The cutting edge behavioural analytics NZ banks could use to shut down scammers, and which big bank has signed up

Men tap on their mobile phone screens harder than women.

A scam victim may scroll aimlessly on their mouse while awaiting instructions on where to send money.

On a mobile phone, the phone may be moved up and down from a bank customer’s ear as they get fed a bank account number by a money mule herder.

Behavioural analytics are now being used by banks, including one in New Zealand, to help catch scammers — and how we use our bank’s apps and websites can give away clues that we’re being scammed.

Israeli behavioural biometrics company Biocatch’s technology has been in use at one New Zealand bank for a couple of months, with another set to roll it out.

Biocatch’s Australia and New Zealand head Richard Booth is coy on which NZ banks are Biocatch customers; banks don’t necessarily want scammers to know about the tools they are using to shut down scams, he says. 

In Australia each of the big four are Biocatch customers, and it also boasts UK customers in Barclays and HSBC.

The firm can see patterns or changes in habits which may alert it to whether someone is being conned from a wealth of data we provide by interacting with our bank online, Booth says.

Scammers have shifted from attacking banks to attacking customers, using “social engineering”, or convincing us to make that payment for a scam toll, or invest in a fake term deposit.

They make us feel comfortable, and even confident to hand over our cash, understanding when we’re vulnerable, or building elaborate webs of information to hide the fraud lurking under the surface.

Biocatch puts itself in the middle of that transaction, detecting little clues about how we act during the scam to raise red flags with the banks, who can then decide what to do next, Booth says.

Booth says Biocatch is looking at how we use our bank’s infrastructure. How we navigate around the webpage, or how we are clicking and swiping on an app on mobile.

For example, someone may usually open their bank app and check their balance before they add a new payee, and then make a payment.

Biocatch may detect a deviation from that normal customer behaviour when they log on and go straight to a payment. 

There may be other tells when we make the payment, such as pausing and waiting for instructions from a scammer on where to pay money.

Someone making a legitimate payment would usually have that information at hand, and not need to be coached through the payment process, Booth says.

Swipe, tap and scam

How does Biocatch do this? It can visualise how we use our mobile phones in three-dimensional space.

Our phones give out data on how we move them through gyroscopes and accelerometers, which we might commonly see in action when we rotate our phone screens and the display then flips to match how we’re holding the phone. 

Or we might see them in use if we play games on our phones which require titling or moving the phone to move a ball around, for example.

But instead of us playing a game, Biotcatch is looking at pauses in inputting information, whether we're putting the phone up to our ear, or may even use a lack of swiping and tapping altogether to detect criminal influences.

For example, Booth says, scammers may use software that can mimic 30 mobile phones. Using this sophisticated software a scammer can manage multiple mule accounts used to shift stolen funds offshore, creating a “more operationally efficient criminal infrastructure”.

The so-called mule herders may then shift the funds out in a series of transfers, called hops.

Booth says the first “hop” by a mule herder will typically be into separate accounts, and then once the funds are in accounts that the mule herder controls, they can then consolidate those funds on the second hop or third hop into a single account. 

At that point they will do what's called a cash out, and they will either exfiltrate those funds through a crypto network or through a foreign wiretap or an through an ATM, but that’s a less likely final step in New Zealand.

Then the money is often wired to Southeast Asia or Eastern Europe, he says.

But what Biocatch may see, or detect from such a software programme, is an absence of swiping and tapping to make those transactions, because it’s actually a software programme pretending to be 30 mobile phones, there are no humans there to swipe and tap.

Booth says these “emulators” can pretend to be a physical device, but the scammers will be using a mouse and a keyboard to enter data and to click on things, and so there is no finger press on the screen. 

“So that's the first major giveaway that a criminal is not using physical mobile device.”

Biocatch can also look at how a bank customer usually holds their phone, which hand they use to tap, or two thumbs if you are an old Blackberry user, as Booth is.

“We understand in 3D space, that [the phone] is maybe in the left hand or the right hand. We're going to look at the arcs. Someone that scrolls with their index finger makes longer scroll movements, then someone with their thumbs is shorter scroll movements. And then we also get the pressure on the screen. Scientifically, we've seen that men generally push harder on the screen than women do. And so that force feedback in the surface area of your fingers goes into a lot of detail. We can then differentiate between the one user and another user in the way that they're using their mobile phone.”

They're watching you — or are they?

Booth says it may seem a little Big Brother-esque, but Biocatch knows nothing about you.

It sees only randomised numbers, and never gets detail about who it is observing using a bank website or mobile device.

Biocatch embeds snippets of code in a bank website, from there its analysts are seeing streams of data as we tap, swipe or mouse around the bank’s infrastructure. It is analysing our pauses, or "doodling" on the mouse as we're waiting to be told to make a payment, and working out when we're being ourselves, or being directed by a criminal.

The firm, which was founded in 2011, has data scientists looking at mathematical algorithms and machine learning, but it also has behavioural scientists that deeply understand criminal behaviour and genuine customer behaviour, Booth says.

The behavioural scientists work with the data scientists to visualise human behaviour in a mathematical model.

“That's where a lot of our secret sauce is, or our intellectual property is based. We really distill what makes up a good person behaving normally, from a good person behaving abnormally or a criminal behaving the way they normally behave. And we put that into machine learning algorithms to crunch that data in real time at scale, to provide the banks with the necessary alerts for them to intervene.”

Now, what happens next is up to the bank. Booth says banks are always weighing up intervening against giving their customers a smooth, frictionless experience and allowing customers the freedom to bank how they want to.

Some banks are more conservative than others. He says if banks bombard customers with too many warnings, their effectiveness wears off. It's a tricky balancing act.

And, he says, the banks have more data on top of what they get from Biocatch, which Biocatch is blind to, which they will combine with Biocatch’s data to enrich their decision making process.

Innovating scams

Just as banks are using technology to combat scams, and introducing new programmes or warnings, scammers and fraudsters innovate too.

The United Kingdom's banking industry introduced name and account number checking to help flag to people when they’re paying money into a different account than they thought they were in 2020.

In New Zealand some investment scams have seen payments made for a Citibank term deposit investment, but payments were actually made to an ASB account. Critics say these payments, made to a obviously different account than intended, could have stopped the large financial losses suffered by bank customers.

However, scammers are adept at getting around name and account checking, Booth says, for example making bank account names close to legitimate names, or they might say the account is that of a parent company, or a subsidiary.

He says scammers are skilled at explaining discrepancies in account names and numbers, and invest in building relationships with their victims to overcome their concerns.

“If you look at social engineering scams, the two biggest in terms of value per loss or value per case, they are investment scams and romance scams. The emotional investment that the victim has at the point that they're being asked to make a payment is already significantly high. At that point, they're likely to believe almost anything that the scammer tells them.”

New Zealand’s banking sector recently committed to introducing name and account number checking among a suite of changes to help combat rising scams against their customers including no longer sending links in text messages.

We don't have a timetable for its introduction.

ANZ, the country's largest bank, says it is committed to implementing name and account checking, or confirmation of payee, as fast as practically possible.

"We are currently mapping out the work involved and a timeline. This will be a complex piece of work. Any changes need to be standardised across all banks and will require regulatory and government input regarding privacy laws."

The bank says it's important any new system can be trusted.

"Fraud protection needs to provide a good customer experience, so people see it as a benefit not a hindrance."

ANZ also says it is currently testing "world-leading biometrics as one way to make sure it’s our customers making transactions on their devices".

"This new digital behaviour software will identify patterns in the way customers access and use digital banking and to indicate the likelihood the current transaction was initiated by the customer or someone else."

ANZ says it plans to have this operational in New Zealand in 2024.

Game-changer?

The Banking Ombudsman, Nicola Sladden, said recently introducing confirmation of payee technology, or name and account number checking, would be a game-changer.

The ombudsman's annual report showed almost a third of its annual investigations related to scams, in which victims' average losses were $57,000.

Parliament’s Finance and Expenditure Committee recommended banks bring in confirmation of payee in a report published in August.

It also recommended banks look at a voluntary scheme to reimburse victims who are tricked into making payments to scammers, called authorised payment scams.

At present NZ banks do not routinely reimburse people who have authorised a payment to scammers, although some were offering partial settlements and requiring customers to sign non-disclosure agreements.

Consumer NZ says banks should now pay back authorised payment scam victims, because in announcing they need confirmation of payee to combat scams, it was an acknowledgement they could have done more, but chose not to.

In the UK, its payments regulator will make banks reimburse authorised payment scam victims from next year.

Booth says UK banks are being forced to deal with "the pain of scams in a far more tangible way than banks in other countries".

In some countries banks don't have to reimburse customers for any scams, whether customers have their accounts hacked or are tricked into making payments to scammers.

For the banks without that fear of a financial penalty, investing in fraud protection systems doesn't stack up because they're not losing money, Booth says.

The UK approach has forced banks to invest in fraud protection, he says, and it is leading the world in regulatory change to fight scams, for better or worse. 

The Commerce Commission has warned it may force change on banks to see them adopt new payment types such as low cost account-to-account transactions. It got oversight of payments in 2022.

Industry experts say adopting new payment types and systems would allow the introduction of name and account number checking, and other anti-scam measures.

Commerce Commission chairman John Small says NZ's response to bank scams has been "undercooked".

He says it is an area in which the Commission could do more.

"I think we need a win."

In terms of regulating how banks respond to fraud, it appears no single regulator is taking the lead.

Commerce and Consumer Affairs Minister Duncan Webb refused to say which regulator should be ensuring banks are protecting consumers from frauds and scams.

The Financial Markets Authority, Commerce Commission, Ministry of Business, Innovation and Employment and the Computer Emergency Response Team (Cert NZ) are all involved in protecting New Zealanders from scams, while the Reserve Bank of New Zealand regulates and promotes a “sound and efficient” financial system.

National's commerce and consumer affairs spokesperson Andrew Bayly has suggested the Commission should be the lead agency for scam prevention.

Small says the Commission has been talking to its Australian counterparts about its anti-scam measures, including the newly-opened National Anti-Scam Centre. NZ's banking sector says it supports setting up a similar centre here.

Small says the regulator is also looking at what telecommunications firms can do to thwart scams.

It needs to be nimble and innovate, just as scammers are, Small says.

He says scams will get a mention in the banking market study.

"In order to look at competition properly, we actually have to look at the broader landscape for banks, including the regulatory landscape. And the way that the banks themselves operate."