Fraud prevention is frequently addressed at two key points of the user journey: at the point of authentication and at the point of transaction. However, given the user is legitimate and should be able to authenticate into their account without issue, this could leave the transaction as the only point of defense. It is common practice to require additional approvals to transfer large sums of money, but even that won’t stop a scammed user from making a costly mistake.
It is important to note that consumer education remains critical, forming the first line of defense against fraudsters. That being said, consumer education will never fully eliminate the problem. Fraudsters are tricky and intelligent, and even a wary consumer can be scammed if they are approached in the right way at the perfect time. Financial institutions must therefore build a strong second line of defense to cover those cases where consumers have not realized that they are being scammed.
There are several methods available to address this, and a canny organization may implement several of them to provide a more layered defense. To begin with, it is useful to examine user behavior across the entirety of the session. Between authenticating and completing a transaction, users may take a variety of other actions such as making modifications to their profile or viewing and changing PII. While most behavioral biometrics focus on distinguishing legitimate users from fraudsters who have taken over an account, a legitimate user may still exhibit some unusual behaviors as a result of a scammer’s influence. When fraud and risk detection tools work continuously throughout the user session, there are more opportunities to spot these anomalies and take appropriate action.
But to mitigate this type of fraud, it isn’t enough to focus on detection. Rather, financial institutions need to find a way to intervene directly and cause the user to think critically about their actions. This is easier said than done, but can be accomplished by adapting the user’s experience based on perceived risk. Rather than putting a request for MFA in front of a suspicious transaction, it is more useful to challenge the user in a different way.
Typically, the fraudster has already done significant work to get the user to trust them, but the user can be made to question that trust. Users who appear to be at risk of authorizing a fraudulent payment can be taken down another path: instead of immediate access to the “transfer” button, it could be enough to present them with a warning screen which alerts them to the possibility of fraud and asks them several questions about how they know the payee, whether they are confident in what they are paying for, and so on.
Sometimes, encouraging the customer to stop and think is enough to stop them from putting a payment through.
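The risk-adapted journey described above, sketched as an added example (not from the original article): signals are collected across the whole session, and above a threshold the transfer button is replaced by a warning screen with questions rather than an MFA prompt. The signal names, weights and threshold are assumptions chosen for illustration.

```python
# Hypothetical session signals and weights (assumptions, not from the article).
SIGNAL_WEIGHTS = {
    "profile_modified": 15,        # profile change between login and payment
    "pii_viewed_or_changed": 15,   # PII viewed or edited mid-session
    "new_payee": 25,               # payee never paid before
    "amount_above_usual": 25,      # sum well above this user's normal range
}
WARN_THRESHOLD = 40                # assumed cut-off for the warning path

SCAM_QUESTIONS = [
    "How do you know the person or company you are paying?",
    "Are you confident in what you are paying for?",
]


class SessionRisk:
    """Accumulates risk signals from authentication until the transfer step."""

    def __init__(self):
        self.signals = set()

    def observe(self, event):
        # Called for every session event; repeats of a signal count once.
        if event in SIGNAL_WEIGHTS:
            self.signals.add(event)
        return self.score()

    def score(self):
        return sum(SIGNAL_WEIGHTS[s] for s in self.signals)

    def transfer_path(self):
        # The user is already authenticated and legitimate, so the high-risk
        # path is a warning screen with questions, not another MFA prompt.
        if self.score() >= WARN_THRESHOLD:
            return {"path": "scam_warning", "questions": list(SCAM_QUESTIONS)}
        return {"path": "transfer", "questions": []}


def replay(events):
    """Feed a recorded session through the monitor and return the journey."""
    risk = SessionRisk()
    for event in events:
        risk.observe(event)
    return {"score": risk.score(), **risk.transfer_path()}


# Constructed sample sessions.
ROUTINE = ["login", "view_balance", "new_payee"]
AT_RISK = ["login", "pii_viewed_or_changed", "new_payee", "new_payee",
           "amount_above_usual"]
```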