KEY TAKEAWAYS:
The bill is in the billions. And it’s growing. An industry study found that the fraud losses due to deepfakes totaled about $12 billion in 2023, and that figure is expected to more than triple by 2027 as bad actors figure out how to run their schemes at greater scale.
Voice vulnerabilities. Most of the mainstream attention to deepfakes is focused on altered video, but the greater vulnerability for financial institutions now is more likely to be faked audio that can be shockingly realistic.
Call to action. Three key pieces of advice for banking institutions: First, create a system to keep up with the latest deepfake modes of attack, then set up an internal communication process to share intel, and finally, use technology as a force multiplier.
***
BAI: Welcome to the BAI Banking Strategies podcast. I’m Senior Editor Rachel Koning Beals, and my guest is Sara Seguin, principal advisor for fraud and identity risk at Alloy. We’re here to talk about what financial institutions should be doing to prepare for what promises to be a coming surge in deepfakes as bad actors put AI to use in more sophisticated and more malevolent ways. Sara, we’re happy to have you on the podcast.
Sara Seguin, Alloy: Thanks, Rachel. It’s great to be here.
Rachel Koning Beals: Let me start by asking, can you give us a brief overview of your background in financial services, particularly as it relates to the fraud space?
Sara Seguin: Absolutely, Rachel. For 17 years I was in the banking sector, so I’m a former banker and worked for top 25 financial institutions. But I was always within the fraud space, so whether that was helping to create a dispute team or a fraud hotline in the analytics area, and then most recently, before I came to Alloy, running the enterprise fraud strategy as well as a business intelligence team. And then I moved over to Alloy and I’ve been with Alloy about two years, and as you said, as a principal advisor. So, it’s been great to be able to continue down the fraud path as we really have a battle on the fight against fraud.
So, as you look out broadly at where things stand today, how would you characterize the risk level that financial institutions face when it comes to fraud, especially those bad actors using deepfake technology?
Whether it’s in the headlines, you are hearing it in content panels, whenever you go to conferences, that deepfake and the technology there, it’s definitely moving into our space. It has already started. The timing of us talking is great because FinCEN actually just put out an alert on fraud schemes involving deepfake media that is targeting financial institutions, and it’s just very timely because this alert was actually a result of an increase in reports that they have received, but actually going back to 2023. So, I think what it really shows us is, going back to 2023, now in 2024, that there is an increase moving into the financial sector, so I really only see it increasing at this point.
Sara, can you provide a little color on what cost FIs are facing when it comes to some of these deepfake-related incidents? Certainly on the individual level it’s costly, for individual banks it’s costly, but as an industry, we’re talking about racking up quite a bit of cost here, aren’t we?
We definitely are. When I think about the increase, and especially as it relates to dollars and cents, it reminds me of a report that Deloitte had put out. And I mean, we are talking, they said in 2023 it was roughly $12 billion from a fraud loss perspective, and they are saying that, and predicting that Gen AI could enable the fraud losses to reach $40 billion in 2027, so well over a 30% compound annual growth rate. I mean, it’s substantial. It’s the deepfake technology that really helps the fraudsters to commit more complex schemes, but then at scale. And I think that’s the key, right, is when you can commit more fraud at scale, that’s when you start to really see the dollars increase, from a loss standpoint.
Let’s talk about what this looks like a little bit. First thing that comes to mind, certainly video deepfakes, but there’s a rise in audio-based fraud, such as voice cloning. We call that vishing. What’s the state of technology there, and what do you see as far as fraud perpetrators that are specifically targeting … What are they specifically targeting when they deploy faked voices?
Yeah, I mean, I would say that the audio threat is real, but the targets can vary. So, when you think of a fraud group that is targeting a financial institution, and they could be committing the voice cloning as they call into the contact center to really impersonate a client from a voice cloning standpoint. But then there’s also where bad actors are impersonating maybe a client’s niece or nephew and they are calling the client and pretending that they are in trouble, or they need money. And maybe then again, the initial contact isn’t to the financial institution. It’s to the client, but then ultimately that client wants to go send a large sum out of the financial institution. So, all of that to say that the threat of audio is definitely real. The targets can vary, but there is technology. Now with that said, and what I think is interesting, NPR did actually a test. It was earlier this year where they tested three different deepfake detection providers, and varying results. But I think what’s interesting about it is the solution providers that are out there, they’re really trying to give a probability of, “Is this cloned? Is this who the person should be? How does it compare to prior calls?” So, the technology is there, but I think there’s definitely room for improvement as an industry and what solutions are out there.
Can we talk a little bit about what some banks are trying to do, though? Even as we’re aiming for improvement, I hear you loud and clear, I feel for front-line, for first-line workers, because customer service, customer engagement is so important. They’re trying to make the right decisions in real time. Now we’re talking deepfakes. At what level are banks and credit unions giving deepfakes a priority? Are they providing first-line workers with these defenses? What kinds of technology are you seeing out there that is effective? And where are some of those growth areas, then, when it comes to the technology?
I would say, at least from my viewpoint, it varies. I mean, you have some financial institutions that already have voice detection-type biometrics in place, and then you have other financial institutions that are in the process of moving from a role-based, batch type detection to a real time, so they’re not even looking at the deepfake and voice yet because they are really upgrading their existing tech stack from a fraud standpoint, so varying levels. I think what’s challenging, especially when we talk about the deepfakes and the voice cloning, is from a financial institution perspective, if you don’t have something in place today, do you proactively make the investment in advance with the thought process of, “We may have it happening to our institution today? Or if we don’t, then we want to invest before it occurs,” or do you wait until it happens and then you have the reactive investment? I think from a leader perspective, it’s very challenging if they feel that they don’t have evidence that it has occurred at their institution yet – what is giving them the baseline to make the investment? But you certainly don’t want to be on the reactive side either. So, I think I agree, it’s very challenging times on when is the right time to make the investment, because as the bad actors see success with the deepfakes and voice cloning, which we know that they have already, that will continue to translate and they will move across multiple FIs. As soon as they see success with one, they will try different types of schemes with others.
Along with the technology, any effective fraud prevention effort has its human side for sure, right, both internal fraud teams and external customers and members. What are some vulnerabilities there, and how can they be reduced or even eliminated? So, that education and training consideration.
There is a continuous focus from financial institutions to educate their external customers on the threats that are out there, the schemes that are out there, to not trust the text or the call if someone calls and asks you for a code, right? There’s a lot of education out there. But equally as important is the human component internally and the internal education. And I’m not thinking of this as a baseline-type education from a compliance, check-the-box perspective. I think it’s beyond that. It is, what are the schemes and trends that you are seeing within your FI? Ensuring that collectively, internally, the fraud teams especially are aware of those, but then also, what is being written about? So, I brought up some of the articles in the FinCEN alert. Ensuring that the red flags from FinCEN on that latest alert, that the internal teams within the financial institution, they have those and they’re aware of them. So, I think it’s even internal education, it’s twofold. It’s not only what you’re seeing, but it’s what others are seeing as well that you should ensure that you’re prepared for and you know what to look for.
The push in our industry certainly has been toward speed, because speed is equated with convenience, being able to transact in near-real time. That invites vulnerabilities. Deepfakes are certainly a part of that. That brings in all the associated safety challenges. So, is there a case to be made for rethinking going faster? I’ve had some intel with some of the people that I’ve talked to where customers are kind of backing away from demanding their transaction to be faster because ‘safety-first’ is kind of re-emerging. Are you seeing that?
I think in the U.S., FIs are building based on what their competitors are building, in client demand to some extent, over the years, where clients have demanded faster, more real time. But I am aligned with you on this. I think especially with the deepfakes and the audio, and certainly that the pressure from the regulators, and who knows, where policies that could be forthcoming from a loss perspective, that could change in the banking sector. That could have institutions rethink, “Fastest is still good, but maybe not as fast. We receive it in real time, but what does your interdiction process look like, that you can detect it in real time, but maybe you release it within an hour?” I do think financial institutions at some point will have to take a stance to say, “We need to protect the consumer and the institution, and we can continue to layer on a lot of different technologies to perform that detection, but the instantaneous movement can bring risk,” and so how can they think about that in the future? And so, I do think we’ll see a shift. I don’t think it will be necessarily sudden, but I think we might see a slight shift.
Here’s a huge question, I think, for the industry. Is the fraud fight a competitive differentiator, or something that for scalability, institutions really need to collaborate on? When there is a threat, do we share that in real time? Should that be a priority?
Whether it’s a bank, it’s a credit union, when you are in the fraud space, it’s a community, and more of the mentality of “we’re all in this together.” I think you kind of sit in a sweet spot when you’re in fraud because we aren’t necessarily competing with one another. If you’re in a bank and you’re a bank leader, you may not necessarily be competing with another fraud leader at another institution. At the end of the day, if you’re passionate about fraud, you want to really not only avert the risk for your customers and your bank, but you want to avert the risk for the industry as well. And being on the solution side, in risk decisioning, I think it’s important that we are positioned where we can help to share information on what we are seeing, because I really, again, think the fight against fraud, it’s going to take a lot of us putting things together to be successful, so I think the more sharing we can do, the better.
Another area that’s still developing and fascinating for our industry, including in the fraud fight – generative AI. It’s getting a lot of headlines. Does Gen AI stand to change the deepfake-related risks for institutions?
I’m going to go back to that point earlier about the fraud at scale. I think what Gen AI does is it can help to create more, maybe faster, in a shorter amount of time, at larger scale. So, when you just even think about what it could do in that sense, pulling the data together and what it can create, the faster at a larger scale, that does, I mean, that increases the risk there alone, and certainly more complexity, too. So, beyond the volume and the scale, how it can have more elaborate fraud schemes that institutions are either seeing for the first time or that they may see in the future. So, I think it’s a great question. I definitely see it being impacted. But Rachel, I think one of the other things you said was, “What can they do?” I think it’s really important to survey what you have in place today, and what you have in place today, where are your gaps, what you may need to fill in the future if you see this risk really continue to prevail.
You’ve covered a lot of territory for us. I can tell you’ve been in this industry for a while. You know a lot about fraud. As we wrap up, what is your best advice for banks and credit unions to deal with the deepfake rise now, given the tools they have, even as they look to grow and expand but are minding their budgets. How can they best prepare for a future, determining what’s real and what’s not? It’s only going to get even harder to detect.
Yeah. That’s a great question, Rachel, and I think if I really had to sum it up, there’s probably three top things that come to mind. First, education, second, probably being communication, and the third, technology. And what I mean by that is, when you think about the education and the knowledge, ensuring that as an institution you are up to date on what the industry is seeing, what the various consultants are predicting, what news articles are out there where you already see some of the deepfake and AI and cloning schemes occurring, and then ensuring you have that education internally. It isn’t just that you perform education one time internally and then everyone goes about their day. It is this ongoing “who is responsible for it?” And really across the institution from a communication perspective, I would say share early and often with your executive team. I think what’s really important, I am certain the executive team is well aware of hearing and seeing the risks that are out there, but what does that mean specifically to your financial institution? And ensuring that you can help to build a story around that for them. The last one, maybe this one should have been first, but technology. Really survey these solutions you have in place today, and do you need to make an investment? Do you already have a solution that can help? Is it the right solution? Is it a platform that can quickly help you to thwart an attack? Ultimately across all three of these, I think it’s really ensuring the risk is understood, and ensure the risk is understood, and that you have the right players aligned to your approach on how to combat the threat.
Sara Seguin, former banker and now principal advisor for fraud and identity risk at Alloy, thanks so much for sharing your insights and advice with us on the BAI Banking Strategies podcast.
Great. Thank you so much, Rachel.