Strategies for fighting remote authentication fraud

Say a scammer calls a community bank customer and gains their trust by using information obtained from a major data breach. From there, the criminal might send them to a fraudulent support page to obtain personal identifying information. They could ask permission to assume control of their screen to install keylogger monitoring or other types of malware to obtain data critical for perpetrating a more ambitious crime down the road.

These types of scams fall under the broad term of remote authentication fraud, and they’re increasingly common—and inventive.

Remote authentication fraud occurs when “threat actors use some form of pretext or social engineering, often in combination with some impersonation in the domain name system, to trick a victim into allowing them to have remote access to the customer’s device, whether it’s a tablet or a computer,” says Alexander Urbelis, senior counsel at the law firm Crowell & Moring LLP in New York City.

“To a very large extent, protection from remote authentication scams requires an awareness of the problem,” he says. “When customers think of banking scams, they think of phishing emails, bogus webpages or the old Nigerian 419 scams with the punitive Nigerian prince. But the average consumer doesn’t imagine a scam involving a hybrid of social engineering and domain name system impersonation that can result in remote access to one’s entire device.”

Examples of remote authentication fraud

Education is key to responding to and preventing fraud. Here are the three types of remote authentication fraud that community banks are most likely to encounter:

1. New account fraud. This occurs within the first 90 days after an account has been opened for the sole purpose of committing fraud, according to the Federal Reserve.

2. Synthetic identity fraud. This type of fraud uses a combination of personally identifiable information and guesswork to fabricate a persona or entity to commit a crime.

3. Account takeover fraud. Here, a fraudster obtains a legitimate user’s details to take over their online accounts, enabling the theft of money or a credit card, according to Marianne Crowe, vice president in the Secure Payments Innovation and Research group at the Federal Reserve Bank of Boston.

COVID-19 has spurred an increase in these remote authentication scams. Since the pandemic started, Crowe says, more customers are opening online or mobile accounts and making remote payments. Online U.S. consumer spending averaged 36% of total spending in December 2020, up from 26% in March 2020, she adds.

While e-commerce was growing well before the pandemic hit, the shuttering of bank branches meant that formerly digital-hesitant banking customers began putting their credit cards or bank information online. All this new activity made remote authentication scams even “more attractive to fraudsters,” Crowe says.

New research reveals that 2020 was a time for significant increases to fraud with a number of types of credit. Between 2019 and 2020, there were notable increases in fraud in the areas of car loans, mortgage lending, personal loans and lines of credit, according to a 2021 report from Javelin Strategy & Research (see sidebar, above).

The best defenses against fraud

Multifactor authentication (MFA) is a critical weapon in the war against remote authentication fraud. That’s because MFA requires a few separate types of authentication, typically requiring customers to provide something they know (such as a password), something they have (such as a one-time passcode sent to their phone) and something they are (such as a facial or fingerprint scan).

With multifactor authentication, a criminal who enters the right password might be denied access for not using a registered device or for failing a biometric screening.

Crowe says MFA is a fraud protection best practice. “We know multifactor authentication is not being done consistently across the industry, so there’s definitely room for improvement here,” she adds.

Experts says third-party verification can make a huge difference, too. When it comes to combating synthetic identifications, look to solutions that compare data provided electronically with the Social Security Administration’s database in real time, says Joel Williquette, ICBA’s senior vice president of operational risk policy. These systems, he adds, make sure that the Social Security number, name and birth combination match and that the individual in question is not deceased.

High-tech and low-tech solutions

For community banks with growing digital services, scrolling through the sheer volume of customer information can be a herculean task. That’s why an artificial intelligence (AI) solution that analyzes behavioral metrics can be useful for some banks.

Urbelis says behavioral metrics are becoming more sophisticated, going beyond the basics, such as transaction history, to “more esoteric information,” such as how long it takes a consumer to perform a routine task like wiring money or adding a new payee. These timing issues matter because “scammers often take longer to figure out how to do that kind of thing,” he adds.

On the other hand, while technology holds enormous promise, so does a lower-tech approach: educating employees and customers.

Scammers disproportionately target those 65 years old or older, so seniors should be taught to immediately disconnect from a remote session whenever they become suspicious, Urbelis says. If disconnecting seems tricky, they could simply unplug the router, instantly terminating a session.

Meanwhile, Williquette cautions community bankers against relaxing their know-your-customer (KYC) practices.

“Don’t assume that even if someone has been a customer for a long time that they are an actual person or the person they say they are,” he says. “Many criminals build up a history with a bank over a period of time so that they can go in for a bigger score later.”

An ecosystem problem

To that end, Urbelis describes remote authentication fraud as “an ecosystem problem,” so he suggests community bankers team up with others to thwart it. For example, he suggests banks could share anonymized behavioral analytics with remote access services.

Community banks may also hunt for scammers and terminate the services and infrastructure they use, Urbelis says. “Many scammers use domain names that are confusingly similar to a bank’s domain name,” he adds. “It’s possible to track and trace these domains before they’re even put to illicit use.”

Every prevention victory makes criminal activity less appealing. “If the community banks come together and create a consortium to proactively hunt for, find and terminate these threats, that’s going to take a significant bite out of the returns these fraudsters were expecting,” Urbelis says.

“Until we change the calculus for these threat actors [and] until we reduce the return on investment that the fraudsters are making,” he says, “we’re going to see these scams proliferate.”