messages altogether. Callsign’s research has found that a quarter of people did not notice fraud warnings presented to them by banks and retailers, and 58% of those who did notice the fraud warnings did not change their actions as a result.

Psychologists have established ‘cold ‘and ‘hot’ states of behaviour; in a ‘cold ‘state, people aren’t under stress, but in a ‘hot’ state they are stressed, perhaps panicking and anxious, and this is when users are more susceptible to fraudsters because all the education and rational thought is overwhelmed with emotion. Fraudsters know this and employ social engineering techniques where they imitate a user’s bank or other services, suggesting that their accounts have been compromised and they need to move all their money (to a fraudster’s account). Fraudsters cause panic and push people into a ‘hot’ state, at which point, any recollection about fraud warnings they saw in their calm ‘cool’ state are forgotten. And because the majority of fraud warning messages are static and pop up at the same time in the user journey, scammers anticipate and coach victims through them. As fraud has continued to evolve, so must the prevention strategies that organisations deploy. To tackle APP fraud, dynamic fraud warning messages are required alongside continued customer education.

Turning off the autopilot

Businesses require agile technologies that alert users at the exact moment of danger, jolting them back to their ‘cold’ state and their ability to recall the education about fraud that they have received. Like a warning sign on a vehicle’s dashboard, organisations need something to discourage people from thinking in autopilot mode. Therefore, organisations require real-time solutions for APP fraud protection, such as dynamic fraud warnings and next-generation behavioural biometrics. Behavioural biometrics and machine learning can be used to detect if a user is acting on their own or if they may be under duress. One example could be that behavioural signals show a user is typing with one hand, this might signal that they are on the phone to a fraudster. This is where contextual dynamic messages come in, and organisations can send relevant message at that moment in time ‘are you on the phone to your bank?’ or ‘are you expecting to make this payment today?’. These messages can cognitively jolt customers, prompting them to pause and return to their ‘cold’ state, allowing them time to consider who they are paying. Crucially, for genuine users performing recognised activity, these messages won’t be presented. Businesses can intervene if a user is at risk and can even stop a payment if they think the risk of fraud is high. Scams like APP are a digital fraud problem requiring a digital solution. Static warning messages are no longer a robust fraud prevention method, and as scams continue to rapidly evolve, dynamic technology must be used to keep up.