We face a pandemic of online fraud, with over £1.2 billion stolen in 2022 and 80% of cases starting online.
As concerns grow around celebrity deepfakes and more targeted identity fraud, consumers need to be much more careful both online and offline. It’s becoming much easier to be fooled with a variety of fraud types using sophisticated tools to identify, attack, and mimic victims – meaning anyone can fall prey to a scam, even the savvy. But customers need the benefit of online authentication, replacing the need for face-to-face meetings while complying with EU and UK security and compliance requirements.
Protecting customer data, rightsizing security, educating users and trying to offer a user-friendly experience is a tough balancing act. Especially in an environment where technological change happens rapidly and the skills to counter new threats are in short supply.
Increasingly intelligent imposters
There are tens of fraud types, from account takeover to work-from-home scams. Some are very well-known, like email or credit card fraud, and well-established business services are trained to spot and stop them. Automation and machine learning are critical in keeping these from reaching the vulnerable human target’s money and information.
UK Finance reported that 78% of authorized push payments (where victims are tricked into sending a large transfer) begin online, and 18% through telecommunications.
New types of fraud, like audio or video deepfakes, are also being deployed, and it is much harder to stop them from reaching and fooling customers. The EU Agency for Cybersecurity (ENISA) warned how photos, videos, masks and deepfakes can all be used in face presentation attacks that impersonate users for fraudulent identity verification.
ChatGPT and other generative AI models can be used by fraudsters for multiple purposes, both strengthening the verisimilitude of their communications and speeding up the throughput of their targeted attacks. GPT tools like the leader, ChatGPT, and art tools like DALL-E are extremely useful for bringing creative prompts to life. But some can be used to ape the voices and faces of targets for use in fraud. Deloitte laid out some of these new threats and cited a third-party survey claiming that 37% of organizations have faced a deepfake voice fraud attempt. These aren’t new – they are just becoming easier for fraudsters to use at scale – with the first AI-enabled case understood to be in 2019.
Senior Director of Product Management International at DocuSign.
A lifeline for fraud prevention: liveness detection
Identity verification is at the heart of business fraud prevention and is the basis of trust between customers and providers. Given the ability of deepfakes to mimic users, firms are looking to liveness detection technologies to defeat impersonation. These are built with biometrics checks and AI that looks for points of likeness and dissimilarity between documentation like identity cards, signatures, photos and videos that providers request when users sign up. The key feature lies in ensuring the real user (signer, selfie taker) is alive and present at verification, without false positives.
Liveness can apply techniques such as one-time passcodes or live speech for a set phrase. There is also facial liveness, which can be passive or active. The former applies machine learning to recognize a real face, and the latter requires users to make a predetermined set of actions to prove they are alive, live, and present.
The critical metrics for the tech and business leaders involved are accuracy, speed, and ease of use. Security technology has always had a reputation for being a blocker. While AI is causing a problem for security, it’s equally the solution – making legitimate users’ lives easier with more pleasant and secure experiences.
Biometrics and AI together support businesses with better identity assurance that the person on a video selfie, the signer of a written contract, or the face over the counter, are who they say they are. Given the importance of operating at digital speed, liveness detection must bring down authentication failure rates to keep users happy doing their business. Moreover, given the digital freedom customers have to take their business where they want, liveness solutions support the business broadening offerings to new services or markets without adding to either party’s burden.
Businesses may also be aware that the EU’s eIDAS 2.0, for carrying out seamless, secure electronic interaction, is coming into force shortly. This will promote more secure and interoperable electronic identities. This will increase pressure on UK service providers to stay up to date with sophisticated identification and trust services available in the Eurozone, including digital signatures and certificates.
Tips to adapt, educate, and stay vigilant
Fraud will become a bigger challenge for business unless liveness detection automation supports the verification process and simplifies authentication.
Authentication platforms that leverage AI make it easier to determine whether a customer’s biometrics are valid, and whether they are live and present. Depending on the features, AI-powered identity and access management (AIM) can also analyze patterns of use and escalate an alert where any behavior deviates from normal behaviors.
Organizations must also educate users in an engaging way, ensuring they know what a legitimate corporate communication experience looks like. Moreover, users must be taught what red flags should make them stop and query before taking action – both internal business users and end customers alike.
All users must keep their ID documents safe and secure. People often forget that any contracts they sign online fall into this category, too. Everyone needs to query how authentication works, and what security the other party uses.
And finally, customers and their service providers alike must do that most basic of tasks – maintaining their tech with patches, updates, and stringent cyber hygiene. Just as with the physical hygiene that became so important during the pandemic – scrimping on regular, rote checks increases the risks to users, and everyone in their network.