V Bhatia
When ‘Jamtara’ aired on Netflix, its narrative struck a chord with Indian viewers. The fallout of increasing access to internet-enabled smartphones and digital banking was a rise in social engineering attacks, especially phishing frauds.
According to an RBI report, of the Rs 0.71 billion in reported frauds in the BFSI sector, 0.3 percent pertained to card and internet-related instances. This percentage will increase as banks offer more digital services and fraudsters find ways to bypass conventional security controls. At the same time, banks cannot deploy additional controls at every stage, since doing so will affect customer experience.
According to Vikram Gidwani, Head of Sales- SAARC, BioCatch, data breaches and phishing attacks have led to the increasing number of stolen credentials, turning identities into a significant attack vector in the financial world. “Fraudsters continually use synthetic IDs to open fake accounts, develop automated attacks with Trojans and bots, and employ social engineering techniques to trick users into transferring money into a mule account, passing all multifactor authentication (MFA) forms,” he noted. “Simultaneously, more regulatory requirements are imposed on organizations, requiring stricter controls around privacy and consent lifecycle management, impacting customer experience.”
DAMAGE CAUSED BY SOCIAL ENGINEERING
In addition to using social engineering techniques to harvest credentials and personal information and trade it on the dark web, fraudsters use this data to commit financial frauds and take over accounts. Using voice scams, sophisticated cybercriminals impersonate a bank’s security team and bypass conventional security controls like device fingerprinting and IP checks. According to the FBI's 2018 Internet Crime Report, over 25,000 individuals fell prey to social engineering attacks, resulting in nearly $50 million in losses.
Last year, Paytm's founder Vijay Shekhar cautioned users not to respond to messages informing them that their Paytm account would be blocked due to lack of KYC verification. This was a phishing attempt by fraudsters to dupe them financially.
According to Gidwani, the first step in the financial crime supply chain is the collection of credentials and personally identifiable information. These relatively easy attacks have a high ROI for criminals, since this information fetches a good profit.
He added that the best way to detect social engineering attacks is by building behavioural biometrics into the fraud prevention stack. Instead of relying on static identifiers, behavioural biometrics detects anomalies in user behaviour caused by social engineering in real time, providing a more effective and secure solution for authenticating online sessions and preventing social engineering-driven fraud.
“Social engineering is different from other cyberattacks given its reliance on the human element. As a result, detecting and preventing it requires a unique approach. Behavioural biometrics can help BFSI organizations prevent social engineering by detecting when they’re using stolen information, or manipulating users to enter their own information, to access an online account,” he advised.