As fraud related to artificial intelligence (AI) becomes increasingly sophisticated and accessible, many legacy lines of defense are no longer able to effectively protect financial institutions and their customers. Financial institutions need to take a more proactive approach to fraud. By collecting and analyzing real-time data and using AI to identify patterns, FIs can quickly detect suspicious activity and clamp down on fraud.
Karen Postma, Senior Vice President of Risk Solutions at PSCU/Co-op Solutions, has long been a leader in detecting and deterring financial fraud. In a recent PaymentsJournal podcast, she sat down with Jennifer Pitt, Senior Analyst in Javelin Strategy & Research’s Fraud and Security practice, to discuss the nature of the latest attacks against credit unions and their members as well as the scourge of first-party fraud.
The Old Rules Don’t Apply
Consumers have learned that if an email doesn’t sound quite right or contains suspicious punctuation or misspellings, then it may not be legitimate. However, fraudsters are now leveraging generative AI like ChatGPT to create content that looks more like a normal email than a phishing email.
“We can no longer tell consumers to look for those basic things like spelling errors, grammar errors,” Pitt said. “We need to be better at giving more generic advice to consumers about emails. If you’re not intending to get this email, if you don’t know the sender, don’t answer it. Instead, contact the company directly yourself.”
Non-technical individuals can also use AI through a tool called WormGPT, which effectively writes code or malware for fraudulent purposes.
“I don’t have a technical background, but I could leverage these tools to create malware that I could embed in a phishing email or in other content to put keyloggers on a consumer’s computer or other device,” Postma said. “That’s probably one of the most unnerving components of AI utilization by cybercriminals.”
AI is also being used to target employees at large companies. Several recent data breaches that Postma has seen involved phishing campaigns targeted at high-level employees whose credentials were compromised, which can lead to an entire company being compromised.
AI is being leveraged to trick identity verification and circumvent know-your-customer (KYC) protocols via deepfakes using voice, photo and video. Criminals are also using AI to get around multifactor authentication.
“These scams are looking for anything from passwords to financial payment to one-time passwords to absolutely anything that they can get their hands on,” Postma said. “As soon as fraudsters have convinced the consumer that they are their financial institution, those multifactors become very compromised.”
The Fourth Layer
Postma’s team at PSCU/Co-op Solutions has been talking to credit unions about adding a fourth layer to multifactor authentication: the data aspect. This data becomes a validation for the transaction, and that final verification can raise a red flag that a scam might be happening.
This is not data that you would typically get in an authorization component; rather, it would be data obtained through online banking, through the contact center, or through various components that can confirm whether the IP address is one the consumer has used before, whether the consumer has used the device before, and/or whether the inquiry is coming from overseas or from within the geographical location that would be expected for the consumer.
“These likely aren’t variables that most contact centers would have a hard-and-fast yes or no on,” Postma said. “But they would be a red flag that will allow an extra layer of validation or an extra layer of protection for that member.”
Being able to leverage data on the fly, in real time, will be imperative for all financial providers. It will be crucial to use different technologies that draw on IP addresses, geolocation, different alerts, and consumer alerts in real time to detect those scams.
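A minimal sketch of the data layer described above, added here as an illustration and not taken from PSCU/Co-op Solutions or any product: it checks the three signals named in the article (IP address, device, geography) against a member's history and routes mismatches to extra validation instead of denying outright. The class and field names, the device identifiers, and the assumption that a country code arrives from an upstream geolocation lookup are all hypothetical.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass
class MemberHistory:
    # Hypothetical schema: values a credit union might retain from
    # online banking and contact-center sessions.
    known_ips: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    expected_countries: set = field(default_factory=set)

@dataclass
class ContactEvent:
    ip: str
    device_id: str
    country: str  # assumed to come from an upstream IP geolocation lookup

def normalize_ip(raw):
    """Canonical form so '::ffff:203.0.113.7' matches '203.0.113.7'."""
    addr = ip_address(raw.strip())  # raises ValueError on malformed input
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped if mapped is not None else addr)

def red_flags(history, event):
    """Return the context signals that do not match the member's history."""
    flags = []
    if normalize_ip(event.ip) not in {normalize_ip(i) for i in history.known_ips}:
        flags.append("ip_not_seen_before")
    if event.device_id not in history.known_devices:
        flags.append("device_not_seen_before")
    if event.country.upper() not in {c.upper() for c in history.expected_countries}:
        flags.append("outside_expected_geography")
    return flags

def decide(history, event):
    """Flags never block on their own; they route to extra validation."""
    flags = red_flags(history, event)
    return ("extra_validation" if flags else "proceed"), flags

# Constructed sample data: documentation IP ranges and made-up device ids.
HISTORY = MemberHistory({"203.0.113.7"}, {"dev-a1"}, {"US"})
USUAL = ContactEvent("::ffff:203.0.113.7", "dev-a1", "us")
ODD = ContactEvent("198.51.100.20", "dev-zz", "FR")

if __name__ == "__main__":
    for ev in (USUAL, ODD):
        print(ev.ip, decide(HISTORY, ev))
```

A member with no recorded history trips every flag, which matches the intent: a first contact gets the extra validation step, not a refusal.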
Another development will be leveraging the technology for KYC and detection techniques. The financial professional can interact with a live likeness to see if it is a real person or a deepfake.
Many consumers are leery of enabling data geolocation because of privacy concerns. Credit unions should educate their members on how they will use that data to help overcome that barrier, while protecting their assets and data.
“Most people want to know why something’s being done,” Postma said. “When consumers are onboarding, you need to tell them not only that this is the data we need, but this is why we need it, and this is what we’re going to do with your data. Some of those privacy issues center on data that we’re collecting for third-party reasons, data that we would like to have. If it’s not a need to have, then allow the consumers to opt out. That will really build consumer trust with financial institutions and credit unions.”
First-Party Fraud
Since the pandemic, the credit union industry has seen a huge influx of what is known as first-party fraud, which entails members either knowingly or unknowingly reporting legitimate transactions as fraud. In the post-COVID-19 environment, a great number of transactions shifted from card present (CP) to card not present (CNP) as consumers deal with merchant aggregators, billing nuances and instances in which they did not receive their merchandise. With all those factors, it’s easy to understand why there’s an increase in fraudulent claims.
Anywhere from 30% to 70% of initially reported fraud is first-party fraud. This volume of first-party fraud is adjusting the scoring models—which is, in turn, changing how institutions address fraudulent claims and processes. The other component of first-party fraud is that credit union members are owners of the credit union. If the institution takes that loss, there is a financial impact on members.
“What financial institutions have to do is balance the upfront experience with verification on the back end,” Postma said. “If you have valid proof and you can do a little investigation as to the fact that that member was engaged in that transaction, you have the ability to make them liable for it.”
Gathering Information
Balancing the needs of member service and fighting fraud is essential. Every interaction or every member contact, whether lasting a minute or an hour, is basically an interview. It’s an opportunity to make a good impression, build trust, and get information from the consumer.
“There are things that you can listen for, like tone changes or hesitation as if they’re talking to somebody else,” Postma said. “There are definitely red flags that investigators can learn to identify if the caller is an attacker. If they are not, trust but verify.”
Financial institutions sometimes think that education is the easy, non-technical part of the equation. “Part of what we need to improve on as a whole in the financial industry realm is being intentional with everything we do, being proactive instead of reactive,” Pitt said. “We’ve been behind the fraud curve because we’re not doing targeted education. We’re not intentional about what we want the consumer to achieve and the outcome that we want to get.”
“Everyone—from your contact center agents to your frontline staff to your back office—needs to be educated on what scams look like, what first-party fraud looks like, and all the different types of technology we use to fight these things,” Postma said. “It isn’t just a small handful of people that fight fraud. It is truly in every channel.”