Human-proofing digital account security

Every company should look to incorporate dynamic data into its risk decisioning to prevent account takeover resulting from social engineering.

Why does account security still rely heavily on customer vigilance? 

Despite the large and growing fraud prevention market, social engineering continues to be the biggest threat to digital accounts. Security professionals often blame this on users or employees, pointing to humans as the biggest security vulnerability given their susceptibility to error and manipulation. While it’s true that humans aren’t perfect, they will likely always play some role in account security. That said, reducing the over-reliance on static information offers the opportunity to human-proof it.

Many companies let static identifiers, such as usernames and passwords, as well as knowledge-based questions, play an outsized role in security. Fraud techniques, particularly social engineering, highlight the weaknesses of this approach and point to the need for dynamic, behavior-based solutions as an additional checkpoint.

The key to a successful social engineering scam is credibility and trust. Exposed personally identifiable information (PII) from over 100,000 data breaches, as well as seemingly innocuous data, like social media posts and shared photos, create a guidebook for hackers. This information enables fraudsters to generate call scripts, emails, text messages and social posts that trick their victims and allow them to execute successful phishing scams.

Social engineering is a large and growing problem. Nearly one-third of all cyber incidents in 2019 were associated with a malicious email or phishing attack, according to IBM. Today, fraud operators are taking advantage of the chaos of COVID-19, leading to a 667% increase in phishing attacks since February, and Google reports that roughly 240 million coronavirus-related spam emails alone are sent each day. Additionally, the communication channels that have become so critical to remote work have been targeted. So far, over 1,700 new domains containing the brand name “Zoom” have been created, and 25% of them were registered in just one week in March. Of these registered domains, 5%+ have been found to contain suspicious characteristics.

The credentials and information stolen through these phishing campaigns lead to account takeover attacks, which have affected companies large and small. Depending on the account taken over, hackers either use the access to commit financial fraud or go on to phish for information or money from the contacts of the email or messaging account owner, as in the case of WhatsApp in Brazil.

Through billions of successful social engineering campaigns, fraudsters have proven that it isn’t enough to educate consumers or train employees. These schemes have become so professional that oftentimes the messages sent by fraudsters are indiscernible from legitimate ones, even by a computer. But social engineering only works because of a reliance on static information for identification and authentication.

To get ahead of social engineers, companies should look to human-proof security by incorporating dynamic data into their risk decisioning. Behavioral data, including scrolling, typing and location patterns, is a good option. Behavioral biometric solutions measure and analyze the unique patterns in human behavior in order to detect anomalies that may indicate fraud. The behavioral patterns built for each user are constantly changing, making them incredibly difficult to predict or replicate. And most run silently in the background, without interrupting the user experience or introducing friction. This added layer of dynamic behavioral data minimizes the impact of social engineering attacks by detecting the resulting account takeover and financial fraud.

By layering behavioral data with multi-factor authentication, companies gain a unique identification layer that can transform users from the biggest security vulnerability into a company's strongest defense against fraud.
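The layering described above, as an added illustration that is not Incognia's code or any product's algorithm: a toy risk-decisioning function in which a phished password and correct knowledge-based answers pass the static checks, but a typing-cadence and location anomaly against the user's behavioral baseline still steps the session up to MFA or blocks it. The baseline, thresholds and sessions are constructed assumptions.

```python
import math
from statistics import mean, pstdev

# Constructed baseline for one hypothetical user (not real data): typical
# inter-keystroke intervals in milliseconds and the usual login location.
BASELINE = {
    "typing_ms": [118, 125, 121, 130, 119, 127, 122, 124, 120, 128],
    "home": (40.71, -74.01),  # (lat, lon), constructed
}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def typing_deviation(samples, profile):
    """z-score of the session's mean keystroke interval against the profile."""
    mu, sigma = mean(profile), pstdev(profile)
    if sigma == 0:  # degenerate profile: any change at all is anomalous
        return 0.0 if mean(samples) == mu else float("inf")
    return abs(mean(samples) - mu) / sigma

def risk_decision(credentials_ok, kba_ok, session, profile=BASELINE):
    """Layer dynamic behavioral signals over the static checks.

    Static checks only gate the attempt; behavioral anomalies raise a risk
    score that either steps up to MFA or blocks the session, so a phished
    password plus KBA answers is not sufficient on its own.
    Returns (decision, score) with decision in {'allow', 'step_up', 'deny'}.
    """
    if not (credentials_ok and kba_ok):
        return "deny", 1.0
    score = 0.0
    # Missing behavioral telemetry (e.g. a scripted login) is itself a signal.
    if not session.get("typing_ms"):
        score += 0.25
    else:
        z = typing_deviation(session["typing_ms"], profile["typing_ms"])
        score += 0.5 if z > 3 else 0.25 if z > 2 else 0.0
    dist = haversine_km(session["location"], profile["home"])
    score += 0.5 if dist > 1000 else 0.2 if dist > 100 else 0.0
    if score >= 0.75:
        return "deny", score
    if score >= 0.25:
        return "step_up", score  # require a second factor before granting access
    return "allow", score
```

A travelling legitimate user with normal typing but a distant location lands in the step-up band, which is the point of layering the data with MFA rather than using either alone.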
