No Phishing: How Biometric Authentication Can Prevent Phishing Attacks, Fraud Losses, and More

by John Duggan, SVP, ANZ & SEA
October 3, 2023

When you hear the word phishing, you most likely think of SMS scams – when fraudsters send fake text messages impersonating a service provider to a genuine customer’s mobile device, asking for either PII (personally identifiable information), funds, that the user perform a transaction, or a combination of the former.

But phishing isn’t just SMS scams. There are all kinds of phishing strategies used by bad actors both online and through social engineering. Any action that is designed to trick someone into willingly sharing their PII under false pretenses qualifies as phishing.

According to AAG IT, “The most common cyber threat facing businesses and individuals is phishing.”  The Asia-Pacific region, especially, continues to be inundated with financial services phishing scams, causing organizations to be held responsible for their customers’ losses – even if the business had no knowledge of a scam being conducted under their name.

In Australia, there’s a cyber attack every 10 minutes (on average) – and cybercriminals have been targeting consumers to the tune of over 3 billion dollars in 2022 alone. This means the organization with which the consumer’s account is associated – whether it’s a bank, insurer, investment firm, or mortgage lender – is deemed liable for thousands, and sometimes millions, in losses, with little being done by government and regulatory agencies to eliminate the actual source of fraud: weak authentication systems.

While it would be impossible to prevent all instances of phishing from happening, financial services organizations in APAC can arm themselves against cybercrime and make their account access phishing-proof by using secure, convenient, and modern biometric authentication solutions.

Case study: Singapore SMS phishing scam

Biometric authentication is seeing increased adoption across industries – and for good reasons. Its inherently unphishable nature makes it the ideal account access process for organizations dealing with highly sensitive data, like banks.

A particular bank, Singapore’s OCBC, lost S$13.7 million to phishing scams in December of 2021. Fraudsters sent texts to OCBC customers, claiming their accounts had been deactivated and requesting that they click a link embedded in the SMS to reactivate their accounts.

Upon clicking the link, customers were redirected to a fake website that asked for their OCBC login credentials, like account usernames and passwords. The scammers then used those login credentials on OCBC’s real website to transfer money, which initiated 2FA (two-factor authentication) and OTPs (one-time passwords) being sent to customers’ registered mobile phones.

Since SMS texts aren’t encrypted, these messages were intercepted by the same scammers, and the funds transfers were successfully completed.

Once customers received notifications about unauthorized transactions on their bank accounts, they started calling OCBC’s hotline; but by the time the bank was able to take action, it was too late: the scammers had already siphoned out most of the monies in the compromised accounts.

OCBC was forced to pay back S$13.7 million to customers and regulators also asked them to keep an additional S$330 million ($240 million USD) in capital for managing such operational risks.  Additional damages incurred by OCBC included major hits to brand reputation and plummeting stock prices.

The hidden cost of phishing
Whether you’re a financial services organization in Singapore, Australia, New Zealand, or the UK, the hidden (and obvious) costs of phishing scams ring true around the world – and customers are carefully listening.

Other than the millions (and sometimes billions) of fraud losses incurred by finservs, the damage to an organization’s brand, fraying customer trust, poor PR, strained investor relations, and stock repercussions can tank even the most established businesses. But more often than not, organizations think too much about the bottom dollar when investing in digital identity security procedures – like authentication – and skimp on security and UX to keep costs low. This is not only dangerous for data privacy, customer identities, and employees, but could end up costing a company more in the long run than the initial investment in biometric authentication would’ve cost up front.

What is biometric authentication?

Biometric authentication is a security process that identifies users by leveraging fingerprints, facial scans, voice prints, retina scans, iris scans, or behavioral biometrics like gait, keystrokes, typing speed or mobile touch, interactions, and swipe.

A user’s biological characteristics – which are immutable, unphishable, and inherently unique – securely authenticate that the user is truly who they claim to be, giving organizations the confidence to conduct transactions with and grant account access to genuine users.

How does it work?
Biometric authentication extracts data points, via AI-powered algorithms, from a user’s biometric factor during an onboarding process like identity verification and stores that data as a secure, biometric template that will be used for future authentications.

The stored biometric credential is compared to the live factor that is presented during authentication – like a selfie, for example, being compared to a face template. By comparing the biometric factor (biological characteristic) a user presents with the verified identity data that has already been stored on the user’s device or in an organization’s database, these two processes, together, form an unphishable strategy for onboarding and account access.

Can’t someone steal my face?
Skeptics of biometrics will often express the concern that their physical characteristics could be stolen. However, even if a biometric template is stolen, it cannot be reverse engineered into a usable representation of a person’s face, fingerprint, or voice – so not only is it unphishable, it’s not susceptible to data breaches, either. When using biometrics, you guarantee the safety of a user’s PII – there are no passwords to steal or guess, security questions to remember (or, often, not remember), or inconvenient, costly account reset processes to worry about.

Types of biometric authentication

As modern users have become more and more comfortable using it to unlock their devices, biometrics has cemented itself as a reliable and secure method of authentication – and a great way to foster accessibility and a convenient user experience. Different biometric factors offer different degrees of practicality for use cases.

• Facial scans
  • Used every day by many smart device owners to unlock their phone, tablet, or laptop, making them ubiquitous in today’s digital world.
• Fingerprint and palm scans
  • Practical and highly accessible; comfortable for many users, as they do not need to use their face (provides a certain level of ‘anonymity’).
• Voice recognition
  • Popularized by voice assistants like Amazon’s Alexa, Microsoft’s Cortana, and Apple’s Siri; most users are accustomed to this technology, though it may be less reliable than non-audio options depending on environment (a noisy or crowded room, for example, may interfere with its accuracy).
• Behavioral biometrics
  • Becoming more and more widely used but is lagging behind the factors listed above insofar as popularity. Mobile devices are rich in behavioral biometric datasets.
• Hand geometry
  • Easy to use: just requires placing your hand in a scanner. Not widely adopted, likely due to the cost of purchasing the specific scanners needed.
• Iris and retina scans
  • Heavy use in the public sector and the travel & hospitality industry (CLEAR, for example) but hardware is limited and costly in the consumer market.

Why is biometric authentication critical in the fight against phishing?

July 2021 to June 2022 saw an 81% increase in Australia’s cyber attack incidence, while network traffic, during that same time, only increased by 38%. This disparity highlights the proliferation of fraudsters and their schemes in Australia – and this example is the rule, not an exception.

Businesses across the Asia-Pacific region (and the world) have experienced exponential growth in the phishing scams they are faced with thwarting or, usually, with compensating customers and regulators for. British banks, for example, were pressured to sign up for the “Contingent Reimbursement Model” (CRM). This model basically holds banks monetarily responsible for consumers who send money to fraudsters, forcing the banks to pay customers back. “This is unsustainable and it cannot be remedied without action on digital identity,” says David G.W. Birch, a Forbes contributor and internationally recognized thought leader in digital identity.

Birch, like many others in the industry, is calling for a more equal distribution of the cost of fraud – a request that is, for the most part, being ignored.

However, there are some efforts being made to address the growing cases of phishing scams. According to Comply Advantage, “The Australian Securities and Investment Commission (ASIC) has announced the imminent introduction of a cross-industry code that will hold banks, telcos, and social media platforms responsible for scam safety and make them liable to reimburse people who lose money through scams.”

Though these are steps in the right direction, the road is long; that’s why the best path forward for businesses is to take matters into their own hands by defending themselves and their customers directly against phishing scams through adoption of a robust biometric authentication strategy.

xAuth, xFace, and the power of MFA

Daon has the solutions your organization needs to stop phishing – before it starts. xAuth, our portfolio of authentication methods, is designed to help you build a customized multi-factor authentication solution to fit the unique needs of your organization and your customers – whether you’re looking to add factors or go passwordless. Created with easy integrations in mind, xAuth can be deployed into existing infrastructure and employ your choice of FIDO-certified authenticators, whether they’re biometric, knowledge, or possession-based factors, to get a perfect-fit solution for your use case. All of these factors can also be integrated with xFace and xVoice to provide the maximum level of identity security.

Multi-factor authentication (MFA) is simple: rather than requiring a single, less-secure form of authentication (like a password), MFA layers multiple authentication steps together, like a security PIN plus a biometric (finger or face print). By using more than one simple authentication method, a stronger, synergistic form of security is created.

Due to their inability to be lost, replicated, or stolen, biometric factors, especially when used in combination as part of an MFA security approach, are the most secure factors that can be used to authenticate a user’s identity. They also provide greater ease-of-use.

No phishing allowed: the benefits of biometric authentication

Biometric authentication is a secure, convenient, and easily integrated solution to help combat the phishing scams that are plaguing organizations across industries. For financial services businesses, especially, the kind of step-up authentication offered by biometrics is unparalleled insofar as safety and in the continual quest of positive UX preservation.

By showing customers that your company values not only their time, but the safety of their information, biometric authentication can be a beneficial tool for building (or bolstering) brand reputation, fostering trust with customers, and making your services accessible for the widest audience possible. By giving users choices when it comes to how they’re authenticated – face, fingerprint, voice, and more – you can empower them to become repeat customers, successfully building a digital relationship that truly lasts: one that’s built on trust.

Learn more about protecting your customers with biometric authentication from Daon here.