Fraudsters Use Generative AI to Exploit Gaps Between Customers' Touchpoints

Oct. 27, 2023
Organizations need to take a strategic and seamless approach to mitigating expanding fraud risks

Consumers interact with brands and organizations through many different touchpoints that include online transactions via a website or mobile app, in-branch or in-person at a brick-and-mortar location, call centers, mall kiosks, and much more. While these interactions offer strong customer service opportunities, they represent potential gaps in fraud defense and identity protection.

At a soberingly fast pace, fraudsters are using generative AI to exploit gaps between these touchpoints, and bad actors are looking to take advantage of “moments of value” across a brand’s sales or consumer-engagement channels, product offerings, or vertical markets. And they may also go after a business’ consumers directly.

Expanding Array of Tools Available for Fraudsters

Publicly available tools like ChatGPT, Bard, and other generative artificial intelligence (AI) solutions can be used by fraudsters to build deceptive, misleading identity artifacts. In some cases, fraudsters use these tools to build scripts for sophisticated and well-articulated social-engineering schemes that appear to come from legitimate brands that render goods or services, with the aim of swindling unsuspecting people out of their money.

Fraudsters already use similar tools to create various “proof of life” artifacts that many fraud prevention solutions may rely on, such as fake identity documents (e.g., birth certificates, driver’s licenses), fake utility bills and statements, full social media profiles, business websites, etc. Generative AI can automatically scrape the internet, social media, and the Dark Web to obtain valid fragments of identities such as names, addresses, phone numbers, email addresses, social security numbers, and photos.

Once these fragments are gathered, the AI system combines them to create a convincing synthetic ID that is complete with contact points like email, phone numbers, and physical addresses, and can pass format validation and geographic verification controls.

Because of the combination of real and fake elements, these artifacts can more than pass the “smell test.” These lifelike synthetic IDs enable bad actors to interact like a human across thousands of digital touchpoints, fooling businesses or consumers into believing that they are legitimate.

Worse, these synthetic IDs are often the staging ground for a long line of future attacks and enable fraudsters to seek more lucrative gains.

If that wasn’t bad enough, generative AI enables bad actors to perform this in-depth synthetic-ID-building work at scale, using automation and the vast array of public data to create, distribute, and execute attacks.

Fraud Challenges Will Only Get Worse

For businesses, defense against those attacks begins with the acknowledgment that the job of distinguishing between legitimate and fraudster traffic will only get more challenging going forward.

Businesses should start to look at how they integrate technology solutions that can address all their various consumer touchpoints with an eye on aggregating the data that is gathered across the enterprise and – if necessary – work with vendors that can do this for them.

This consolidation of data includes input from identity verification, fraud prevention, authentication, and security and cyber controls because one of the frontline gaps in consumer touchpoints can be web and app vulnerabilities or employees inadvertently disclosing credentials via phishing attacks. Bringing together all offline, online, bot, behavioral, biometric, transactional, and any cross‑industry sources of data is essential for businesses to create a “best answer” to the question “is this fraud or not” during a consumer interaction.

The most effective fraud solutions are those that can pull together the right variety of capabilities, across a wide array of data, when the risk demands it. These data sets include, but are not limited to, authenticated identity and consumer behavioral data, digital device and network intelligence, mobile and email intelligence, and document verification. Part of the challenge and the necessary work is to know when to invoke the right approach to ensure that the costs to the business are well-managed while allowing good customers to connect and transact without unnecessary friction.

Businesses should contemplate breaking down any siloed fraud-prevention and identity-protection processes and begin to consolidate security and cyber control data into systems that can aggregate and analyze that data, employ holistic decisioning logic, build models that are continuously trained on legitimate and fraudulent transactions, and centralize visibility into monitoring and alerting for anomalies.

But the effort doesn’t stop there. Beyond the speed of operations that generative AI empowers, along with the many consumer touchpoints and threat vectors that fraudsters use to attack a business today, bad actors haven’t yet fully begun to employ the more sophisticated attacks that generative AI may enable. These may include generating deep-fake voice, image, and video artifacts to pass facial or voice biometric checks. As businesses add layered controls for identity verification, authentication, and transactional risk, fraudsters will trend toward using these types of attacks, advancing an ongoing chess match: threat versus countermeasure.

Take Appropriate Defensive Steps

Despite all the evolving attacks, there are real defenses against these threats. To combat these next-level fraud attacks, businesses will need to “fight fire with fire,” employing AI-enabled fraud protections with visibility into cross-industry data and fraud signals that will help quickly detect new patterns or inconsistencies in consumer or business behaviors via their various touchpoints or on their own channels, as well as across their peers. When possible, businesses may also seek out partners or solutions that scan for sites and apps that are spoofing their corporate brand for phishing attacks and leverage those partners to take down imposter sites.

By strategically and seamlessly assembling a variety of capabilities that include authenticated identity data, device-risking, email and mobile risking capabilities, behavioral biometrics, document verification, and other risk signals, businesses can instantly spot early indicators of potential fraud. Doing so allows them to mitigate the risk and ensure a positive customer experience with their products and services while protecting consumers’ identities.

With AI-enabled fraud on the rise, consolidating cross-organizational fraud-prevention and identity‑protection processes, and centralizing visibility into systems that monitor and alert for anomalies throughout all the touchpoints in the customer journey, are great steps in what will be a very long-term defense strategy against AI-enabled attackers.

About the Author

David Britton is Vice President of Strategy for Experian’s Global Identity and Fraud group which is part of the company’s software solutions business.