Lorem ipsum dolor
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Praesent finibus mollis nisl et posuere. Praesent nec purus faucibus, tincidunt mi ac, rhoncus dui. In hac habitasse platea dictumst.
Register TodayWatch the Recording
EVENT RECORDING
Fraud Counterattack—How to Protect Your Business from Financial Threats
| Access the Presentation |
WEBINAR REGISTRATION
Webinar Title
Webinar sub title
Weekday, Month __th | __ pm ET
Webinar Description
Details
Protect your business from financial fraud and scams
Explore the methods used by today’s financial fraudsters and how you can launch an effective counterattack for your business.
Our panel of fraud specialists discuss navigating the increasingly sophisticated scams targeting businesses of all sizes by addressing the following topics:
Our panel of fraud specialists discuss navigating the increasingly sophisticated scams targeting businesses of all sizes by addressing the following topics:
- How today’s fraudsters operate.
- Who’s liable for fraud against your business.
- Implementing proactive fraud-fighting strategies.
- How to prepare for financial threats in the future.
| Contact Us |
Featured Panelists
- Kristen Saranteas, First Citizens Bank Treasury Management Services Executive, brings her deep expertise in fraud mitigation to help businesses defend against evolving financial threats.
- Sharon Crabbe, First Citizens Bank Financial Crimes Senior Manager, will share more about how fraudsters operate and proactive measures you can take to prevent financial losses.
- Ishanaa Rambachan, McKinsey & Company Partner, will help you shield your business from fraud drawing on her experience helping organizations improve their operational risk and risk-identification.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Praesent finibus mollis nisl et posuere. Praesent nec purus faucibus, tincidunt mi ac, rhoncus dui.
Name
Company
Transcript & Disclosures
Kristen Saranteas: Welcome, everyone.
We are thrilled that you are here to join us on today's webinar that's entitled “Fraud Counterattack: How to Protect Your Business from Financial Threats.” We're thrilled that you're here to listen to such a great topic. And with that, let me introduce my fellow panelists that are joining me today. We are thrilled to have Sharon Crabbe. She's the Financial Crimes Senior Manager here at First Citizens Bank, and she's joined us to share more about fraudsters, how they operate, what they do, and the proactive measures you can take to prevent financial losses. We're also thrilled to have Ishanaa Rambachan, who's a partner at McKinsey, joining us today. She's going to help us explore how to shield your business from fraud, drawing on her experience helping organizations improve their operational risk and risk identification measures.
I am Kristen Saranteas. I'm the Treasury Management Service Executive here at First Citizens Bank. And many who know me, know that fraud prevention and the education of our clients has been a passion of mine throughout my career. So, I'm really looking forward to today's discussion.
So, what are we going to do today?
Let's look at the agenda. We're going to start with where we are. Given the number of people that have joined today's webinar, hundreds and hundreds of you know that today's landscape includes very huge threats. So, we're going to talk about what that looks like. We're going to also help you identify where and when and how fraud takes place. But more importantly, we're going to talk about how you can build up your defense against those threats.
But, like many things, we are building defense against fraud we know. We're also going to try and look at the future of fraud. Where is fraud heading? Because those fraudsters, they're always trying to be one step ahead of us.
If you do have questions, please put them in the Q and A tab and include your email, so that if we don't get your question answered today, we will follow-up with you with an answer. We'll be reviewing the questions as they come in and do our best to get to as many throughout today's discussion.
Likewise, many of you are here for continuing education credits. Specifically, the AFP has CTP or CCM credits. This webinar has been approved for 1.2 two credit hours. And, in order to qualify for those credit hours, there will be a quiz at the end of today's presentation, and we will prompt you for that at that time.
So, let's get going. We're going to start with a poll because we'd like to understand exactly what you think are your top fraud challenges. So, in a moment, you're going to be prompted with a pop-up on your screen with a poll, and please tell us what you've been thinking about. That'll help guide our conversation. So, I'll give you a minute to do so.
So, let's see how those results are coming in.
Just one more minute as we tally more of the votes.
Okay. Are we able to show those results?
Across the board.
Obviously, the future of fraud, getting one step ahead, has led the pack in some of the discussion. But obviously, you can see there's a really great distribution among every other category that's going to help guide our conversation today. So, we're going to start with Sharon. And, Sharon, I'm going to turn it over to you. Again, we're going to start with today's landscape and what you're seeing as today's biggest threats. So, Sharon, I'll turn it to you.
Sharon Crabbe: Thank you, Kristen.
So, twenty twenty-five is definitely proving to be both challenging but an interesting year for fraud.
Fraudsters are targeting victims using tried and trusted methods.
Like you mentioned, the fraud, you know, check fraud, BECs, but then they're also using newer, more digital, tactics as well. Unfortunately, fraudsters always seem to be one to two steps ahead. And so it's important that you're aware of fraud schemes and that you stay vigilant to protect yourselves and your businesses.
Some highlights to look for in the fraud space:
Businesses are increasingly becoming targets of fraud over consumers because fraudsters know that businesses are where all the money is. Learning to protect your business, in addition to yourself personally, is very important.
And with check fraud, I know I thought by 2025 we would be done with checks maybe as a payment method, but they are still commonly used by businesses and also commonly targeted for fraud.
Mail theft is the number one reason for check fraud, showing the need to find other, safer, electronic forms of payment.
Business email compromise is another type of fraud that continues to be an issue. Business email compromise – BEC - is where fraudulent emails that appear to be from a trusted source are received. Emails that appear to be from a trusted source are received, maybe from a client or a vendor. It appears to be valid asking for payment, but then it turns out that that email is fraudulent, and that payment request is fraudulent. Many businesses don't have protocols in place to be able to protect themselves against BECs.
And finally, discovering that you have been a victim of fraud can be a challenge. And this is why it's really important to stay on top of your bank accounts, making sure you're reconciling them regularly.
Time is of the essence in most fraud situations when it comes to recovery and being able to quickly identify and report fraud is important, to ensure that you're not in a loss position.
And so, just to give you some highlights of some of the different fraud schemes that we are seeing, we have some case studies for you to go through. And the first one involves bank impersonators.
Unfortunately, impersonator scams are becoming very popular.
We all maybe have received a text from time to time from our bank asking us to verify a transaction, and the fraudsters know that and they try to exploit it. And so, in this case study, business owner John, he receives a text that appears to be from his bank asking him to verify a debit card charge. And John believes that it's from his bank, he's received texts before from his bank asking him to verify charges. He responds to the text, “no”, that he did not initiate this charge.
Then all of a sudden, he receives a phone call from someone claiming to be with his bank's fraud department. And the phone number on the caller ID is his bank's phone number, and he believes that he is truly being contacted by someone from his bank offering to help him. So, while he's on the phone with the supposed representative from his bank, John receives a text during the call with a link. He's told that some information is needed to authenticate his identity and get his claim processed.
And so, John opens the link, and it takes him to what appears to be his bank's online banking login page. So, John enters in his user ID and his password, again, believing that information is needed to process his dispute.
He also received several texts during the call with codes. Again, the caller tells him these codes are needed to verify his identity. He provides the codes to the caller, and then he ends the call, believing that the dispute that he was notified of has been filed.
It's only later John learns that, while he was on the line with the fraudster, the information that was provided, his user ID and password for his online banking, the codes that he received, it was actually that the fraudster was using that information to log in to his online banking account and initiate fraudulent wires.
And so, it turns out these codes that were being received were codes that were one-time passcodes used to authenticate the online banking sessions and the initiation of the wires.
And so, some key takeaways from this case study:
If it's important, your bank may send you a text message asking you to verify a charge, but they would never call you right after you respond and offer to file a dispute for you. If you receive a call that appears to be from your bank, even if the caller ID matches your bank, best thing you can do is hang up and call your bank back. Call your banker, ask if you've had fraud, and then they can help you file a dispute, if there has been fraud.
Never click on a link in a text. You know, go to trusted links, and then also take advantage of any alerts in online banking, so you can identify if someone is trying to get in without your knowledge.
And so, the next, case study involves check fraud. And, again, check fraud is something that's been around a while and continues to be an issue. In this case study, office manager Samara receives and reviews her employer's account daily, reconciling activity, and making sure that there's been no unauthorized transaction.
Samara suddenly goes on medical leave and then accounts reconciliation is neglected. There's really no one else that knows how to log in or is regularly checking the account. And, unfortunately, several counterfeit checks pay on the account and go undetected, until Samara returns from medical leave.
When she comes back and tries to reconcile the account, she identifies the fraudulent checks and files a dispute with her bank.
But unfortunately, her claim is denied. The counterfeit checks had paid more than thirty days prior to the statement showing the checks, and they are unable to recoup the funds from the checks.
And just some key takeaways. Again, obviously, Samara was a single point of failure in this business.
She, you know, was the only one that knew how to reconcile the account. Make sure that there are others within a business that have that ability and can step in if the main designee is out of the office.
Kristen Saranteas: You know, Sharon, I thought I'd jump in here for a second because, as you can imagine, we're getting a lot of questions in the Q and A related to check fraud because it is so rampant. There is one pre-submitted question from the Q and A that I thought would be really helpful for you to explain, based on someone listening. How do you protect your account from check washing even when premium security checks and mobile deposit are used by the fraudster?
Sharon Crabbe: That's a great question. And, unfortunately, you know, I know that there used to be, you know, paper that would prevent washing, prevent alterations.
You know, that's really just not the case anymore. And then especially with the mobile deposits being mentioned. When a mobile deposit is made, no one is holding the check, touching it to actually examine it. And so, it is very easy to alter a check and make a deposit, via mobile banking. And this is why it's just so important to stay on top of your account, looking at checks, not only looking at the check number and the dollar amount, but also looking at the actual item itself to verify the payee.
Because, again, especially with the remote ways that the deposits can be made through mobile and ATMs, there really is just no way to protect yourself against alterations, except carefully monitoring your account.
And so, I want to go over types of check fraud:
Check fraud is not created equal. There are different types of check fraud that can occur.
And then also, the liability around the different types of check fraud is different. Counterfeit check is a check that resembles a legal check, but it's actually fraudulent.
Altered and washed check is a legal check. It's a valid check, but the payee name, the dollar amount has been changed.
Forged maker signature, the signature on the front of the check is forged. And then forged endorsement is a good check, but the endorsement on the back of the check is forged. And, again, each check fraud type has different guidelines as far as filing disputes. And so, again, just understand that if you have counterfeit checks one time and then a year later, you have a forged endorsement claim, they may not be treated the same way.
And the last case study involves business email compromise. And, again, business email compromise has been around for a while but continues to be a problem.
In this situation, Donovan, he's a doctor at a medical practice, he receives an email from Rita, who is the office manager of a local hospital.
He regularly corresponds with Rita via email. He receives an email telling him that the hospital's payment instructions have changed, that they're no longer going to accept checks, that they want to accept ACH, and provides ACH instructions for future payments.
Donovan forwards the email to the accounts payable department at his medical practice and asks that they update the payment instructions for the hospital.
And then, as invoices are being received from the hospital, payments are dispersed using the ACH instructions provided in Rita's email. The hospital later contacts Donovan and reports that they've not been receiving any payments from his medical practice for several months. And then Donovan realizes that the email he received from Rita months prior was actually not valid. Rita reports that she did not send the email and that the ACH payment instructions were fraudulent.
And just some key takeaways from this case study: don't accept emails at face value. It's important that you call the sender of the email, and you verbally verify instructions. And it's a good idea with your vendors, your clients, whoever you may send payments to, that you make it clear to them that you are going to have to verbally verify instructions from them, that you will not accept just an email.
And, Kris, I'll hand it off to you.
Kristen Saranteas: Yes. We're going to turn this now over to Ishanaa, and Ishanaa's going to tell us a little bit about the fraud management playbook. So, Ashana, welcome to the dialogue.
Ishanaa Rambachan: Thank you so much for having me. Absolutely. And so, when we think about the overall fraud management playbook, a lot of what Sharon describes is consistent with what we see across industry.
And so really beginning with, you know, beyond simply knowing your customer, wanting to see institutions are all working through putting in place today a set of interventions which are passive authentication routines. So, looking at behavioral analytics and biometrics. Is there a space between when, you know, the OCA verify token, or coin comes through email and when you respond. Is there any shift in the speed at which you engage, to determine if the transaction is actually performed by you or by someone else?
Device, IP server recognition, geolocation.
There's also, in addition, a whole set of transactional monitoring that we see institutions doing that are identifying where there is this out-of-pattern usage at the customer level. And that's looking at a set of consortium models, customized both with institutional data and any other data that they can provide and augmented with better rules detection.
In addition to that, we see institutions are looking across the full set of customer interactions and life cycle and determining where are the biggest points of risk and being able to tag appropriately. So that we, that institution can work with you all to speed through and really lower frictions for customers that we know are the appropriate and right ones.
And finally, we're seeing across the board, institutions using comprehensive analytics to both look at where are controls working or not working, where is the process itself exploited, or in particular broken by fraudsters, and then how can we, in the most seamless way possible, take an ID and authenticate customers as fast as possible?
Back to you all.
Kristen Saranteas: Well, thank you so much.
And we're now going to, now that we've properly scared everyone with the background and the platform on which fraud is taking place, we're going to talk a little bit about why and how you can protect yourself.
There's a lot that Sharon went through related to the timing which different transactions have, in order to more seamlessly be able to return those transactions.
All of it is dependent on the fact that your business is monitoring your accounts on a daily basis, or at least a frequent basis, and that you have appropriate checks and balances across your team members. But know that consumers, of course, have different levels of protection, stronger levels of protection under regulations, that businesses do not have. So, the time frames with which businesses are beholden to be looking at their account and being able to call the bank and report on fraudulent transactions, in order to have them more seamlessly returned, are really quick. ACH in particular, if you're looking at your bank on a daily basis and you see a fraudulent electronic debit to your account, that transaction typically happened as at close of business yesterday.
What that means is you have that day to call your bank to more seamlessly initiate a return. Certainly, there's legal ways in which you can dispute transactions, but to have more seamless ways of pushing those transactions out of your account, it has to happen that quickly. Certainly, for wire transfers, there's no coverage at all.
Therefore, you need to really be on top of these things. Checks certainly are still the most predominant form of transaction type for fraud.
However, you can see more and more the growth of fraud is happening in the electronic space. Why? Because there's very short windows to be able to claw back those funds.
So, let's go into some of the tools that we can use to protect ourselves.
So, what are we talking about with tools?
These are insurance policies, essentially. They can really ring fence your business accounts, in order to prevent any transactions hitting your account that you have not pre-authorized. They are certainly very effective, and you can see the degree to which these things are effective. I will say that Positive Pay, either through ACH Positive Pay or Check Positive Pay, is one of the most ubiquitous tools that is used by businesses.
It is only as good, however, as those businesses interacting with that tool. When it comes to Check Positive Pay, that means that you as a business are uploading a file of the checks that you've issued.
When those checks come in for clearing, the bank is cross-referencing those checks against that file and only authorizing payment if it matches what you've told us you've authorized to pay.
Payee Positive Pay takes that to the next level because, instead of just looking at the checking account, the dollar amount, and the check number, we're also going to do best case, to look at the payee name of that check as well, so that if it was washed, like Sharon spoke of in the beginning, we have a better chance of checking that the person or company that it was made out to has been altered. Those are extremely effective.
You also could block your account completely from debits, or you can have a filter to make sure that only some of the transactions that you've authorized get through.
So, we're going to also talk about some other best practices to protect your company, not just from external, but also, sadly, internal fraudsters. There are some times that employees are also the perpetrators of fraud against their own company.
So, let's jump into some of those practices.
We'd like to proffer the idea that you should treat fraud like any other disaster or issue that could happen to your company.
Why would you need fraud to have a disaster recovery plan?
The point of any disaster recovery plan, whether it is a fire drill or any sort of plan that helps you recover after a natural or other kind of disaster, is to help you go through those plans with the least amount of emotion as possible. It's something you've practiced. You know where all the exits are, and you know how to get yourself back on your feet.
When financial fraud has hit your company, it is an emotional time. There's no question. You feel violated.
Someone has stolen from you. And so, you could react really emotionally, or not know where those exit plans are. Or you could have a plan that you've put in place long before fraud ever hit your account, and you walk through those plans with your trusted advisers, such as your attorney, your accountant, your insurance professional, other people that will come to bear in that moment. And certainly your bank, with Treasury Management input, should be part of that plan. We all play various roles to help support you in a very non-emotional way and get you back up on your feet.
You prepare those procedures. You will practice those procedures. They don't just become part of a manual that goes back up on a shelf that you'd never dust off. This is something that you should be refreshing and have triggers in your system, in order to make sure that if there's any key change in your organization, that you are refreshing this disaster recovery plan so that you're prepared.
Sharon Crabbe: Hi, Kristen. We have a question that's come in for you. Great.
What are best practices for keeping employees aware and educated of the newest types of fraud?
Kristen Saranteas: It's a great question. Thank you to whoever submitted that. I think coming to a session like this is really great. Like I said in the beginning, I've been talking to our clients and other professionals about fraud mitigation for the majority of my career.
Why? It doesn't go away, and those tactics keep advancing. And so, we need to be constantly vigilant about what those practices are to protect ourselves. So, talk to your bank.
Attend classes like this. Make sure that you're keeping up to speed on those security enhancements.
Make sure that you're talking to your insurance professionals also about how you are protecting yourselves, should there ever be losses that you need to recover from. Every one of those professionals that I mentioned in the disaster recovery plan will give you their vantage point of what they've seen in the industry and their version of what protection looks like. So, keeping up with that is really, really important.
So how can you implement controls in order to mitigate against those external factors?
You want those outside professionals to help test your plan and see if you have the appropriate controls in place. Dual control. No single source of failure, like Sharon mentioned. Have your accounting firm make sure that they're reviewing and looking for any anomalies that you might not see.
You need your IT professionals and any outside support that you may have to keep you up to date on those protections of your hardware and software. Don't let those updates lapse. Those updates are usually putting patches in place in order to plug the holes, the ways people can get into your network.
Make sure you're not just locking up your own check stock if you're still using checks. But if you have your client's check stock around, make sure you are shredding that information. You need to make sure that you're preparing and protecting as much about your own financial information as you are the clients around you. And then make sure that for those procedures, you know who you're calling. Do you know who your vendors are? Do you know how you're protecting yourself? If something should happen, and you need to issue all-new bank accounts and have all- new payment methods set up, you need to have that back-up information for how you stand yourself back up.
We're going to little bit talk about internal fraud.
Many of you have probably seen the fraud triangle before, but, essentially, internal fraud only takes place if all three of these things are evident.
There needs to be a pressure in one of your team member's lives, whether it's a financial pressure, their pressure from home, pressure from bills, pressure from any sort of, maybe there's a gambling issue or an addiction, medical bills, whatever it might be. There has to be a pressure that would start the idea that they would be taking from their employer.
There has to be opportunity.
Do they have keys to the kingdom so that they would be able to perpetrate a transaction without someone quickly knowing about it. But that's only going to take place if there's also a rationalization of those two things. Meaning, “oh, they owe me, or I'll pay them right back. I only need the funds for a week.” Whatever it might be, all three of those elements need to take place for someone to finally attempt something.
However, if you are staying on that vigilance of observing any strange behavior, or even just the reconcilement of both your AR and your AP, through daily reconcilement, you would be able to get ahead of those transactions.
If it's electronic, it's very easy to move from paper to electronic, to have approval chains, in order to make sure that more than one person throughout your organization approves. If one group is initiating, another has to approve, so that things at least have two different areas touching them before transactions go out the door.
That segregation of duties is so important.
You need to test those processes, but you may want to consider establishing a fraud hotline. Sometimes that's through a third party. But often, it is not through those mesh methods of reconciliation that fraud is caught. Often, it's another employee that sees one that is taking advantage of either a situation where there's an opportunity, or they themselves are catching someone else in the act.
The average internal fraud typically is going on for eighteen months before it's caught. So, make sure that you have different ways, in order to have people ring that bell to say that they think something is happening.
So, let's move to the next slide.
Sadly, if you look at the AFP, the Association for Financial Professionals’, most recent survey, they do surveys of companies to say who has been a victim or an attempted victim of fraud. And in the most recent survey, eighty percent of the companies that they surveyed, that's eight zero percent of the companies they surveyed, saw fraud attempted or perpetrated against their company in the last year. So, sadly, it's more a matter of when fraud takes place, not just if.
So, what are you going to do? First, look out for those warning signs. Make sure that you've got those steps in place in order to verify. If information internally is not being shared, or vendors or others are calling you about service issues or payment issues, you need to be digging into those things. If reports aren't being prepared on time, you need to look into those things. But if we look at the next slide, what should you do?
You should not be reacting emotionally. However, you should implement that recovery plan. You're going to contact those trusted advisers, your accountant, who may bring in a forensic accountant to trace transactions.
You're going to certainly call your bank relationship manager and or people like us in the Treasury Management space. You're going to contact your attorney and your insurance company. Everyone has different time frames and policies to follow, in order to make sure that they help you in that recovery effort. For instance, most insurance policies need to know that there is a police report filed and that they are notified inside of thirty days of you knowing that a fraud took place. But, again, you need to know your policy, in order to understand what your policy says.
Legal counsel will be the one that will counsel you about calling, and who should call, that law enforcement, and what level of law enforcement should be involved.
This one always gets a question:
Why do I say do not have your IT personnel attempt to find or fix the problem?
You do not want your IT professionals poking around inside of your network itself. They could change date stamps. They could change the flow of being able to follow the tea leaves of what happened inside of your network.
Instead, you want to be working with a computer forensics person who's going to take an image of your network, and they're going to do the investigation of that vulnerability on the image of your network, not your network itself. Because of the fact that they could compromise the evidence of what has taken place.
Certainly, though, you need to make sure that you're plugging those holes. If those vulnerabilities are found, and or you realize that it was because of your own break in control or lack of control that caused that vulnerability, you plug those holes and you put those new controls immediately in place. And you're standing up those protections, so that you are steeled from anything happening to you again in the future.
So that's a lot about what's going on right now, but we are going to pivot back to Ishanaa who's going to talk to us a little bit about what's next for fraud, and fraud prevention. So, Ishanaa, I'll bring you back to the dialogue.
Ishanaa Rambachan: Wonderful. Thanks for having me again.
So, I think, you know, when we look at fraud overall, it is an ever-changing landscape, and many institutions that we see have been playing whack-a-mole, in terms of just trying to keep up with the type of fraud in the rear of your mirror. But, of course, fraud is changing and evolving ever more quickly.
We see that fraud is continuing to grow twice as fast as transaction volume growth.
And the FTC estimates in the US, for example, that fraud losses have grown sixty percent year- on-year since 2019.
When we look at types of fraud, account takeover was very much the type of fraud in the past two years.
We see that that is still up, but also in addition to it, account opening fraud. So, really, creating full mule accounts as well as APP fraud. An APP fraud is critical to note and is much of what has been discussed already today. This is customers being fooled into sending money by someone that they believe is a genuine ask or genuine connection, which is linking to the rise of scams that we're just seeing across the board.
And then, we are also seeing this interesting evolution in first party fraud, where customers who are legitimate are denying transactions that they've executed. And there's this whole sort of TikTok and Reddit phenomenon that is describing to customers how to do that, and that type of fraud is also up.
And finally, we're seeing continued use of merchant networks, as online commerce has just grown, misrepresenting products, and that type of fraud and therefore the rise of in many payments, various merchant protections, chargeback protections that are being awarded to customers.
From a control perspective, we're seeing also a shift to really put in place capabilities to target exactly these types of fraud.
One is from a scam perspective. Both adjusting the modeling itself to incorporate this type of fraud, but also to engage customers in the fraud fighting themselves. And so, if that's with email and account alerts with the latest fraud trends, it's that scam pop-up messages across the checkout or transaction flow, or having, you know, mandatory pre-checkout or transaction approval for scam-likely transactions that a user has to read and agree to. Many are putting in place that type of in-the-moment prevention, given the rise of scams.
The rise of the detection models as noted here is also important to create scam risk scores, to look at beliefs for decision engines. For example, to integrate with other risk scores and decisioning and to create a summation score that's looking at likelihood of scam and being able to identify that quickly in real time against what is a good transaction.
We're also seeing just increased focus on bringing together all of these control and risk signals and then ways to continue across the board to authenticate, in an active way across the sequence.
So, there's always something new in fraud, and it's been an interesting space to continue to watch our evolution as we all try to fight, and protect each other from, fraud.
Kristen Saranteas: Ishanaa, that's great. And as you can imagine, there's a number of questions coming in related to this. And just to double down on one that you mentioned in the beginning, under threats, there was a question that came in related to how AI is impacting fraud and what your opinion is around what they have to look forward to, as it relates to that against banking, and how are companies defending against those AI or deepfakes?
Ishanaa Rambachan: Yes. It's quite interesting because I think, you know, one of the questions that we've asked is, is AI or generative AI going to help us usher in a new era in battling fraud?
And we are seeing some interesting experiments across industry on that, all of which are public you know. There's now up to ninety nine percent accuracy in detecting deep fakes by some of the generative AI speech firms.
We're also seeing some institutions, JPMorgan, Cap One, really trying to experiment, for example, with reduction in false positives using a Gen AI and traditional algorithms.
However, what unfortunately you were seeing, which is a bit of the question I'm sure, is that the adverse use of Gen AI or AI is probably higher than the controls using Gen AI and AI to fight fraud. And so, in just the first two months of this year, for example, we've seen a hundred- and thirty-five percent increase in phishing emails, using AI to generate.
We're seeing, you know, the rise of, this is some scary talk for you all, but a rise, for example, fifty-one to seventy-three percent of more correct password guesses by some of these Gen AI tools.
And so, really, this deep fake-empowered fraud as well has been just continuing to jump. And so, we need to continue to make sure that both the controls stay ahead, but also it goes back to some of this very traditional employee awareness, customer awareness of what this may look like, to help prevent and mitigate the vulnerability to these scams.
Kristen Saranteas: That's great, Ishanaa, and thank you so much. I think that was a perfect way for us to say “thank you” to everyone for joining us today. Because it is through this education, this really grassroots, one-by-one or, in this case, one by many, to make sure that we are educating folks on the latest trends and the things that we're seeing, and the ways in which they can help to protect their businesses from the next generation of fraud.
So, I just want to wrap up today and say “thank you” to everyone for a great discussion. Thank you, specifically, to Ishanaa and Sharon for joining me in today's discussion. And we will be sending over the slides for today to anyone that registered for this webinar. And you can feel free to use those slides, to send those slides to anyone that you think will benefit. Because, as we mentioned, education is the way, the best way, that we are going to help to combat this. For those of you that are interested in getting the 1.2 credit hours for CTP and CCM, we did just drop the link to the quiz in the chat. Again, you need eighty percent, and I hope that the quiz was such, and our presentation was such, that you will get one hundred percent, in order to pass and get those credits.
Also, in order to make sure that you get your specific question answered, make sure if you've put it in the Q and A that you've added your email address, so that we can respond to you directly if there's something that we didn't get to you today. And if you have a unique situation, you've got our contact information on the screen today. I'll thank you again for joining. I'll thank Ishanaa and Sharon once again, in order to just appreciate the information from our different vantage points that we can help bring to bear. Because, again, the best fraud protection starts with knowledge. And so, we applaud you for taking that time today, to join us in the fight against fraud. So, I hope you enjoy the rest of your day and thank you once again.
***
Transcript:
Kristen Saranteas: Welcome, everyone.
We are thrilled that you are here to join us on today's webinar that's entitled “Fraud Counterattack: How to Protect Your Business from Financial Threats.” We're thrilled that you're here to listen to such a great topic. And with that, let me introduce my fellow panelists that are joining me today. We are thrilled to have Sharon Crabbe. She's the Financial Crimes Senior Manager here at First Citizens Bank, and she's joined us to share more about fraudsters, how they operate, what they do, and the proactive measures you can take to prevent financial losses. We're also thrilled to have Ishanaa Rambachan, who's a partner at McKinsey, joining us today. She's going to help us explore how to shield your business from fraud, drawing on her experience helping organizations improve their operational risk and risk identification measures.
I am Kristen Saranteas. I'm the Treasury Management Service Executive here at First Citizens Bank. And many who know me, know that fraud prevention and the education of our clients has been a passion of mine throughout my career. So, I'm really looking forward to today's discussion.
So, what are we going to do today?
Let's look at the agenda. We're going to start with where we are. Given the number of people that have joined today's webinar, hundreds and hundreds of you know that today's landscape includes very huge threats. So, we're going to talk about what that looks like. We're going to also help you identify where and when and how fraud takes place. But more importantly, we're going to talk about how you can build up your defense against those threats.
But, like many things, we are building defense against fraud we know. We're also going to try and look at the future of fraud. Where is fraud heading? Because those fraudsters, they're always trying to be one step ahead of us.
If you do have questions, please put them in the Q and A tab and include your email, so that if we don't get your question answered today, we will follow-up with you with an answer. We'll be reviewing the questions as they come in and do our best to get to as many throughout today's discussion.
Likewise, many of you are here for continuing education credits. Specifically, the AFP has CTP or CCM credits. This webinar has been approved for 1.2 two credit hours. And, in order to qualify for those credit hours, there will be a quiz at the end of today's presentation, and we will prompt you for that at that time.
So, let's get going. We're going to start with a poll because we'd like to understand exactly what you think are your top fraud challenges. So, in a moment, you're going to be prompted with a pop-up on your screen with a poll, and please tell us what you've been thinking about. That'll help guide our conversation. So, I'll give you a minute to do so.
So, let's see how those results are coming in.
Just one more minute as we tally more of the votes.
Okay. Are we able to show those results?
Across the board.
Obviously, the future of fraud, getting one step ahead, has led the pack in some of the discussion. But obviously, you can see there's a really great distribution among every other category that's going to help guide our conversation today. So, we're going to start with Sharon. And, Sharon, I'm going to turn it over to you. Again, we're going to start with today's landscape and what you're seeing as today's biggest threats. So, Sharon, I'll turn it to you.
Sharon Crabbe: Thank you, Kristen.
So, twenty twenty-five is definitely proving to be both challenging but an interesting year for fraud.
Fraudsters are targeting victims using tried and trusted methods.
Like you mentioned, the fraud, you know, check fraud, BECs, but then they're also using newer, more digital, tactics as well. Unfortunately, fraudsters always seem to be one to two steps ahead. And so it's important that you're aware of fraud schemes and that you stay vigilant to protect yourselves and your businesses.
Some highlights to look for in the fraud space:
Businesses are increasingly becoming targets of fraud over consumers because fraudsters know that businesses are where all the money is. Learning to protect your business, in addition to yourself personally, is very important.
And with check fraud, I know I thought by 2025 we would be done with checks maybe as a payment method, but they are still commonly used by businesses and also commonly targeted for fraud.
Mail theft is the number one reason for check fraud, showing the need to find other, safer, electronic forms of payment.
Business email compromise is another type of fraud that continues to be an issue. Business email compromise – BEC - is where fraudulent emails that appear to be from a trusted source are received. Emails that appear to be from a trusted source are received, maybe from a client or a vendor. It appears to be valid asking for payment, but then it turns out that that email is fraudulent, and that payment request is fraudulent. Many businesses don't have protocols in place to be able to protect themselves against BECs.
And finally, discovering that you have been a victim of fraud can be a challenge. And this is why it's really important to stay on top of your bank accounts, making sure you're reconciling them regularly.
Time is of the essence in most fraud situations when it comes to recovery and being able to quickly identify and report fraud is important, to ensure that you're not in a loss position.
And so, just to give you some highlights of some of the different fraud schemes that we are seeing, we have some case studies for you to go through. And the first one involves bank impersonators.
Unfortunately, impersonator scams are becoming very popular.
We all maybe have received a text from time to time from our bank asking us to verify a transaction, and the fraudsters know that and they try to exploit it. And so, in this case study, business owner John, he receives a text that appears to be from his bank asking him to verify a debit card charge. And John believes that it's from his bank, he's received texts before from his bank asking him to verify charges. He responds to the text, “no”, that he did not initiate this charge.
Then all of a sudden, he receives a phone call from someone claiming to be with his bank's fraud department. And the phone number on the caller ID is his bank's phone number, and he believes that he is truly being contacted by someone from his bank offering to help him. So, while he's on the phone with the supposed representative from his bank, John receives a text during the call with a link. He's told that some information is needed to authenticate his identity and get his claim processed.
And so, John opens the link, and it takes him to what appears to be his bank's online banking login page. So, John enters in his user ID and his password, again, believing that information is needed to process his dispute.
He also received several texts during the call with codes. Again, the caller tells him these codes are needed to verify his identity. He provides the codes to the caller, and then he ends the call, believing that the dispute that he was notified of has been filed.
It's only later John learns that, while he was on the line with the fraudster, the information that was provided, his user ID and password for his online banking, the codes that he received, it was actually that the fraudster was using that information to log in to his online banking account and initiate fraudulent wires.
And so, it turns out these codes that were being received were codes that were one-time passcodes used to authenticate the online banking sessions and the initiation of the wires.
And so, some key takeaways from this case study:
If it's important, your bank may send you a text message asking you to verify a charge, but they would never call you right after you respond and offer to file a dispute for you. If you receive a call that appears to be from your bank, even if the caller ID matches your bank, best thing you can do is hang up and call your bank back. Call your banker, ask if you've had fraud, and then they can help you file a dispute, if there has been fraud.
Never click on a link in a text. You know, go to trusted links, and then also take advantage of any alerts in online banking, so you can identify if someone is trying to get in without your knowledge.
And so, the next, case study involves check fraud. And, again, check fraud is something that's been around a while and continues to be an issue. In this case study, office manager Samara receives and reviews her employer's account daily, reconciling activity, and making sure that there's been no unauthorized transaction.
Samara suddenly goes on medical leave and then accounts reconciliation is neglected. There's really no one else that knows how to log in or is regularly checking the account. And, unfortunately, several counterfeit checks pay on the account and go undetected, until Samara returns from medical leave.
When she comes back and tries to reconcile the account, she identifies the fraudulent checks and files a dispute with her bank.
But unfortunately, her claim is denied. The counterfeit checks had paid more than thirty days prior to the statement showing the checks, and they are unable to recoup the funds from the checks.
And just some key takeaways. Again, obviously, Samara was a single point of failure in this business.
She, you know, was the only one that knew how to reconcile the account. Make sure that there are others within a business that have that ability and can step in if the main designee is out of the office.
Kristen Saranteas: You know, Sharon, I thought I'd jump in here for a second because, as you can imagine, we're getting a lot of questions in the Q and A related to check fraud because it is so rampant. There is one pre-submitted question from the Q and A that I thought would be really helpful for you to explain, based on someone listening. How do you protect your account from check washing even when premium security checks and mobile deposit are used by the fraudster?
Sharon Crabbe: That's a great question. And, unfortunately, you know, I know that there used to be, you know, paper that would prevent washing, prevent alterations.
You know, that's really just not the case anymore. And then especially with the mobile deposits being mentioned. When a mobile deposit is made, no one is holding the check, touching it to actually examine it. And so, it is very easy to alter a check and make a deposit, via mobile banking. And this is why it's just so important to stay on top of your account, looking at checks, not only looking at the check number and the dollar amount, but also looking at the actual item itself to verify the payee.
Because, again, especially with the remote ways that the deposits can be made through mobile and ATMs, there really is just no way to protect yourself against alterations, except carefully monitoring your account.
And so, I want to go over types of check fraud:
Check fraud is not created equal. There are different types of check fraud that can occur.
And then also, the liability around the different types of check fraud is different. Counterfeit check is a check that resembles a legal check, but it's actually fraudulent.
It's not on your check stock. It was not printed in your office or by your check maker. It is a completely bogus check.
Altered and washed check is a legal check. It's a valid check, but the payee name, the dollar amount has been changed.
Forged maker signature, the signature on the front of the check is forged. And then forged endorsement is a good check, but the endorsement on the back of the check is forged. And, again, each check fraud type has different guidelines as far as filing disputes. And so, again, just understand that if you have counterfeit checks one time and then a year later, you have a forged endorsement claim, they may not be treated the same way.
And the last case study involves business email compromise. And, again, business email compromise has been around for a while but continues to be a problem.
In this situation, Donovan, he's a doctor at a medical practice, he receives an email from Rita, who is the office manager of a local hospital.
He regularly corresponds with Rita via email. He receives an email telling him that the hospital's payment instructions have changed, that they're no longer going to accept checks, that they want to accept ACH, and provides ACH instructions for future payments.
Donovan forwards the email to the accounts payable department at his medical practice and asks that they update the payment instructions for the hospital.
And then, as invoices are being received from the hospital, payments are dispersed using the ACH instructions provided in Rita's email. The hospital later contacts Donovan and reports that they've not been receiving any payments from his medical practice for several months. And then Donovan realizes that the email he received from Rita months prior was actually not valid. Rita reports that she did not send the email and that the ACH payment instructions were fraudulent.
And just some key takeaways from this case study: don't accept emails at face value. It's important that you call the sender of the email, and you verbally verify instructions. And it's a good idea with your vendors, your clients, whoever you may send payments to, that you make it clear to them that you are going to have to verbally verify instructions from them, that you will not accept just an email.
And, Kris, I'll hand it off to you.
Kristen Saranteas: Yes. We're going to turn this now over to Ishanaa, and Ishanaa's going to tell us a little bit about the fraud management playbook. So, Ashana, welcome to the dialogue.
Ishanaa Rambachan: Thank you so much for having me. Absolutely. And so, when we think about the overall fraud management playbook, a lot of what Sharon describes is consistent with what we see across industry.
And so really beginning with, you know, beyond simply knowing your customer, wanting to see institutions are all working through putting in place today a set of interventions which are passive authentication routines. So, looking at behavioral analytics and biometrics. Is there a space between when, you know, the OCA verify token, or coin comes through email and when you respond. Is there any shift in the speed at which you engage, to determine if the transaction is actually performed by you or by someone else?
Device, IP server recognition, geolocation.
There's also, in addition, a whole set of transactional monitoring that we see institutions doing that are identifying where there is this out-of-pattern usage at the customer level. And that's looking at a set of consortium models, customized both with institutional data and any other data that they can provide and augmented with better rules detection.
In addition to that, we see institutions are looking across the full set of customer interactions and life cycle and determining where are the biggest points of risk and being able to tag appropriately. So that we, that institution can work with you all to speed through and really lower frictions for customers that we know are the appropriate and right ones.
And finally, we're seeing across the board, institutions using comprehensive analytics to both look at where are controls working or not working, where is the process itself exploited, or in particular broken by fraudsters, and then how can we, in the most seamless way possible, take an ID and authenticate customers as fast as possible?
Back to you all.
Kristen Saranteas: Well, thank you so much.
And we're now going to, now that we've properly scared everyone with the background and the platform on which fraud is taking place, we're going to talk a little bit about why and how you can protect yourself.
There's a lot that Sharon went through related to the timing which different transactions have, in order to more seamlessly be able to return those transactions.
All of it is dependent on the fact that your business is monitoring your accounts on a daily basis, or at least a frequent basis, and that you have appropriate checks and balances across your team members. But know that consumers, of course, have different levels of protection, stronger levels of protection under regulations, that businesses do not have. So, the time frames with which businesses are beholden to be looking at their account and being able to call the bank and report on fraudulent transactions, in order to have them more seamlessly returned, are really quick. ACH in particular, if you're looking at your bank on a daily basis and you see a fraudulent electronic debit to your account, that transaction typically happened as at close of business yesterday.
What that means is you have that day to call your bank to more seamlessly initiate a return. Certainly, there's legal ways in which you can dispute transactions, but to have more seamless ways of pushing those transactions out of your account, it has to happen that quickly. Certainly, for wire transfers, there's no coverage at all.
Those funds are gone. Yes. Your bank can work with you to try and recover or retrieve those funds but there's no return window for a wire.
Therefore, you need to really be on top of these things. Checks certainly are still the most predominant form of transaction type for fraud.
However, you can see more and more the growth of fraud is happening in the electronic space. Why? Because there's very short windows to be able to claw back those funds.
So, let's go into some of the tools that we can use to protect ourselves.
So, what are we talking about with tools?
These are insurance policies, essentially. They can really ring fence your business accounts, in order to prevent any transactions hitting your account that you have not pre-authorized. They are certainly very effective, and you can see the degree to which these things are effective. I will say that Positive Pay, either through ACH Positive Pay or Check Positive Pay, is one of the most ubiquitous tools that is used by businesses.
It is only as good, however, as those businesses interacting with that tool. When it comes to Check Positive Pay, that means that you as a business are uploading a file of the checks that you've issued.
When those checks come in for clearing, the bank is cross-referencing those checks against that file and only authorizing payment if it matches what you've told us you've authorized to pay.
Payee Positive Pay takes that to the next level because, instead of just looking at the checking account, the dollar amount, and the check number, we're also going to do best case, to look at the payee name of that check as well, so that if it was washed, like Sharon spoke of in the beginning, we have a better chance of checking that the person or company that it was made out to has been altered. Those are extremely effective.
You also could block your account completely from debits, or you can have a filter to make sure that only some of the transactions that you've authorized get through.
So, again, use your bank tools as those insurance practices. They are way more effective and don't cost that much money and are certainly going to cost much less than the debit transactions that could be hitting against your account.
So, we're going to also talk about some other best practices to protect your company, not just from external, but also, sadly, internal fraudsters. There are some times that employees are also the perpetrators of fraud against their own company.
So, let's jump into some of those practices.
We'd like to proffer the idea that you should treat fraud like any other disaster or issue that could happen to your company.
Why would you need fraud to have a disaster recovery plan?
The point of any disaster recovery plan, whether it is a fire drill or any sort of plan that helps you recover after a natural or other kind of disaster, is to help you go through those plans with the least amount of emotion as possible. It's something you've practiced. You know where all the exits are, and you know how to get yourself back on your feet.
When financial fraud has hit your company, it is an emotional time. There's no question. You feel violated.
Someone has stolen from you. And so, you could react really emotionally, or not know where those exit plans are. Or you could have a plan that you've put in place long before fraud ever hit your account, and you walk through those plans with your trusted advisers, such as your attorney, your accountant, your insurance professional, other people that will come to bear in that moment. And certainly your bank, with Treasury Management input, should be part of that plan. We all play various roles to help support you in a very non-emotional way and get you back up on your feet.
You prepare those procedures. You will practice those procedures. They don't just become part of a manual that goes back up on a shelf that you'd never dust off. This is something that you should be refreshing and have triggers in your system, in order to make sure that if there's any key change in your organization, that you are refreshing this disaster recovery plan so that you're prepared.
Sharon Crabbe: Hi, Kristen. We have a question that's come in for you. Great.
What are best practices for keeping employees aware and educated of the newest types of fraud?
Kristen Saranteas: It's a great question. Thank you to whoever submitted that. I think coming to a session like this is really great. Like I said in the beginning, I've been talking to our clients and other professionals about fraud mitigation for the majority of my career.
Why? It doesn't go away, and those tactics keep advancing. And so, we need to be constantly vigilant about what those practices are to protect ourselves. So, talk to your bank.
Attend classes like this. Make sure that you're keeping up to speed on those security enhancements.
Make sure that you're talking to your insurance professionals also about how you are protecting yourselves, should there ever be losses that you need to recover from. Every one of those professionals that I mentioned in the disaster recovery plan will give you their vantage point of what they've seen in the industry and their version of what protection looks like. So, keeping up with that is really, really important.
So how can you implement controls in order to mitigate against those external factors?
You want those outside professionals to help test your plan and see if you have the appropriate controls in place. Dual control. No single source of failure, like Sharon mentioned. Have your accounting firm make sure that they're reviewing and looking for any anomalies that you might not see.
You need your IT professionals and any outside support that you may have to keep you up to date on those protections of your hardware and software. Don't let those updates lapse. Those updates are usually putting patches in place in order to plug the holes, the ways people can get into your network.
Make sure you're not just locking up your own check stock if you're still using checks. But if you have your client's check stock around, make sure you are shredding that information. You need to make sure that you're preparing and protecting as much about your own financial information as you are the clients around you. And then make sure that for those procedures, you know who you're calling. Do you know who your vendors are? Do you know how you're protecting yourself? If something should happen, and you need to issue all-new bank accounts and have all- new payment methods set up, you need to have that back-up information for how you stand yourself back up.
We're going to little bit talk about internal fraud.
Many of you have probably seen the fraud triangle before, but, essentially, internal fraud only takes place if all three of these things are evident.
There needs to be a pressure in one of your team member's lives, whether it's a financial pressure, their pressure from home, pressure from bills, pressure from any sort of, maybe there's a gambling issue or an addiction, medical bills, whatever it might be. There has to be a pressure that would start the idea that they would be taking from their employer.
There has to be opportunity.
Do they have keys to the kingdom so that they would be able to perpetrate a transaction without someone quickly knowing about it. But that's only going to take place if there's also a rationalization of those two things. Meaning, “oh, they owe me, or I'll pay them right back. I only need the funds for a week.” Whatever it might be, all three of those elements need to take place for someone to finally attempt something.
However, if you are staying on that vigilance of observing any strange behavior, or even just the reconcilement of both your AR and your AP, through daily reconcilement, you would be able to get ahead of those transactions.
If it's electronic, it's very easy to move from paper to electronic, to have approval chains, in order to make sure that more than one person throughout your organization approves. If one group is initiating, another has to approve, so that things at least have two different areas touching them before transactions go out the door.
That segregation of duties is so important.
You need to test those processes, but you may want to consider establishing a fraud hotline. Sometimes that's through a third party. But often, it is not through those mesh methods of reconciliation that fraud is caught. Often, it's another employee that sees one that is taking advantage of either a situation where there's an opportunity, or they themselves are catching someone else in the act.
The average internal fraud typically is going on for eighteen months before it's caught. So, make sure that you have different ways, in order to have people ring that bell to say that they think something is happening.
So, let's move to the next slide.
Sadly, if you look at the AFP, the Association for Financial Professionals’, most recent survey, they do surveys of companies to say who has been a victim or an attempted victim of fraud. And in the most recent survey, eighty percent of the companies that they surveyed, that's eight zero percent of the companies they surveyed, saw fraud attempted or perpetrated against their company in the last year. So, sadly, it's more a matter of when fraud takes place, not just if.
So, what are you going to do? First, look out for those warning signs. Make sure that you've got those steps in place in order to verify. If information internally is not being shared, or vendors or others are calling you about service issues or payment issues, you need to be digging into those things. If reports aren't being prepared on time, you need to look into those things. But if we look at the next slide, what should you do?
You should not be reacting emotionally. However, you should implement that recovery plan. You're going to contact those trusted advisers, your accountant, who may bring in a forensic accountant to trace transactions.
You're going to certainly call your bank relationship manager and or people like us in the Treasury Management space. You're going to contact your attorney and your insurance company. Everyone has different time frames and policies to follow, in order to make sure that they help you in that recovery effort. For instance, most insurance policies need to know that there is a police report filed and that they are notified inside of thirty days of you knowing that a fraud took place. But, again, you need to know your policy, in order to understand what your policy says.
Legal counsel will be the one that will counsel you about calling, and who should call, that law enforcement, and what level of law enforcement should be involved.
They will help you with that.
This one always gets a question:
Why do I say do not have your IT personnel attempt to find or fix the problem?
You do not want your IT professionals poking around inside of your network itself. They could change date stamps. They could change the flow of being able to follow the tea leaves of what happened inside of your network.
Instead, you want to be working with a computer forensics person who's going to take an image of your network, and they're going to do the investigation of that vulnerability on the image of your network, not your network itself. Because of the fact that they could compromise the evidence of what has taken place.
Certainly, though, you need to make sure that you're plugging those holes. If those vulnerabilities are found, and or you realize that it was because of your own break in control or lack of control that caused that vulnerability, you plug those holes and you put those new controls immediately in place. And you're standing up those protections, so that you are steeled from anything happening to you again in the future.
So that's a lot about what's going on right now, but we are going to pivot back to Ishanaa who's going to talk to us a little bit about what's next for fraud, and fraud prevention. So, Ishanaa, I'll bring you back to the dialogue.
Ishanaa Rambachan: Wonderful. Thanks for having me again.
So, I think, you know, when we look at fraud overall, it is an ever-changing landscape, and many institutions that we see have been playing whack-a-mole, in terms of just trying to keep up with the type of fraud in the rear of your mirror. But, of course, fraud is changing and evolving ever more quickly.
We see that fraud is continuing to grow twice as fast as transaction volume growth.
And the FTC estimates in the US, for example, that fraud losses have grown sixty percent year- on-year since 2019.
When we look at types of fraud, account takeover was very much the type of fraud in the past two years.
We see that that is still up, but also in addition to it, account opening fraud. So, really, creating full mule accounts as well as APP fraud. An APP fraud is critical to note and is much of what has been discussed already today. This is customers being fooled into sending money by someone that they believe is a genuine ask or genuine connection, which is linking to the rise of scams that we're just seeing across the board.
And then, we are also seeing this interesting evolution in first party fraud, where customers who are legitimate are denying transactions that they've executed. And there's this whole sort of TikTok and Reddit phenomenon that is describing to customers how to do that, and that type of fraud is also up.
And finally, we're seeing continued use of merchant networks, as online commerce has just grown, misrepresenting products, and that type of fraud and therefore the rise of in many payments, various merchant protections, chargeback protections that are being awarded to customers.
From a control perspective, we're seeing also a shift to really put in place capabilities to target exactly these types of fraud.
One is from a scam perspective. Both adjusting the modeling itself to incorporate this type of fraud, but also to engage customers in the fraud fighting themselves. And so, if that's with email and account alerts with the latest fraud trends, it's that scam pop-up messages across the checkout or transaction flow, or having, you know, mandatory pre-checkout or transaction approval for scam-likely transactions that a user has to read and agree to. Many are putting in place that type of in-the-moment prevention, given the rise of scams.
The rise of the detection models as noted here is also important to create scam risk scores, to look at beliefs for decision engines. For example, to integrate with other risk scores and decisioning and to create a summation score that's looking at likelihood of scam and being able to identify that quickly in real time against what is a good transaction.
We're also seeing just increased focus on bringing together all of these control and risk signals and then ways to continue across the board to authenticate, in an active way across the sequence.
So, there's always something new in fraud, and it's been an interesting space to continue to watch our evolution as we all try to fight, and protect each other from, fraud.
Kristen Saranteas: Ishanaa, that's great. And as you can imagine, there's a number of questions coming in related to this. And just to double down on one that you mentioned in the beginning, under threats, there was a question that came in related to how AI is impacting fraud and what your opinion is around what they have to look forward to, as it relates to that against banking, and how are companies defending against those AI or deepfakes?
Ishanaa Rambachan: Yes. It's quite interesting because I think, you know, one of the questions that we've asked is, is AI or generative AI going to help us usher in a new era in battling fraud?
And we are seeing some interesting experiments across industry on that, all of which are public you know. There's now up to ninety nine percent accuracy in detecting deep fakes by some of the generative AI speech firms.
We're also seeing some institutions, JPMorgan, Cap One, really trying to experiment, for example, with reduction in false positives using a Gen AI and traditional algorithms.
However, what unfortunately you were seeing, which is a bit of the question I'm sure, is that the adverse use of Gen AI or AI is probably higher than the controls using Gen AI and AI to fight fraud. And so, in just the first two months of this year, for example, we've seen a hundred- and thirty-five percent increase in phishing emails, using AI to generate.
We're seeing, you know, the rise of, this is some scary talk for you all, but a rise, for example, fifty-one to seventy-three percent of more correct password guesses by some of these Gen AI tools.
And so, really, this deep fake-empowered fraud as well has been just continuing to jump. And so, we need to continue to make sure that both the controls stay ahead, but also it goes back to some of this very traditional employee awareness, customer awareness of what this may look like, to help prevent and mitigate the vulnerability to these scams.
Kristen Saranteas: That's great, Ishanaa, and thank you so much. I think that was a perfect way for us to say “thank you” to everyone for joining us today. Because it is through this education, this really grassroots, one-by-one or, in this case, one by many, to make sure that we are educating folks on the latest trends and the things that we're seeing, and the ways in which they can help to protect their businesses from the next generation of fraud.
So, I just want to wrap up today and say “thank you” to everyone for a great discussion. Thank you, specifically, to Ishanaa and Sharon for joining me in today's discussion. And we will be sending over the slides for today to anyone that registered for this webinar. And you can feel free to use those slides, to send those slides to anyone that you think will benefit. Because, as we mentioned, education is the way, the best way, that we are going to help to combat this. For those of you that are interested in getting the 1.2 credit hours for CTP and CCM, we did just drop the link to the quiz in the chat. Again, you need eighty percent, and I hope that the quiz was such, and our presentation was such, that you will get one hundred percent, in order to pass and get those credits.
Also, in order to make sure that you get your specific question answered, make sure if you've put it in the Q and A that you've added your email address, so that we can respond to you directly if there's something that we didn't get to you today. And if you have a unique situation, you've got our contact information on the screen today. I'll thank you again for joining. I'll thank Ishanaa and Sharon once again, in order to just appreciate the information from our different vantage points that we can help bring to bear. Because, again, the best fraud protection starts with knowledge. And so, we applaud you for taking that time today, to join us in the fight against fraud. So, I hope you enjoy the rest of your day and thank you once again.
***
Disclosures:
This information is provided for educational purposes only and should not be relied on or interpreted as accounting, financial planning, investment, legal or tax advice. First Citizens Bank (or its affiliates) neither endorses nor guarantees this information, and encourages you to consult a professional for advice applicable to your specific situation.
Member FDIC