Thwarting online fraud requires a more holistic approach to fraud prevention, one that captures the full context of a transaction based on the user’s digital journey across the bank or vendor’s website.
Digital fraud and risk teams are locked in a perpetual game of catch-up with online fraudsters. New technology comes along that helps to prevent online fraud, the fraudsters evolve their tactics, and the cycle repeats. With US companies losing $3.56 billion to online fraud in the first half of 2022, fraudsters seem to have the upper hand. The time has come for defenders to flip that dynamic around. But to do that, they need to innovate. Next-gen fraud detection can help.
Why are fraudsters winning?
These days, fraudsters have a clear advantage. They can impersonate users with growing accuracy and have automated software that can rapidly scale up attacks. Crucially, they also have a huge amount of stolen data they can draw on to hijack accounts, open new credit lines, and make fraudulent payments.
Defenders, on the other hand, rely on legacy fraud detection systems that use data sourced from “point-in-time” interactions. Early on, that approach sufficed, but practically speaking, it’s akin to determining if someone is shoplifting in the offline world using static photographs instead of watching them on video. Lacking context, these systems struggle to disrupt fraud that relies on complex social engineering tactics that unfold over weeks or months. Nor are they well equipped to address newer forms of online fraud, such as Authorized Push Payment (APP) fraud.
APP fraud occurs when victims are tricked into making a payment to a fraudster impersonating a legitimate payee, usually via newer payment platforms such as Zelle or Venmo. Fraudsters made an estimated $440 million off Zelle users in 2021, and banks are not covering most customer losses.
APP deception is likely the fastest-growing segment of online fraud. It’s also extremely hard to spot using point-in-time data. Thwarting it requires a more holistic approach to fraud prevention, one that captures the full context of a transaction based on the user’s digital journey across the bank or vendor’s website.
So, what does monitoring the full user journey look like?
For starters, banks could look at whether there were any unusual interactions or hesitations during the payment journey. Behavioral biometrics could spot potential signs of coercion. Was the victim on the phone while making the payment? Are the journey pattern and payee details typical for that victim? Is the journey like previous scam journeys?
The bank could then assess the payee account. How long has it been open? Is it a risky account type (e.g., cryptocurrency)? Has it received many high-risk payments in the recent past? All this needs to be done in milliseconds in the background, with zero friction on the user experience. Suspect transactions could be blocked outright, or tailored messages could be dynamically inserted during the payment journey.
Detection may not kick in until the person making a payment initiates a transaction and that transaction is unfolding. Even so, digital fraud detection systems should be collecting intelligence on the beneficiary as soon as they visit the site, and combining that intelligence into a scam model that runs in real time during payment journeys.
Imagine how much easier fraud types such as account takeover or payment fraud would be to spot if the organization were able to cross-check with a previous bot attack that tested the victim’s credentials. It’s all about profiling and collecting data from users’ online journeys, then risk assessing against information on devices, behavior, identity, session, and content.
More high-quality data of this sort ultimately means better decision making and reduced friction for the customer. Following the customer for the full duration of their digital journey enables good user behavior to be baselined from previous journeys so that even if a customer made an “unusual” purchase, perhaps for a high-value item, the transaction would not be blocked if the IP, device, location and behavioral indicators all suggested low risk.
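The contrast between point-in-time and journey-based scoring described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor's product; the field names, weights and thresholds are hypothetical, and both sample journeys are constructed.

```python
from dataclasses import dataclass

@dataclass
class Journey:
    """Signals gathered across the payer's session and the payee account (all constructed)."""
    amount: float
    device_known: bool            # device/IP/location match the customer's baseline
    new_payee: bool               # payee not seen in previous journeys
    on_call_during_payment: bool  # possible coercion signal
    hesitation_seconds: float     # pause on the confirmation step
    prior_credential_test: bool   # earlier bot attack tested this user's credentials
    payee_account_age_days: int
    payee_is_crypto: bool
    payee_recent_high_risk_payments: int

# Hypothetical weights and thresholds; a real model would be trained on labelled journeys.
WARN_AT, BLOCK_AT = 40, 70

def point_in_time_score(j: Journey) -> int:
    """Legacy view: only what is visible at the moment of the transaction."""
    return (50 if j.amount > 1000 else 0) + (0 if j.device_known else 40)

def journey_score(j: Journey) -> int:
    """Journey view: payer behaviour, account history and payee profile combined."""
    score = 0 if j.device_known else 40
    # A high amount alone is not penalised when the payee is familiar.
    score += 15 if (j.amount > 1000 and j.new_payee) else 0
    score += 20 if j.on_call_during_payment else 0
    score += 10 if j.hesitation_seconds > 30 else 0
    score += 30 if j.prior_credential_test else 0
    score += 15 if j.payee_account_age_days < 30 else 0
    score += 10 if j.payee_is_crypto else 0
    score += min(j.payee_recent_high_risk_payments, 4) * 5
    return score

def decide(score: int) -> str:
    if score >= BLOCK_AT:
        return "block"
    return "warn" if score >= WARN_AT else "allow"

# Constructed APP-scam journey: the customer's own device, so point-in-time checks pass.
scam = Journey(900.0, True, True, True, 45.0, False, 6, True, 5)
# Constructed unusual but legitimate high-value purchase to a known payee.
big_purchase = Journey(4200.0, True, False, False, 3.0, False, 2100, False, 0)

if __name__ == "__main__":
    for name, j in (("scam", scam), ("big_purchase", big_purchase)):
        print(name, decide(point_in_time_score(j)), decide(journey_score(j)))
```

With these assumed weights, the scam journey passes the point-in-time check but is blocked once coercion and payee signals are included, while the high-value purchase that the point-in-time check would challenge goes through without friction.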
Interventions, when necessary, can and should be made in real time, on a per-user basis, and at potentially any point in the customer journey. That kind of flexibility protects customer loyalty while minimizing fraud losses.
Anyone tasked with a compliance audit will tell you that passing an audit on Monday doesn’t mean you’re in compliance on Tuesday – for compliance to reap lasting gains, it needs to be continuous. The same premise applies to detecting fraud. What may have looked innocuous at a single point in time may not appear so when seen in the context of the full user journey. The continuous monitoring of user journeys will not only offer defenders a path to regaining a home court advantage, but it will also better protect their customers from becoming fraud victims.