By Raj Dasgupta, Director, Fraud Strategy at BioCatch
The U.S. banking industry made a significant leap forward when the Zelle peer-to-peer (P2P) payment network was launched in 2017. In only three years, Zelle had taken off, announcing in November 2020 that it had reached more than 1 billion payments over a 12-month period and had more than 1,000 banks and credit unions contracted to participate in its network. Zelle promised to advance the functionality of P2P payments and the various ways that consumers could use its platform to access payment services that were previously unavailable.
On the flip side, the rapid adoption of Zelle by consumers in the U.S. has made it a hunting ground for cybercriminals, primarily due to speed and lack of accountability for fraud. Payments are completed almost instantly, which makes it challenging for banks to detect and halt a fraudulent transaction. Institutions that have already launched Zelle, ranging from the top five U.S. banks to small credit unions, have reported highly targeted fraud campaigns. Businesses that take action find themselves playing catch-up with clever cybercrime rings who are quick to respond to new security controls. According to Javelin Strategy & Research, nearly 18 million Americans were defrauded through scams involving digital wallets and person-to-person payment apps in 2020.
Examining Zelle Payment Fraud
When we examine Zelle fraud, we find that attacks are typically different forms of social engineering schemes. Criminals use intimidation or coercion tactics to manipulate the victim into providing access to their personal accounts, or convince them to unwittingly send a payment to the fraudster. In many cases, these scams start with a fake text message or phone call that persuades a user to complete a certain action, such as sharing credentials and making a Zelle payment through their bank account, often under duress from a wholly fabricated urgent financial situation.
Once an attacker has successfully convinced the victim to initiate and complete the transfer, there is often no way to recoup the money. According to the Electronic Fund Transfer Act (EFTA), U.S. banks are not required to reimburse victims unless the transfer was unauthorized, i.e. “initiated by a person other than the consumer without actual authority.”
Unfortunately, these schemes are particularly efficient for preying on certain vulnerable groups, such as older individuals, those who aren’t technologically savvy and are extroverted. While consumer awareness campaigns are an important component of educating the consumer, what is critically needed are active security measures that protect users before fraud takes place and, further, do so without hampering the customer experience.
Applying Behavioral Biometrics
To effectively combat Zelle fraud, we cannot rely on the traditional methods of account security, authentication and device risk assessments. The social engineering tactics used by attackers are too advanced and rapid to defend against in real time without some form of behavioral biometric technology, as the one thing that stands out is the victim’s abnormal behavior during a scam session.
Rather than passively monitoring accounts, behavioral biometrics can build a profile of the user’s online behavior by gathering data such as keystrokes, mouse movements, device orientation, touchscreen behavior and many other behavioral patterns. Using these attributes, behavioral biometrics is able to flag anomalies in behavior that indicate a high likelihood of an in-progress scam.
This entails examining several key elements, including user behavioral anomalies (i.e. the user does not behave in a normal way), criminal behaviors (i.e. the anomaly looks negative and is associated with past fraud behavioral patterns), and non-behavioral risk indicators. It can even include whether the user is accessing the system from a virtual machine or has a time zone that is inconsistent with the user’s typical location.
Together, these risk indicators provide a complete, real-time picture of how a user is behaving and whether it’s consistent with fraud, a significant step forward from multi-factor authentication and other traditional methods of fraud prevention. This continuous real-time visibility enables financial institutions to keep up with the rapid execution of fraudulent Zelle payments and halt these transactions before they can be completed. Additionally, behavioral biometrics does not require financial institutions to sacrifice customer experience for security, as the technology is transparent to the user and does not require them to re-authenticate multiple times, something that leads to a sub-optimal customer experience.
As an example, a top U.S. bank experienced a sustained account takeover attack in which cybercriminals used social engineering tactics to trick customers into sharing their online banking credentials. Once inside the account, cybercriminals would set up new payees within Zelle and initiate real-time fraudulent payments. This was a significant problem and one that was poised to hurt the bank badly in terms of financial fallout and reputation.
However, after implementing BioCatch’s behavioral biometric technology, the bank was able to detect high-risk behavior and prevent more than $170,000 in Zelle fraud losses within the first weekend of the attack, and $300,000 over three weeks. Further, the bank was alerted to a total of 312 Zelle attack sessions with 100% alert accuracy in one month. These results not only point to a significant benefit for consumers’ finances, but also banks’ bottom lines as they save on 1) resources needed to investigate fraud claims, 2) potential reimbursements from unauthorized transfers and 3) reputation damage from scams that attract negative press.
When we look at Zelle fraud, and financial fraud overall, behavioral biometrics brings seamless, proactive solutions that make the difference when traditional technologies prove inadequate; the key is now bringing it to every bank to protect itself and its customers, who can fall prey to these schemes.
Global Banking & Finance Review