TL;DR: Banks are facing APP fraud, impersonation scams, and remote-access abuse that traditional MFA and rules-based monitoring miss because the customer is genuine but manipulated, according to OneSpan. Behavioral and device intelligence are becoming the control layer that reveals intent, session anomalies, and device compromise.
At a glance
What this is: This is an analysis of why banks need device and behavioral intelligence to detect APP fraud that passes traditional authentication and transaction rules.
Why it matters: It matters because IAM, fraud, and banking security teams must now govern not just who authenticated, but how a session unfolded, whether the device was compromised, and whether the action reflected genuine intent.
By the numbers:
- Fraud detection and prevention spending by financial institutions is forecasted to surge by 85% by 2030, rising from $21 billion in 2025 to $39 billion in 2030.
- APP fraud is projected to result in global losses of US$331 billion by 2027.
- In the UK, 77% of APP fraud cases started online and 17% started through telecommunications networks.
- Investment scams caused US$5.7 billion in reported losses in 2024 alone, up 25% year-over-year.
👉 Read OneSpan's analysis of device and behavioral intelligence for banking fraud
Context
Banks have spent years hardening authentication and transaction rules, but APP fraud exposes a deeper governance gap in banking security: the customer can be real, the device can be familiar, and the payment can still be fraudulent. The problem is no longer simple account takeover; it is manipulated intent, coerced approval, and device-level interference.
For IAM, fraud, and digital banking teams, this shifts the control question from "did the user pass login" to "did the session, device, and decision path still look legitimate". That is why behavioral telemetry and device intelligence are moving from optional signals to core fraud controls.
The article’s starting position is typical for many banks: strong on authentication and weaker on session and device context. That gap is exactly where modern impersonation and remote-access fraud now operates.
Key questions
Q: How should banks detect APP fraud when the customer is the one authorizing the payment?
A: Banks should look beyond authentication and inspect the full session path. If the user is genuine but coerced or remotely coached, the clues appear in pacing, navigation, recent contact, and device state. Detection works best when behavioural scoring and device intelligence are evaluated before the transfer is completed, not after settlement.
Q: Why do MFA and transaction rules fail against impersonation scams?
A: MFA proves that the account holder authenticated, but it does not prove the payment reflected genuine intent. Transaction rules also fail when the amount, recipient, and device look ordinary. Impersonation scams exploit that gap by manipulating the user in real time, so the control problem is session legitimacy rather than login legitimacy.
Q: What signals indicate a banking session may be under remote control?
A: Look for interaction patterns that are too precise, too fast, or too programmatic for a human session, especially when paired with overlays, remote-access apps, unusual permissions, or screen-sharing behaviour. Remote control often shows up as a mismatch between normal user cadence and what the device is doing on screen.
Q: Who is accountable when behavioral monitoring is used to stop fraudulent transfers?
A: Accountability typically sits across fraud, IAM, and digital banking governance because the control spans identity, device, and transaction approval. If a bank relies on behavioural intelligence, it must define who owns tuning, escalation, exception handling, and regulatory evidence so that missed fraud is not treated as an ambiguous control boundary.
Technical breakdown
Why MFA and transaction rules miss APP fraud
APP fraud is structurally different from classic account takeover. In APP cases, the customer often authenticates successfully and approves the transfer themselves, but they do so under deception, coercion, or remote influence. MFA proves authentication, not intent. Static rules catch obvious anomalies, but they struggle when the user is genuine, the device is familiar, and the transfer looks normal in isolation. That is why rule sets built around amount thresholds or recipient risk often miss coached payments and real-time social engineering.
Practical implication: supplement login and transaction rules with session-level signals that can distinguish genuine consent from manipulated approval.
Behavioral identity models in banking sessions
Behavioral analytics in fraud prevention learns how a user normally interacts during a banking session and compares live activity against that baseline. Signals such as typing cadence, screen navigation patterns, pauses, backtracking, and touch or mouse movement help reveal coaching, stress, or remote control. The useful idea is not biometrics alone, but behavioural identity: the session itself becomes evidence. When those signals are combined with known fraudster patterns, banks can detect when the customer’s actions no longer match authentic intent.
Practical implication: build real-time behavioural scoring into transaction journeys so suspicious pacing, navigation, and interaction patterns can trigger intervention before payment completion.
Device risk intelligence and malware-driven manipulation
Device intelligence extends the model beyond the user to the endpoint. Mobile fraud increasingly depends on overlays, remote-access trojans, accessibility abuse, side-loaded apps, and live screen-sharing tools that alter what the customer sees or controls. A device may still pass basic security checks while being actively manipulated. By monitoring for active remote sessions, overlay behaviour, abnormal permissions, proxy use, and location mismatch, banks can detect the hidden layer that transaction monitoring cannot see.
Practical implication: ingest device telemetry into fraud decisioning so endpoint compromise and remote manipulation become visible alongside session behaviour.
Breaches seen in the wild
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
- GitLocker GitHub extortion campaign — GitLocker used stolen credentials to hijack GitHub repositories.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Authentication is no longer the decisive trust event in digital banking. APP fraud succeeds because the customer can satisfy MFA, log in on a familiar device, and still be acting under external control. That means the old trust model, which equates successful authentication with legitimate intent, has stopped being reliable for payment approval. Practitioners should treat authentication as entry control, not proof of payment legitimacy.
Behavioral identity is becoming the missing control plane for payment decisions. The article’s strongest point is that fraud is now visible in pacing, sequencing, hesitation, and interaction style, not just in transaction attributes. This aligns with NIST CSF 2.0’s emphasis on detect and respond functions, but the operational lesson is broader: if the session does not look like the customer, the payment should not be treated like the customer’s choice.
Device and behavioral intelligence form a single fraud boundary, not two separate tools. A remote-access app, overlay, or accessibility-abuse chain can make a genuine user look fraudulent or a fraudulent actor look genuine. The named concept here is coerced-session fraud: a legitimate authentication event that becomes compromised when the decision path is manipulated before authorization. Banks should now govern the session path, not just the transaction outcome.
Regulatory pressure is turning behavioral monitoring into baseline governance. The article points to European PSR and PSD3 direction as a sign that device and behavioural intelligence will become expected controls rather than differentiators. For banks, that means fraud prevention is converging with access governance, because the evidence required to justify a transfer now includes human behaviour, device state, and situational context. Practitioners should prepare for control expectations that extend beyond authentication artefacts.
The governance gap is not visibility alone, but context continuity. Traditional controls observe discrete events. Modern APP fraud unfolds across calls, apps, devices, and sessions, so the real failure is losing the thread between those events. Banks that cannot correlate external contact, session behaviour, and device risk will continue to see real customers as clean while fraud slips through. Practitioners should redesign controls around the full user journey.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- For the broader identity control picture, see NHI Lifecycle Management Guide for how visibility, rotation, and offboarding close persistent identity gaps.
What this signals
Coerced-session fraud: the next control gap is not login compromise but decision compromise, where a legitimate user authorises a payment under pressure or remote guidance. Banks that only score account or device events will keep missing the point, because the fraud happens in the sequence between trust establishment and final consent.
The practical shift for programmes is toward continuous context stitching. That means tying together authentication, behavioural patterns, device telemetry, and recent external contact so fraud teams can see the whole path to authorisation. Where this is weak, the bank is still operating with event-based security in a journey-based threat model.
For governance teams, this points to a broader identity lesson that also applies outside banking: once an actor can be manipulated in-session, security has to measure intent, not just access. The same pattern will shape NHI and autonomous governance as systems become more interactive and less deterministic.
For practitioners
- Correlate session behaviour with payment approval: Track typing cadence, navigation paths, pauses, and backtracking during transfer journeys, then compare them with historical user baselines before approving high-risk payments.
- Add device-state telemetry to fraud decisions: Feed signals for overlays, remote-access tools, side-loaded apps, accessibility abuse, proxy use, and location mismatch into the same risk engine that evaluates the transaction.
- Treat external contact as a fraud signal: Ingest recent inbound calls, messaging, or screen-sharing activity as part of the payment decision path when the customer is about to authorise a transfer.
- Tune interventions to the stage of coercion: Use softer friction for low-confidence anomalies and stronger intervention when the session shows coached pacing or live remote control before the transfer is finalised.
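The four practitioner steps above, together with the remote-control signals described in the key questions and the behavioural and device intelligence sections of the technical breakdown, describe one decision engine: compare live session pacing and navigation with the customer's own baseline, add device-state and recent-contact flags, and choose an intervention proportionate to the evidence before the transfer completes. The following Python sketch is an added example written for this page; it is not OneSpan's or NHIMG's code. The signal names, weights, thresholds, baseline values and sample sessions are all constructed assumptions chosen to make the tiers visible; a production engine would learn baselines per customer and tune weights from labelled fraud outcomes.

```python
"""Coerced-session risk scoring: an added, illustrative example (not OneSpan's or
NHIMG's code). Signal names, weights, thresholds and sample data are assumptions."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass
class Baseline:
    """Per-customer historical profile (constructed sample values)."""
    mean_keystroke_ms: float      # typical gap between keystrokes
    min_keystroke_sd_ms: float    # human typing is never perfectly regular
    typical_path: List[str]       # usual screen sequence for a transfer
    typical_decision_s: float     # usual time from amount entry to confirm


@dataclass
class Session:
    """Live telemetry for one transfer journey (constructed sample values)."""
    keystroke_gaps_ms: List[float]
    path: List[str]
    decision_s: float
    backtracks: int
    new_payee: bool
    device: Dict[str, bool] = field(default_factory=dict)  # device-intelligence flags
    minutes_since_inbound_call: Optional[float] = None      # recent external contact


# Assumed weights; hard device flags force the strongest intervention regardless of score.
WEIGHTS = {
    "programmatic_input": 30, "coached_pacing": 20, "atypical_path_new_payee": 15,
    "remote_access_app": 40, "overlay_active": 40, "accessibility_service_unknown": 25,
    "sideloaded_banking_app": 20, "proxy_or_vpn": 10, "location_mismatch": 10,
    "recent_inbound_call": 25,
}
HARD_FLAGS = {"remote_access_app", "overlay_active"}


def behavioural_indicators(s: Session, b: Baseline) -> List[str]:
    """Compare live pacing and navigation with the customer's own baseline."""
    hits: List[str] = []
    if s.keystroke_gaps_ms:
        m, sd = mean(s.keystroke_gaps_ms), pstdev(s.keystroke_gaps_ms)
        # Too regular or too fast for this person: scripted or remotely driven input
        if sd < b.min_keystroke_sd_ms or m < 0.4 * b.mean_keystroke_ms:
            hits.append("programmatic_input")
    # Coached users hesitate, re-read instructions and go back; pacing stretches out
    if s.decision_s > 3 * b.typical_decision_s or s.backtracks >= 2:
        hits.append("coached_pacing")
    # A new payee reached by an unfamiliar route (e.g. no account or history view first)
    if s.new_payee and s.path != b.typical_path:
        hits.append("atypical_path_new_payee")
    return hits


def device_indicators(s: Session) -> List[str]:
    """Endpoint state that can alter what the customer sees or controls."""
    return [f for f in ("remote_access_app", "overlay_active",
                        "accessibility_service_unknown", "sideloaded_banking_app",
                        "proxy_or_vpn", "location_mismatch") if s.device.get(f)]


def context_indicators(s: Session) -> List[str]:
    """Recent inbound contact is the classic set-up for an impersonation scam."""
    recent = s.minutes_since_inbound_call
    return ["recent_inbound_call"] if recent is not None and recent <= 30 else []


def score_session(s: Session, b: Baseline) -> dict:
    """Stitch behaviour, device and context into one pre-authorisation decision."""
    indicators = behavioural_indicators(s, b) + device_indicators(s) + context_indicators(s)
    score = sum(WEIGHTS[i] for i in indicators)
    if score >= 60 or HARD_FLAGS & set(indicators):
        action = "hold_and_callback"          # strong: pause transfer, verified callback
    elif score >= 25:
        action = "warn_and_confirm_intent"    # soft friction: scam warning + re-confirm
    else:
        action = "allow"
    return {"score": score, "indicators": indicators, "action": action}


# Constructed baseline and four sample sessions for the same customer.
BASELINE = Baseline(180, 25, ["home", "accounts", "transfer", "review", "confirm"], 20)
GENUINE = Session([150, 210, 170, 260, 140, 190, 230], list(BASELINE.typical_path), 18, 0, False)
LOW_CONFIDENCE = Session([150, 210, 170, 260, 140, 190, 230],
                         ["home", "transfer", "new_payee", "transfer", "review", "confirm"],
                         25, 1, True, {"proxy_or_vpn": True})
COACHED = Session([170, 240, 160, 310, 150, 200, 280],
                  ["home", "transfer", "new_payee", "transfer", "review", "confirm"],
                  95, 3, True, {}, 12)
REMOTE_CONTROLLED = Session([120, 121, 119, 120, 122, 120, 121], list(BASELINE.typical_path),
                            6, 0, True, {"remote_access_app": True, "overlay_active": True})

if __name__ == "__main__":
    for name, sess in [("genuine", GENUINE), ("low_confidence", LOW_CONFIDENCE),
                       ("coached", COACHED), ("remote_controlled", REMOTE_CONTROLLED)]:
        print(name, score_session(sess, BASELINE))
```

The genuine session scores zero and is allowed; a new payee reached by an unusual route on a VPN only earns soft friction; the coached session (slow, backtracking, new payee, inbound call twelve minutes earlier) and the remote-controlled session (machine-regular keystrokes plus an active remote-access app and overlay) both pause the transfer for a verified callback. The point is that none of these sessions would fail MFA, and two of them would pass amount and recipient rules; the evidence sits in the path to authorisation.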
Key takeaways
- APP fraud now bypasses many bank controls because the customer can be authentic while the intent is compromised.
- Behavioural and device signals matter because the decisive evidence often sits in session pacing, device manipulation, and recent external contact.
- Banks need to govern the full payment journey, not just authentication and transaction thresholds, if they want to limit coached and remote-access fraud.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM | Behavioral and device signals improve continuous monitoring for fraud sessions. |
| NIST SP 800-63 | Digital Identity Guidelines | Strong auth still matters, but it cannot prove transaction intent. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust requires ongoing verification of context, not one-time login trust. |
Expand monitoring to include session behaviour and device telemetry alongside transaction rules.
Key terms
- Authorized Push Payment Fraud: A payment fraud pattern where the real customer authorises the transfer, but does so because of deception, coercion, or manipulation. The payment is legitimate at the channel level and fraudulent at the intent level, which makes it hard for authentication and transaction rules to detect.
- Behavioral Identity: A risk model that evaluates how a person interacts during a session rather than relying only on credentials or device reputation. In banking, it uses timing, cadence, navigation, and interaction style to determine whether the live session matches the expected user pattern.
- Device Risk Intelligence: Signals derived from the state and behaviour of the endpoint that may affect trust in a transaction. It includes malware, overlays, remote access tools, screen-sharing, permission abuse, and environment anomalies that can change what the user sees or controls.
- Coerced Session: A live session in which a genuine user is being guided, pressured, or remotely manipulated into taking actions they would not otherwise choose. The identity is valid, but the decision path is not independent, which makes this a governance and detection problem, not just an authentication one.
Deepen your knowledge
Behavioral analytics and device intelligence for banking fraud are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is extending identity governance into session and device risk, it is worth exploring.
This post draws on content published by OneSpan: Beyond authentication, why device and behavioral intelligence are now non-negotiable for banks. Read the original.
Published by the NHIMG editorial team on 2026-01-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org