Payments Security

Digital Defenders: Leveraging Risk Signals to Help Combat Fraud and Scams

To detect and mitigate fraud and scams more effectively, the payments industry is beginning to draw on a broader set of digital risk signals. The trend is driven by changes in mobile device technology, shifting customer preferences, and rising rates of new account fraud, account takeover, impostor scams and other types of fraud and scams.

Going beyond traditional methods of fraud and scam detection, the industry is now combining more advanced risk signals and verification methods. Some examples are:

  • Physical and behavioral biometrics 
  • Device intelligence 
  • Risk-based multi-factor authentication 
  • Customized risk notifications

The New Fraud Frontier 

The current fraud landscape is defined by speed, sophistication and a pronounced shift toward social manipulation that exploits human trust. Criminals are increasingly aided by easy-to-use generative artificial intelligence (AI) and deepfake tools that produce convincing video, images, audio and text, which they use to fabricate identities and commit fraud. Both technologies are becoming a top concern for financial services organizations. Legacy fraud detection has relied heavily on rules-based systems and may struggle to keep pace with these evolving threats.

Fraud mitigation service providers and financial institutions have responded by expanding their use of device-based risk signals and targeted customer interaction methods, such as:

  • Physical and behavioral biometrics. Facial scans, fingerprints, voice recognition and other physical biometrics are now common and can bind the authorized user’s physical characteristics (e.g., face) to the device itself and to the financial institution’s app or portal. Behavioral biometrics, which analyze how the authorized user habitually interacts with a device (typing rhythm, swipe and scroll patterns, how the handset is held) to verify continuously that the person using it is still that user, have also proven effective in detecting and preventing fraud. Given the deepfake audio noted above, voice recognition in particular should be combined with other signals rather than relied on alone.
  • Device intelligence. Examining the device the authorized user is interacting with is an increasingly popular way to collect risk signals. Device intelligence goes beyond identifying the type of device: it collects hundreds of data points to build a unique “device fingerprint” that distinguishes devices associated with the authorized account holder from unassociated devices used in fraud attempts. These signals come from direct and indirect approaches.
    • Direct methods collect signals from the device itself: whether the user is in a specific app or on a phone call; the browser type (e.g., Chrome or Safari); the screen size (does it match the device the session claims to be?); and the Internet Protocol (IP) address (e.g., whether it is known to be associated with fraud).
    • Indirect methods derive risk signals from the user’s interaction with the device over time. Signals conflict, for example, when the login geolocation is farther from the serving cell tower than would normally be expected, or when the device appears to have traveled an implausible distance between two sessions in a short time frame (“impossible travel”).
  • Risk-based multi-factor authentication. Traditional multi-factor authentication (MFA) adds a layer of security but can hurt the customer experience. Some financial institutions, for example, apply one authentication approach to every transaction regardless of risk. This creates a twofold problem: (1) customers develop “notification fatigue” after many authentication requests and approve them reflexively without reading the message text, a habit attackers exploit by flooding a victim with prompts until one is approved, or (2) customers stop using the institution’s services because of the poor experience. Risk-based MFA instead takes the transaction’s risk into account when deciding whether, and what type of, MFA to require. It can escalate when, for instance, the transaction value or time of day is unusual for the account or device, and stay quiet for routine activity. The result is fewer, more meaningful challenges and a better customer experience.
  • Customized risk notifications. Instead of generic warnings, financial institutions can use analytics to deliver personalized alerts built from the specific details of a suspicious transaction. Such a notification may state the payee’s name, the transaction amount and the reason for the alert, and prompt the consumer or business customer to confirm or decline the request. The alert requires a direct, verifiable response so that the institution knows the authorized account owner is the one making the transaction. Because a customer who is being coached by a scammer may confirm anyway, the alert should name the scam pattern and its warning signs rather than only ask “Was this you?”. This makes account holders active participants in their own security, an effective addition to a robust fraud and scam prevention strategy.
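The direct and indirect device signals described above, as an added example that is not code from the original article or from any vendor. It assumes a constructed session record (device identifier, timestamp, coarse geolocation, IP, reported screen size and an active-call flag), a small enrolled-device table and an IP block list; the 900 km/h plausibility threshold and the 50 km jitter floor are assumptions chosen for illustration.

```python
"""Deriving device-intelligence risk signals from session telemetry.

Added example, not code from the original article. The Session record,
the known-device table, the IP block list and the speed thresholds are
all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass(frozen=True)
class Session:
    account_id: str
    device_id: str      # stable fingerprint / installation id reported by the app
    ts: datetime        # session start, timezone-aware
    lat: float          # coarse geolocation reported with the session
    lon: float
    ip: str
    screen: tuple       # (width, height) in CSS pixels, as reported by the client
    on_call: bool       # direct signal: the app reports an active voice call


# Constructed reference data; an institution would hold these in a datastore.
# The expected screen size per enrolled device lets us sanity-check the claimed device.
KNOWN_DEVICES = {
    "acct-1001": {"dev-A": {"model": "iPhone 14", "screen": (390, 844)}},
}
FRAUD_IPS = {"203.0.113.7"}   # TEST-NET-3 address, constructed block list
MAX_PLAUSIBLE_KMH = 900.0     # assumption: roughly airliner ground speed
MIN_MOVE_KM = 50.0            # assumption: ignore geolocation jitter below this


def make_session(account_id, device_id, iso_ts, lat, lon, ip, screen, on_call):
    """Convenience constructor taking an ISO 8601 timestamp string."""
    return Session(account_id, device_id, datetime.fromisoformat(iso_ts),
                   lat, lon, ip, tuple(screen), on_call)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS-84 points, in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(prev: Optional[Session], cur: Session) -> bool:
    """Indirect signal: did the account move faster than is physically
    plausible between its previous session and this one?"""
    if prev is None or prev.account_id != cur.account_id:
        return False
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if dist < MIN_MOVE_KM:
        return False
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        return True   # two distant locations at the same instant, or out of order
    return dist / hours > MAX_PLAUSIBLE_KMH


def device_signals(cur: Session, prev: Optional[Session] = None) -> dict:
    """Return named boolean risk signals for one session.

    Direct signals come straight from the device report (enrolled device,
    screen size, IP reputation, active call); the indirect one is derived
    from the sequence of sessions."""
    enrolled = KNOWN_DEVICES.get(cur.account_id, {}).get(cur.device_id)
    return {
        "unknown_device": enrolled is None,
        # A genuine handset reports a fixed CSS viewport; a spoofed or emulated
        # "iPhone" that reports a different size is a red flag.
        "screen_mismatch": enrolled is not None and tuple(cur.screen) != enrolled["screen"],
        "fraud_ip": cur.ip in FRAUD_IPS,
        "active_call": cur.on_call,
        "impossible_travel": impossible_travel(prev, cur),
    }


if __name__ == "__main__":
    # Constructed sessions: New York at 12:00Z, then London one hour later
    # from an unenrolled device on a listed IP, during a phone call.
    nyc = make_session("acct-1001", "dev-A", "2024-05-01T12:00:00+00:00",
                       40.7128, -74.0060, "198.51.100.4", (390, 844), False)
    ldn = make_session("acct-1001", "dev-B", "2024-05-01T13:00:00+00:00",
                       51.5074, -0.1278, "203.0.113.7", (412, 915), True)
    for name, flag in device_signals(ldn, nyc).items():
        print(f"{name:18} {flag}")
```

Each flag is deliberately a raw signal rather than a verdict: VPN exits, carrier-grade NAT and coarse Wi-Fi geolocation all produce false impossible-travel and IP hits on legitimate customers, so these values belong in a combined risk score, not in a standalone block rule.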

Putting It Together: Combining the Right Signals 

The incremental power of the new digital risk signals paradigm lies not in any individual signal but in their combination. A multi-layered approach that integrates physical and behavioral biometrics, device intelligence and risk-based authentication goes a long way toward a holistic defense and provides more effective customer security than any single solution.

Use Case: Scam Prevention 

A customer receives a call purporting to be from their financial institution, claiming their account has been compromised. If the customer does not answer, a voicemail instructs them to call the institution back at the number provided. The customer calls that number and is told to move money to a “safe account” to protect their funds.

Risk signals that could identify the scam while the customer is in the financial institution’s app include:

  • Behavioral analysis: Does the interaction with the device look different from the account holder’s normal behavior? If the behavior is consistent with the account holder while the transaction itself is anomalous, the more likely explanation is a scam (the genuine customer acting under manipulation) rather than an account takeover (a criminal operating the account).
  • Active caller detection: Is the account holder using the institution’s app while on an active cellphone call? This combination can indicate that the legitimate account holder is being coached in real time by a criminal into a transaction they would not make if they knew it was a scam.
  • Real-time transaction monitoring: Is the amount higher than the account’s normal level? Is it going to an account number that has never been paid before?

[Figure: Scam detection and prevention by the financial institution]

Combining these signals, the financial institution’s fraud detection system can evaluate the risk of the transaction in question. If warranted, the institution may delay the transaction and send a customized risk notification that explicitly warns the customer of the potential scam and offers immediate assistance.
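One way to combine the use-case signals into a decision, apply the risk-based MFA and customized risk notification ideas from the earlier list, and produce the alert text, as an added example that is not the article’s or any institution’s code. It assumes the boolean device signals have already been derived, that a behavioral-biometrics provider supplies a consistency score between 0 and 1, and that the thresholds, tier names and tier-to-MFA policy are illustrative choices.

```python
"""Fusing risk signals into a scam-versus-takeover decision and a customized alert.

Added example, not code from the original article. Signal names, thresholds,
the tier-to-MFA policy and the account baseline are assumptions made for
illustration; the behavior_score is assumed to come from a separate
behavioral-biometrics provider.
"""
from dataclasses import dataclass, field


@dataclass
class Transaction:
    amount: float
    payee_account: str
    payee_name: str


@dataclass
class AccountBaseline:
    typical_amount: float                 # e.g. median outbound payment over 90 days
    known_payees: set = field(default_factory=set)


# Assumed policy knobs.
BEHAVIOR_MATCH_THRESHOLD = 0.7   # below this, the person on the device does not look like the holder
AMOUNT_MULTIPLE = 3.0            # amount above 3x the typical payment counts as anomalous

# Risk-based MFA: the challenge type depends on the tier, and low risk gets none.
# Number-matching rather than a plain "Approve?" push is used for step-up so that
# a reflexive tap cannot approve a prompt the customer did not initiate. For a
# suspected scam MFA is not the tool: the genuine holder is the one paying, so a
# hold plus an explicit warning is used instead.
MFA_BY_TIER = {
    "low": None,
    "elevated": "number_matching_push",
    "scam_suspected": None,
    "account_takeover_suspected": "out_of_band_callback",
}
ACTION_BY_TIER = {
    "low": "allow",
    "elevated": "step_up_mfa",
    "scam_suspected": "hold_and_notify",
    "account_takeover_suspected": "block_and_verify",
}


def classify(signals: dict, behavior_score: float, txn: Transaction, base: AccountBaseline) -> dict:
    """Combine device signals, behavioral consistency and transaction context.

    Key distinction: an anomalous transaction with behavior that does NOT match
    the holder points to account takeover; an anomalous transaction with behavior
    that DOES match the holder, during a live call, points to a scam in which the
    genuine customer is being coached."""
    behavior_consistent = behavior_score >= BEHAVIOR_MATCH_THRESHOLD
    amount_anomalous = txn.amount > AMOUNT_MULTIPLE * base.typical_amount
    new_payee = txn.payee_account not in base.known_payees
    device_suspect = bool(signals.get("unknown_device") or signals.get("impossible_travel")
                          or signals.get("fraud_ip"))
    on_call = bool(signals.get("active_call"))
    txn_anomalous = amount_anomalous or new_payee

    reasons = []
    if not behavior_consistent:
        reasons.append("behavior does not match the account holder's usual pattern")
    if on_call:
        reasons.append("payment initiated during an active phone call")
    if amount_anomalous:
        reasons.append(f"amount is more than {AMOUNT_MULTIPLE:g}x the usual {base.typical_amount:,.2f}")
    if new_payee:
        reasons.append("payee has never been paid from this account")
    if device_suspect:
        reasons.append("session comes from an unrecognized or suspicious device")

    if not behavior_consistent and (device_suspect or txn_anomalous):
        tier = "account_takeover_suspected"
    elif behavior_consistent and on_call and txn_anomalous:
        tier = "scam_suspected"
    elif txn_anomalous or device_suspect or not behavior_consistent:
        tier = "elevated"
    else:
        tier = "low"
    return {"tier": tier, "action": ACTION_BY_TIER[tier], "mfa": MFA_BY_TIER[tier], "reasons": reasons}


def customized_notification(txn: Transaction, decision: dict) -> str:
    """Build the alert: payee, amount, why it was flagged, and a way to get help.

    It names the scam pattern explicitly rather than asking only "Was this you?",
    because a customer being coached by a scammer will often answer yes."""
    lines = [
        f"We have paused your payment of ${txn.amount:,.2f} to {txn.payee_name}.",
        "Why: " + "; ".join(decision["reasons"]) + ".",
    ]
    if decision["tier"] == "scam_suspected":
        lines.append("If someone on the phone told you to move money to a 'safe account', "
                     "hang up: we will never ask you to do that.")
    lines.append("Reply CANCEL to stop this payment, or call the number on the back of "
                 "your card to speak with us now.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed scenario from the use case: genuine customer, on a call,
    # paying a large sum to a payee the account has never used.
    base = AccountBaseline(typical_amount=180.0, known_payees={"GB00-KNOWN-1"})
    txn = Transaction(amount=4800.0, payee_account="GB00-SAFE-9", payee_name="SAFE ACCOUNT LTD")
    signals = {"unknown_device": False, "impossible_travel": False,
               "fraud_ip": False, "active_call": True}
    decision = classify(signals, behavior_score=0.92, txn=txn, base=base)
    print(decision["tier"], decision["action"])
    print(customized_notification(txn, decision))
```

The same anomalous payment lands in three different tiers depending on the other signals: with a matching behavioral profile and an active call it is held and the customer is warned about the scam pattern; with a non-matching profile on an unrecognized device it is blocked pending out-of-band verification; with a matching profile and no call it simply triggers a step-up challenge.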

Conclusion 

Financial institutions should consider a broader, more dynamic, multi-signal mitigation approach in response to a more sophisticated threat landscape. By combining physical, behavioral and device signals with risk-based multi-factor authentication, they can build adaptive defenses that identify and reduce fraud and scams while improving the customer experience. To realize the potential of this shift, financial institutions may consider:

  • Continuing to combine digital risk signals. No single signal is likely to be sufficient. Integrating existing real-time monitoring systems with direct and indirect device signals provides the holistic view needed for a more resilient fraud detection and mitigation framework.
  • Educating and empowering customers. As scams become more targeted and manipulative, customers must be part of the defense. Customized risk notifications and similar tools enable them to protect their accounts actively and to recognize manipulation.

By embracing a proactive, multi-signal model, the payments industry can protect itself and its customers, building a more trusted and secure digital ecosystem for the future.

Stay Connected

Keep informed about the Fed’s efforts to support payment security and mitigate fraud by joining the FedPayments Improvement Community.