BankThink

Banks need to begin sharing information about sophisticated fraud

BankThink on combating first-party fraud
As long as fraud-prevention efforts remain siloed and bank-specific, perpetrators are free to successfully repeat their strategies. Banks need to do a better job of sharing information and collaborating, writes Mykhailo Iakovenko, of Canonical Labs.
Adobe Stock

When I entered the fraud prevention space back in 2018, a typical fraud attack could take months to unfold. Now, it is not uncommon to see successful fraud schemes executed in just days. This acceleration not only challenges our existing risk strategies but also demands a new approach to fraud prevention altogether.

A few years ago, a typical strategy involved fraudsters trying to reverse-engineer a company's risk defenses. They would start slowly, probing different product features with a variety of stolen personally identifiable information, or PII, and payment data, testing the system for weaknesses. Once they identified a blind spot, they would gradually scale up the attack, allowing it to bleed into lagging metrics: materialized losses.

Although reverse engineering is still very much present, successful large-scale attacks now seem to be coming out of nowhere. Fraudsters are bypassing the experimentation phase altogether, moving straight into large-scale, highly sophisticated exploitation in mere days.

How are they able to act so quickly? While the rise of generative AI for creating convincing text and images has certainly played a role, there is another more fundamental problem at play: information asymmetry.

Unlike financial institutions, which must navigate a maze of regulations and confidentiality concerns, fraudsters operate without boundaries — sharing techniques and stolen data across dark web forums and encrypted channels. You would be surprised (or perhaps not) how easy it is to find fraud guidance on major communication apps (though I do not recommend trying). They learn in real time, refining their tactics with every failed or successful attempt, and this intelligence is quickly distributed globally.

A matchup of Sens. Tim Scott, R-S.C. and Elizabeth Warren, D-Mass., atop the Senate Banking Committee could usher in a new era of bank policymaking in the next Congress.

November 10
Sen. Tim Scott, R-S.C.

Bound by complex regulations and concerns about competitive advantage, financial institutions rarely exchange actionable intelligence on emerging fraud vectors. Even though the financial industry is armed with an abundance of sophisticated risk tools, they are often narrow in scope. These point solutions, while effective in tackling specific types of fraud, are not built for the kind of rapid, multi-vector assaults we are seeing today. Simply upgrading a risk stack to the latest and greatest vendor is not enough.

Fraud today is no longer a single-vector attack — it is an orchestrated, multipronged strategy that leverages information and weak points across different financial institutions. The key to combating this growing threat is collaboration.

Financial institutions must move beyond siloed approaches and begin sharing intelligence in real time. If fraud attempts, suspicious patterns and new techniques were shared across institutions and industries as soon as they are detected, fraudsters would face a much more unified and formidable defense.

Consider how valuable it would be if, after one institution identified a new synthetic identity scam, that information could instantly be shared across a network of banks, payment processors and fintechs. By the time a fraudster attempted the same tactic elsewhere, the defenses would already be in place. Collaborative fraud databases, like the Financial Services Information Sharing and Analysis Center, or FS-ISAC, offer a model for how collective intelligence can shift the balance of power.

The threat posed by information asymmetry is real and time is not on our side. But by working together, leveraging real-time intelligence and sharing defenses across the industry, we can flip the script and put fraudsters on the defensive.

For reprint and licensing requests for this article, click here.
Fraud Fraud prevention Risk management
MORE FROM AMERICAN BANKER