Fraudsters aren’t just posing a threat to retail banking, but are now also targeting corporate accounts with large scale schemes that combine phishing and malware attacks, says Beate Zwijnenberg, chief information security officer for ING Group. In this month’s Preventing Financial Crimes Playbook, Zwijnenberg explains how these two-layered attacks are creating a need for AI-powered multi-layered defense systems that can detect anomalous transactions that too often go unnoticed by human analysts.
The financial sector is a prime target for cyberattacks, with financial institutions (FIs) around the world defending against breaches and spending up to $3,000 per employee annually on cybersecurity measures.
These defenses take a variety of forms, ranging from transaction review teams to static rules-based verification measures to biometric authentication processes. Banks are constantly looking for new ways to ensure this annual security budget is spent more efficiently, devoting time and funds toward ever-more-advanced fraud prevention.
Some of the most promising of these innovations are artificial intelligence (AI) and machine learning (ML), which analyze thousands of transactions in real time to look for any anomaly that could be a sign of fraud. One bank harnessing AI and ML in its cybersecurity measures is Amsterdam-based ING Group, with 985 billion euros ($1.2 trillion) in assets in need of protection.
“The real-time aspect of online fraud means that you need to intervene immediately because otherwise, the money is transferred and it’s gone for good,” said Beate Zwijnenberg, ING’s chief information security officer. “So, the real-time element [of AI] is quite important.”
PYMNTS talked with Zwijnenberg in an interview about the financial crime that threatens digital banking systems and how AI and ML form an integral part of multilayered fraud defense systems that can drastically reduce this threat.
The Scope Of The Financial Crime Threat
The objective of financial crime — money — has remained unchanged since the days of Al Capone and Jesse James, but the methods used to turn a profit have become significantly more sophisticated than tommy guns and safecrackers. All fraudsters desire a profit, but some aim for a payday not by stealing cash from the bank itself but by harvesting customer data, either using it to siphon funds from individual bank accounts or simply selling the data online to other fraudsters.
“Fraudsters are after the data or the money, but until recently, the techniques had not changed,” said Zwijnenberg. “If you have a traditional bank branch, they try to get into the safe and physically get the money out, and for digital banks, it’s not much different. It is only the modus operandi that has changed.”
Digital methods like phishing and malware are the most common tools of the trade for fraudsters, according to Zwijnenberg. Cybercriminals often combine the two in large-scale schemes, harvesting customer data through phishing scams, and then leveraging malware to test their stolen credentials in a range of online services in the hopes that their victims use the same usernames and passwords elsewhere.
Another aspect of financial crime that has evolved is fraudsters’ targets. Their typical victims used to consist of retail banking customers and everyday consumers, but corporate accounts have been targeted much more frequently in recent years, Zwijnenberg said. The same fraud tactics that victimize consumers often work just as well on corporate customers.
“Criminals are investing in business cases as well, [changing] from the retail side to wholesale banking and applying techniques to different customers,” she said. “Phishing scams are the ones we see fairly often in business banking and wholesale banking, as well as identity theft.”
The ongoing pandemic has amplified all of these strategies. Fraudsters’ methods have remained largely the same, Zwijnenberg said, but they have increased in volume and have often used a COVID-19-related angle to exploit bank customers’ anxieties and insecurities regarding their personal safety and the precariousness of their financial situations.
“We’ve seen similar types of phishing and scams, but with the COVID theme,” she said. “They’ll say your banking card has expired and you need to log in because COVID has resulted in additional security measures, for instance. We also see a lot of scams [involving] people trying to sell you masks, and of course they will never deliver.”
Fighting this kind of fraud comes down to the use of advanced technologies such as AI and ML. These systems do not operate alone, however, working in tandem with static rules and human analysts in multilayered defense mechanisms.
How AI And ML Help Fight Fraud
The best fraud prevention measures, according to Zwijnenberg, are those that harness multiple layers of protection, starting with user authentication and including systems that analyze transactions to detect signs of fraud. AI plays an important part in this system, but it is not the be-all and end-all.
“You need a layered approach, making sure that you have multiple controls and invest in multiple areas,” she explained. “You make sure that you invest in multiple domains at customer authentication, for instance, and you also make sure that you have the right detection and response capabilities in place. You need to get all the data and profile the customer based on that, and you have to make sure that you detect anomalies if needed.”
AI and ML’s crucial advantage, Zwijnenberg said, is in the sheer quantity of data they can comb through to find anomalous transactions and other signs of fraud. Digital banking’s surge in popularity during the pandemic has given rise to terabytes of new data from customer transactions that would be impossible for a human employee to analyze and too complicated to manage with static rules alone.
“You cannot say it’s always better to have an AI or ML model in place, because sometimes there’s a very simple static rule that works perfectly well,” Zwijnenberg said. “The huge advantage of applying machine learning is that the amount of data is becoming bigger and bigger over time. You need to find the needle in the haystack, and you benefit from applying AI and machine learning to make sure that you really only look into the specific areas that call for it.”
Banks are not on their own in this fight, however. It is important for them to collaborate with other banks to share intelligence and technology because although they may be competing with one another for customers, fraudsters threaten the entire industry.
“You cannot fight this war alone,” Zwijnenberg noted. “It doesn’t make a lot of sense to compete [with] each other in this area. It’s better to work together and to see what we can learn from each other to make sure that we maintain customer trust because that is what banking is all about.”
A breach of customer faith can do more damage to an FI than any fraudster, as the decline in business from customer flight can result in more lost revenue than an individual heist. Maintaining customers’ trust requires letting them know that their data and funds will be kept safe, and AI and ML are key tools in banks’ arsenals to ensure this security.