It's Time to Stop Blaming the User
Social engineering is becoming more sophisticated, making it increasingly hard for users to avoid falling victim.
Social engineering has quietly become the most effective fraud technique we’re dealing with today.
It’s behind some of the most common and costly attacks—SIM swaps, credential theft, phishing—and it keeps evolving faster than almost anything else. Fraudsters don’t rely on a single channel anymore. They use phone calls, SMS, email, and social media bots in parallel.
Most companies have already invested heavily in bot detection. That’s table stakes now. The real problem is social engineering carried out by real people who are trained, adaptive, and very good at gaining user trust.
Why blaming users doesn't work
For a long time, the security industry has defaulted to blaming the user.
When fraud increases, we say users “gave away” their passwords. When accounts are taken over, we say users should have spotted a suspicious email or phone call. The implication is always the same: the user helped the attacker.
That mindset is wrong, and it’s holding us back.
Users are not security professionals. They shouldn’t be expected to think like attackers or recognize every new trick. The pandemic accelerated the adoption of digital services by people who were previously hesitant to manage finances or shop online. Many of them aren’t technical, but they are still your customers.
People use technology because it makes life easier. The companies that win are the ones that remove friction, not the ones that lecture users for failing to navigate it.
The internet made life easier—for everyone
Of course, the same thing is true for criminals.
Fraudsters operate like businesses. They work at scale, buy and sell tools, and share knowledge about what works. Over time, this has created a class of highly trained, creative attackers with a clear advantage over everyday users.
Pretending that education alone can close that gap is unrealistic.
Education isn't enough to stop social engineering
Many companies respond to social engineering with customer education campaigns. The intent is good, but the impact is limited.
Most people don’t have the time or interest to learn about security. Consumer authentication isn’t the same as workforce training, where education can be enforced and measured. And it becomes even less effective when users are blamed after something goes wrong.
If security only works when users behave perfectly, it doesn’t really work.
Opt-in security changes the equation
So instead of blaming customers, we should change the model.
The industry has already started moving in this direction. Smartphone manufacturers and software developers—especially Apple—have reshaped how data is collected. Opt-in models give users control and transparency. People decide what they share and why, instead of being forced to accept privacy terms they don’t understand.
That shift matters. It turns users from liabilities into participants.
Users will choose security when it’s frictionless
Historically, when users are given optional security features, very few opt in.
In 2018, fewer than 10% of Google users activated optional two-factor authentication. In 2020, less than 2.5% of Twitter users enabled one-time passwords. When users do opt in, they usually choose whatever is most convenient — even if it’s not very secure.
That tells us something important: people don’t want to trade convenience for security. They want both.
Proof from the mobile ecosystem
Mobile shows what’s possible when that tradeoff disappears.
When security is passive and frictionless, more than 90% of users choose to participate. We’ve seen opt-in rates of 94.5% at a major bank with more than 50 million users, 93% at a challenger bank with 2 million users, and 92% at a food delivery app with 40 million users.
The pattern is consistent.
Over a 12-month period covering hundreds of millions of logins, there were zero account takeovers—and none of the financial losses or stress that come with them. One year after its first deployment, this technology was authenticating more than 400 million people across more than 30 countries.
Stop blaming the user. Start working with them
A new era of online security is already here.
Most users want to protect their accounts. It’s in their best interest. The problem isn’t user behavior; it’s how security systems are designed.
If we stop blaming users and instead ask their permission and work with them, security becomes something people opt into rather than push back against. When protection is frictionless, transparent, and respectful, users don’t resist it. They cooperate.