According to McKinsey & Company's data, AI-based identity fraud has become the fastest-growing type of financial crime in the United States and is on the rise globally. Research from the UK's GDG indicates that over 8.6 million people in the UK use false or others' identities to obtain goods, services, or credit.
The US Department of the Treasury recently emphasized in a report titled "Specific AI-Enabled Custodial Cybersecurity Risks in the Financial Services Industry" that AI's development makes it easier for cybercriminals to use deepfakes to impersonate financial institution clients and access accounts. The report states, "Generative AI can help existing threat actors develop and test more sophisticated malicious software, providing them with complex attack capabilities previously available only to the most resourceful actors. It can also help lower-skilled threat actors develop simple but effective attacks." According to Deloitte's data, 91% of cyberattacks start with phishing emails.
Undoubtedly, in today's digital environment, AI has altered the nature of identity fraud. In mainstream scenarios, AI poses a significant threat to digital trust and integrity and has the potential to disrupt the relationship between customers and financial institutions.
Attackers: Five Common AI Attack Methods
AI provides new tools for all threat actors, and attackers are using AI to target employees, create phishing emails, impersonate supply chain partners, and even create deepfake chief financial officers for video conferences. Analysis from the Dingxiang Defense Cloud Business Security Center has identified the following five types of AI-based attacks used by attackers for forging digital identities, credit card theft, forging documents, and other financial fraud.
1. AI Cloned Voice for Phone Scams:
Attackers mimic the voices of company executives or colleagues, requesting victims to transfer funds or provide account passwords, potentially resulting in theft of enterprise funds or leakage of sensitive information, causing financial losses and reputational damage to the company.
2. AI Face Swapping for Online Meetings and Video Calls:
Attackers engage in remote business meetings or video calls using forged identities, requesting victims to transfer funds or provide account passwords, potentially resulting in theft of personal or enterprise funds, leakage of information related to significant contracts or transactions, and subsequently affecting business interests and reputation.
3. AI-Generated Fake Financial Websites and Clone Financial Apps
: Victims may provide personal bank account information or credit card information under the mistaken belief that they are accessing legitimate financial institution websites or apps, resulting in theft of funds or identity theft, causing significant financial losses and credit crises.
4. AI-Enhanced Phishing Emails:
Attackers use AI to generate more realistic email content, making it easier to deceive victims' trust, such as spoofing emails from legitimate institutions, requesting victims to click on malicious links or download attachments, thereby disclosing sensitive information or controlling victims' computers, leading to financial losses.
5. AI-Generated Fake Images, Text, and Videos:
False financial information may spread widely on social media, news websites, and other platforms, misleading consumers into purchasing fraudulent financial products or insurance, resulting in investment losses or purchasing unsecured fake insurance, leading to significant financial losses.
These fraudulent methods pose extremely serious financial risks, exploiting people's trust in identity recognition and information authenticity, resulting in issues such as financial losses and personal information leaks.
Banks: Defense Strategies Needed
The Intelligence Special Issue "AI Face-Swapping" Threat Research and Security Strategies believe that to prevent and combat AI fraud, it is necessary to effectively identify and detect AI-generated content while also preventing the exploitation and spread of AI fraud. This requires not only technical countermeasures but also complex psychological warfare and an increase in public awareness of security. Therefore, enterprises need to strengthen digital identity recognition, review account access permissions, and minimize data collection. At the same time, enhance employee awareness of how to detect AI threats.
1. Preventing Business-Focused Fraud Activities Based on AI:
AI can monitor and analyze various aspects of the process from supplier interaction to payment, providing real-time risk assessments and trust scores, issuing alerts to warn of potential fraudulent activities, and seamlessly integrating into current processes. AI can also automatically monitor and analyze large amounts of transaction data, allowing human investigators to focus more on actual fraud events. This automation can reduce manual workload, decrease the likelihood of errors and fraud, and ensure faster response times. By analyzing received invoices, new supplier requests, emails, documents, and bank statements in real-time, AI can help prevent fraud and detect abnormal communication patterns, payment details, and document structures.
2. Building a Multi-Channel, Comprehensive, and Multi-Stage Security System:
Dingxiang's latest upgraded anti-fraud technology and security products can help enterprises establish a multi-channel, comprehensive, and multi-stage security system to combat new threats posed by AI. This includes securing apps with app reinforcement, preventing malicious registration and login with atbCAPTCHA, identifying AI-forged devices with device fingerprinting, uncovering potential fraud threats, preventing complex AI attacks with Dinsight, and intercepting "AI face-swapping" attacks with a comprehensive facial security threat perception solution. Through a multi-channel, comprehensive, and multi-stage security system based on threat perception, security protection, data accumulation, model construction, and strategy sharing, various security services can meet different business scenarios, possess industry-specific strategies, and achieve accumulation and iteration based on their own business characteristics, enabling precise control and protection of the platform to effectively respond to AI attacks and provide personalized protection.
3. Strengthening Identity Verification and Protection:
This includes enabling multi-factor authentication, encrypting data at rest and in transit, and implementing firewalls. Strengthen frequent verification for activities such as account logins from different locations, device changes, phone number changes, and sudden activity on dormant accounts to ensure consistency in user identity during usage. Comparing device information, geographic location, and behavioral operations can identify and prevent abnormal operations.
- Strengthening Account Authorization Control: Limit access to sensitive systems and accounts based on the principle of least privilege, ensuring access to only the resources required by their roles, thereby reducing the potential impact of account theft and preventing unauthorized access to your systems and data.
5. Continuously Understanding Latest Technologies and Threats
: Stay updated on the latest developments in AI technology as much as possible to adjust safeguard measures accordingly. Continuous research, development, and updates to AI models are crucial for maintaining a leading position in an increasingly complex security situation.
6. Continuously Educating and Training Employees on Security
: Continuously provide training on AI technology and related risks, help employees identify and avoid AI attacks and other social engineering risks through simulated attacks, vulnerability discovery, security training, etc., remain vigilant, report anomalies quickly, and significantly improve the organization's ability to detect and respond to deepfake threats.