Let’s consider a scenario. A customer receives an urgent call from their bank advising that there’s an issue with their account. The representative requests remote access, and persuades them to install anti-virus software to protect themselves. A little later on, they discover that all of their accounts have been cleaned out...
If this sounds familiar, it’s because it’s not only a fraud vector that’s on the rise, it’s an approach that has become endemic. But because it blurs the lines between first- and third-party fraud, it’s still largely not on the radar of most victims – both businesses and their customers. And that’s a major cause for concern. See how an attack like this plays out in our video.
The rise of the RAT
The lynchpin of this fraud strategy is the RAT. Originally, this stood for Remote Access Tool, a legitimate technology used to help remotely manage and resolve IT problems quickly and effectively. But as with so many digital technologies, bad actors quickly found ways to turn it to their own needs, giving birth to the Remote Access Trojan.
The first stage in a RAT attack is social engineering, where the fraudster persuades their victim to install the malicious software onto their computer. They use a wide variety of routes to get it there: besides a persuasive phone call, the software may arrive through email attachments or links, or even pop-ups on insecure websites. Once installed, the scene is set for the next step in the scenario, bearing the same initials: remote access takeover.
In the example above, that’s exactly what happened. The cybercriminal used deception to get the customer to install the RAT, and because the customer believed the caller was a genuine bank representative, they didn’t hesitate to provide the additional details the fraudster needed – such as the SMS OTP that so many businesses use as a possession factor.
Whose fraud is it anyway?
For the customer, this presents a very serious problem once they realize that they’ve been defrauded. In a panic, they’ll call their bank to try to find out what’s happened and set things straight.
But in many cases, the bank may take the stance that it’s actually the customer trying to commit first-party fraud rather than being a genuine victim of third-party fraud.
Given the approach the bad actors take, that viewpoint is understandable in light of the evidence the bank has at hand: the transaction was confirmed by an SMS OTP and initiated from the customer’s own device, and therefore looks legitimate.
And this is what makes this fraud approach so insidious. Because it’s so difficult to detect that it really is third-party fraud, the customer is not only out of pocket, but may find themselves shouldering the blame, despite being the real victim.
A hidden threat
This is one of the factors that makes RAT-driven fraud difficult to prevent. It’s a tricky situation for legislative consumer protections; measures such as Regulation E provide protection for account takeover (ATO) fraud, but it becomes more of a gray area when it’s hard to pinpoint exactly where the fault lies.
And that’s a particularly tough situation for all concerned. Not only are the majority of customers unaware of the extent of the problem, the very nature of the approach makes it extremely hard for banks to detect too. It’s very hard to defend against an attack vector when you don’t know it even exists.
That’s particularly the case if a business is relying on usernames and passwords for authentication, even if they’re shored up with SMS OTPs as a possession factor – which as we’ve seen, provide no defense against social engineering.
And it’s worth remembering that fraudsters will spend days or weeks planning a social engineering campaign – a bank may only have seconds to react.
Cover your bases
However, the exponential increase in RAT-driven fraud has not gone unnoticed. Nothing stays still where money is concerned, and legislators are taking note of the sharp rise in complaints from defrauded customers. The CFPB issued stern guidance to banks in 2021 regarding reimbursements under the EFTA and Regulation E, and more is likely to come.
Equally, defrauded customers are not slow to make their displeasure known. Social media is only the starting point for grudges to be aired, and the press is ever quick to amplify those discontented voices. The damage to reputation can be far more costly than the actual sums in question.
It’s imperative that banks and financial institutions start putting measures in place to counter the threats posed by RATs.
How businesses can fight back
Callsign’s solution gives businesses the ability to do that – to take pre-emptive steps to defend against RATs and other forms of fraud. Our device intelligence is constantly vigilant against RATs, passively looking for the signals that a device has been compromised – and alerting the user if it is. That applies to mobile devices too – mobile RATs (mRATs) are also on the rise.
Our Muscle Memory Technology – the highest fidelity form of behavioral biometrics on the market – is able to recognize your customers from their unique patterns of typing, swiping and even how they hold their device.
No RAT, no matter how sophisticated, can ever emulate these signals. Layered with our device intelligence, the fraudsters don’t stand a chance. And because our technology doesn’t rely on outdated cookies, your users will be recognized and protected regardless of whichever browser or device they choose to use.
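As an added illustration (constructed for this article, not Callsign’s code and not a description of its product internals), the scoring below shows the point made here and in the "Whose fraud is it anyway?" section: a fraudulent session can pass an OTP-plus-known-device check, while a remote-control signal on the device or a typing cadence that does not match the customer’s baseline sends it to a step-up challenge instead. The signal names, threshold and sample timings are all assumptions.

```python
"""Constructed example: layered session decision versus an OTP-only decision.
Hypothetical signals and thresholds; not a vendor implementation."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Session:
    otp_valid: bool            # SMS OTP was entered correctly
    known_device: bool         # device fingerprint matches the customer's usual device
    remote_session: bool       # hypothetical device-intelligence flag: remote-control tool active
    key_intervals_ms: list     # inter-keystroke timings captured during this session


@dataclass
class Profile:
    baseline_intervals_ms: list   # the customer's historical typing cadence


def otp_only_policy(s: Session) -> str:
    """Legacy decision: a valid OTP from the customer's own device looks legitimate."""
    return "approve" if s.otp_valid and s.known_device else "decline"


def cadence_z_score(s: Session, p: Profile) -> float:
    """Distance of this session's typing rhythm from the customer's baseline, in std devs."""
    mu = mean(p.baseline_intervals_ms)
    sigma = pstdev(p.baseline_intervals_ms) or 1.0   # guard against a flat baseline
    return abs(mean(s.key_intervals_ms) - mu) / sigma


def layered_policy(s: Session, p: Profile, z_limit: float = 3.0) -> str:
    """Layered decision: device and behavioural signals outrank the OTP."""
    if s.remote_session:
        return "step_up"      # live remote control on the device: challenge out of band
    if cadence_z_score(s, p) > z_limit:
        return "step_up"      # the rhythm does not match the customer
    return otp_only_policy(s)


# constructed customer profile: steady, roughly 110 ms between keystrokes
PROFILE = Profile(baseline_intervals_ms=[105, 112, 98, 117, 108, 110, 103, 115])

# constructed RAT scenario: the customer's own device, a relayed OTP, but the keystrokes
# arrive over a remote-control session with the operator's rhythm, not the customer's
RAT_SESSION = Session(otp_valid=True, known_device=True, remote_session=True,
                      key_intervals_ms=[260, 240, 300, 280, 250])
LEGIT_SESSION = Session(otp_valid=True, known_device=True, remote_session=False,
                        key_intervals_ms=[104, 111, 100, 109, 113])
```

The OTP-only policy approves both sessions; the layered policy approves only the genuine one.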
With fraudsters getting more sophisticated by the day, it’s a lot to expect your customers to smell a RAT. Callsign’s here to make sure they don’t need to.
Find out more about our solution in our RAT video: