Prompt Bombing—a New Fraud Strategy
By Alex Forss, Commercial Director, Callsign
Fraudsters will use every trick in the book to catch their victims, ranging from the technological to the psychological. In the case of the latter, a new twist on an established attack vector has been trending recently – prompt bombing.
People are more vigilant when they are in a ‘cold state’ – when they’re calm and relaxed, they will naturally tend to scrutinize any transaction that they’re processing. That can change when they’re in a ‘hot state’, worried or panicked or, in the case of prompt bombing, frustrated. It’s easier to rush things through and make an error of judgement.
Bad actors know and understand this, and will try and flip their potential victims over from one state to the other, and prompt bombing is the latest method that they’re using.
How does prompt bombing work?
Customers are no strangers to receiving authentication requests via SMS OTP – multifactor authentication is widely used by businesses in every sector to provide additional security.
But prompt bombing turns this on its head. The scammer bombards their target with repeated requests to confirm a login. Declining the requests does nothing to stem the flow; they keep coming. The irritation factor comes into play, nudging the victim into a hot state. They may eventually hit ‘accept’ to stop the messages, reasoning that they’re coming as the result of a system error.
Very often, these attacks happen late at night when the victim may be sleeping, or when they may be distracted and their judgement impaired. It might be many hours later when they discover that their account has been compromised – by which point, the damage is done.
Insecure authentication factors
Prompt bombing is essentially a new coat of paint on one of the oldest approaches used by scammers: account takeover fraud, or ATO. Key to the success of prompt bombing is a reliance on outmoded and insecure authentication factors such as SMS OTPs. It’s a form of authentication that is anything but secure. Scammers are adept at using SIM swap or SS7 attacks to bypass this second authentication factor.
And – as prompt bombing clearly illustrates – by using it, businesses put themselves in the risky situation of authenticating in the exact same channel that threat actors use to defraud their victims. And yet, it remains one of the most widely used authentication factors today.
But any out-of-band authenticators can provide a platform for prompt bombing. OTPs are highly prevalent, but the prompts are also likely to come from third-party or in-house apps. The latter is particularly problematic – the victim is even more likely to trust a prompt that seems to emanate from their workplace, reasoning that it might just be an IT issue.
The business risk of prompt bombing
Prompt bombing, like any form of fraud, has a ripple effect that goes far beyond the initial impact for the victim. Every fraud claim needs to be investigated, and investigating and rectifying fraudulent activity is something that invariably proves to be costly for businesses, both in terms of money and resources.
The reputational impact can’t be ignored either. Whether it stems from an actual instance of fraud, or even the simple irritation factor – or, in the case of prompt bombing, potentially both – trust that may have taken years to build being shattered in moments. Fraud stories regularly make the headlines and customers will likely share their irritations via social media channels. The impact to an organization’s reputation can easily outstrip the actual financial cost of the fraud.
If organizations continue to rely on outdated, out-of-band and insecure authentication methods such as SMS OTP, they put both themselves and their customers at risk of attack from criminals. Indeed, in a Callsign-commissioned report, 95% consumers stated that they did not feel that SMS was a safe channel for communication with banks or retailers.
The steps you can take
The answer to the problem is clear, and well established. By moving away from outmoded and easily compromised authentication methods, organizations can simultaneously increase the level of security that they provide to their customers, and reduce friction in the user journey which in turn reduces frustration.
Digital solutions such as Callsign, which layers device intelligence with Muscle Memory Technology, the highest-fidelity behavioral biometrics on the market, represent a major step forward in the fight against prompt bombing and ATO and indeed, every fraud vector.
Rather than continuously checking for fraud, Callsign takes a positive identification approach that reduces the amount of data ingested, which preserves privacy. By passively identifying and recognizing legitimate customers, the fraudsters are quickly and firmly locked out, and without the need to step up to an out-of-band authenticator, the risk of prompt bombing is removed.
The challenge of evolving fraud
Technology, the online world and customer behaviors are evolving at pace. So too are the techniques of threat actors. The recent rise of prompt bombing as an attack vector is a reminder that businesses need to be constantly vigilant when it comes to fraud and scams. Every new business opportunity that emerges will be rapidly seized upon by criminals.
In today’s digital-first world, businesses need to consider moving beyond analog authentication solutions. If a business is relying on authentication methods such as SMS OTP rather than a layered intelligence combining device and behavioral biometrics with other signals, they are potentially opening themselves up to both fraud and user experience challenges.
One thing is for sure is that the bad actors will not be doing the same. Yesterday’s technologies will not effectively combat tomorrow’s threats.
