This is one of the most sensitive aspects of bank anti-fraud. Banks have four main technical methods for linking a user's browser action (a click on a phishing link) to a transaction in the mobile app or web version.
- HTTP Referer Analysis (via mobile banking or web version)
If a user clicked a link from an SMS/messenger and then immediately opened a bank page (or was redirected to a 3DS page):
How it works: When a browser follows a link, it normally sends the address of the referring page in the Referer request header. If the bank sees that a visit to the payment page or personal account arrived from a domain that our webhook has just flagged as phishing (or from our shortener that redirects to such a domain), the anti-fraud system marks the session as "compromised."
Caveat: the Referer is not guaranteed. A Referrer-Policy on the phishing page, an HTTPS-to-HTTP downgrade, or an in-app browser can strip it or cut it down to the bare origin, and a non-browser client can set it to anything. A matching Referer is strong evidence; a missing one proves nothing either way.

- IP Address Correlation
This is the most common approach in modern anti-fraud systems (for example, RSA Adaptive Authentication or Feedzai), because it needs nothing beyond the bank's own logs:
Scenario: A user clicks on a short link (which we’ve already marked as fraudulent). Our server records their IP address (e.g., 1.2.3.4).
Signal: We send a webhook to the bank: “URL xyz is fraudulent, it was just clicked by a user with IP address 1.2.3.4.”
Bank Action: The bank checks its own logs. If, two minutes later, a request for a large transfer arrives from the same IP address 1.2.3.4, the system joins the two facts. The combination "click on a fraudulent link + transaction from the same IP address within minutes" is treated as a high-confidence attack indicator.
Caveat: an IP address is not an identity. Behind carrier-grade NAT, a corporate proxy or a mobile operator, thousands of customers can share 1.2.3.4, so the match should be weighted by how many distinct accounts are active from that address and by how tight the time window is; the tighter the window and the more unusual the transfer, the stronger the signal.

- Client-Side Intelligence (SDK in the mobile app)
Large banks embed specialised SDKs in their apps (for example, LexisNexis ThreatMetrix or Kaspersky Fraud Prevention):
How it works: The SDK profiles the device and the app's runtime environment. On current Android and iOS, app sandboxing prevents one app from reading another app's browser history or cache, so the SDK cannot simply look up whether the user visited a malicious link; what it can observe is its own process and what the OS exposes: root/jailbreak and emulator indicators, hooking frameworks, screen-recording or remote-control sessions, overlay and accessibility-service abuse, and changes in the device fingerprint.
Deep Links: If the phishing page tries to hand off into the mobile app via an intent:// URL, an Android App Link or an iOS Universal Link, the banking app can record where the call came from (on Android, Activity.getReferrer() returns the launching app or the referrer URI it attached; on iOS, NSUserActivity.referrerURL carries the referring web page for a Universal Link). If that source matches a domain from our webhook, the transaction is blocked. This only works when the phishing flow actually targets the app; a phishing page that keeps the victim in the browser leaves no such trace.

- DNS Query Logs (for corporate clients)
If a bank serves the corporate sector, it can see its corporate clients' DNS queries through the secure gateways (DNS filtering or secure web gateway products) those clients route their traffic through:
How it works: The gateway's DNS logs show that an employee's device resolved the domain we sent in the webhook five minutes ago; that resolution is then correlated with a subsequent login or payment from the same corporate client (by client IP or by the client's identity in the gateway), and the session is treated as suspicious. A DNS query is only evidence of intent to visit: link prefetching, messenger link previews and security scanners also resolve domains, so on its own it should raise the risk score rather than block.
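The log-side correlation described in the four methods above (Referer, IP address and DNS; the SDK method runs on the device and is not shown), worked out as an added example that is not the page's own code and not any vendor's product: it takes one webhook event (flagged domain, clicking IP, timestamp) and matches it against bank-side HTTP access, transaction and DNS-gateway log lines inside a time window, then applies the shared-IP caveat before scoring. The log formats, domain names, IP addresses, amounts, window and the scoring weights are all assumptions constructed for illustration.

```python
"""Added example (not the page's own code): correlate an anti-phishing
webhook event with bank-side logs.  Log formats, domains, IPs, amounts and
thresholds below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

WINDOW = timedelta(minutes=5)  # assumed correlation window


@dataclass(frozen=True)
class PhishClick:
    """One webhook event: 'a URL on <domain> was clicked by <ip> at <ts>'."""
    domain: str
    ip: str
    ts: datetime


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T10:02:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def domain_matches(host: str, flagged: str) -> bool:
    """True if host is the flagged domain itself or a subdomain of it."""
    host, flagged = host.lower().rstrip("."), flagged.lower().rstrip(".")
    return host == flagged or host.endswith("." + flagged)


def referer_hits(access_log: str, clicks: list[PhishClick]) -> list[dict]:
    """Method 1: requests whose Referer points at a flagged domain.
    Constructed format: '<ts> <client_ip> <method> <path> <referer>'.
    A '-' Referer (stripped by Referrer-Policy or sent by a non-browser
    client) is not a hit: a missing Referer proves nothing either way."""
    hits = []
    for line in access_log.splitlines():
        ts, ip, _method, path, referer = line.split(maxsplit=4)
        host = urlparse(referer).hostname or ""  # '-' parses to no hostname
        for c in clicks:
            if domain_matches(host, c.domain):
                hits.append({"ts": parse_ts(ts), "ip": ip, "path": path, "domain": c.domain})
    return hits


def ip_hits(tx_log: str, clicks: list[PhishClick], window: timedelta,
            min_amount: float) -> list[dict]:
    """Method 2: large transfers from the click's IP within `window` after it.
    Constructed format: '<ts> <client_ip> <account> <amount>'."""
    hits = []
    for line in tx_log.splitlines():
        ts_text, ip, account, amount_text = line.split()
        ts, amount = parse_ts(ts_text), float(amount_text)
        for c in clicks:
            if ip == c.ip and c.ts <= ts <= c.ts + window and amount >= min_amount:
                hits.append({"ts": ts, "ip": ip, "account": account, "amount": amount,
                             "seconds_after_click": int((ts - c.ts).total_seconds())})
    return hits


def shared_ip(tx_log: str, ip: str, start: datetime, end: datetime,
              max_accounts: int = 3) -> bool:
    """NAT/CGNAT caveat: many distinct accounts transacting from one IP in the
    window means the address is shared and an IP match alone is weak evidence."""
    accounts = set()
    for line in tx_log.splitlines():
        ts_text, tx_ip, account, _amount = line.split()
        if tx_ip == ip and start <= parse_ts(ts_text) <= end:
            accounts.add(account)
    return len(accounts) > max_accounts


def dns_hits(dns_log: str, clicks: list[PhishClick], window: timedelta) -> list[dict]:
    """Method 4: corporate DNS-gateway queries for the flagged domain within
    `window` of the click, before or after (resolution precedes the fetch).
    Constructed format: '<ts> <client_ip> <qname>'."""
    hits = []
    for line in dns_log.splitlines():
        ts_text, client_ip, qname = line.split()
        ts = parse_ts(ts_text)
        for c in clicks:
            if domain_matches(qname, c.domain) and abs(ts - c.ts) <= window:
                hits.append({"ts": ts, "client_ip": client_ip, "qname": qname})
    return hits


def verdict(referer: list, ip: list, dns: list, ip_is_shared: bool) -> str:
    """Combine the signals; weights and cut-offs are illustrative assumptions."""
    points = 3 * bool(referer) + (1 if ip_is_shared else 2) * bool(ip) + bool(dns)
    return "block" if points >= 4 else "step-up" if points >= 2 else "allow"


# --- constructed sample input: one webhook click plus three bank-side logs ---
CLICKS = [PhishClick("secure-login-example.test", "1.2.3.4",
                     datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc))]
ACCESS_LOG = """\
2024-05-01T10:01:30Z 1.2.3.4 GET /login https://secure-login-example.test/auth
2024-05-01T10:02:10Z 5.6.7.8 GET /login -
"""
TX_LOG = """\
2024-05-01T10:02:00Z 1.2.3.4 acct-17 4990.00
2024-05-01T10:30:00Z 1.2.3.4 acct-17 20.00
2024-05-01T10:02:30Z 5.6.7.8 acct-42 7500.00
"""
DNS_LOG = """\
2024-05-01T09:58:00Z 10.0.0.21 secure-login-example.test
2024-05-01T10:05:00Z 10.0.0.22 www.bank.test
"""


def correlate(window: timedelta = WINDOW, min_amount: float = 1000.0) -> str:
    """Run the three log-side methods over the sample data and return a verdict."""
    r = referer_hits(ACCESS_LOG, CLICKS)
    i = ip_hits(TX_LOG, CLICKS, window, min_amount)
    d = dns_hits(DNS_LOG, CLICKS, window)
    shared = shared_ip(TX_LOG, CLICKS[0].ip, CLICKS[0].ts, CLICKS[0].ts + window)
    return verdict(r, i, d, shared)


if __name__ == "__main__":
    print(correlate())
```

With the constructed data the Referer, IP and DNS methods all fire on the same click, so the verdict is "block"; an IP-only match from an address that many accounts share drops to "allow", while the same match from an unshared address only triggers step-up authentication, which is the practical difference the NAT caveat makes.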
