Scammers may be tricking vast numbers of unsuspecting customers into giving up their personal details so that fraudulent transactions can take place – but these crafty thieves may have met their match in machine learning.
Vishers, phishers and smishers belong to a category of criminals called social engineering fraudsters, meaning they trick their victim into either disclosing confidential financial details or transferring money to a criminal.
In South Africa, data released by the SA Banking Risk Information Centre (Sabric) earlier this year revealed that more than half (55%) of the gross losses due to crime reported were from incidents that had occurred online.
Phishers, smishers, vishers – what next?
Phishers typically try to get personal details via email, smishers try their luck by sms, and vishers are best known for their telephonic skills.
Dr Scott Zoldi, chief analytics officer at analytic software firm FICO, says vishing is an especially great risk around tax season.
"Phone call social engineering fraud – known as vishing – has gained in popularity of late, and relies on the fraudster’s powers of persuasion in conversation with their victim," he says.
"This type of SEF spikes around tax season when fraudsters claim to be the South African Revenues (SARS), and use spoofing to make the calls appear as if they originate from official phone numbers."
Victims may be told they will go to jail if they don't make a payment, or that a refund is due – but their bank details are needed in order to get it.
And, says Zoldi, as security settings advance and real-time payment schemes such as online banking transfers or banking transfers become easier, scammers are favouring tricking their victims into depositing the money themselves (authorised push payment scams) rather than stealing the money through compromised account authentication (unauthorised push payment transactions).
This means the key to beating tricksters is not through tighter security – but through targeting behaviour.
No match for machines
But Zoldi says these crafty tricksters have met their match – and it's machine learning.
Sometimes, he says, "computer says no" is the best answer.
Advances in machine learning mean it is becoming easier to stay one step ahead of social engineering fraudsters, he says.
"The good news is that machine learning models can counteract SEF techniques," he says.
These machine learning models are designed to detect the broad spectrum of fraud types attacking financial institutions, building and updating behavioural profiles online and in real time.
They monitor payment characteristics such as transaction amounts and how quickly payments are being made. This means they can – by recognising patterns – detect both generic fraud characteristics, and patterns that only appear in certain types of fraud, such as social engineering fraud.
"In SEF scenarios, the above-mentioned behaviours will appear out of line with normal transactional activity and generate higher fraud risk scores," says Zoldi.
The machine learning model can also keep track of the way various common transactions intersect either for the customer or within the individual account, for example by tracking a list of beneficiaries the customer pays regularly, the devices previously used to make payments, typical amounts, locations, times and so forth.
"FICO’s research has shown that transactions made out of character are more than 40 times riskier than those that follow at least one established behaviour," says Zoldi.
Machine learning models can also track these risky non-monetary events, such as a change of email, address or phone number, which can often precede fraudulent monetary transactions.
Authorised push payments are a bit more difficult, he explains, because customers can be so panicked by the social engineering fraudster that when the bank intervenes, the customer distrusts, ignores, or resists the bank’s efforts to protect their accounts.
But, he says, even then, typical anticipated behaviours can be used, based on extensive profiling of the true customer’s past actions.
"We are incorporating collaborative profile technology to bring additional cross-customer understanding of the new behaviours of similar banking customers. These methods can be used to home in on individuals that are often targeted for authorised push payments and trigger the bank’s intervention," he explains.
"Fraudsters have always targeted the weakest link in the banking process. As systems become more and more secure, the weakest link, increasingly, are customers themselves.
"However, by analysing the way each customer normally uses their account, banks can detect transactions that are out of character and stop them before any money disappears, which will make social engineering scams less profitable."
Customer profiling will also help prevent fraud in real time, he says.
* Sign up to Fin24's top news in your inbox: SUBSCRIBE TO FIN24 NEWSLETTER