The Rise of Scams in India and How Banks Can Stop Them

Can you describe how Feedzai prevents and detects fraud?

We are responsible for protecting many banks’ online channels. We accomplish this by understanding the many ways that user credentials can be compromised – including phishing, data breaches, or malware that harvests user information stored on a device. Fraudsters use these stolen credentials to access the bank’s online platform and from there they look to monetize their efforts. 

Feedzai takes a combination of steps to prevent bad actors from profiting from fraud. We go beyond transaction analysis that simply looks at factors like the frequency, the average value of the customer’s of payments, or whether they’ve paid the recipient before. We also establish digital trust with the customer by learning their digital footprint. This insight includes the device the user typically uses, the location where they log in, and even their behavioral patterns with their device – such as how they touch their screen, move their mouse, or tap keyboard keys. From there, we use this information to normalize the customer’s behavior over a period of time.

Combining the digital trust signals that make up the customer’s digital footprint with the transaction analysis makes it easy to identify potential fraud in real time. This approach gives our banking partners a really strong handle on preventing unauthorized fraud attempts. 

Have new payment systems like United Payments Interface (UPI) resulted in higher or lower fraud rates compared to older ways of transferring funds?

What we’ve globally is that faster payments generally means faster fraud – and more fraud. This means banks don’t have a two-hour (let alone a 24-hour window) to investigate transactions. Banks in India (and around the world for that matter) must ensure their fraud decisions are real-time to keep up with the realities of instant payments technology. This has forced banks to rethink how they provide controls for their consumers and how they adopt the right technology to prevent instant payments from becoming instant fraud losses.

We’ve already seen this play out in countries where instant payment systems have been introduced. In the UK, for example, consumers were quick to embrace the nation’s Faster Payment Service (FPS) after it was introduced. And why wouldn’t they be? Consumers realized that money could move quicker than ever before and who wouldn’t like that? Unfortunately, fraud rates also shot up after FPS’s launch. 

How should banks use behavioral biometrics solutions for their mobile app security?

A good behavioral biometrics solution allows banks to protect both channels – web and mobile. It’s worth noting that due to the differing nature of device types, the data that is collected from a mobile app is very different from what would be collected from a web browser. 

On the web, we typically look at the data in two parts: keystrokes and mouse movements. Keystroke analysis looks at how fast users type, whether they use keyboard shortcuts (which indicates whether they have a higher typing proficiency), and how long a user holds down a key. Meanwhile, mouse movement analysis tracks mouse curvature, inflections of the mouse, and mouse clicks. 

On mobile channels, however, there is no mouse data to collect. Instead, we look at data such as the size of the finger that presses on a mobile touchscreen, swipe patterns, and the pressure that the user applies. We also review gyroscopic data on mobile devices. Gyroscopic signals include the angle at which the phone is held, if the phone is held in the right or left hand, or even held up to the user’s ear. Other mobile apps also use these signals – think of how a YouTube screen shifts its orientation when you turn your phone to a landscape position.

Like transaction data, behavioral biometric data is used to build a baseline understanding of how customers normally engage with the devices. This baseline knowledge can be used to make future risk decisions – such as if a user is suddenly logging in from a mobile device instead of a web browser or holding the device differently (think flat on a table instead of in their hand).

Using this data in the smartest possible way can be a game-changing strategy for banks when it comes to preventing a whole range of different mobile fraud types.

Is there a significant difference in fraud prevention investments between traditional banks and challenger banks?

There are a few key differences. First, challenger banks – which are usually digital or mobile-first financial institutions – typically have different fraud risks than traditional banks. This is because traditional banks have a broader range of channels through which the consumer can interact. That changes the way fraudsters plan to attack the institution. Traditional financial institutions, as a result, must assess their technology investment differently.

Data usage is another key difference between challenger banks and traditional banks. Challenger banks tend to be much more effective when it comes to utilization of data, making strong usage of data science and analytics. However, at the same time, challenger banks don’t tend to have the breadth and depth of data that traditional banks have, due to their limited time on the market. Traditional banks, meanwhile, have access to large volumes of data – but often lack the process and infrastructure connectivity to draw maximum value from that data.

Finally, each type of bank has different risk appetites. For example, traditional banks have already essentially cornered the market by amassing a large share of consumers. As a result, they’re more likely to take a defensive position and are more concerned with guarding their reputations, keeping their customers satisfied, and protecting a strong reputation of reliability and security. Challenger banks, on the other hand, are more focused on making it as easy as possible for consumers to onboard and reduce the friction in their consumers’ journeys. Unfortunately, if it’s easy for consumers to onboard, it will be equally easy for fraudsters as well, so it is important for challenger banks to manage this risk accordingly.

Will the Telecom Regulatory Authority of India (TRAI)’s proposal to display the name of the caller and the industry’s proposal to shift away from SMS OTP for 2FA lead to reduction in scams?

Both proposals are focused on not allowing the telecoms to continue to facilitate the rise of scams and fraud. Most fraudsters will contact their victims on a spoofed number that presents the same number as the number printed on a customer’s bank card. Therefore, my opinion is that displaying the name of the caller wouldn’t necessarily fundamentally change the risk landscape. However, I think a better strategy would be telcos working together to tackle number spoofing – one of the biggest scams risks that is currently used today.

As for the SMS OTP debate, it’s worth noting that this was never designed as an authentication mechanism. But we’ve become so wedded to this process that it’s now an accepted and popular method for two-factor authentication (2FA). But it has three key limitations. First, it’s not particularly secure since it’s vulnerable to SIM swap, for example, which is an easy way to circumvent an SMS OTP.

Second, it’s a cumbersome user journey. I may not receive the SMS OTP. Or the bank might not have my most recent phone number on file so the OTP goes to the wrong number. Or it might take 15 seconds to come through and for me to tap it into the screen. Any one or more of these conditions makes for an authentication headache.

Finally, it can be expensive. It only costs a small sum to send an SMS. That might not sound like a lot, but it adds up to a hefty sum for a bank that has roughly 20 million customers. 

What I’d like to see happen is for banks to shift from overt mechanisms like SMS OTP to more covert and secure mechanisms, like positively identifying a user through their digital footprint. This will improve the experience for the user, and if executed correctly, reduce the fraud and scam risk at the same time.

In what ways are fraudsters increasing their level of sophistication in trying to carry out digital frauds?

It wasn’t that long ago that you might get an email claiming that you’ve won a lottery or from someone claiming to be a Nigerian prince with a plea for help. Scams have gotten much more advanced since those days. 

Today’s criminals do their homework to learn your name, where you bank, and may even call your bank to learn some of your most recent transactions. If the bank reveals the information to a scammer, they can call you claiming to be your bank. If they know your most recent transaction, they’ll be much more convincing. Scammers might play background sound effects on a phone call to make it appear that they’re in the office.  Once the victim trusts the scammer, the victim is more likely to do whatever they say.

Scammers will also play on the emotions of either fear or greed. From a fear point of view, a scammer may convince a victim that their account has been compromised and tell them to transfer money to a different account while they investigate. From a greed perspective, a scammer urges their target to invest in a crypto wallet and promises a generous incentive to move the money. 

Fear is more effective on elderly victims since older consumers are more likely to trust people in public positions. Younger consumers, on the other hand, are more likely to fall for the greed approach as these users have grown up in a culture where it’s cool to get rich at a young age and retire early. 

At the end of the day, scams are no longer random. They will speak to the person in a way that will best resonate and give scammers the best option to monetize their efforts. 

If you are looking for a fraud solution that provides strong digital trust, we’d like to help you. Schedule a demo with us today to see how our experts and technology can help establish digital trust for you and your customers.