Timeless Threats: Why Old-School Fraud Tactics Still Succeed
Recently, Allied Irish Bank (AIB) released the 5 most common fraud methods for 2024 (Jan – Oct) that it has presumably witnessed. In positions 5 to 3 were Money Mules, Purchase Scams, and Investment Fraud, respectively.
Highest Ranked Fraud Methods
In terms of customer authentication strategies, the two highest-ranked frauds are where it gets interesting. Ranked 2 was Phone Call Fraud, a form of impersonation scam in which the criminals may also try to take control of the customer’s device, known as a remote access scam.
Ranked 1 was Text Messaging Fraud, also known as Smishing, which accounted for a staggering 94% of all fraud cases. As described by AIB, these messages are usually followed by a phone call from the purported “bank”. And as AIB also stated, “a bank will never request security codes sent by text message, push message or from your card reader”.
Fraudsters Don’t Hesitate to Take Advantage
So, while a bank may not, a fraudster most certainly will. Smishing has been around for years but has certainly become more advanced and convincing, with fraudulent messages able to appear in line with legitimate bank SMS messages, a problem heightened by the use of sophisticated AI.
However, the simple reason it is successful, and evidently so prevalent with such a high percentage of total fraud events, is that many banks persist with outdated and insecure One-time Passcodes (OTPs) as their customer authentication strategy.
As we have said in numerous blogs, an OTP is simply a piece of information, albeit intended for the legitimate customer only. But if a piece of information can be intercepted, hijacked, or inadvertently shared or given up, whoever is now in possession effectively becomes a proxy for the legitimate customer. If a piece of critical information can be unlawfully obtained, it will be obtained. And therein lies the reason for 94% of all fraud events being smishing-based.
As we have also said in numerous blogs, there is a simple method to make these very same OTPs, regardless of how they are delivered, secure, even if intercepted, hijacked, or inadvertently shared or given up.
From Typing to Speaking
The answer is overlaying voice biometrics on the OTP. Rather than typing the OTP back into the browser, which is what an OTP is used for, speak it back into the browser. Only in this user-friendly fashion can the coupling between the OTP and its intended legitimate customer occur. Anyone but the intended customer who has possession of the OTP will fail the biometric test, rendering the OTP useless.
At ValidSoft, we’ve reimagined OTP security by integrating voice biometrics into the authentication process. Our patented See-Say® technology allows users to speak their OTPs instead of typing them. This innovative approach permanently binds the OTP to the legitimate customer through their unique voiceprint. Even if the OTP is intercepted or shared, it remains unusable by unauthorized individuals. This ensures a seamless yet robust authentication process, addressing vulnerabilities like smishing and replay attacks. With See-Say®, organizations can confidently migrate from traditional OTP systems, significantly reducing fraud incidents while delivering an effortless and secure user experience.
The same applies to remote access scams or any other scam involving pieces of supposed secret information where possession is currently all that’s required.
It seems that if ever there was a case to make for a Return on Investment, it would be the eradication of 94% of fraud events by the migration from typing to speaking, a trend we already accept as part of our everyday lives. Hey Google, do you think speech as a User Interface will catch on?