By NHI Mgmt Group Editorial Team
Published 2026-01-15
Domain: Governance & Risk
Source: OneSpan

TL;DR: Banks are expected to add behavioral intelligence and device-risk signals because APP fraud, voice phishing, and remote-access scams can pass MFA, device fingerprinting, and rules-based transaction monitoring while still appearing legitimate, according to OneSpan. Static fraud controls are no longer enough when real customers and compromised devices are part of the attack path.


At a glance

What this is: This is a banking fraud analysis arguing that behavioral intelligence and client-device risk signals are now necessary because transaction-level controls miss APP scams and remote-access fraud.

Why it matters: IAM, fraud, and identity teams should read this as a shift from authenticating the user to verifying session intent, device state, and behavioural consistency across human and non-human transaction journeys.



Context

Banks usually think about fraud as a problem of weak authentication or suspicious transactions, but APP fraud breaks that model because a legitimate customer can be manipulated into authorising the payment. In that environment, the primary identity problem is not whether the user is real, but whether the session reflects genuine intent and an uncompromised device.

Behavioral intelligence and device risk turn the focus from static checks to live session evidence. That matters for human IAM, because the same identity can be authentic and still act under coercion, and it matters for NHI governance because banks increasingly need machine-readable signals that can be evaluated continuously during an active transaction.

The article's starting point is typical for digital banking: strong controls exist on paper, but they are tuned to stop impostors, not to detect legitimate users being steered by fraudsters. That mismatch is now a structural governance gap rather than a tuning issue.


Key questions

Q: Why do traditional fraud controls miss APP scams even when MFA succeeds?

A: Because MFA proves that the user authenticated, not that the payment decision was genuine. APP scams succeed when a real customer is coached, pressured, or remotely controlled into approving the transaction. The login looks valid, the device may look familiar, and the rules engine sees an authorised transfer, but none of those signals prove authentic intent.

Q: How should banks combine behavioral intelligence with device-risk signals?

A: Banks should score the session as a whole, not the transaction in isolation. Behavioral patterns show whether the customer is being guided, rushed, or controlled, while device-risk telemetry shows whether the endpoint is manipulated by overlays, malware, or remote access. Used together, those signals tell a more accurate story than transaction rules alone.

Q: What signals indicate that a banking session is likely being manipulated?

A: Common indicators include unusually slow step-by-step navigation, repeated hesitation or backtracking, precise and rapid device interactions that do not match the user baseline, active screen sharing, overlay behaviour, and a live call occurring during the payment flow. One signal alone is not proof, but the combination should raise fraud confidence quickly.

Q: Who is accountable when a customer is tricked into authorising a fraudulent payment?

A: Accountability is shared across fraud operations, digital banking, and control owners, because the failure is usually one of detection design rather than a single missing control. Regulators increasingly expect banks to show they can identify coercion, device compromise, and anomalous behaviour during the transaction lifecycle, not after the loss is settled.


Technical breakdown

Why rules-based transaction monitoring misses APP fraud

Rules-based fraud controls work well when the attacker is trying to look abnormal. APP fraud is different because the transaction can be technically valid: the customer logs in, passes MFA, uses a familiar device, and authorises the payment themselves. The failure is contextual. The system sees a permitted action, but not the coercion, guidance, or device manipulation that shaped the decision. That is why amount thresholds, new payee rules, and geography checks catch only part of the problem. They detect anomalies in the payment object, not the behavioural chain that produced it.

Practical implication: fraud teams need session-level evidence that captures how the payment was made, not just whether the payment matched a rules profile.

Behavioral intelligence as a session-authentication layer

Behavioral intelligence in this context means learning the normal patterns of a user across a session, then comparing current cadence, navigation, pauses, corrections, and interaction rhythm against that baseline. It does not replace authentication; it adds a second layer that helps distinguish a confident self-directed session from one driven by pressure or step-by-step instruction. This is especially relevant when the same user, same device, and same credentials are present in both legitimate and fraudulent scenarios. The differentiator is sequence and tempo, not identity proof alone.

Practical implication: model user interaction baselines at the session level and feed deviations into real-time fraud decisions before authorisation completes.

Device risk signals reveal manipulated endpoints

Device intelligence extends the view beyond human behaviour into endpoint condition. Overlays, remote-access tools, accessibility abuse, active screen sharing, and mobile malware can all create a false sense of normal banking activity while the device is being steered by an attacker. In banking fraud, device state is often the missing control plane because the transaction may originate from a trusted endpoint that is no longer trustworthy. When endpoint manipulation is visible, the fraud model can stop treating a successful login as evidence of legitimate intent.

Practical implication: combine device telemetry with behavioural signals so the fraud decision can reflect compromise, not just authentication success.


Threat narrative

Attacker objective: The attacker wants to obtain an authorised payment that looks legitimate to the bank while bypassing conventional fraud detection.

  1. Entry: The attacker establishes trust through a phone call or messaging contact that impersonates bank fraud staff or another trusted party.
  2. Credential harvested: The victim is guided to log in, approve a transfer, or install a remote-access tool that gives the attacker live control of the session.
  3. Escalation: The fraudster manipulates the screen, inputs, or device state to shape the authorisation path while keeping the transaction looking legitimate.
  4. Impact: Funds are transferred under valid credentials and apparent customer approval, making the fraud invisible to rules-based monitoring alone.



NHI Mgmt Group analysis

Behavioral identity is now part of payment governance, not just fraud tuning. The article shows that banks can authenticate a customer and still miss the fact that the customer is being directed by an attacker. That means the identity event is no longer the login alone, but the interaction pattern that leads to authorisation. Practitioners should treat behaviour as a control surface, not a post-event signal.

Device compromise turns legitimate identity into an attack vector. The important shift here is that fraud no longer depends on stealing the account first. A compromised phone, overlay, or remote-access session can keep the credentials valid while changing the meaning of the action. That is why device telemetry belongs alongside identity assurance and transaction approval in the same governance model.

Behavioral intelligence is a named control gap, not an optional enhancement. The article makes clear that static rules cannot see guided navigation, pressure-driven hesitation, or remote control. Those are not edge cases, they are the failure mode. The implication is that banks need to reclassify behavioural analysis from a differentiator into a baseline requirement for digital payment oversight.

Intent verification is the real boundary, and current controls were built for authenticity verification. MFA, device fingerprinting, and sanctions-style transaction checks all answer whether the user is known and the payment is allowed. They do not answer whether the decision was autonomous, coerced, or machine-mediated. Practitioners should recognise that the control objective has changed, even if the authentication stack has not.

Identity blast radius now includes the customer session itself. Once a fraudster can steer the session, every downstream approval becomes part of the compromise path. That broadens the governance problem from account access to session integrity, device trust, and decision provenance. Teams should design fraud programmes around that wider blast radius, not around isolated transaction events.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, which shows how often policy assurance diverges from real operational behaviour.
  • That same gap is why behavioural evidence matters here too, and why the CI/CD pipeline exploitation case study is a useful next read for teams connecting identity, device, and session trust.

What this signals

Behavioral identity is becoming a governance requirement for banks that want to separate valid authentication from coerced authorisation. The practical shift is from transaction screening to session assurance, which means teams will need fraud telemetry, identity telemetry, and endpoint telemetry to land in the same decision path.

OneSpan's analysis also points to a broader control-plane problem: static rules are weakest exactly where human manipulation is strongest. The more the user is guided in real time, the less effective amount and destination thresholds become. That makes behavioural baselines and device signals the operational hinge for modern digital banking fraud programmes.

With 27 days as the average remediation time for a leaked secret in our research, banks and security teams should assume that visibility gaps persist long enough for fraud patterns to compound. The programme question is no longer whether to add behavioural signals, but how quickly they can be wired into live decisioning without creating unusable false positives.


For practitioners

  • Instrument session-level behavior baselines: Measure typing cadence, navigation rhythm, pause patterns, backtracking, and step timing so fraud models can spot guided or coerced activity before a transfer completes.
  • Fuse device telemetry with authorisation decisions: Feed overlay detection, remote-access indicators, accessibility abuse, and active screen-sharing signals into the same risk engine that scores the payment request.
  • Treat new payees as context, not proof: Use destination, amount, and country as supporting signals only, because legitimate transfers can still be fraudulent when the customer is being manipulated.
  • Add fraud workflows for live coercion events: Escalate when external contact, especially a live call, appears immediately before or during a high-risk session so analysts can intervene before authorisation closure.
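The session-level scoring described in the technical breakdown (behavioural deviation from a per-user baseline, fused with device-risk telemetry and a live-call indicator) and in the practitioner list above, written out as an added example. This is not OneSpan's or NHI Mgmt Group's code; the metric names, weights, thresholds and sample sessions are constructed assumptions chosen to illustrate the decision logic, including the point that a single signal should trigger step-up rather than a hold.

```python
"""Session-risk scorer combining behavioural deviation and device telemetry.

Added example, not code from OneSpan or NHI Mgmt Group. Every metric name,
weight, threshold and sample session below is a constructed assumption.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Baseline:
    """Per-user (mean, stdev) of each interaction metric over past sessions."""
    step_seconds: tuple   # seconds spent on each payment step
    backtracks: tuple     # 'back' navigations per session
    keystroke_ms: tuple   # mean inter-keystroke interval in milliseconds


def learn_baseline(history):
    """Learn a Baseline from prior legitimate session metrics (constructed data)."""
    def stats(key):
        values = [s[key] for s in history]
        return (mean(values), max(pstdev(values), 0.1))  # floor avoids divide-by-zero
    return Baseline(stats("step_seconds"), stats("backtracks"), stats("keystroke_ms"))


def zscore(value, stat):
    """Standard score of a live metric against the user's (mean, stdev)."""
    m, sd = stat
    return (value - m) / sd


# Device-risk indicators and their weights (assumed values, not a vendor scale).
DEVICE_WEIGHTS = {
    "overlay_detected": 40,
    "remote_access_tool": 45,
    "screen_sharing_active": 35,
    "accessibility_service_abuse": 30,
}

STEP_UP_AT, HOLD_AT = 30, 60   # assumed decision thresholds


def score_session(session, baseline):
    """Score one live session before authorisation completes.

    Returns {"score", "decision", "reasons"}; decision is "allow",
    "step_up" (out-of-band confirmation) or "hold" (analyst review).
    """
    score, reasons = 0, []

    # Behavioural deviation from the user's own baseline (sequence and tempo).
    if zscore(session["step_seconds"], baseline.step_seconds) > 2:
        score += 20
        reasons.append("steps much slower than baseline: possible guided navigation")
    if zscore(session["backtracks"], baseline.backtracks) > 2:
        score += 15
        reasons.append("repeated backtracking: hesitation under instruction")
    z_key = zscore(session["keystroke_ms"], baseline.keystroke_ms)
    if z_key < -2:
        score += 25
        reasons.append("input faster and more uniform than baseline: possible remote control")
    elif z_key > 2:
        score += 25
        reasons.append("input much slower than baseline: possible dictated entry")

    # Endpoint condition: a trusted device that is no longer trustworthy.
    for signal, weight in DEVICE_WEIGHTS.items():
        if session["device"].get(signal):
            score += weight
            reasons.append(f"device signal: {signal}")

    # External contact during the payment flow.
    if session.get("live_call_in_progress"):
        score += 20
        reasons.append("live call in progress during payment flow")

    if score >= HOLD_AT:
        decision = "hold"
    elif score >= STEP_UP_AT:
        decision = "step_up"
    else:
        decision = "allow"
    return {"score": score, "decision": decision, "reasons": reasons}


# Constructed sample data: five past sessions and three live sessions.
HISTORY = [
    {"step_seconds": 12, "backtracks": 0, "keystroke_ms": 180},
    {"step_seconds": 14, "backtracks": 1, "keystroke_ms": 200},
    {"step_seconds": 11, "backtracks": 0, "keystroke_ms": 170},
    {"step_seconds": 13, "backtracks": 1, "keystroke_ms": 190},
    {"step_seconds": 15, "backtracks": 0, "keystroke_ms": 210},
]
BASELINE = learn_baseline(HISTORY)

SELF_DIRECTED = {"step_seconds": 14, "backtracks": 1, "keystroke_ms": 185,
                 "device": {}, "live_call_in_progress": False}
SINGLE_SIGNAL = {"step_seconds": 13, "backtracks": 0, "keystroke_ms": 190,
                 "device": {"remote_access_tool": True}, "live_call_in_progress": False}
COERCED = {"step_seconds": 45, "backtracks": 4, "keystroke_ms": 60,
           "device": {"remote_access_tool": True, "screen_sharing_active": True},
           "live_call_in_progress": True}

if __name__ == "__main__":
    for name, s in [("self-directed", SELF_DIRECTED), ("single signal", SINGLE_SIGNAL), ("coerced", COERCED)]:
        r = score_session(s, BASELINE)
        print(f"{name}: {r['decision']} (score {r['score']})", *r["reasons"], sep="\n  ")
```

The baseline is learned per user, so the same absolute step time can be normal for one customer and anomalous for another; a single strong device signal (remote-access tool alone) lands in step-up, while the combination of slow guided steps, backtracking, machine-like input cadence, remote access and a live call crosses the hold threshold and goes to an analyst before authorisation closes.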

Key takeaways

  • APP fraud bypasses conventional fraud controls because the customer can authenticate successfully while still acting under coercion or remote control.
  • Behavioral cadence, device telemetry, and session context are now the deciding signals for separating legitimate banking activity from manipulated payment flows.
  • Banks that keep relying on transaction rules alone will miss the attack path that starts with trust and ends with authorised loss.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Identity proofing and access decisions matter when valid auth hides coercion.
NIST CSF 2.0 | DE.CM-7 | Continuous monitoring is needed for live banking sessions and device manipulation.
NIST Zero Trust (SP 800-207) | SP 800-207 | Zero trust requires continuous verification across the full transaction session.

Monitor sessions continuously for anomalous behaviour, overlays, and remote-access indicators.


Key terms

  • Behavioral Intelligence: Behavioral intelligence is the use of session patterns to judge whether an action looks normal for a specific user. In banking, it compares cadence, navigation, pauses, and correction patterns against prior sessions to detect coercion, guidance, or automation that authentication alone cannot reveal.
  • Device Risk Intelligence: Device risk intelligence is telemetry that assesses whether an endpoint is healthy enough to trust during an identity event. It includes signals such as overlays, malware, remote-access tooling, accessibility abuse, and unusual connectivity, all of which can change the meaning of an otherwise valid transaction.
  • Authorized Push Payment Fraud: Authorized push payment fraud is a scam in which the victim personally approves the payment, but does so under deception, pressure, or manipulation. The transaction is therefore authorised in form, while the intent behind it is fraudulent, which makes traditional rules-based detection incomplete.
  • Session Assurance: Session assurance is the practice of continuously evaluating whether an active digital session still matches the expected identity, device, and behaviour profile. It goes beyond login verification and asks whether the current interaction still deserves to remain trusted before a payment or privilege change is completed.

Deepen your knowledge

Behavioral intelligence and device-risk analysis are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building identity and session governance for high-risk digital transactions, it is worth exploring.

This post draws on content published by OneSpan: Why behavioral intelligence and client-device intelligence are now non-negotiable for banks.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org