Fighting Fraud With Digital Activity

Account takeover and authorized push payment fraud are two of the most common fraud scenarios in the online finance industry, and probably two of the most difficult to detect. Photo by Bermix Studio on Unsplash What is Account Takeover (ATO)? ATO is an online variation of identity theft, a fraud scenario in which the perpetrator gains access to […]

Account takeover and authorized push payment fraud are two of the most common fraud scenarios in the online finance industry, and probably two of the most difficult to detect.

Photo by Bermix Studio on Unsplash

What is Account Takeover (ATO)?

ATO is an online variation of identity theft, a fraud scenario in which the perpetrator gains access to a victim’s online account to commit a financial crime. It can happen in many different spaces, such as eCommerce, governmental sites, or in the banking industry. Also, the fraudster can benefit from it in multiple ways like executing fraudulent eCommerce transactions, selling personal identifiable information (PII) on the dark web, or transferring funds to one or multiple bank accounts.

The perpetrator can change the personal data registered on the account like the email address or phone number to reset the password without the victim even noticing the account has been compromised.

What is Authorized Push Payment (APP) fraud?

APP fraud is the act of criminals tricking their victims into transferring money to their accounts. For instance, these individuals may act as if they were from a legitimate company or entity, such as the victim’s bank. To sound convincing, fraudsters mention personal details about the victim, which they have collected from the victim’s social media and/or other public spaces that show their profiles. Fraudsters then advise the victims to transfer their money to another account (e.g. a safe one), as their current account has been compromised.

After realizing they transferred money to a scammer, the victims may never recover their stolen money. Therefore, it is recommended that they contact their banks as soon as possible.

How does it happen?

Criminals might use a variety of methods to perform these two types of fraud. While ATO can require more hard skills to break into the victim’s account via Software Engineering methods, APP fraud is more about exploiting the individuals’ vulnerabilities through Social Engineering and persuading them to transfer money into an account controlled by the fraudster. This is one of the reasons APP fraud is so hard to detect. The payment is being initiated by the genuine customer, using the habitual device, IP, location, and even successfully authenticating through all the challenges the bank decides to implement, such as password, SMS tokens, or biometrics.

Let’s explore the most common methods used by fraudsters to attempt these two types of fraud.

  • 📞 Social Engineering: In this situation, the criminals claim suspicious activity on the victim’s account and they must take immediate action to stop fraud from occurring. A common scam is to tell victims that they must immediately transfer all their funds to a new safe account that has been open using their names, which is, of course, the fraudster’s account.
  • 💝 Romance scam: Romance scams are popular in social networking sites and dating apps. The criminals create fake profiles and engage with the victims, sometimes for several days. They start by making up a story and then ask for money for specific purposes, like for a plane ticket to meet them.
  • 👮‍♀️ Password Theft. This method can have several variants. For example, cybercriminals can focus on PII information to try to match or reset the victim’s password. They could also develop complex tools to decipher passwords, trying them on thousands of sites expecting the same password is used across multiple accounts. In any case, there is no guarantee that you can keep your password from being stolen, but there are certainly some ways to identify when this happens.
  • 🎣 Phishing. Phishing is the act of sending fraudulent emails, SMS or phone calls to extract account credentials from the victims. In these emails, fraudsters pretend to be from a legitimate source by using an official company logo and wording. Usually, the email content varies in nature (e.g. email compromise, urgent requests, bank account irregular activity, etc.). Fraudsters succeed at phishing when the victims access a seemingly legitimate website, which in reality is a cloned version of the official company’s website. As an illustration, the victim will see but the internal URL of the Call to Action links to a different address.
  • 📲 SIM swap. Also known as phone hijacking or port-out scam, this variety of fraud aims to succeed on two-factor authentication mechanisms where the second authentication happens through an SMS code or mobile phone call. The perpetrator starts by collecting PII data of the victim, either by phishing emails or by buying them from other criminals. Next, they contact the victim’s mobile telephone provider and use social engineering techniques to convince the company to port the victim’s phone number to the fraudster’s SIM. For example, this is done by impersonating the victim using the stolen personal details and claiming that they have lost their phone. This will allow the criminal to take over the victim’s account by intercepting any one-time password used during the login or transfer of funds.
  • 🐞 Malware. Malware is any software intentionally designed to cause damage or perform a fraudulent activity. Malware software can get installed into the victim’s device without them noticing. Once installed, criminals can access troves of useful data such as passwords or PII information to perform ATO or APP fraud.
  • 📱 Fake Apps. Fake mobile apps are Android or iOS applications that mimic legitimate applications’ look and feel to trick unsuspecting victims into installing them. Once downloaded and installed, similarly to the Malware, the fake applications perform various malicious actions benefiting a criminal to perform multiple types of financial crime.
  • 🔨 Brute Force Attacks. This method consists of an attacker submitting many passwords with the hope of eventually guessing the correct combination of characters. The perpetrator can also take advantage of the victim’s PII information by using it in the attempts as part of the password. After successfully guessing the password, the event becomes an ATO scenario.

All these threats can be classified into two categories:

In an era where customers are changing the way they interact with financial institutions, monitoring the identity and behavioural aspects of the customer and its devices during the interactions with the multiple bank’s channels is crucial to detect ATO and APP fraud.

Digital channels, like online banking and mobile banking apps, make these interactions quick and easy. With a generalized adoption of digital channels and the rise of FinTech companies, traditional channels, such as in-branch or phone services, are starting to decrease in usage.

In Insider Intelligence’s UK Mobile Banking Competitive Edge Study it is shown that:

“68% of all UK respondents surveyed use mobile banking. Of those that use mobile banking, 86% said mobile was their primary banking channel and 62% said they would even change banks if the mobile banking experience fell short.”

This rapid adoption of online banking activity increases the digital touchpoints between customers and the banks and it brings important data to be leveraged in the detection of ATO and APP fraud scenarios.

The new data is present at the time the payments are being made and in any digital activity event happening between the customer and the bank. This data allows companies like Feedzai to analyze the digital events earlier in the user journey, turning fraud detection into fraud prevention.

It is possible to analyze the customer’s digital behavior, namely the number and velocity of clicks, navigations, and typing patterns and compare it to the human behavior in the mentioned threats, in order to develop machine learning models that produce highly accurate profiling to detect scenarios of ATO and APP fraud.

Let’s explore how we can use digital activity data to detect fraud in a typical home banking session.

After the registration and account opening process, the user will log in into the home banking or mobile app to interact with the bank. At this point, we need to consider patterns such as:

  • Login frequency
  • Time between username typing and password typing
  • Username entry mode
  • Password entry mode
  • Total login time

Apart from creating a payment, the customer (or the perpetrator) can update part of his personal details. During these Account Updates, it is important to consider:

  • Password changes
  • Multi-Factor Authentication settings
  • Biometric changes such as Face ID or fingerprint settings
  • Customer address change
  • Customer email change
  • Customer phone number change
  • Customer preferred language change

In general, it is also important to look into the following patterns at any stage of the session.


  • Writing patterns, such as the number of keyboard keys pressed or typing speed
  • Mouse patterns, like traveled mouse distance and mouse usage time and clicks
  • Session duration
  • Scrolling patterns such as distance, velocity or time spent on each page

Device Data

  • Language
  • Device type (web vs mobile), brand, model, and OS
  • Browser type and preferred language
  • Screen resolution
  • Page zoom
  • Network used
  • Geolocation

All these data elements are good examples of digital activity that can be analyzed during a banking session to build a genuine customer profile and detect criminals by using digital behavior.

Fighting Fraud With Digital Activity was originally published in Feedzai Techblog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Source: Feedzai