Authorized Push Payment and Social Engineering: How to Fight Back

When fraud occurs as a result of scams and social engineering, organizations can struggle to stop it. This is because when legitimate customers fall prey to online imposter scams—for instance, in the case of authorized push payment fraud (APP)—the impact from losses can snowball, affecting not just the customer, but the organization at which the fraud took place.

In fact, according to the FTC, American consumers reported losing over $2.3B to imposter scams in 2021. Meanwhile, across the pond, UK Finance reported that losses due to authorized push payment fraud rose by 71% in the first half of 2021 in the UK, the same report stating that the amount of money stolen through this type of scam even overtook card fraud losses.

Ultimately, financial institutions need to find ways to effectively combat thes massive losses that can come from APP fraud before they’re left footing the bill.

Among the various types of fraud that organizations are trying to prevent, scams and social engineering come with several unique challenges. These challenges exist primarily due to the fact that the criminal doesn’t interact with the organization’s digital properties directly—they interact with the organization via the consumer who falls for the scam.

This can make it very difficult to spot this type of fraud before it happens because consumers who have fallen for scams can easily pass authentication and biometrics challenges, given they are logging into their own accounts. Protective measures such as multi-factor authentication (MFA) and even identity proofing are of limited use in this situation. Instead, financial institutions need to think critically about how they can effectively intervene with the user directly in order to prevent APP fraud from happening, and at which point in the journey this type of intervention should occur.

Fraud prevention is frequently addressed at two key points of the user journey: at the point of authentication and at the point of transaction. However, given the user is legitimate and should be able to authenticate into their account without issue, this could leave the transaction as the only point of defense. It is common practice to require additional approvals to transfer large sums of money, but even that won’t stop a scammed user from making a costly mistake.

It is important to note that consumer education remains critical, forming the first line of defense against fraudsters. That being said, consumer education will never fully eliminate the problem. Fraudsters are tricky and intelligent, and even a wary consumer can be scammed if they are approached in the right way at the perfect time. Financial institutions must therefore build a strong second line of defense to cover those cases where consumers have not realized that they are being scammed.

There are several methods available to address this, and a canny organization may implement several of them to provide a more layered defense. To begin with, it is useful to examine user behavior across the entirety of the session. Between authenticating and completing a transaction, users may take a variety of other actions such as making modifications to their profile or viewing and changing PII. While most behavioral biometrics focus on distinguishing legitimate users from fraudsters who have taken over an account, a legitimate user may still exhibit some unusual behaviors as a result of a scammer’s influence. When fraud and risk detection tools work continuously throughout the user session, there are more opportunities to spot these anomalies and take appropriate action.

But, in order to mitigate this type of fraud, it isn’t enough to focus on detection. Rather, financial institutions need to find a way to intervene directly and cause the user to think critically about their actions. This is easier said than done, but can be accomplished by adapting the user’s experience based on perceived risk. Rather than putting a request for MFA in front of a suspicious transaction, it is more useful to challenge the user in a different way, by making them think critically about their actions.

Typically, the fraudster has already done significant work to get the user to trust them, but the user can be made to question that trust. Users who appear to be at risk of authorizing a fraudulent payment can be taken down another path: instead of immediate access to the “transfer” button, it could be enough to present them with a warning screen which alerts them to the possibility of fraud and asks them several questions about how they know the payee, whether they are confident in what they are paying for, and so on.

Sometimes, encouraging the customer to stop and think is enough to stop them from putting a payment through.

Most organizations have multiple counter-fraud measures and technologies deployed. Fraud prevention is generally additive in nature, with new defenses layered on top of existing ones in an effort to keep up with new fraudster tools and tactics. Unfortunately, adding new technology or making significant adjustments to existing tools take time, money, and a variety of approvals.

This is because change control processes and governance can be very rigid, leaving financial institutions in a difficult position. Fraudsters are unencumbered by comparison and able to move more quickly, causing fraud teams to feel like they can never quite keep pace. Understanding the tools available to fight scams and social engineering and actually putting them into practice are two very different things.

Financial institutions can circumvent this particular challenge by lifting their fraud policies out of individual applications into a centralized fraud hub that allows for quick and easy policy changes without code. With this in place, fraud teams can adjust their policies to react to potential scams in a variety of ways, choosing mitigation paths that rely less on standard tools like MFA or identity verification and more on other types of challenges. The benefit of this approach is that it is easy to track the performance of these policies, testing and adjusting as needed in real time.

Scams and social engineering are challenging to address, but the right combination of tools and tactics can ensure that your organization is up to the task.

Ping Identity takes an integrated approach to fraud prevention, combining tools for fraud detection, decisioning, mitigation, and orchestration in one platform. Our fraud decisioning and orchestration tools allow organizations to easily aggregate fraud signals from a variety of sources, including Ping’s own detection tools as well as external ones, and build out policies that allow for flexible mitigation at any point throughout the user journey. Modifying and testing policies inside our decisioning hub is quick and easy, and our fraud prevention experts are ready to share their experience in preventing fraud losses from APP scams and social engineering.

Want to learn more about how Ping can help your organization prevent fraud? Read Ping’s Ultimate Guide to Fraud Prevention or contact us today.