Fraud Detection: Time is Not on Our Side

Financial institutions are dedicated to providing their customers with a frictionless experience that is also safe and private. Doing both is increasingly challenging, however, especially as fraud and cybercrime move from the banking environment to the consumer environment.

When customers swipe a credit card, transfer funds from one account to another, or perform any transaction that involves their hard-earned money, they trust that they are acting in a safe environment. Whether that is the case is up to their financial institutions, which have mere milliseconds to determine if something is amiss. Indeed, the price of slow or inaccurate fraud detection is very high — to consumers, merchants and financial institutions alike.

There has always been a push and pull between making financial transactions seamless and keeping them secure, but the balance is harder to strike today because payment technology, customer behavior and cybercrime are all advancing quickly.

In my conversations with data scientists and cybersecurity experts at major financial institutions, a few themes have been emerging.

Sophisticated Social Engineering Attacks

For one, there has been a massive change in the last few years in the type of fraud that is being committed against customers. Just a couple of years ago, the large majority of all fraud focused on account takeover in the banking environment. But, as financial institutions became efficient at detecting this type of fraud, criminals shifted gears. Now, their focus is shifting from the banking environment to the customer environment.

In a recent real-world example, a woman’s life savings was wiped out through a carefully executed fraud in which her bank’s security measures were used against her. Scammers tricked the customer into revealing legitimate two-factor authentication codes sent by the bank, enabling them to transfer large sums of money from her account.

It is harder for financial institutions to spot and stop this type of fraud because many of the data points they used in the past are no longer as relevant. For example, a new device popping up on the network or an IP address used in a new location were often harbingers of fraud. Now, however, fraud often takes place through social engineering against customers logging in from where they always log in, from a device they have always used. So, the fraud is happening before it ever reaches the bank environment, and it’s very difficult to detect because all the historic data points are the same.

Generative AI will only make things worse, say the data science and cybersecurity professionals I’ve been speaking with. For example, social engineering fraud traditionally has been perpetrated by a scammer picking up a phone and calling customers. With generative AI, scammers won’t be limited by the number of calls they can physically make. Generative AI systems can do the calling — at scale — and conduct convincing conversations with unsuspecting customers in a much more efficient manner.

New technologies and security measures will need to be deployed to target these new threats.

Culture of Connectedness

Many tools can be put into place to fight this new species of fraud, but the most important offensive and defensive measure an organization can develop is a culture of connectedness. Indeed, more and more institutions are seeing the value in sharing and collaborating to prevent fraud.

At one major financial institution, for example, a network of banks and several teams work together to integrate insights that on their own might not mean anything but could indicate fraud. For example, information shared among authentication, authorization, mass fraud attack and diversification teams may show behavior changes that can then be viewed on a more macro level. With this kind of cross-team collaboration in place, the right data engineers can not only tap into the right data sources but also collaborate with the data scientists who are training fraud detection models in the first place.

There must also be a connectedness of data. Telco information, for example, could reveal fraud being perpetrated when criminals pose as bank associates and ask customers for information, as happened in the case noted earlier. Social media companies could also be a source for relevant data points. The goal is to track insights not just at a single entity but across relationships and to enrich real-time streaming data with historical data so that decisions are made and actions are taken based on rich contextual data.

It’s really about building a platform that enables you to combine and compare what’s known to be “normal” with what’s happening now and using the resulting insight to react — not in a few minutes or even a few seconds, but instantaneously.

This level of data integration requires several different technology systems. Organizations can piece such systems together, but it’s no trivial task because each, more often than not, runs on separate software and infrastructure stacks. In the case of credit card fraud detection, for example, you need a prediction service that accepts fraud prediction requests, retrieves customer and merchant features and calculates recent card use patterns. You also need a fraud detection machine learning model. All of this adds up to more money, more complexity and, most importantly, more time.
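To make the pieces named above concrete, here is a minimal prediction service, added here as an illustration and not taken from the article or from any vendor's product. The feature values, the 10-minute window, the field names and the hand-set `score` function (a stand-in for a trained fraud model) are all assumptions.

```python
from collections import defaultdict, deque

# Constructed historical features; in production a feature store holds these.
CUSTOMER_FEATURES = {"c1": {"avg_amount": 40.0, "home_country": "US"}}
MERCHANT_FEATURES = {"m1": {"fraud_rate": 0.001}, "m9": {"fraud_rate": 0.08}}
WINDOW_SECONDS = 600  # look-back for "recent card use" (assumed value)

def score(f):
    """Stand-in for the trained model: hand-set points, 0 (benign) to 100."""
    points = 30 if f["amount_ratio"] > 5 else 0         # far above usual spend
    points += 20 if f["foreign"] else 0                 # outside home country
    points += 30 if f["txn_count"] >= 4 else 0          # burst on one card
    points += 20 if f["merchant_fraud_rate"] > 0.01 else 0
    return points

class PredictionService:
    def __init__(self):
        self._recent = defaultdict(deque)  # card_id -> (ts, amount) pairs

    def _card_use(self, card_id, ts, amount):
        """Slide the window forward, record this use, summarise the pattern."""
        window = self._recent[card_id]
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        window.append((ts, amount))
        return {"txn_count": len(window),
                "txn_total": sum(a for _, a in window)}

    def enrich(self, txn):
        """Join the live transaction with historical context."""
        cust = CUSTOMER_FEATURES.get(txn["customer_id"])
        merch = MERCHANT_FEATURES.get(txn["merchant_id"], {"fraud_rate": 0.05})
        features = self._card_use(txn["card_id"], txn["ts"], txn["amount"])
        # Unknown customer: no baseline, so treat as maximally unusual.
        features["amount_ratio"] = (txn["amount"] / cust["avg_amount"]
                                    if cust else float("inf"))
        features["foreign"] = not cust or txn["country"] != cust["home_country"]
        features["merchant_fraud_rate"] = merch["fraud_rate"]
        return features

    def predict(self, txn):
        features = self.enrich(txn)
        return score(features), features

def txn(ts, amount, merchant, country, customer="c1", card="card-1"):
    """Build a constructed sample transaction."""
    return {"ts": ts, "amount": amount, "merchant_id": merchant,
            "country": country, "customer_id": customer, "card_id": card}
```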

Organizations should be looking for platforms and processes that will help them optimize fraud detection so that real-time ML models can be run at scale and the amount of time it takes to gather relevant information and run the fraud detection model can be reduced.

Because, when it comes to fraud, time is something that is not on financial institutions’ — or customers’ — sides.

Dale Kim

Dale Kim is the Senior Director of Technical Solutions at Hazelcast and is responsible for product and go-to-market strategy for the in-memory computing platform. His background includes technical and management roles at IT companies in areas such as relational databases, search, content management, NoSQL, Hadoop/Spark, and big data analytics. Dale holds an MBA from Santa Clara, and a BA in computer science from Berkeley.
