By Anil G. Khilnani, Fraud Education and Awareness Program Lead, Wells Fargo
It can start with an email. A meeting invitation. A phone call or text message. It will seem to be from a trusted source: A regular supplier. A colleague in another city. The company CFO.
There’s a chance, however, that on closer inspection, one or more of the routine communications that you or your team receive every day will turn out to be a sophisticated fake, created by cyber criminals using powerful generative artificial intelligence (Gen AI).
Just as companies are harnessing new Gen AI tools to automate processes and increase efficiency, cyber criminals are also leveraging the technology to advance their fraud attempts.
Watch out for these AI-generated schemes
A recent scam made international headlines when fraudsters netted more than $25 million from a company in Hong Kong. A finance employee authorized a series of payments to the criminals after believing the attendees on a corporate videocall were actual coworkers—including the company’s CFO. These “participants” turned out to be high-tech video deepfakes so realistic the employee was unable to detect the scam.
Unfortunately, situations like these are increasingly common. A recent survey notes that 80 percent of organizations reported being victims of attempted or actual payments fraud in 2023—up from 65 percent in 2022.
Gen AI capabilities make it faster and easier for bad actors to churn out phishing emails and deceptive text messages, calls, and videos—all with much higher quality than in the past. The technology also enables scammers to automate and scale up their attempts so they can target more companies, more often.
These are just a few of the ways bad actors are deploying Gen AI:
- Creating realistic phishing emails and fake websites. It’s no longer enough to check for bad spelling, poor grammar, and sloppy logos; today’s Gen AI versions are highly sophisticated. Better quality increases the likelihood that employees will inadvertently reveal sensitive information, input their credentials, or issue payment to a fraudster.
- Impersonating trusted sources with deepfake calls, images, and videos. These Gen AI elements can sound or look like someone an employee knows, and it takes only a few video clips or digital soundbites to spoof an actual person. Scammers recognize that employees are more likely to process a fraudulent payment if they think the voice on the other end of the line is their boss, a colleague, or the CFO.
- Building connection through complex storytelling. Automated chatbots and other Gen AI tools help criminals build trust with a target. They can quickly gather information from social media and other sources, conduct detailed conversations via multiple communication channels, and use specific details to manipulate an employee. Scams can be more complex and realistic, making it critical for staff to verify a requestor’s identity through a separate channel whenever they suspect a red flag.
Understand the critical importance of employee vigilance
Unfortunately, schemes like phishing and business email compromise can make it nearly impossible for your bank or payment provider to detect unauthorized payments. This is because when an employee authorizes a payment or unintentionally shares bank account details, login credentials, or other sensitive personal data with scammers, the resulting transactions can look just like regular payments.
It makes ongoing employee training a critical element of your company’s fraud prevention strategy.
Help protect your organization with these best practices
Follow these precautions to help improve your organization’s defenses against fraudsters:
1. Strengthen your email filtering technology
The more suspect emails you can catch before they reach an employee’s inbox, the less your staff need to monitor as they do their jobs. Consider implementing an AI-based secure email gateway. These solutions—considered an industry best practice—use behavioral analysis and other techniques to filter out imposter domains and business email compromise attempts.
2. Implement robust payment-verification processes
A fraud attempt often begins with an innocuous communication, like a company leader requesting a one-time payment, or a vendor asking to change their bank account information or payment method. Remind your team to double-check every request by using a different communication method, and with the contact details you have on file.
For example:
- If a vendor emails you to request a payment instruction change, don’t hit “reply”—if it’s a scammer, you’ll respond directly to the imposter. Instead, make a call to your known contact using the phone number in your system.
- If a business leader contacts you with an unusual request, follow up using a different method. Be cautious of any payment you’re asked to keep secret, send to a new country or payee, or that must be done with extreme urgency. These are all red flags for scams.
3. Use dual custody for payments and user administration
Having two employees involved will give you a second opportunity to catch fraudsters in the act. Have one employee initiate a payment or change, and a separate employee—using a different computer—approve the transaction or request. Use the same checks and balances for designating user access and entitlements for your critical internal systems and bank portals. Most importantly, train both the “initiator” and “approver” that it’s their job to ask questions, look for suspicious activity, and ensure proper procedures are followed.
4. Train employees on fraud prevention
It’s vital to create a culture of awareness and cybersecurity at your company. The more you conduct ongoing training on fraud prevention and keep potential risks top-of-mind, the more vigilant your employees can be.
- Communicate best practices and potential fraud risks to all employees. Give extra attention to anyone involved in money movement and vendor management.
- Emphasize security and verification rather than immediacy. Taking even a few more minutes to make sure a payment-related communication is authentic can help prevent loss.
AI will continue to disrupt the way we live and work, with both positive and negative impacts. Businesses that stay current as the technology advances will have the best chance of understanding its potential, using AI wisely, and protecting your organization from fraud and risk.