Description
Artificial intelligence is fueling a major transformation in the financial fraud landscape. AI has democratized criminal sophistication and made fraud possible at a very low cost of doing business, producing more malicious actors for financial institutions to fight.
What can these institutions do to mitigate increasingly sophisticated frauds and scams? In a recent PaymentsJournal podcast, Kannan Srinivasan, Vice President for Risk Management, Digital Payment Solutions at Fiserv, and Don Apgar, Director of the Merchant Payments Practice at Javelin Strategy and Research, discussed how fraudsters are using generative AI to hone social engineering and bypass authentication, and how we can fight back.
The Deep-Fake Threat
Driven by AI, deep fakes represent a new frontier in fraud. There has been a 3000% increase in deep-fake fraud over the last year and a 1200% increase in phishing emails since ChatGPT was launched.
Synthetic voices have been around for decades. They used to sound like a hollow robot, but recent advances in technology have allowed voices to be cloned from just a few seconds of audio. They are so realistic that fraudsters were able to use a deep-fake voice of a company executive to fool a bank manager into transferring $35 million to them.
“In banking, especially at the wire desk, talking to the customer is always considered the gold standard of verification,” said Apgar. “So if somebody sends an e-mail and says I want to initiate a wire, they'll actually have to talk to a banker. But now, if the voice can be cloned, how do bankers know if it's real or not?”
In business applications, single-channel communication should not be accepted, said Srinivasan. “If you get a voice call from somebody to do a certain thing, don't just act on that,” he said. “Send an email or a text to confirm that you heard it from that person. Or hang up the phone and confirm through another channel that this is exactly what they wanted.
“We hear stories about a phone call coming in and saying your son has met with an accident and they're in a hospital, you need to send $8000 for an emergency procedure. They prey on human emotions. We have to make sure that we step back, think about what's happening, then call your family or friend to make sure that the news is accurate.”
A Range of Use Cases
Imposter scams have also exploded recently across other use cases. Large language models can take a phishing email, customize the content, and iterate on it until the scammer gets a successful response from the victim.
Sophisticated criminals are creating packages for less-sophisticated criminals to buy. For $100 a month, a would-be hacker can purchase a bot-as-a-service turnkey application. To conduct a fraud operation, they just need to upload the victim's information, such as their phone number, along with the name and phone number of the business being impersonated.
The bot will automatically call the victim and impersonate the business, often requesting that they read out the one-time password. Once the criminal gets the OTP, they can do whatever they want with it, including logging into the institution under attack, authenticating transactions, and changing passwords.
The entry barrier to committing fraud has come down significantly. “There's almost a multiplier effect on the attack vectors end,” said Apgar, “because AI is not only making it easier to crank out more and more phishing emails more efficiently, but it also makes them more realistic.”
How Are We Stopping Fraud?