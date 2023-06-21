AI: More than Human exhibition invites you to explore our relationship with artificial intelligence. — © Tim Sandle

Generative AI has become widely popular and recent news stories show a rise in the fraud resulting from the use of this type of AI. For those who have been in the fraud business, generative AI is important because it can be used to impersonate or socially engineer legitimate consumers. Beyond this, a much deeper threat is the development and rollout of increasingly automated and sophisticated underlying synthetic identities that have been created specifically to dupe consumers and businesses.

Synthetics are often the staging ground for a long line of future attacks, are much more difficult for businesses to detect, and allow fraudsters to seek more lucrative gains.

The widespread availability of generative AI has dramatically and exponentially amplified the depth and speed with which bad actors can acquire the underlying identity data of an individual from mass compromises, then synthesize lifelike consumer records with a full historical dossier of personal information, including fabricated physical and digital identity artifacts, and supported by a comprehensive digital footprint across social media, employment records, tenured addresses, phones, emails, and more.

To gain an insight, Digital Journal caught up with Mike Gross, Experian’s vice president of Applied Fraud Research & Analytics for the Global Fraud & Identity group. Gross is an expert in fraud analytics, identity and payment authentication technologies, strategic partnerships, understanding emerging fraud threats and optimizing fraud performance strategies.

Digital Journal: What effect has AI-enabled fraud tools had on creating synthetic identities?

Mike Gross: In the past, fraudsters manually created synthetic IDs by piecing together various elements of existing identities, often requiring extensive research and time to establish and groom those new “Frankenstein IDs.” Today, AI technology enables bad actors to perform the same in-depth work at scale to completely fabricate identities, produce lifelike documents, and interact like a human across thousands of digital touchpoints.

Generative AI can directly create synthetic IDs by automatically scraping the internet, social media, and the Dark Web to obtain valid fragments of identities such as names, addresses, phone numbers, email addresses, social security numbers, and photos. Once these fragments are gathered, the AI system combines them to create convincing synthetic IDs, complete with contact points like email, phone numbers, and physical addresses, and able to pass format validation and geographic verification controls. It’s conceivable that such AI tools could even pass Captcha tests and other authentication step-up controls to further substantiate these fake identities.

DJ: What other materials or assets can generative AI create to mislead fraud prevention technology?

Gross: The sophistication of generative AI can go well beyond creating believable identities. It can accelerate the development of full synthetic profiles that include “proof of life” documents, such as fake bank statements, personal records, utilities or other bills, tax documents, and more. It can produce near-perfect fake government documents (e.g., driver’s licenses and high-quality biometrics). This means that previously complex fraud attacks to undermine mortgage or commercial application risk controls are now much easier. Business email compromise (BEC) also has increased risk as fraudsters can use generative AI to mimic the voice or writing style of a company executive to convince employees to perform financial transactions or provide access to confidential information.

Similarly, in a government setting, AI enabled attackers posing as a state or federal official may try to get access to top-secret materials from high-ranking officials. Some advanced models might even be capable of creating realistic deep-fakes that interact with organizations using scraped photos and videos, potentially bypassing verification and authentication systems that rely on biometric data.

Identity verification becomes more complicated when generative AI is used to establish a social media and “proof of life” trail for synthetic IDs. They can create a digital footprint that can mislead fraud detection systems and operational review processes that often scour the internet and social media for evidence of an established identity with typical behaviours. This planting tactic can make it exceedingly difficult for systems and human reviewers alike to discern between real and synthetic identities.

DJ: How do companies and organizations combat this level of sophisticated AI fraud?

Gross: The most concerning aspect of these AI systems is the capacity to quickly learn from past failures. With each failed fraudulent attempt, AI can refine its approach, understanding each target’s fraud controls, learning the strengths and weaknesses of the fraud detection systems and refining the characteristics of the synthetic IDs that it generates. This makes them progressively more difficult to detect over time.

As bad actors deploy sophisticated biometric attempts using deep-fake voice, image, and video to pass facial or voice identity authentication routines, companies and organizations should start with these three priorities:

Educate Consumers: Perform ongoing consumer education programs across all communications channels (including email, websites, social media, video tutorials, etc.) to raise awareness of the latest attacks and encourage consumers to be active participants in their own protection against attackers.

Fight AI with AI: Deploy AI-enabled fraud protections with visibility to cross-industry data and fraud signals. This will help them quickly detect new patterns or inconsistencies in consumer or business behaviours on their own channels, as well as across their peers. Organizations should also leverage solutions that scan for sites and apps that are spoofing the corporate brand.

Consolidate Fraud Defences: Companies must break down any siloed fraud-prevention and identity-protection processes, consolidating security and cyber control data into systems that aggregate and analyse that data, employ holistic decisioning logic, build models that are continuously trained on legitimate and fraudulent transactions, and centralize visibility into monitoring and alerting for anomalies.

DJ: How can companies further safeguard their systems?

Gross: As companies integrate their bot, behavioural, biometric, offline and online, transactional, and other cross-industry sources of data, they will quickly spot early signals of potential fraud or attackers that are testing the strength of their controls.

While generative AI can help fraudsters generate thousands of lifelike synthetics in seconds, fraud-prevention and identity-protection technology exists for companies to help mitigate that risk and ensure a positive customer experience across all their products and services. The key is to keep pace with evolving applications of AI-driven fraud and to collaborate with organizations who partner in developing effective solutions.