As attractive as new technology and digital tools appear, they also have a darker side.
“There’s a bit of Yin and Yang,” Gerhard Oosthuizen, chief technology officer of Entersekt, a FinTech provider of mobile authentication and security software designed to protect online and mobile banking transactions, told PYMNTS in a discussion around fraud and security trends for 2023.
“I think there’s some real industry changes coming, faster payments, AI, a better user experience across devices,” he said. “We’re going to see advantages, as well as some fraud risk factors that come into it.”
That’s because with modern advances come corresponding vulnerabilities, making it more important than ever for today’s enterprises to remain hypervigilant as fraudsters and scammers search organizational perimeters for cracks and weaknesses.
Research in PYMNTS’ 2023 “B2B Payments Fraud Tracker” found that more than seven in 10 businesses report needing additional digital fraud solutions.
Oosthuizen said 2023 is shaping up to be an interesting year, as businesses emerge from the past couple of years of COVID and are now able to take stock of what tasks and which system investments are needed to accelerate success within tomorrow’s increasingly online and digital environment.
He said he sees digital IDs hitting their stride in 2023, and he predicted momentum for passwordless authentication will continue to accelerate alongside advances in biometrics and other security features.
One disruptive trend Oosthuizen said he sees impacting the financial services and banking industries is the growing enterprise integration and use of generative artificial intelligence tools.
“Generative AI really enables banks to reduce cost and engage with their customers via natural conversationals, allowing them to guide [customers] to choose between different products in a more insightful way,” he said. “There’s a beautiful upside that can reduce cost and drive much better customer experience. Unfortunately, there is also a darker side. People are already using ChatGPT and generative AI to write phishing emails, to create fake personas and synthetic IDs.”
He added that potential scammers can even use generative AI tools to ask, “How would I defraud a customer?” and that the AI engine will spit out a list, or they could ask it for “10 ways to run a phishing campaign,” many of which could be effective strategies.
Oosthuizen told PYMNTS that the industry is seeing a massive rise in social engineering attacks where the victims are being manipulated.
“We’ve seen this grow 40% in Europe and in the U.K., where [social engineering attacks] have taken over classic phishing attacks. The customer is effectively stealing from themselves because they have been coerced into making a payment,” he said. “It’s a technique that’s been sharpened over years and years of phishing detection defenses, but now it is direct, and it is fear-based… Organizations have to deal now with more of the psychology of how to protect their customers than just providing a pure tech solution.”
“I think it’s an exciting time, and a bit of a scary time,” Oosthuizen said. “New entrants have a nice field to play on, and I sympathize with some of the incumbents that have such a wide and diverse set of customers to protect, and such a history with them.”
He added that organizations don’t have to outsmart each other, just the fraudsters.
“I think we need to see how banks can work together better and save costs by collaborating,” he said. “… Where the crisis is big enough, banks can rally, and we’re definitely seeing a larger spirit of collaboration today, even putting data into consortiums so organizations can get a herd protection in place. While we’re not yet at a technology level where there’s an industry standard for security, the awareness and the cooperation is going to make a difference because ultimately the fraudsters are there to find the one open door, the weakest link, and I think this is a wakeup call for the community to band together and help each other out.”
While cooperation between banks is important, so is cooperation with regulators.
“As we’ve gone more digital, I think there are a couple regulations that will be put in place, and banks are going to have to get ahead of that curve, and it might sometimes be uncomfortable,” Oosthuizen said. “If the fraudster called you, and you’ve moved your money, is it the bank’s problem and can the bank be liable? That’s where it gets interesting, and where we’re seeing the regulators tell banks they should protect their customers better.”
He said a group of the top eight banks in the United Kingdom have already come out with a proposal to comply in good faith with upcoming regulatory standards.
“The banks can get ahead of the curve by taking proactive action and putting the right processes in place to make sure they really are in the camp of the customer,” Oosthuizen said.
He added, however, that appropriate solutions and operational controls may turn out to be a little more difficult to implement than just saying in principle, “We’ll help the customer.”
Asked to read the proverbial tea leaves, Oosthuizen said it’s important for businesses to be smart with their regulatory budget.
“Make sure you use [the money] to rearchitect and get into a future, API-based world where you have the right technology for the next 10 years,” he said. “Don’t see regulation as doing the minimum; spend a little extra to get the new tools in place that can enable the organization to be successful.”
As for what consumers can do to protect themselves while banks upskill their anti-fraud operations, Oosthuizen said it’s crucial for people to hold onto their mobile devices.
“We are seeing in a number of markets physical theft of mobile devices because these devices are so enabled that it’s not just your phone that you’ve lost, it’s really the most vulnerable entry point into your entire digital life.”