How Behavioral Biometrics Thwart Social Engineering Attacks

November 30, 2021

(Note to readers: This is the second part of a new blog series about how behavioral biometrics detects and stops specific cyber threats. Today’s blog focuses on social engineering.)

A few weeks ago, I talked about credential stuffing and the challenge of separating friend from foe. While that can be challenging, at least without behavioral biometrics, it is nowhere near as difficult to stop as social engineering.

Social engineering scams are happening all over the place: Three-fourths of financial professionals say their organization was the target of payment scams in 2020, and 90 percent reveal that these incidents have either grown in frequency or have remained consistent with the number of schemes in 2019. Verizon’s 2021 Data Breach Investigations Report found social engineering to be the most common breach pattern, and that 85% of breaches involved a human element. Whether it’s business email compromise (BEC), email phishing, voice phishing, help desk fraud, or coaching scams – social engineering provides criminals with a cost-effective method of bypassing most traditional defenses.

For cyber criminals, social engineering allows them to bypass credential checks, tokens, step-ups, and other protective methods, as they manipulate the victim to pass the security steps on their behalf. It has gotten so bad that UK phone networks recently decided to block all online calls from abroad if made to look like a UK number, and regulators are even considering requiring ID when buying multiple SIM cards.

For the victims, social engineering is an especially vicious type of attack. We mainly hear about lonely elderly people being targeted, but social engineering can happen to anyone. In fact, the idea that this only happens to particularly vulnerable people is part of the problem, as victims often feel great shame once they realize they have been made a fool of. This makes them less likely to report the crime, and if they do, more likely to accept no-to-minimal restitution.

For CISOs and security professionals, this is an extremely challenging attack vector to stop, as their traditional tools (device fingerprinting, geolocation, credentials, and step-ups) are all bypassed. Most fraud systems give zero indication of a social engineering scam taking place until the money is long gone, unless the criminal is extremely unlucky and the mule account has already been flagged by anti-money laundering systems.

To make matters more urgent, the massive increase in this type of crime has forced regulators to take action, and the fraud liability for social engineering has begun to shift from the victim to the financial institution.

That’s why CISOs and their teams should consider behavioral biometrics as a critical component of their security strategy and solutions portfolio. Behavioral biometrics deliver an additional layer of defense that unfailingly thwarts social engineering, as it can detect subtle signs of manipulation before it’s too late. Instead of relying solely on information a criminal can steal or manipulate their way around, behavioral biometrics builds user profiles based upon how employees or customers physically interact with devices. This creates a distinct, physical signature for the profile that hackers simply cannot imitate.

What’s more, if a fraudster has gained enough trust (even temporarily) to coax a victim into unwittingly making a large payment to the fraudster, our technology will intervene. Our solution picks up on various traits that victims exhibit when in this situation. They may, for example, demonstrate behaviors of hesitation because they have misgivings about what they’re doing, perhaps taking unusually long pauses as they wait for the criminal’s instructions. Or they could repeatedly pick their smartphone up and put it down while going back and forth with a criminal who is directing the victim to set up a transfer, as in the figure below. Our behavioral biometrics will recognize these deviations from normal interactions with devices and send alerts to security teams.

Figure 1 Comparison of mobile device acceleration between a coached victim and genuine customer
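To make the two signals above concrete, here is an added toy detector (not the vendor's product code) that profiles a user's longest pause between UI events and the spread of accelerometer readings over past sessions, then z-scores a new session against that profile. Feature choice, the z-score threshold, the floors on standard deviation and all session data are constructed assumptions for illustration.

```python
"""Toy coaching-scam detector (constructed example, not the vendor's model)."""
import statistics
from dataclasses import dataclass

PAUSE_SD_FLOOR = 0.25   # seconds; stops a very consistent user alerting on tiny jitter
ACCEL_SD_FLOOR = 0.05   # m/s^2; same idea for the motion feature

@dataclass
class Baseline:
    pause_mean: float
    pause_sd: float
    accel_mean: float
    accel_sd: float

def session_features(event_times, accel_samples):
    """Longest gap between UI events (s) and spread of accelerometer magnitude."""
    pauses = [b - a for a, b in zip(event_times, event_times[1:])]
    longest_pause = max(pauses, default=0.0)
    mags = [(x * x + y * y + z * z) ** 0.5 for x, y, z in accel_samples]
    motion_sd = statistics.pstdev(mags) if len(mags) > 1 else 0.0
    return longest_pause, motion_sd

def build_baseline(sessions):
    """Per-user profile from historical (event_times, accel_samples) sessions."""
    pauses, motions = zip(*(session_features(t, a) for t, a in sessions))
    return Baseline(statistics.mean(pauses), max(statistics.pstdev(pauses), PAUSE_SD_FLOOR),
                    statistics.mean(motions), max(statistics.pstdev(motions), ACCEL_SD_FLOOR))

def score_session(baseline, event_times, accel_samples, threshold=3.0):
    """Z-score a new session against the profile; flag if either feature exceeds it."""
    longest_pause, motion_sd = session_features(event_times, accel_samples)
    z_pause = (longest_pause - baseline.pause_mean) / baseline.pause_sd
    z_motion = (motion_sd - baseline.accel_mean) / baseline.accel_sd
    return {"z_pause": z_pause, "z_motion": z_motion,
            "coaching_suspected": z_pause > threshold or z_motion > threshold}

# Constructed data: accelerometer (x, y, z) in m/s^2 with the phone held steady
STEADY = [(0.1, 0.2, 9.8), (0.1, 0.2, 9.7), (0.2, 0.1, 9.8), (0.1, 0.3, 9.8)]
HISTORY = [([0.0, 1.1, 2.4, 3.6, 5.0], STEADY),
           ([0.0, 1.0, 2.6, 3.5, 4.7], STEADY),
           ([0.0, 1.3, 2.4, 3.9, 5.1], STEADY)]
GENUINE = ([0.0, 1.2, 2.5, 3.7, 4.9], STEADY)
# Coached victim: a 38 s wait for the caller's next instruction, phone picked up and put down
COACHED = ([0.0, 1.4, 39.4, 40.6, 42.0],
           [(0.1, 0.2, 9.8), (3.5, 2.0, 12.1), (0.5, 7.9, 4.2),
            (6.0, 1.2, 8.5), (0.2, 0.1, 9.8), (2.9, 5.1, 11.0)])

PROFILE = build_baseline(HISTORY)   # score_session(PROFILE, *COACHED) flags the session
```

In a real deployment the profile would be learned over many sessions and the alert fed to the fraud team rather than blocking outright, since a genuine user can also pause or fidget.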

Ultimately, our behavioral biometrics not only confirms that you really are you – it’s also possible to spot when you are acting out of the ordinary, like during a scam. If you’d like to find out how we can help your company achieve this level of optimal, user-experience-friendly cyber protection, then please contact us. Meanwhile, look for the next blog in our series, to be published soon, which will address OTP hijacking and SIM swaps.