Fraudsters are constantly developing new ways to up their game and escape detection — but fortunately, so are fraud prevention experts.
Some of the most resilient and accurate signals at our disposal today? Device and location.
Behaviors that identify legitimate and risky users and devices
Trending and new types of threats to watch in 2024
Strategies and tactics to stay ahead of the evolving fraud landscape
Throughout 2023, we used this powerful combination of signals to analyze 270M devices.
In 2023, we returned risk assessments for events like account creation, login, and transaction.
In 2023, our clients leveraged Incognia’s combination of device and location signals to prevent fraud across a number of industries.
By placing Incognia’s device and location signal as the first step in their fraud prevention, authentication, and user verification flows, our customers significantly reduced instances of fraud and the associated business impacts, while also reducing friction and operational costs from less reliable and more expensive signals, like 2FA.
In the Incognia delivery network in 2023
Fake accounts and payment fraud are fraudsters’ bread and butter across industries, and they’re very popular methods for fraudsters who target food and grocery delivery apps in particular.
When a bad actor is operating under an expendable fake account without their real name attached, they can commit fraud against a food delivery service without fear of meaningful consequences. A fake account may not seem like a big deal, but fake account creation is just the tip of the iceberg.
Some of the fraud types our team sees most frequently in this industry:
Driver fraud
Collusion
Chargebacks
In the Incognia financial services network in 2023
22.4M prevented
According to Security.org, in 2023 29% of US adults were victims of an account takeover (ATO). Social media accounts were the most vulnerable accounts, representing 53% of ATOs, but online banking followed close behind at 42%.
The consequences of ATOs are severe—Security.org also found that the average financial cost of a successful ATO attack is around $12,000.
1.6M prevented
Mule accounts are another big challenge right now for financial institutions, particularly given the rise of faster payments fraud; these accounts help fraudsters process fraudulent funds without revealing their true name or personal information. The account belongs to an individual who is recruited by the fraudster to help move illicit funds, often unwittingly.
If financial institutions want to prevent fraud, stopping mule accounts and ATO attacks is table stakes.
Across all 3.74B risk assessments, only 6.5% were assessed as a high risk for fraud.
For high risk events, here are some of the most common attributes and behaviors we saw at three different points in the flow:
Onboarding, Login and Transaction
For suspicious onboarding events, here’s how frequently each risk indicator appeared.
42.86% of risky onboarding events
32.86%
6.95%
6.24%
8.97%
A P2P marketplace reduced new user abandonment rate by 84%
For suspicious login events, here’s how frequently each risk indicator appeared.
20.22% of risky login events
18.72%
16.78%
14.97%
13.98%
A financial services enterprise reduced authentication costs by 30%
Reduced biometric authentication, which reduces costs and also user friction
For transaction risk assessments, Incognia relies on a machine learning (ML) model which references hundreds of data points that change based on the specific transaction scenario. This means we can’t share specific numbers, so instead we’ve listed a few examples below to give you a sense of the kind of risk indicators our model considers:
For each transaction, our ML model reviews hundreds of data points related to the user’s past transactions, location history, past fraud events, and device data. After this review, the model assigns the transaction a high, low, or unknown risk assessment.
High risk means the transaction is more likely to be fraudulent, and low risk means it’s more likely to be a legitimate transaction.
A food delivery app reduced payment fraud by 53%
In the previous section, we looked at the most common risk indicators for suspicious user activity. Often, these risk indicators are present because the user is actually trying to commit some type of fraud. Next, let’s look at a few specific methods that these fraudsters are using.
Device and app tampering are popular fraud methods.
Number of devices Incognia detected engaging in tampering in 2023
Device and app tampering are strong indicators of risk. After all, how many regular users need to tamper with app code or hide their device IDs?
Tampering can be the first step of several fraud use cases:
Tampering Behavior | Fraudster's Goal
Delivery drivers spoofing location | Extend routes and inflate earnings
Cloning an app to create multiple accounts | Promo abuse or ban evasion
Jailbreaking or rooting | Manipulate signals shared with app, alter app functionality
Fraudster spoofing location | Defeat automated fraud prevention on logins/transactions from new location
App debugging
Code injection
Risky installation
Cloned app
Frida
In a 2023 analysis, our team identified that 35% of locations associated with fraud had multiple devices in them engaging in fraud.
This points to the fact that many fraudsters leverage multiple devices.
Because of this, cross-device fingerprinting is a must-have tool in the fraud fighter’s arsenal. It prevents fraudsters from simply switching to a new device or performing a factory reset in order to get back to their fraud scheme once their behavior is flagged.
Where you are can be a powerful indicator of who you are—and who you aren’t. Fraudsters clearly understand this: in a 30-day period between December 2023 and January 2024, we detected 1.07M devices spoofing location.
People tend to handle important account actions from a location they trust.
For example, in a 2021 analysis we found that 90% of logins on one fintech platform occurred from a trusted location.
When users suddenly start handling transactions away from Trusted Locations, that’s a higher risk indication to us that everything isn’t as it should be.
And even if a fraudster tried location spoofing a fraudulent device to make it look like it was at a Trusted Location, our solution wouldn’t be fooled. Incognia’s advanced location spoofing detection would flag that user as high risk.
That’s a summary of what we saw in 2023, but in fraud prevention, looking ahead is just as important as learning from the past.
Here are our picks for attacks and tools to keep an eye out for in 2024:
Fraudsters use app tampering to interfere with an app’s attempt to collect biometric data.
A fraudster downloads onto their device an app tampering tool and the app they’re targeting.
When faced with a biometric check on their target app—for example, requirement to take a live selfie—they use the app tamperer to bypass the check by uploading an existing photo or video from their device, instead of using their camera in real-time as intended.
This process can be repeated to create fake accounts without detection. The same process can also enable ATO attacks, especially when used in combination with generative AI deepfakes.
Part social engineering, part remote access, ghost hand attacks involve a fraudster tricking a bank customer into installing malware on their device.
A fraudster calls a bank customer pretending to be a bank representative, and asks them to download an app to review a recent suspicious transaction.
Once the customer downloads the app (which is malicious), the fraudster remotely accesses their device and steals their real banking app credentials.
Now having access to the victim's bank account, they reach their "ghost hand" into the victim's digital pockets, empty their accounts, and disappear.
What used to require a desktop emulator, fraudsters can now do with a virtualizer on a powerful smartphone. Virtualization is a type of app tampering in which fraudsters run apps in a virtualized environment so they can manipulate certain attributes.
A fraudster downloads a virtualizer program to their device and uses it to run versions of their target apps.
They use the virtualizer to tamper with the apps or change their device attributes.
To avoid being identified and blocked, the fraudster uses the virtualized version of the app to mask information like their device ID.