Detect Remote Access Scams and Prevent Financial Loss Using Behavioral Biometrics

March 22, 2022

Remote access scams are a common form of fraud that has risen dramatically since the start of the COVID-19 pandemic. In 2020 alone, the FBI’s Internet Crime Complaint Center reported receiving 15,421 complaints related to Tech Support Fraud from victims in 60 countries. The fraud losses exceeded $146 million, a 171% increase from 2019. According to Aite-Novarica’s most recent report, the numbers don’t look any better in the UK. Losses due to payment fraud in 2020 grew by only 5% compared to the previous year, but by the first half of 2021, that number increased to a whopping 71%.

Figure 1 Fraud losses due to remote access scams globally and in the UK. Source: IC3 and Aite-Novarica

Because many everyday activities, such as banking or holding business meetings, are now performed almost exclusively online, fraudsters have a perfect opportunity to deploy their social engineering tactics.

Social engineering is one of the easiest forms of hacking. It doesn’t require advanced technical knowledge and instead uses psychological tactics to gain access to the victim’s personal information and bank account. According to Verizon’s 2021 Data Breach Investigations Report, up to 95% of remote access scammers have financial gain as their primary goal. Victims get scammed out of substantial amounts of money, which has a devastating effect on them: many lose their life savings and even struggle to pay their bills afterward.

Apart from losing their hard-earned cash, the casualties of social engineering suffer from the psychological trauma of falling for the scams. They often feel such shame for believing the criminal’s tricks that it deters them from reporting the crime to the authorities. Remote access scammers mostly target people over 60, as they are more likely to have sizeable sums of money in their savings accounts. However, the number of younger people falling victim to remote banking fraud has also been on the rise. Young people in their early 20s are less experienced in dealing with authorities and financial institutions and, therefore, can become easy prey for social engineering scammers.

How It Works

The mechanics of a remote access scam are quite simple. The fraudster establishes direct communication with the victim, most commonly via a phone call. For example, by posing as a support representative of a trusted organization, the perpetrator convinces the victim that a critical security issue has been detected and requires immediate action. The imposter then offers to resolve the issue and coaches the victim to download a legitimate remote access program, such as AnyDesk, TeamViewer, or Zoom, and grant the fraudster access to their device. By getting access to the victim’s device, the fraudster also gets access to their personal information, which can be saved and used in a later attack. The fraudster commonly asks the user to log in to their bank under the pretense of paying for the support service or receiving a refund for the security breach. Once the criminal gets access to the victim’s bank account, the money can be transferred without the victim’s knowledge or, more importantly, without any further consent.

Our data show that in recent months a new trend is on the rise. Several of our European customers reported cases where “reverse” remote access has been used. Namely, the user was asked to remotely connect to the fraudster’s computer and log in to their bank account there, thus giving the fraudster unfettered access to their funds. Criminals constantly evolve their techniques to minimize the costs for themselves and maximize profits. The upside to this particular fraud trend is our ability to detect it even sooner for our clients. In a regular remote access fraud scheme, the login procedure is performed by the legitimate user on their own computer and is no cause for alarm in itself. The warning bells go off when the scammer tries to remotely transfer the funds from the victim’s account. In cases where the user instead logs in to their bank on the scammer’s computer, we detect the use of a remote access tool already at the login stage and flag it immediately.

How Behavioral Biometrics Hampers Remote Access Scams

Due to the nature of remote access attacks, traditional security measures, such as device fingerprinting and geolocation, are simply not effective. Because the legitimate user grants the fraudster access and performs the login procedures, in most cases the attack cannot be detected until after the money is long gone. However, with the help of behavioral biometrics, these attacks can easily be detected and stopped in real time, that is, before the money leaves the victim’s bank account.

Behavioral biometrics not only recognizes the slightest deviations in a user’s behavior but can also detect whether a remote access tool is being used and whether that is a normal pattern of behavior for this user. Most remote access tools create a very distinctive pattern that can be easily recognized by behavioral biometrics.

Our solution uses over 20 distinct remote access detection mechanisms that continuously scan the incoming data for signs of remote access. Beyond detecting when a remote access tool is used during the banking session, behavioral biometrics also helps determine whether remote access is something the user normally does. For some users working on corporate accounts, it can be the norm to always use Remote Desktop. In these cases, we detect the use of a remote access tool but will not flag it as suspicious as long as other behavioral signals match the user’s normal behavior. As our customer data shows, combining behavioral anomaly detection with other signals, such as the likelihood of the user being coached, allows BehavioSec to reduce the number of flagged sessions and improve the fraud detection accuracy even further. With this implemented, only about 0.1% of all sessions get flagged as suspicious, as shown in the histogram in Figure 2.

Figure 2 The relation between normal use of remote access and anomaly flagged remote access sessions reveals the smaller percentage of the latter. Source: BehavioSec customer
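
The triage logic described above, sketched in Python as an added illustration (it is not BehavioSec's code): a detected remote access tool is only flagged when it is not habitual for the user or when other signals deviate. The typing-cadence feature, the coaching score, all thresholds and the sample sessions are assumptions constructed for this example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Session:
    user: str
    stage: str               # "login" or "transfer"
    remote_access: bool      # verdict of a remote-access detector (assumed given)
    key_interval_ms: float   # stand-in behavioral feature: mean inter-key interval
    coaching: float          # 0..1 coaching likelihood (assumed given)

def deviation(past, session):
    """Z-score of the session's typing cadence against the user's own history."""
    values = [s.key_interval_ms for s in past]
    if len(values) < 3:
        return float("inf")  # no usable profile: unknown is not "normal"
    return abs(session.key_interval_ms - mean(values)) / (pstdev(values) or 1.0)

def triage(history, session, z_limit=3.0, coach_limit=0.7, habit_rate=0.8):
    """Return (decision, reason); all thresholds are illustrative assumptions."""
    if not session.remote_access:
        return ("allow", "no remote access detected")
    past = [s for s in history if s.user == session.user]
    rate = sum(s.remote_access for s in past) / len(past) if past else 0.0
    habitual = rate >= habit_rate
    if habitual and deviation(past, session) < z_limit and session.coaching < coach_limit:
        return ("allow", "remote access is normal for this user")
    return ("flag", f"anomalous remote access at {session.stage}")

# Constructed sample history: "corp" always works over Remote Desktop, "retail" never does.
HISTORY = (
    [Session("corp", "login", True, ms, 0.1) for ms in (180, 190, 200, 185, 195)]
    + [Session("retail", "login", False, ms, 0.1) for ms in (240, 250, 260, 245, 255)]
)

if __name__ == "__main__":
    for s in (
        Session("corp", "transfer", True, 192, 0.1),    # habitual remote user
        Session("corp", "transfer", True, 120, 0.2),    # remote is usual, typing is not
        Session("retail", "transfer", True, 130, 0.9),  # classic scam: remote at transfer
        Session("retail", "login", True, 130, 0.9),     # "reverse" variant: remote at login
    ):
        print(s.user, s.stage, triage(HISTORY, s))
```

Only the first sample session is allowed; the "reverse" variant is caught at the login stage because the remote access tool is already present there.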

Our customers, among them several premier retail and wealth management banks, reported that the share of remote access scams detected using BehavioSec exceeded 92%. A long-running European bank confirmed that the overall detection rates for current fraud patterns were so good that financially relevant claims towards the bank had stopped almost completely. Another customer was able to detect €500,000 worth of remote access tool (RAT) fraud in the first 2 weeks of deploying BehavioSec, ultimately preventing €1m worth of fraud losses in the first 3 months before attacks subsided as the criminal gangs moved on.

To sum it all up, the detection mechanisms described above, combined with behavioral scoring of the user sessions, work so well that these types of RAT fraud attacks can be almost completely mitigated. If you would like to learn more about social engineering scams or how we can protect your customers and help you reduce costs, do not hesitate to contact us.