
How behavioral biometrics can stop social engineering and malware scams dead in their tracks

Suppose you get a frantic call from your aunt, Rose. She tells you that she’s been contacted by IRS collection officers and she owes them money. While on the phone with her, the “IRS” coached Aunt Rose on how to pay, which included prompting her to log in to her bank account and wire them money, which she did. Aunt Rose has just been scammed — or more accurately, coached.

Also called coercion or social engineering with user interaction, coaching is when fraudsters contact users like Aunt Rose and convince them to perform actions on the fraudster’s behalf, typically a money transfer to a new payee (i.e., the bad actor). More worrisome is that these schemes are targeted at older folks, leading to generalized elder abuse.

Traditional fraud solutions often fail to detect coaching because the legitimate user is still the individual logging in. The user’s geolocation, IP, and device will look familiar in most cases. But there are a few telltale signs that can reveal it as human fraud thanks to behavioral biometrics and analysis.

As more and more human interaction takes place virtually, behavioral biometrics have gained popularity as a friction-free way to verify users online. A behavioral biometrics solution looks at a user’s actions (e.g., how they type) as well as their habits (e.g., the time of day they usually log in) to verify identity without prompting the user to type in a password or take other steps.

 

Calling a timeout on coaching scams

Behavioral biometrics solutions are known for detecting bots masquerading as humans and flagging fraudsters who have stolen someone else’s online account. But their uses go far beyond that. Flexible and versatile, behavioral biometrics can also counter many other types of human fraud — that is, attacks that involve humans or mimic human behavior.

For example, if a user is typing information they’re unfamiliar with — like a bank account number read to them over the phone — they’re likely to type slower than normal. They may also have a higher number of corrections and a higher deviation in typing, indicating they’re inputting characters in small groups rather than typing in a smooth flow.

To detect a coaching scam, behavioral biometrics will also look at contextual and behavioral clues:

Context:

    • The destination information is different (e.g., there’s an unfamiliar payee or shipping address)
    • The user has an unusually high payment total or number of items purchased

Behavior:

    • The user hesitates when logging in or submitting a form
    • It’s an unusual time of day for the user to log in based on account history

If Aunt Rose’s bank uses a fraud detection service with behavioral biometrics, they’ll automatically determine that Aunt Rose is acting differently. The transaction can then be flagged as a potential social engineering attack and blocked. As a fraud alert shows up on Aunt Rose’s mobile phone confirming the wire transfer didn’t go through, both of you can breathe a sigh of relief.

Stopping malware remote access scams

The attackers who targeted your Aunt Rose needed to talk to her to carry out their scam. But bad actors can easily take over your account or even your entire computer without ever picking up the phone.

By using malware to exploit software vulnerabilities in browsers, third-party software, and operating systems, scammers can gain access to your device and its information and resources. From there, they can impersonate you on any of your accounts — especially if your passwords are saved on that device.

A typical malware scenario might look like this: You receive an email from a friend prompting you to click a link they’ve sent. But what you don’t know is that bad actors have already scammed your friend, and now your laptop is infected with their malware as well. You may be logged in to your laptop, but in the background, someone else is controlling it from another device. Now they’ve accessed your email account and can begin sending fraudulent emails on your behalf.

Also called a remote access scam or Remote Access Trojan (RAT), this type of malware scheme can be difficult to prevent. Similar to coaching, traditional fraud solutions often fail to detect malware because the information (the geolocation, IP, and device) looks familiar, so they assume it’s the legitimate user. The account may also be already logged in when the attack happens or the user’s credentials may be autosaved on their device, complicating things even more. But behavioral biometrics and analysis can identify remote access scams based on a few factors:

Context:

    • New beneficiaries or shipping addresses are added to the account
    • There is a lack of established history with destination accounts
    • Abnormally high spend or money movements

Behavior:

    • Familiarity with destination data (e.g., the user is copying and pasting information instead of typing it in)
    • Behaviors don’t match the existing good user profile (e.g., the typing patterns are different than normal)
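The context and behavior signals listed above for coaching and for remote access scams can be combined into one rule-based check. The sketch below is an added example, not code from this article or from any fraud product; the baseline profile, thresholds, event format, and function names are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed baseline for one user; every value and threshold is an assumption.
BASELINE = {"iki_ms": 180.0, "iki_cv": 0.35, "corrections_per_100": 3.0,
            "login_hours": range(8, 22), "max_amount": 500.0}

# Constructed sessions: (timestamp_ms, key) events for the payee account field.
COACHED = [(0, "1"), (350, "2"), (700, "3"), (3200, "4"), (3550, "5"),
           (3900, "BACKSPACE"), (4250, "5"), (4600, "6"), (7100, "7"),
           (7450, "8"), (7800, "9")]            # digits in small groups, one fix
PASTED = [(0, "PASTE")]                         # field filled without typing
NORMAL = [(0, "1"), (170, "2"), (360, "3"), (540, "4")]

def typing_features(events):
    """Summarize how a field was filled in: speed, rhythm, corrections, paste."""
    keys = [k for _, k in events]
    times = [t for t, k in events if k != "PASTE"]
    gaps = [b - a for a, b in zip(times, times[1:])]   # inter-key intervals
    typed = sum(1 for k in keys if k not in ("BACKSPACE", "PASTE"))
    return {
        "pasted": "PASTE" in keys,
        "iki_ms": mean(gaps) if gaps else 0.0,
        # Coefficient of variation: high when input arrives in bursts with pauses.
        "iki_cv": pstdev(gaps) / mean(gaps) if gaps else 0.0,
        "corrections_per_100": 100.0 * keys.count("BACKSPACE") / typed if typed else 0.0,
    }

def assess(events, new_payee, amount, login_hour, base=BASELINE):
    """Return (verdict, features); needs two context signals plus behavior."""
    f = typing_features(events)
    context = [new_payee, amount > base["max_amount"],
               login_hour not in base["login_hours"]]
    unfamiliar = [f["iki_ms"] > 1.5 * base["iki_ms"],          # slower than usual
                  f["iki_cv"] > 2 * base["iki_cv"],            # grouped typing
                  f["corrections_per_100"] > 2 * base["corrections_per_100"]]
    if sum(context) >= 2 and sum(unfamiliar) >= 2:
        return "possible_coaching", f      # user typing data they do not know
    if sum(context) >= 2 and f["pasted"]:
        return "possible_remote_access", f  # operator already has the data
    return "ok", f                          # e.g. pasting to a known payee

if __name__ == "__main__":
    print(assess(COACHED, new_payee=True, amount=4000.0, login_hour=23)[0])
    print(assess(PASTED, new_payee=True, amount=4000.0, login_hour=14)[0])
    print(assess(NORMAL, new_payee=False, amount=80.0, login_hour=10)[0])
```

Neither kind of signal triggers a verdict alone here: a paste into a known payee's field, or slow typing on a small routine payment, both return "ok".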

So, if someone has accessed your email account through malware, the way they are behaving on your account will be different than the way you normally behave — whether it’s a suspicious number of emails sent at once or an unusual typing cadence.

If your email provider uses behavioral biometrics, this would immediately trigger an alarm. Your email provider could then sign the compromised device out of your account and require two-factor authentication to get back in — which will take care of the fraudster, as long as they haven’t gotten into your smartphone, too.

Don’t fall victim to human fraud

Scams like coaching and remote access malware can be terrifying and stressful for users, especially when their money or online identities are at stake. But next time Aunt Rose gets a call from the “IRS,” don’t panic. With behavioral biometrics, we can often detect these sneaky human fraud attacks before the damage is irreversible.
