Opportunistic individuals have sought to steal money from banks, credit unions (CUs) and other financial players for as long as these financial institutions (FIs) have existed. They do so for a simple reason: As famed Depression-era bank robber Willie Sutton said when asked why his crimes targeted FIs, “Because that’s where the money is.”
Fraudsters’ tactics have largely evolved beyond Tommy guns, safecrackers and getaway cars as they turn to more sophisticated digital tools to perpetrate their crimes. Not only have their schemes changed, but their targets have, too. These bad actors now go after valuable personal data that can be just as lucrative as hard cash when it is sold to other cybercriminals on the dark web.
“The bad guys are either after information or they’re after money,” said Mike Upton, chief digital and technology officer at First Tech Federal Credit Union. “It’s the same threat we face that all financial services institutions face. We have to protect our members’ private, confidential, privileged information [and money] from the bad guys that would want to exploit it for nefarious purposes.”
PYMNTS spoke to Upton about the various scams that fraudsters use to snatch cash and data as well as the preventive measures First Tech deploys to keep itself and its customers safe. He also detailed how the CU uses artificial intelligence (AI) to bolster its various defensive capabilities and consolidate its protective measures into a cohesive solution.
How Fraudsters Target FIs
Fraudsters deploy an array of schemes and tactics to steal money and data, ranging from high-tech hacking to old-fashioned confidence scams. Upton noted that some of the more common schemes rely on brute force attacks, which entail bad actors using stolen credentials to launch hundreds of login attempts in the hope that one password and username combination will grant them access.
“They try to breach our systems by overwhelming them and coming in through the front door,” he explained.
These attacks have largely supplanted distributed denial-of-service (DDoS) attempts, in which hackers flood banks’ servers with traffic to bring their operations to a standstill. Upton said that this indicates how quickly fraudsters can change their techniques to incorporate new technologies or innovations.
“Denial-of-service attacks exist, but they’ve gone out of vogue because really all that does is it disrupts our ability to do business,” he said. “It doesn’t really benefit that bad guy as much. You still see it, but not as much as brute force attacks.”
At the other end of the technological spectrum are fraud schemes like phishing attacks and social engineering scams that exploit human weaknesses rather than technical ones. Fraudsters perpetrating these attacks attempt to trick CU customers or staff into giving them account access, at which point they can harvest personal data or steal cash as they see fit.
“Another common [scheme] that is pretty prevalent is a phishing attack where they’re targeting the members or credit union employees with safety emails or fake websites in which they are going to con [them] into handing over legitimate credentials,” he said. “Social engineering scams involve fraudsters pretending that they are an institution by spoofing their phone numbers and asking [members] to provide information.”
The key to stopping these various attacks is a multilayered defense strategy that consists of several authentication points to ensure customers are legitimate. Making sure all of these steps work together is the job of advanced AI algorithms.
How AI Helps Defense Systems Coordinate Their Strategies
First Tech, like many other FIs, relies on a multilayered defense strategy that combines user authentication, firewalls, human analysts and other defensive measures to check and recheck transactions and logins to ensure that customers are who they say they are. Single layers run the risk of being breached, but it is much more difficult to punch through several at once.
“We adhere to what we call a defense-in-depth strategy, where we look to have layers of defenses to protect against the various different types of attacks that are out there,” Upton explained. “There’s defense in depth at the front door and the traditional firewall, and there’s defense in depth internally, where we compartmentalize not only member data but also employees’ access to systems. Each employee has access to the systems they need to do their jobs but no more, [which can] prevent any breach from being too pervasive.”
He said that AI enters the picture to ensure that all of these systems work in tandem by having a single algorithm examine all interactions holistically. This ensures that individual layers cover one another’s blind spots, resulting in a defense system that is more than the sum of its parts.
“A lot of the different layers are what we call point solutions, with this technology looking at this part and that technology looking at that part,” Upton said. “Where AI becomes intriguing and beneficial is looking across all those different point solutions more holistically. That’s really where you’re going to need to start leveraging AI solutions because you have to be able to span multiple point solutions to ensure that there’s nothing [falling] between the cracks. While you may have [human analysts] monitoring each of these different layers, bringing them together at [speed] is really where the AI tends to have the most promise.”
Any effective team-based approach relies on coordination to ensure that its efforts have the greatest impact. AI may be the key to making sure that FIs’ various fraud-fighting tools are in sync and operating at their best when it comes to cracking down on a multitude of fraud schemes.