TL;DR: Banks are expected to add behavioral intelligence and device-risk signals because APP fraud, voice phishing, and remote-access scams can pass MFA, device fingerprinting, and rules-based transaction monitoring while still appearing legitimate, according to OneSpan. Static fraud controls are no longer enough when real customers and compromised devices are part of the attack path.
NHIMG editorial — based on content published by OneSpan: Why behavioral intelligence and client-device intelligence are now non-negotiable for banks
By the numbers:
- Fraud detection and prevention spending is projected to rise 85% by 2030, from 21 billion dollars in 2025 to 39 billion dollars in 2030.
- In the UK, 77% of APP fraud cases started online and 17% began through telecommunications networks.
Questions worth separating out
Q: Why do traditional fraud controls miss APP scams even when MFA succeeds?
A: Because MFA proves that the user authenticated, not that the payment decision was genuine.
Q: How should banks combine behavioral intelligence with device-risk signals?
A: Banks should score the session as a whole, not the transaction in isolation.
Q: What signals indicate that a banking session is likely being manipulated?
A: Common indicators include unusually slow step-by-step navigation, repeated hesitation or backtracking, precise and rapid device interactions that do not match the user baseline, active screen sharing, overlay behaviour, and a live call occurring during the payment flow.
Practitioner guidance
- Instrument session-level behavior baselines: Measure typing cadence, navigation rhythm, pause patterns, backtracking, and step timing so fraud models can spot guided or coerced activity before a transfer completes.
- Fuse device telemetry with authorisation decisions: Feed overlay detection, remote-access indicators, accessibility abuse, and active screen-sharing signals into the same risk engine that scores the payment request.
- Treat new payees as context, not proof: Use destination, amount, and country as supporting signals only, because legitimate transfers can still be fraudulent when the customer is being manipulated.
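As an added example (not OneSpan's code and not the Fraud Risk Suite logic the source describes), the Python below sketches how the three guidance points above and the manipulation indicators from the Q&A fit into one session-level risk engine: behavioural drift against a per-customer baseline, device-risk flags fed into the same score as the payment request, and new-payee and cross-border context that is weighted but cannot trigger an intervention on its own. All signal names, weights, thresholds, decision bands and sample telemetry are constructed assumptions for illustration.

```python
"""Session-level fraud scoring that fuses behavioural and device-risk signals.

Constructed example: signal names, weights and thresholds are assumptions,
not any vendor's production logic.
"""
from dataclasses import dataclass
from statistics import mean, median


@dataclass
class Baseline:
    """Per-customer behavioural baseline learned from prior genuine sessions."""
    step_seconds: float          # typical seconds spent on each step of a payment flow
    key_interval_ms: float       # typical interval between keystrokes
    backtracks_per_session: float


@dataclass
class Session:
    """Telemetry for the session that led up to a payment request."""
    step_times: list             # seconds spent on each step of the payment flow
    key_intervals_ms: list       # observed keystroke intervals
    backtracks: int              # times the user went back a step
    screen_share_active: bool
    overlay_detected: bool
    remote_access_indicator: bool
    accessibility_abuse: bool
    call_in_progress: bool       # a live call during the payment flow
    new_payee: bool
    payee_country: str
    home_country: str


def behavioural_findings(s: Session, b: Baseline) -> list:
    """Compare the session against the customer's own baseline."""
    findings = []
    # A coached or coerced customer moves far more slowly than usual.
    if s.step_times and median(s.step_times) > 2.5 * b.step_seconds:
        findings.append(("slow_guided_navigation", 30))
    # Hesitation and backtracking well beyond the customer's norm.
    if s.backtracks > b.backtracks_per_session + 2:
        findings.append(("repeated_backtracking", 15))
    # Input that is much faster and more uniform than the baseline points
    # to a machine or a remote operator rather than the customer.
    if len(s.key_intervals_ms) >= 5:
        spread = max(s.key_intervals_ms) - min(s.key_intervals_ms)
        if (mean(s.key_intervals_ms) < 0.4 * b.key_interval_ms
                and spread < 0.1 * b.key_interval_ms):
            findings.append(("machine_like_input", 35))
    if s.call_in_progress:
        findings.append(("call_during_payment", 20))
    return findings


def device_findings(s: Session) -> list:
    """Device telemetry scored by the same engine as the payment request."""
    flags = [
        ("screen_share_active", s.screen_share_active, 35),
        ("overlay_detected", s.overlay_detected, 40),
        ("remote_access_indicator", s.remote_access_indicator, 40),
        ("accessibility_abuse", s.accessibility_abuse, 30),
    ]
    return [(name, weight) for name, present, weight in flags if present]


def context_findings(s: Session) -> list:
    """Supporting signals only: new payee or destination country."""
    ctx = []
    if s.new_payee:
        ctx.append(("new_payee", 10))
    if s.payee_country != s.home_country:
        ctx.append(("cross_border", 10))
    return ctx


def score_session(s: Session, b: Baseline) -> dict:
    """Score the whole session; context counts only alongside a primary signal."""
    primary = behavioural_findings(s, b) + device_findings(s)
    context = context_findings(s) if primary else []
    score = sum(w for _, w in primary) + min(sum(w for _, w in context), 20)
    score = min(score, 100)
    if score >= 60:
        decision = "hold_and_contact"      # pause the payment, reach the customer out of band
    elif score >= 30:
        decision = "step_up_with_scam_warning"
    else:
        decision = "allow"
    return {"score": score, "decision": decision,
            "reasons": [n for n, _ in primary + context]}


# Constructed sample baseline and sessions (not real customer data).
BASELINE = Baseline(step_seconds=4.0, key_interval_ms=180.0, backtracks_per_session=1.0)

# Genuine first payment to a new payee: behaviour matches baseline, clean device.
GENUINE = Session([3, 4, 5, 3], [150, 200, 170, 190, 160], 1, False, False, False,
                  False, False, True, "GB", "GB")
# Voice-phishing scenario: slow, hesitant, on a call, screen shared, new payee abroad.
COACHED = Session([12, 15, 9, 14], [160, 190, 175, 180, 170], 4, True, False, False,
                  False, True, True, "ES", "GB")
# Remote-access scenario: normal pace but machine-like input and a RAT indicator.
REMOTE = Session([3, 4, 4, 3], [60, 62, 61, 60, 63], 1, False, False, True,
                 False, False, False, "GB", "GB")

if __name__ == "__main__":
    for label, sess in (("genuine", GENUINE), ("coached", COACHED), ("remote", REMOTE)):
        print(label, score_session(sess, BASELINE))
```

The point the genuine case makes is the third guidance item: a new payee on its own produces no findings and an allow decision, while the same context adds weight once a behavioural or device signal is present. Weights and bands would be tuned against a bank's own labelled sessions.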
What's in the full article
OneSpan's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of APP fraud and voice-phishing flows that show how the session is steered in real time.
- The specific fraud-risk signals used by Fraud Risk Suite, including device rotation, tap cadence, and navigation patterns.
- Examples of overlay, RAT, and accessibility-abuse behaviour that banks can map into detection logic.
- A regulatory discussion of why behavioural analysis is moving from optional enhancement to expected control.
👉 Read OneSpan's analysis of behavioral intelligence and client-device risk in banking fraud →
Behavioral intelligence in banking fraud controls: what changes now?
Explore further
Behavioral identity is now part of payment governance, not just fraud tuning. The article shows that banks can authenticate a customer and still miss the fact that the customer is being directed by an attacker. That means the identity event is no longer the login alone, but the interaction pattern that leads to authorisation. Practitioners should treat behaviour as a control surface, not a post-event signal.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which shows how often policy assurance diverges from real operational behaviour.
A question worth separating out:
Q: Who is accountable when a customer is tricked into authorising a fraudulent payment?
A: Accountability is shared across fraud operations, digital banking, and control owners, because the failure is usually one of detection design rather than a single missing control. Regulators increasingly expect banks to show they can identify coercion, device compromise, and anomalous behaviour during the transaction lifecycle, not after the loss is settled.
👉 Read our full editorial: Behavioral intelligence and device risk are now bank controls