How Darwinium Catches Authorised Push Payment Fraud in Real Time

Natalie Lewkowicz

Sr Marketing Manager

Catching a Scam in Real Time: Inside Darwinium's Authorized Push Payment Demo

Watch Ed and Steve walk through a live “safe account” fraud scenario and see exactly how edge-based behavioral profiling stops it before the money moves.

How Edge-Based Journey Profiling Is Redefining Fraud Prevention for Banks and Fintechs

Authorized Push Payment (APP) fraud has evolved into something far more insidious than simple social engineering. Today’s fraudsters don’t just trick users; they guide them step by step, often sitting invisibly beside them via screen sharing.

In a recent live demo, Darwinium showcased how modern fraud unfolds in real time and, more importantly, how it can be stopped.

Let’s break it down.

The Scenario

Authorized push payment (APP) fraud is one of the fastest-growing threats facing banks and fintechs today.

In this demo, Ed plays the fraudster, calling Steve (the victim), convincing him his account is under attack, and walking him through a transfer to a “safe account” via screen sharing. The tools could be Microsoft Teams, AnyDesk, TeamViewer, WhatsApp, or FaceTime. The script is always the same.

The trust-building phase is skipped for time, but in the real world, this social engineering can unfold over hours or even days before the victim ever opens their banking app.

What Darwinium Detects

The moment Steve begins the payment journey, a cascade of signals fires simultaneously:

Account Drain

  • The payment falls into the top 25% by value
  • It equals the full account balance
  • A clear anomaly compared to Steve’s historical behavior

Screen Sharing Detected

  • Live screen sharing and an active call are identified
  • Detection works regardless of the tool being used

Device & Network Intelligence

  • IP reputation analysis
  • Device familiarity scoring
  • Additional context layered into the risk profile

Journey Profiling

  • Hesitation and pauses
  • Backtracking
  • Long dwell times
  • Re-entered data

All strong indicators of a user acting under pressure.

The Anatomy of a “Safe Account” Scam

Picture this.

A fraudster calls a customer and calmly explains that their bank account is under attack. They offer reassurance, authority, and a solution: move your money to a “safe account.”

To make things easier, they suggest screen sharing.

This isn’t hypothetical. It’s happening every day across:

  • Microsoft Teams
  • AnyDesk
  • TeamViewer
  • WhatsApp and FaceTime (with built-in screen sharing)

Once trust is established, the victim is guided through the payment process in real time.

At this point, traditional fraud controls often fail.

Why?

Because the transaction appears legitimate.

The Signals Hidden in Plain Sight

While the payment may look normal at first glance, the surrounding context tells a very different story.

Darwinium captures and analyzes a rich set of signals, including:

1. Transaction Anomalies

  • Payments in the top 25% of a user’s historical activity
  • Transfers involving the full account balance
  • Indicators of account-draining behavior

These red flags only emerge when viewed against historical patterns.

2. Device & Environment Intelligence

  • IP address analysis
  • Device familiarity and history
  • Indicators of new or unusual environments

These signals help determine whether the session aligns with expected behavior.

3. Screen Sharing & Live Call Detection

One of the most powerful indicators in modern scams.

Darwinium detects:

  • Active screen sharing sessions
  • Live calls in progress
  • Remote access tools in use

Regardless of platform.

This matters because screen sharing fundamentally alters user behavior and intent.

The Game-Changer: Journey Profiling

Here’s where things get interesting.

Most fraud solutions operate like a camera taking snapshots. They analyze a single moment, such as login or payment.

Darwinium operates more like a continuous film reel 🎞️

It profiles the entire user journey in real time, capturing:

  • Hesitation and pauses
  • Repeated data entry
  • Backtracking between pages
  • Changes in navigation patterns
  • Dwell time anomalies

These behavioral cues often reveal uncertainty or external influence, classic signs of social engineering in progress.
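
The signals listed under “What Darwinium Detects” and in this section can be combined along the lines below. This is an added illustration in Python, not Darwinium's code or rule syntax. The event format, field names, thresholds and decision labels are all assumptions, and the screen-share flag is taken as an input because the page does not say how it is detected.

```python
from statistics import quantiles

LONG_DWELL_S = 30   # assumed: a gap this long between events counts as hesitation
HOLD_AT = 3         # assumed: signal families required before holding the payment

def account_drain(amount, balance, history):
    """Payment is in the top 25% of the user's past payments and empties the account."""
    q3 = quantiles(history, n=4)[2]   # 75th percentile
    return amount >= q3 and amount >= balance

def journey_signals(events):
    """events: ordered (t_seconds, page, field_or_None) tuples for one session."""
    fired, pages, fields, prev_t = set(), [], set(), None
    for t, page, field in events:
        if prev_t is not None and t - prev_t >= LONG_DWELL_S:
            fired.add("long_dwell")
        if pages and page != pages[-1] and page in pages:
            fired.add("backtracking")          # returned to a page already visited
        if not pages or page != pages[-1]:
            pages.append(page)
        if field is not None:
            if field in fields:
                fired.add("re_entered_data")   # same field filled in again
            fields.add(field)
        prev_t = t
    return fired

def assess(payment, session):
    """Return (decision, fired signals); no single signal decides on its own."""
    fired = set()
    if account_drain(payment["amount"], payment["balance"], payment["history"]):
        fired.add("account_drain")
    if session["screen_share_active"]:   # assumed to come from the client-side collector
        fired.add("screen_share")
    if not session["device_known"]:
        fired.add("unfamiliar_device")
    journey = journey_signals(session["events"])
    families = len(fired) + (1 if journey else 0)   # journey cues count once
    return ("hold_and_warn" if families >= HOLD_AT else "allow"), sorted(fired | journey)

# Constructed sample data, not taken from the demo.
HISTORY = [40, 55, 60, 80, 120, 150, 200, 250]
COERCED = {"screen_share_active": True, "device_known": True, "events": [
    (0, "payees", None), (8, "new_payee", "account_number"),
    (50, "new_payee", "account_number"), (58, "amount", "amount"),
    (66, "new_payee", None), (75, "amount", "amount"), (120, "confirm", None)]}
ROUTINE = {"screen_share_active": False, "device_known": True, "events": [
    (0, "payees", None), (5, "amount", "amount"), (12, "confirm", None)]}

if __name__ == "__main__":
    print(assess({"amount": 4200, "balance": 4200, "history": HISTORY}, COERCED))
    print(assess({"amount": 60, "balance": 4200, "history": HISTORY}, ROUTINE))
```

The coerced session is held even though it comes from a known device, because the account drain, the screen share and the journey cues fire together; the same full-balance payment in the routine session is allowed.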

Why Most Banks Struggle to Do This

Full journey profiling sounds powerful, because it is.

But historically, it’s been difficult to implement due to:

  • Heavy engineering requirements
  • Complex integrations
  • Performance concerns

So many organizations settle for partial visibility.

Enter the Edge: Fraud Detection via CDN

Darwinium flips this model on its head.

By deploying at the edge via existing CDNs like:

  • Cloudflare
  • Akamai
  • AWS CloudFront

…it enables rapid, low-friction implementation.

What This Means in Practice

  • No heavy backend integration
  • Dynamic deployment across endpoints
  • Immediate signal capture across user journeys

In many cases, teams can begin profiling simply by configuring their CDN integration.

It’s like installing a security system without rewiring the entire building.

Why the CDN Edge Matters

Most fraud tools analyze a single point in time, a snapshot at the moment of transaction.

Darwinium continuously profiles the entire journey.

The reason this is practical comes down to deployment: rather than a lengthy engineering project, a plugin integrates directly with whichever CDN the bank already uses. Configuration can be replicated in minutes, and profiling begins immediately across every defined endpoint, from registration to payment confirmation.

Copilot: Fraud Strategy Without the Bottleneck

The final piece of the puzzle is Darwinium Copilot 🤖

An embedded LLM designed specifically for fraud and risk teams.

Instead of relying on engineering resources, teams can:

  • Generate fraud rules
  • Build detection queries
  • Create strategies

…using natural language.

Example

“Identify screen capture activity on iOS devices”

Copilot generates the query instantly, ready to deploy.

No coding. No delays.

And because it operates at the edge, updates go live in real time.

Darwinium Copilot: Turning Fraud Strategy into a Conversation

If traditional fraud tooling feels like assembling furniture with no instructions, Copilot is the expert sitting beside you saying, “Just tell me what you want to build.”

At its core, Copilot is a domain-trained LLM embedded within Darwinium’s data model and signal framework.

From Idea → Rule → Deployment in Seconds

In most organizations, creating a fraud rule looks like this:

  • Risk team identifies a threat
  • Requirements are documented
  • Engineering gets involved
  • Queries are built and tested
  • Deployment is scheduled

By the time it goes live, the fraud pattern has already evolved 🫠

Copilot compresses that entire cycle into a single step: asking a question.

Built for Fraud, Not Generic AI

Copilot understands:

  • Device intelligence signals
  • Behavioral biometrics
  • Journey-level events
  • Risk indicators like velocity, anomalies, and intent

So when you ask:
“Detect account-draining behavior with hesitation signals”

…it knows exactly what that means.

Democratizing Fraud Strategy

Copilot changes who can build fraud logic:

  • Fraud analysts can test hypotheses instantly
  • Risk teams can iterate without engineering delays
  • Product teams can explore behavioral signals directly

Fraud prevention becomes a living system instead of a queue of tickets.

Real-Time Changes at the Edge

Once Copilot generates a rule, it can be:

  • Added directly into the control center
  • Deployed instantly via the CDN layer
  • Applied across live user journeys in real time

No release cycles. No downtime. No lag.

It’s like editing the rules of the game while the game is still being played 🎮

Real-Time Defense for Real-Time Threats

This demo highlights a fundamental shift in fraud prevention:

From:

  • Static checks
  • Point-in-time decisions

To:

  • Continuous journey intelligence
  • Real-time adaptive responses

Darwinium enables organizations to understand not just what a user is doing, but how and why they’re doing it.

And in APP fraud, that context is everything.

The Bigger Picture

Fraud isn’t standing still. It’s improvising, adapting, and scaling.

Copilot gives teams the ability to do the same, but with precision and speed.

Instead of reacting weeks later, teams can respond in the moment, shaping defenses as signals emerge.

In a world of real-time scams, speed isn’t a luxury.

It’s the difference between stopping fraud… and explaining it after the fact.

Final Thoughts

Fraudsters are no longer operating in the shadows.

They’re guiding users, influencing decisions, and exploiting trust in real time.

To stop them, organizations need:

  • Deep behavioral insight
  • Full journey visibility
  • Instant, flexible deployment

That’s exactly what Darwinium delivers.

Live Demo: Detecting Screen Share & APP Fraud with Behavioral Biometrics