Jonathan Hart
- Generative AI is breathing new life into two more traditional types of fraud: Synthetic Identity Theft and Account Takeovers.
- These fraud types can be difficult to identify in real-time. Behaviour analysis, which includes looking at key metrics related to historical bank account activity and transactions, can help signal fraudulent activity while it’s happening.
AI has breathed new life into traditional fraud
As AI continues its relentless advance, fraudsters are deploying ever-more sophisticated tactics to fleece individuals and businesses of significant sums of money. Developments in generating deepfake ID documents, voice prints, and even selfies, are catching all types of businesses off guard, including the largest financial institutions.
Two traditional fraud tactics have benefitted from the rapid advances in technology and, as a result, present an even greater threat to businesses and consumers: Synthetic Identities and Account Takeover.
$500bn
Estimated cost of fraud scams globally in 2023
Source: Nasdaq & Oliver Wyman
Synthetic Identities (IDs) are created using a mix of real and fabricated personal information and are used by fraudsters to establish bank accounts. Fraudsters hide from financial institutions by processing small, occasional payments to make their accounts look legitimate. Synthetically created accounts are then used to receive and hide funds from many types of scams, including Authorised Push Payment (APP) and Business Email Compromise (BEC).
Account Takeovers (ATOs) occur where the login details to a bank account are compromised and a fraudster assumes ownership of the account. These can be difficult to detect for a variety of reasons:
- Businesses want to avoid creating friction for their users
- Credentials and passwords can be compromised in many ways (brute force attacks, credential stuffing, phishing and more)
- GenAI is becoming increasingly effective at defeating biometrics, such as facial and voice recognition
Beyond having access to a customer’s fund balance, the fraudster can attempt to buy products with the hijacked account, and/or seek refunds, chargebacks, or other payouts illicitly.
What are the impacts of Synthetic Identity theft and Account Takeovers?
Account Takeovers and other fraud types, such as APP and BEC using Synthetic IDs, can financially ruin individuals and businesses before they notice a single dollar missing.
Businesses whose customers are victims of Account Takeover attacks or other similar attacks become responsible for costs of remediation (e.g. refunds) and take a reputational hit, losing revenue from current and potential customers. Additionally, by the time a fraudulent account has been detected and shut down by a financial institution, the fraudster will have moved their illicit gains to Synthetic ID-created accounts or other hidden assets, preventing victims, financial institutions and law enforcement from clawing them back.
If fraudulent accounts haven’t been detected, what can be done?
Synthetic IDs are designed to look and act like a legitimate person or entity. Account Takeover fraud stems from legitimate accounts being used for illegitimate reasons. Running a bank account verification in isolation can help, but it won’t detect a Synthetic ID created in the same name as your payee, or an Account Takeover.
However, one thing a fraudster can’t hide is their behaviour. Fraudsters who have taken over an account or ‘activated’ their Synthetic IDs will move fast to generate as much cash as possible before their financial institution detects their activities.
As an example, a fraudster who has created a bank account with a Synthetic ID may start applying for credit, buy-now-pay-later accounts, or loans with the intention of never repaying any money. They may create dozens of eCommerce accounts with the intention of buying goods with those illicit accounts, to keep or resell goods they haven’t originally paid for. They may use their accounts as part of a BEC scam and direct businesses to pay money to them for work they haven’t done. They may even be able to claim insurance or unemployment benefits.
This is where a consortium-style approach to fraud detection is hugely beneficial. When new payment or payee details are collected and verified, there is the potential to identify risky behaviour across participating businesses quickly, minimizing losses and stopping fraud in its tracks.
The ‘activation’ can be detected by analysing:
- Recency: inquiries for a bank account made in the short, medium and longer term;
- Popularity: number of participating businesses that have seen a bank account; and,
- Velocity: total number of enquires made in short, medium and longer term.
In the aforementioned case, where a fraudster starts multiple credit, buy-now-pay-later or loan applications, or creates eCommerce accounts, their fraud attempts will detectable by reviewing recency, popularity and velocity behaviours of their bank account across participating businesses.
Getting ahead of the fraud landscape: leveraging behavioural signals
The reality is that bad actors, given enough time and effort, can overcome almost every type of individual security product or services available. This threat is amplified in the era of Generative AI.
However, criminals tend to go for the lowest-hanging fruit. If you add enough layers of fraud and security defenses, it will eventually take too much time, effort and expense for a fraudster push through, and they will move on to another opportunity.
Increasingly, a holistic, “always on” approach to fraud prevention, spanning the full customer life cycle, is recommended. This is based on consistent and continuous risk monitoring and rests on three pillars:
- Trust the identity of the client, via data-based verification to supplement document verification and biometrics;
- Trust the accounts, via bank account verification and account ownership verification; and,
- Trust the interaction, via account behaviour analysis collected across a consortium and other ID signals, to detect anomalous behaviour.
Behaviour analysis, used in conjunction with robust identity proofing and payments verification, can help strengthen the arsenal organisations need to effectively counter fraud.
Read more about
Legal Disclaimer
Republication or redistribution of LSE Group content is prohibited without our prior written consent.
The content of this publication is for informational purposes only and has no legal effect, does not form part of any contract, does not, and does not seek to constitute advice of any nature and no reliance should be placed upon statements contained herein. Whilst reasonable efforts have been taken to ensure that the contents of this publication are accurate and reliable, LSE Group does not guarantee that this document is free from errors or omissions; therefore, you may not rely upon the content of this document under any circumstances and you should seek your own independent legal, investment, tax and other advice. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon.
Copyright ? 2024 London Stock Exchange Group. All rights reserved.
The content of this publication is provided by London Stock Exchange Group plc, its applicable group undertakings and/or its affiliates or licensors (the “LSE Group” or “We”) exclusively.
Neither We nor our affiliates guarantee the accuracy of or endorse the views or opinions given by any third party content provider, advertiser, sponsor or other user. We may link to, reference, or promote websites, applications and/or services from third parties. You agree that We are not responsible for, and do not control such non-LSE Group websites, applications or services.
The content of this publication is for informational purposes only. All information and data contained in this publication is obtained by LSE Group from sources believed by it to be accurate and reliable. Because of the possibility of human and mechanical error as well as other factors, however, such information and data are provided "as is" without warranty of any kind. You understand and agree that this publication does not, and does not seek to, constitute advice of any nature. You may not rely upon the content of this document under any circumstances and should seek your own independent legal, tax or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither We nor our affiliates shall be liable for any errors, inaccuracies or delays in the publication or any other content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the publication and its content is at your sole risk.
To the fullest extent permitted by applicable law, LSE Group, expressly disclaims any representation or warranties, express or implied, including, without limitation, any representations or warranties of performance, merchantability, fitness for a particular purpose, accuracy, completeness, reliability and non-infringement. LSE Group, its subsidiaries, its affiliates and their respective shareholders, directors, officers employees, agents, advertisers, content providers and licensors (collectively referred to as the “LSE Group Parties”) disclaim all responsibility for any loss, liability or damage of any kind resulting from or related to access, use or the unavailability of the publication (or any part of it); and none of the LSE Group Parties will be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, howsoever arising, even if any member of the LSE Group Parties are advised in advance of the possibility of such damages or could have foreseen any such damages arising or resulting from the use of, or inability to use, the information contained in the publication. For the avoidance of doubt, the LSE Group Parties shall have no liability for any losses, claims, demands, actions, proceedings, damages, costs or expenses arising out of, or in any way connected with, the information contained in this document.
LSE Group is the owner of various intellectual property rights ("IPR”), including but not limited to, numerous trademarks that are used to identify, advertise, and promote LSE Group products, services and activities. Nothing contained herein should be construed as granting any licence or right to use any of the trademarks or any other LSE Group IPR for any purpose whatsoever without the written permission or applicable licence terms.
Related articles
Find out more
Further information about how to buy stocks in pse