As fraud schemes become more prevalent and sophisticated, aided and abetted by AI, fraud mitigation has become a top priority for banks.
What are the most effective anti-fraud tools and techniques for banks to employ, and how are they accounting for the complex threats presented by AI? These were among the key issues addressed during a recent ProSight webinar featuring a trio of fraud experts: Matt Meis, cyber fraud and data manager at Summit Credit Union; Ray Olsen, senior vice president and director of enterprise fraud management at Wintrust Financial Corporation; and moderator Bobbie Paul, managing director of fraud at Huron.
Financial institutions regularly must manage and mitigate a plethora of aggressive AI-driven scams, from identity theft, ransomware, and phishing to account takeovers and business email compromise (BEC) schemes. But exactly how much more susceptible are banks and their customers to scams as a result of AI-driven fraud that looks and/or sounds authentic?
The democratization of cybercrime for entry-level bad actors is perhaps the biggest impact generative AI has had in the online fraud space. “GenAI is lowering the fraud entry barrier for all of those ‘new criminals’ who are looking to scam people,” Meis said, noting that high-level threat actors have been using AI tools like machine learning to perpetrate fraud for years.
Olsen said that AI has enabled cybercriminals to execute fraud at a much faster pace. He pointed to the rapid movement of funds through mule networks as one example. “The speed gap in real-time payments allows fraudsters to quickly empty out mule accounts and move not only non-illicit funds but also illicit funds at the same time,” said Olsen.
To prevent and mitigate fraud, banks must not only monitor transactions in real time but also use data analytics to account for longer-term fraud trends. Financial institutions, said Meis, must figure out what phishing attacks or impersonation scams are the greatest threat to their customers. Data analytics, he added, supplement real-time anomaly detection by evaluating fraud trends that could be “lurking under the hood.”
AI is not replacing any of the anti-fraud systems Summit Credit Union already has in place, but, rather, is adding another layer to the bank’s defenses. “There are multiple layers that a criminal or a fraudster has to get through to move funds or attack our customer base,” said Meis. “Even if we are looking at a new AI tool, we’re not removing any of our other controls.” Wintrust, according to Olsen, is taking a similar approach, using multiple layers of defense—including transaction monitoring, structured query language, data analytics, and multi-factor authentication—to identify and prevent fraud.
Meis, Olsen, and Paul all agreed that AI is strong at summarizing documents and automating workflows. “AI is machine learning, just on steroids. You can consume more data, sort through it, and clean it more,” said Paul.
While the technology has certainly opened the door wider for cybercriminals, AI has also eased the burden on fraud investigators and analysts. “It’s allowing the investigator or the fraud analyst to work a little bit smarter, not necessarily harder, and focus on the things they should focus on, rather than getting bogged down in paperwork,” said Olsen.
Build vs. Buy
One of the key decisions that a bank has to make when attempting to combat cyber fraud is whether to develop systems internally or to rely on solutions from external vendors. Paul said that building systems internally can be time consuming and cost prohibitive. On the other hand, buying tools from an external vendor yields another threat: third-party risk.
Olsen said that when an organization chooses to buy systems, it’s critical for fraud executives to offer their input on any new products from the jump. Product managers, he noted, want the best new product for their customers, and don’t necessarily understand the implications of the product and how fraudsters can potentially attack it. That’s why making your voice heard is an important part of third-party risk assessment. “Make sure that you’re in the room and have a say with the fraud products,” Olsen advised.
Fraud modules for a new product need to be worked into the contract pre-launch, taking into consideration your corporate fraud policy, rather than added later as an afterthought. Coordinating with your risk team is vital to this process. “Having a great relationship with your risk team helps you be able to ask the right questions upfront,” said Meis. “A lot of times there are fraud modules that they can bake into the contract at the time of signing that makes implementation go 10 times better.”
Training, Education, and Information Sharing
To capture and prevent fraud, training is critical—both for customers and employees.
Educational (in-person) forums, webinars, and commercials are among the ways that banks are attempting to keep their clients well informed about scams. Olsen said that last year alone, Wintrust hosted 47 anti-fraud presentations for its commercial and retail customers.
Wintrust is also very active in setting up in-person educational forums. The bank, for example, recently hosted a community forum on text scams that was attended by 100 customers. “This type of event is impactful because people who attend go home and then tell their spouses, their kids, and their friends,” Olsen said. “Statistically speaking, one person will tell five other people.”
Meis said that fraud training is vital, because customers are “85% less likely” to fall for a scam if they are educated about it. Employees must also be trained to keep up with the latest fraud techniques in areas like impersonation schemes and check scams. To educate staff, Summit distributes a monthly threat intelligence report internally. “We’ll bring that into the physical world, too, and show recent checks that were bad or recent IDs that looked authentic, but weren’t,” Meis said. The combination of digital threat intelligence and examples of physical scams is intended to bring fraud into the real world for employees.
As a supplement to training, Olsen said that networking and information sharing—with peers, for example, he’s met via LinkedIn or at industry conferences—can also prove quite beneficial. “I can call people and say, ‘Hey, do you have a copy of a good third-party risk assessment that you’ve done?’” he said. “You’d be surprised how many people will come to your rescue and give you more documents than you ever wanted.”
AI: ROI and Human Impact
As anti-fraud AI solutions become more and more prevalent, banks need to find a way to explain their return on investment in AI. However, that is no simple task.
Indeed, calculating the ROI of anti-fraud tools in numerical terms can be quite a challenge, particularly if, say, a scam is prevented before a transaction actually takes place. But it can be done. “If you can catch fraudsters before they actually submit a Zelle transaction or an ACH, then what was the avoided loss?” Meis pondered. “We look at the risk of the account. If there was $3 million in the account, then $3 million was the risk and the potential loss avoided would be your Zelle limit.”
One other way that AI can yield ROI is by reducing the headcount of an organization’s fraud team. But Meis and Olsen agree that while the technology certainly can make your fraud investigations more robust and improve the efficiency of your existing fraud analysts, banks should not expect the adoption of AI to result in a large-scale reduction of full-time fraud employees.
ROI for AI can be demonstrated if your data analytics show that you’re both capturing and preventing more fraud without significantly adding to your staff. “If you’re having less fraud over more transactions, and if you are employing the same amount of people, that’s impressive,” Meis said.
