Chatbots create new fraudster bait

Make no mistake about it: Facebook wants to replace your apps.

All those mobile apps crowding up your smartphone screen should be banished and replaced by chatbots, according to the tech giant.

That’s the pitch Facebook has delivered to companies across various industries looking to improve their customer engagement. Many companies are buying the pitch—there are now more than 100,000 bots in Facebook Messenger that allow companies to take orders and answer customer inquiries. Mastercard and American Express have already launched Messenger bots, and Bank of America announced that it will as well.

Why chatbots? And why worry?

Chatbots provide a number of key benefits:

• They offer an intuitive and conversational digital interface for quick customer service interactions.

• They drastically reduce the cost of handling those interactions compared to traditional channels.

• Most importantly, chatbots have proven popular with the key millennial demographic.

However, banks must be prepared for fraudsters migrating their efforts over to take advantage of this channel as customers start to use chatbots for banking.

It’s pretty clear why banks are interested in chatbots: They’ve struggled to connect with millennials. Messaging services and chatbots offer a new way to reach this generation. All of the leading mobile messaging services—WhatsApp, Facebook Messenger, and Snapchat—have audiences that skew heavily towards younger demographics.

Messaging services boast incredible engagement that makes them appealing as a platform for businesses to reach customers: 57% of WhatsApp users opened the app multiple times per day, as did 24% of Snapchat users, according to a 2016 survey by the Global Web Index. Messaging apps also cut costs by automating customer service interactions.

Call center interactions typically cost around $4 per call, according to a benchmark study done in 2008, but those same interactions can cost less than 20 cents through online self-service channels today.

Where the risks lie

Moving interactions from mobile apps and call centers to messaging services and chatbots also means shifting risks to this very new channel.

Call centers have been hit with a storm of social engineering fraud over recent years, with call center fraud rising 113% globally from 2016 to 2017, according to a study by Pindrop. These social engineering scams involve fraudsters calling customer service reps, convincing them that they are a legitimate customer, and then getting the rep to facilitate fraudulent transactions or hand over sensitive information.

These schemes have grown more common in recent years as banks improve security in other channels through measures like two-factor authentication and EMV cards.

It would be natural for many of these social engineering schemes to shift over to chatbots as more customer service interactions do so as well.

Rather than duping a customer service agent, fraudsters could use stolen credentials or personal information like Social Security numbers harvested through phishing and other schemes to impersonate real customers. This could allow them to initiate fraudulent transactions or use chatbots to collect more information about real customers to facilitate identity theft schemes.

Is protection available?

Fortunately for banks, customers will primarily interact with chatbots through mobile apps—either banks’ own apps, or messaging apps like Facebook Messenger—so banks can leverage the security capabilities of customers’ smartphones.

Consumers are already starting to use fingerprint and voice biometrics to authenticate themselves for different tasks on their smartphones. Banks should require biometric authentication before initiating any transactions or providing any personal or account information through chatbots. Banks should also verify the location of the device that is being used and ensure that the device is associated with that customer.

Banks will also need to formulate rules governing what customers can do with chatbots, and how they can securely hand customers off to another channel to complete a high-risk request.

Keeping the functionality of chatbots narrowed down to a few tasks like checking balances and paying credit card bills will limit fraudsters’ ability to leverage them. Customers should also provide further verification of their identity using such authentication methods whenever a customer starts an interaction with a chatbot and then switches over to another channel.

Encrypting data will also be paramount in keeping information exchanged through chatbots out of the hands of criminals. Facebook now offers end-to-end encryption for Messenger chats, and any conversation involving any personal, account, or payment information must be fully encrypted. Any data regarding chatbot interactions with customers that is kept for regulatory purposes or later analyses also needs to be encrypted while in storage.

Before the total phony

Lastly, banks need to beware of fake bots impersonating legitimate banking bots in messaging platforms.

Fake mobile banking apps have been an ongoing issue in third-party app stores for some time, and fraudsters will likely try to emulate that scheme with chatbots.

Facebook has said that it evaluates the authenticity of every chatbot in Messenger. However, Apple has long said that it does the same with new mobile apps submitted to its App Store, but that hasn’t stopped malicious apps from getting into the App Store over the years.