Throughout 2023, we used this powerful combination of signals to analyze 270M devices.

Operating systems of devices we analyzed (%)

  • Android: 54.5%
  • Web: 26.2%
  • iOS: 19.3%

In 2023, we returned 3,740,042,918 risk assessments for events like account creation, login, and transaction.


In this report, we share some of the insights we learned from these events, as well as some threats you should keep an eye out for in 2024.


Fraud Prevented in 2023

In 2023, our clients leveraged Incognia’s combination of device and location signals to prevent fraud across a number of industries.

By placing Incognia’s device and location signal as the first step in their fraud prevention, authentication, and user verification flows, our customers significantly reduced instances of fraud and the associated business impacts, while also reducing friction and operational costs from less reliable and more expensive signals, like 2FA.


Delivery

In the Incognia delivery network in 2023


Fake accounts

1.2M prevented

Fake accounts and payment fraud are fraudsters’ bread and butter across industries, and they’re very popular methods for fraudsters who target food and grocery delivery apps in particular.

When a bad actor is operating under an expendable fake account without their real name attached, they can commit fraud against a food delivery service without fear of meaningful consequences. A fake account may not seem like a big deal, but fake account creation is just the tip of the iceberg.


Downstream impacts of fake accounts


  • Increased liability from unverified drivers
  • Collusion between diners/drivers/merchants
  • Financial losses due to fraud
  • Damage to platform reputation
  • Decreased diner satisfaction
  • Promotion abuse from drivers or diners
  • Increased trust & safety risks
  • Drivers evading bans for bad behavior

Common Fraud Types in Delivery

Some of the fraud types our team sees most frequently in this industry:

  • Driver fraud
  • Collusion
  • Chargebacks


Financial Services

In the Incognia financial services network in 2023


Mule Accounts

1.6M prevented

Mule accounts are another big challenge right now for financial institutions, particularly given the rise of faster payments fraud; these accounts help fraudsters process fraudulent funds without revealing their true name or personal information. The account belongs to an individual who is recruited by the fraudster to help move illicit funds, often unwittingly.

If financial institutions want to prevent fraud, stopping mule accounts and ATO attacks is table stakes.


Risk Indicators

Across all 3.74B risk assessments, only 6.5% were assessed as a high risk for fraud.


For high risk events, here are some of the most common attributes and behaviors we saw at three different points in the flow:

Onboarding, Login and Transaction


Onboarding

For suspicious onboarding events, here’s how frequently each risk indicator appeared.

  • Address not verified: 42.86% of risky onboarding events
  • Multiple accounts: 32.86%
  • Chargeback detected: 6.95%
  • Multiple app installations: 6.24%
  • Tampering*: 8.97%

* Device, app, and/or location

Incognia’s results

A P2P marketplace reduced new user abandonment rate by 84%


Login

For suspicious login events, here’s how frequently each risk indicator appeared.

  • Multiple accounts accessed: 20.22% of risky login events
  • Suspicious activity: 18.72%
  • Tampering*: 16.78%
  • Policy violations: 14.97%
  • Multiple app installations: 13.98%

* Device, app, and/or location

Incognia’s results

A financial services enterprise reduced authentication costs by 30%

Reduced biometric authentication, which reduces costs and also user friction

Transaction

For transaction risk assessments, Incognia relies on a machine learning (ML) model which references hundreds of data points that change based on the specific transaction scenario. This means we can’t share specific numbers, so instead we’ve listed a few examples below to give you a sense of the kind of risk indicators our model considers:

Risk indicators

  • User involved in past fraud
  • Previous chargebacks
  • Tampering*

* Device, app, and/or location

How we turn transaction risk indicators into risk assessments

For each transaction, our ML model reviews hundreds of data points related to the user’s past transactions, location history, past fraud events, and device data. After this review, the model assigns the transaction a high, low, or unknown risk assessment.

High risk means the transaction is more likely to be fraudulent, and low risk means it’s more likely to be a legitimate transaction.

Incognia’s results

A food delivery app reduced payment fraud by 53%


Fraud Methods

In the previous section, we looked at the most common risk indicators for suspicious user activity. Often, these risk indicators are present because the user is actually trying to commit some type of fraud. Next, let’s look at a few specific methods that these fraudsters are using.

Device and app tampering

Device and app tampering are popular fraud methods.

Number of devices Incognia detected engaging in tampering in 2023


Device and app tampering are high indicators of risk. After all, how many regular users need to tamper with app code or hide their device IDs?

Tampering can be the first step of several fraud use cases:

Tampering Behavior → Fraudster's Goal

  • Delivery drivers spoofing location → Extend routes and inflate earnings
  • Cloning an app to create multiple accounts → Promo abuse or ban evasion
  • Jailbreaking or rooting → Manipulate signals shared with app, alter app functionality
  • Fraudster spoofing location → Defeat automated fraud prevention on logins/transactions from new location

Here are a few examples of red flags we detect that indicate app tampering:

  • App debugging
  • Code injection
  • Risky installation
  • Cloned app
  • Frida


Multi-Device Deception

In a 2023 analysis, our team identified that 35% of locations associated with fraud had multiple devices in them engaging in fraud.

This points to the fact that many fraudsters leverage multiple devices.

Because of this, cross-device fingerprinting is a must-have tool in the fraud fighter’s arsenal. It prevents fraudsters from simply switching to a new device or performing a factory reset in order to get back to their fraud scheme once their behavior is flagged.


Location spoofing

Where you are can be a powerful indicator of who you are—and who you aren’t. Fraudsters clearly understand this:

in a 30-day period between December 2023 and January 2024, we detected 1.07M devices spoofing location.


People tend to handle important account actions from a location they trust.

For example, in a 2021 analysis we found that 90% of logins on one fintech platform occurred from a trusted location.

When users suddenly start handling transactions away from Trusted Locations, that’s a higher risk indication to us that everything isn’t as it should be.

And even if a fraudster tried spoofing the location of a fraudulent device to make it look like it was at a Trusted Location, our solution wouldn’t be fooled. Incognia’s advanced location spoofing detection would flag that user as high risk.


Fraud trends to watch for in 2024

That’s a summary of what we saw in 2023, but in fraud prevention, looking ahead is just as important as learning from the past.

Here are our picks for attacks and tools to keep an eye out for in 2024:


Bypassing biometrics with app tampering

Fraudsters use app tampering to interfere with an app’s attempt to collect biometric data.

Step 1

A fraudster downloads onto their device an app tampering tool and the app they’re targeting.

Step 2

When faced with a biometric check on their target app (for example, a requirement to take a live selfie), they use the app tamperer to bypass the check by uploading an existing photo or video from their device, instead of using their camera in real time as intended.

Step 3

This process can be repeated to create fake accounts without detection. The same process can also enable ATO attacks, especially when used in combination with generative AI deepfakes.


Ghost hand attacks

Part social engineering, part remote access, ghost hand attacks involve a fraudster tricking a bank customer into installing malware on their device.

Step 1

A fraudster calls a bank customer pretending to be a bank representative, and asks them to download an app to review a recent suspicious transaction.

Step 2

Once the customer downloads the app (which is malicious), the fraudster remotely accesses their device and steals their real banking app credentials.

Step 3

Now having access to the victim's bank account, they reach their "ghost hand" into the victim's digital pockets, empty their accounts, and disappear.


Virtualization

What used to require a desktop emulator, fraudsters can now do with a virtualizer on a powerful smartphone. Virtualization is a type of app tampering in which fraudsters run apps in a virtualized environment so they can manipulate certain attributes.

Step 1

A fraudster downloads a virtualizer program to their device and uses it to run versions of their target apps.

Step 2

They use the virtualizer to tamper with the apps or change their device attributes.

Step 3

To avoid being identified and blocked, the fraudster uses the virtualized version of the app to mask information like their device ID.


Strategies to help you significantly reduce fraud in 2024

Put device and location first

  • Placing device and location signals at the beginning of risk and authentication flows can help you get in front of fraud.
  • Device integrity checks and location verification are accurate, frictionless, and cost-effective ways to filter out bad actors and seamlessly enable good users.
  • If these passive checks can give you a reliable risk signal that saves your platform from further fraud or abuse down the line, why not use that as a first line of defense in your user journey?

Ensure risk decisioning signals are trustworthy

  • As much as we keep tabs on them, fraudsters keep tabs on us and the types of tech and signals we’re using to track them.
  • To keep the fraud flowing, fraudsters tamper with devices, apps, location, and browsers, often in advanced ways.
  • Are you basing your decisions off of accurate data that hasn’t been manipulated? Make sure you can detect fraudster techniques like emulators, location spoofing, and app cloning. If you can’t, your data can’t be trusted.

Generate good friction

  • Our focus is usually on generating less friction. But sometimes friction is good, especially when it’s friction that stops fraudsters from wanting to join your platform. The goal is to find verification and authentication methods that introduce the most friction to the users you want the least: good friction for bad actors.
  • For example, requiring users to share geolocation in industries that leverage location data heavily, like food delivery or marketplaces, can be a passive check that presents a much bigger barrier for fraudsters than for any good users.
  • On average, 85% of users are willing to share their location when it will be used for fraud and security purposes.