Inaugural Edition

Welcome to the inaugural edition of Fraud Thoughts - where I will share insights with you from my day-to-day experience across a multitude of fraud topics such as fraud management leading practices, hot issues (like GenAI, and whatever is next!) and cover top fraud stories and trends from across the globe.

If we haven’t met, it is a pleasure to connect with you here! I am Sophia Carlton, a Fraud Management Expert - I have worked with clients of many shapes and sizes and across many industries throughout my fraud management consulting career. One thing continues to ring true: fraud is a constantly evolving problem regardless of size or industry. It is why I love this field and feel passionate about contributing to the fight against fraud in all its forms to safeguard people and organizations alike.

Fraud Thoughts was conceived long ago when I had the idea for my first article on how the bystander effect impacts fraud management, published in 2019 in the Fraud Examiner – you could say I am not only a fraud fighter but a fraud nerd. I caught the writing bug after that. From there, I have contributed to multiple industry resources, published articles in industry publications such as Fraud Magazine and the AGA Journal, and won two author awards.

In my accounting studies, I rarely had the opportunity to explore my interest in writing. The ability to do so in a field I have dedicated my career to has brought me immense joy. So, thank you for following, and I look forward to connecting with you each month.


This newsletter will be in your inbox on the first Thursday of each month - this month, I have topics separated by what's happening, what's new, and what's next in the world of fraud risk management.

A big thank you to each contributor to this edition of Fraud Thoughts who provided their insights and perspectives - including Suzanne Carlson and Karley Herschelman.

If you have a topic you want to see covered, want to contribute or collaborate on a future edition of Fraud Thoughts, or have questions about any of the content in the newsletter, feel free to reach out to me on LinkedIn or by email - [email protected].


What's Happening? Financial Services Edition

The financial services industry is seeing a rise in specific fraud trends – spanning ATO, ID theft / Synthetic ID, and Check Fraud – in addition to common themes in fraud management approaches – spanning a renewed focus on customer experience, a continued focus on scam intervention, and the ever-present pressure to do more with less. Across these themes, there are consistent trends in how financial services entities tackle the problem. Check out these trends and mitigation themes in the figure below:

[1] Sift Q2 2023 Digital Trust & Safety Index


Across these trends, there is a lot to explore! We may dive deeper into these topics in future editions, but in this edition, we want to hit some highlights…


Check Fraud is BOOMING!

There was an expectation that checks would become a way of the past, which led to less investment in the tools and tech needed to prevent and detect these schemes. This has led to a technology gap. Across institutions, there is a gap in image analysis or forensics capabilities – leading to a reliance on manual review. Manual review means a person performs certain checks to determine the check’s validity and authenticity. These checks may catch certain red flags, but an image analysis or forensic solution will find things the human eye may miss or can’t see.

Image analysis or forensics supplements transaction analytics or monitoring. Transaction monitoring can detect anomalous check writing for the account, such as unusual dollar amounts, atypical check writing velocity, or a serial number significantly out of range and not clustered with other items. Image analysis can detect anomalies for the check itself, such as anomalies indicative of forgeries and alterations. This type of tech has come up at almost every institution we have supported this year – leaders in this space include Orbograph, a provider of check fraud detection and image recognition solutions.
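The three transaction-monitoring signals named above (unusual dollar amount, atypical check-writing velocity, and a serial number out of range and not clustered with other items), as an added example that is not from this newsletter or from any vendor's product. The record layout, the thresholds and the sample checks are constructed assumptions.

```python
from datetime import date, timedelta
from statistics import median

# Constructed check history for one account: (serial, amount, cleared_on).
HISTORY = [
    (1041, 120.00, date(2023, 8, 3)), (1042, 85.50, date(2023, 8, 10)),
    (1043, 240.00, date(2023, 8, 17)), (1044, 130.00, date(2023, 8, 24)),
    (1045, 95.00, date(2023, 8, 31)), (1046, 210.00, date(2023, 9, 7)),
    (1047, 150.00, date(2023, 9, 14)), (1048, 110.00, date(2023, 9, 21)),
]

def robust_z(value, sample):
    """Distance from the median in units of median absolute deviation (MAD)."""
    med = median(sample)
    mad = median(abs(x - med) for x in sample) or 1.0  # identical amounts -> MAD 0
    return abs(value - med) / mad

def score_check(history, serial, amount, when, *, amount_z=6.0,
                serial_gap=50, window_days=7, velocity_factor=3.0):
    """Return the list of transaction-monitoring flags for one presented check.

    All thresholds are illustrative assumptions, not industry values.
    """
    if not history:
        return ["no_history"]  # nothing to compare against: route to review
    flags = []

    # 1. Unusual dollar amount relative to the account's own check amounts.
    if robust_z(amount, [a for _, a, _ in history]) > amount_z:
        flags.append("unusual_amount")

    # 2. Serial number far from every serial already seen (not clustered).
    if min(abs(serial - s) for s, _, _ in history) > serial_gap:
        flags.append("serial_out_of_range")

    # 3. Velocity: checks in the trailing window vs. the earlier weekly rate.
    start = when - timedelta(days=window_days)
    older = [d for _, _, d in history if d < start]
    recent = 1 + sum(1 for _, _, d in history if start <= d <= when)
    if older:
        span_days = max((start - min(older)).days, window_days)
        baseline = len(older) * window_days / span_days
        if recent > velocity_factor * max(baseline, 1.0):
            flags.append("high_velocity")
    return flags

if __name__ == "__main__":
    today = date(2023, 9, 28)
    burst = HISTORY + [(1049, 100.00, date(2023, 9, 25)),
                       (1050, 125.00, date(2023, 9, 26)),
                       (1051, 135.00, date(2023, 9, 27))]
    print(score_check(HISTORY, 1049, 150.00, today))   # in-pattern check
    print(score_check(HISTORY, 7312, 4800.00, today))  # amount and serial outlier
    print(score_check(burst, 1052, 140.00, today))     # burst of checks in one week
```

These flags describe the account's behaviour only; they say nothing about the check image itself, which is where image analysis or forensics comes in.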

Outside of the tech – there are also new avenues institutions can and should explore to help combat this continuing problem. In commercial banking, tools like positive pay have been around for some time and can be very effective for on-us check fraud…if adopted by customers, but that is another story. A similar approach for retail will help drive down losses. For example, we are seeing a rise in push notifications in the app (check out this article on why push notifications are more important than ever). These notifications can also alert customers when a check is presented for payment – enabling the customer to confirm the details or contact the bank if the check is fraudulent.


Customer Experience is King…

This is not to say that customer experience hasn’t always been top of mind – but with increasing and evolving threat landscapes and ever-present fraud interventions or warnings in place to mitigate those threats, customer experience is having its heyday, and for good reason. If an institution applies too many rules, checks, or restrictions to transactions, good customers will get frustrated or may find another place to bank with more convenience and speed. However, it is a double-edged sword. A recent survey found that two-thirds of customers will switch providers due to fraud experience or for better safeguards.

Where is the middle ground if customers want to be protected but not inconvenienced by those protections? This brings us to a long-time battle between fraud risk management and customer experience. Striking the balance is a delicate act that can have bottom-line impacts if not done correctly. Institutions leading the charge have clearly defined fraud journeys – meaning they know when fraud interventions occur across a specific customer journey, such as initiating an ACH transaction in the banking app - with a focus on gathering active and passive feedback.

Assess the impact of fraud controls, enable insight-driven action

Passive feedback here reigns supreme – passive feedback can be gathered without asking your customers a thing. Check out this example below:

A customer journey resolved through self-service

The outcome of our example above is insight. With that insight, the bank can determine how fraud controls and interventions must be adjusted across crucial customer journeys to delight good customers while maintaining friction for bad actors.


Is your institution dealing with some of these trends? Let me know what your organization is experiencing and any questions in the comments, or message me directly.


What's New? GenAI Edition

GenAI is a scorching hot topic. Before we dive into the fraud impacts, let’s get grounded in what it is...

Generative AI describes computer algorithms, such as ChatGPT and Midjourney, that can be used to create new content based on simple prompts from the user.

Below are some real-world examples across these categories…

AI Co-Pilot - Having a conversation with a computer algorithm
Text-to-speech - GenAI produces convincing audio
Videos, Images… & Art! - GenAI gets creative with photos and videos

What does this all mean for fraud?

It is simple – GenAI is another instrument in the fraudster tool belt.

GenAI accelerates the effectiveness and sophistication of social engineering - spanning phishing, deep fakes, and more!

Social engineering has traditionally been a successful pathway for bad actors to solicit sensitive information or to convince the victim to complete an urgent act, such as sending money.

With GenAI’s help, these attacks will become even more successful - for example, more sophisticated impersonation schemes, phishing messages, or an enhanced ability to bypass voice or facial recognition.

Let's go ahead and explore a few examples below...


AI-Generated Crypto Invoice Scam

This AI-generated crypto invoice scam almost got me, and I'm a security pro

In this article, Jason Perlow shares his experience of almost falling for an AI-generated phishing email scam that closely resembled an invoice from Stripe, a payment processor often used for cryptocurrency transactions. The language and invoice were so well-written and formatted, Jason states:

“I'm used to seeing phishing emails that are far less convincing because they have easily detectable formatting, phrasing, and spelling errors.”

In this instance, Gmail didn't flag the phishing attempt as spam. The invoice and email language were so well written and formatted that it is very likely that AI was used to mimic what one of these invoices from Stripe might look like to evade Gmail's and human filters. Perlow called the support number in the email, believing it to be PayPal's, and connected to a busy call center in India that knew enough details about him to sound authentic. He sent codes associated with his emails attached to his Amazon account before he 'woke up'; he then hung up the phone and reset his passwords.


GenAI Fraud-for-Hire

On the dark web, there is a fraud-as-a-service industry run by international cyber gangs from all over the world, including Russia, Nigeria, and China, among dozens of others.

The one depicted in the video is called Mega Darknet Market, one of the world's biggest enterprises.

The man who calls himself "Sanchez" posted this commercial on the dark web, which criminologist David Maimon uncovered:
"Yes, I sell Chase bank accounts. Yes, I am one of the first people to sell fake bank accounts four years ago," the man who calls himself "Sanchez" said. "We started with my partner four years ago. Now we are about 30 people in one office."

This video gave the first glimpse into how these organizations sell "mule accounts," bank accounts set up with stolen identities, and GenAI and "deepfake" tools to other criminals.


Want to dive deeper? Check out this recent article ... 'Hackers Are Weaponizing AI to Improve a Favorite Attack - Phishing attacks are already devastatingly successful. What happens when artificial intelligence makes them even harder to spot?'


How can you protect your business from GenAI-enabled fraud?

GenAI can be compared to other disruptors, such as the COVID-19 pandemic. To prepare for the impact of GenAI, it is crucial to implement a comprehensive anti-fraud strategy that includes an ongoing process to identify emerging risks, like the accelerated threats GenAI poses. This foresight can allow your organization to prepare and implement mitigating actions proactively, both preventive and detective.

In the case of the pandemic, we saw reactive vs. proactive actions or a lack of action entirely. However, proactive steps could have been taken if emerging risks were understood. Similarly, you can proactively prepare for the impact of GenAI by implementing measures now.

Key measures to take include...

Assess Your Risks – Are there areas of vulnerability where AI-enabled fraud could occur across your business? What types of attacks do you see today that will be accelerated with the help of GenAI? Do you have the proper controls to mitigate those risks, and if not, how can you define a path to get there now before a more significant problem arises?

If you don’t have it, now is also an excellent time to implement a process for ongoing monitoring of emerging risks. This is usually a component of a broader fraud risk assessment program – ongoing, ad hoc, and periodic assessment - which feeds into your fraud strategy so the fraud program can adapt swiftly as your threat landscape changes when the next disruption occurs.

Evaluate Your Fraud Tech Stack – Understand your current fraud tech stack and where there may be gaps as GenAI accelerated threats emerge and evolve. It would be best to focus on partners who can adapt as the fraud landscape shifts and those who can integrate into your broader tech ecosystem.

For example, do you use Voice ID (e.g., my voice is my password) to authenticate callers in your call center? How is that partner adapting their technology for enhanced or more sophisticated voice cloning and deep fakes?

Focus on Your Controls - Systematic and operational controls will continue to play an essential role in the fight against fraud - and GenAI-enabled fraud. Ensure you have the appropriate controls across activities with a higher risk or vulnerability to accelerated social engineering attempts or GenAI-enabled fraud.

Update Training – Now is the time to prepare your workforce and customer base for this new threat landscape. Update and roll out further training for your employees and customers that details the accelerated threats GenAI poses and how to keep the business or themselves secure. For example, if misspellings are no longer the tell-tale sign of a phishing email - what other red flags should employees or customers look for?


Accelerated fraud threats...and fraud tools?

GenAI may enhance or accelerate the fraud threats of today and tomorrow. However, it also provides a new tool in the fight against fraud; it can help with the efficiency and effectiveness of investigations, analytics, and models – and support prevention and detection efforts.

For example, GenAI models can help generate new programming code with natural language prompts, complete partially written code with suggestions, or even translate code from one programming language to another. This can lead to more effective fraud models, quicker model development for emerging schemes, or more efficient fraud model tuning and management – all of which can support a more effective fraud management program.

Bottom line? As you think about how to protect your business from GenAI-enabled fraud, you should also consider how GenAI can act as a tool to help you more effectively combat fraud now and in the future.


How can you protect yourself from GenAI-enabled fraud?

Each of us needs to stay vigilant and protect ourselves and our loved ones - here are a couple of tips to keep in mind:

6 Tips to Protect Yourself from GenAI-enabled Fraud

Want to learn more?

Check out Episode 69 of the AFERM Risk Chats podcast - we talked all about #GenAI and the impact on your #fraud risk landscape and broader fraud strategy. This is a federal government-focused podcast, but the advice is industry-agnostic.

Thanks to the Association for Federal Enterprise Risk Management (AFERM), Paul Marshall, CPA, PMP, and Dan Featherly for having me on!


What's Next? Scam Liability Edition

Scams, scams, and more scams. Scams continue to achieve success and show no signs of slowing down - FTC data shows consumers lost $8.8 billion to scams in 2022, up 30% over 2021 losses; I expect 2023 numbers will show continuing growth. And, it's safe to say that we have all been targeted by or fallen victim to a scam - a survey among adults in the US found that 45% of respondents encountered scams daily. Let that soak in.

Unsurprisingly, with skyrocketing losses and the detrimental impact on victims, the question of who is liable has been discussed in the US among public officials...

“The CFPB must update and strengthen regulations governing the obligations of banks to repay customers who are defrauded on Zelle and other peer-to-peer payment platforms.” – Senator Elizabeth Warren

Senator Warren's statement focuses on Zelle fraud - which is part of a broader grouping, push payments. Push payment scams happen when someone is tricked into making a payment to criminals posing as a legitimate organization, such as a bank. Scammers may also pretend to be selling goods or services that do not exist - for example, on Facebook Marketplace.

How are other countries handling scam liability?

This shift has already happened in the UK - the requirement to refund people tricked by scammers will be implemented in 2024. The requirements for banks and other payment companies unveiled by the Payment Systems Regulator (PSR) in the summer of 2023 are designed to ensure more consumers will get a refund if they fall victim to push payment scams.

The UK is not alone - a September 2023 announcement from Singapore officials stated that next month, they will deliver a consultation paper detailing a split liability scheme that will mean both consumers and banks are on the hook for financial losses from scams.

What is happening in the US?

Regulation E (Reg E) determines the conditions under which financial institutions will reimburse their customers for unauthorized electronic transfers. Updates to Reg E have been issued over the years. However, one thing continues to stand — if the customer performed an authorized transaction - even if they were manipulated into doing so by a scammer - they will not be covered under Reg E, and the bank will not be liable to reimburse customers.

How soon will the US follow in the footsteps of the UK or Singapore?

That is the million-dollar question. The bottom line is that the liability shift is looming. Following the OCC’s 2019 fraud risk guidance and propelled by the significant surge in fraud over the last two years, financial services organizations have experienced a noticeable uptick in regulatory actions against fraud programs.

Regulators are now taking a closer look at how fraud programs are structured and governed. Recent focus areas for regulators have included fraud governance and oversight across lines of business, fraud risk management policy, metrics, and reporting, including board-level reporting, training and awareness for employees and customers, and internal fraud monitoring.

This tells us that the focus on consumer protection through strong fraud management capabilities is paramount, and scam intervention should be top of mind for institutions as we prepare for a potential liability shift in the US.


We will explore this topic more in the next edition, covering historical approaches to scam intervention in the US and fit-for-future solutions.

How is your organization tackling scams? Let me know what your organization is experiencing and any questions in the comments, or message me directly.





Doctor Ed Carlton

Certified Neurofeedback Provider at Carlton Neurofeedback Center

1 yr

Well done

Brenda Gilpatrick

Product Marketing | Fractional Consulting | GTM Strategy | Payment & Fintech Solutions | Product Management | User Acquisition

1 yr

Nice job!

Andrew Wenzel

AI Governance for enterprises to harness the power of AI at scale with transparency, accountability, and safety

1 yr

Well done Sophia, very insightful.

Kevin Hart

Director of Risk & Compliance | CFE, CAMS

1 yr

Excellent newsletter and content, thank you
