By Anil G. Khilnani, Fraud Education and Awareness Program Lead, Wells Fargo
It can start with an email. A meeting invitation. A phone call or text message. It will seem to be from a trusted source: A regular supplier. A colleague in another city. The company CFO.
There’s a chance, however, that on closer inspection, one or more of the routine communications that you or your team receive every day will turn out to be a sophisticated fake, created by cyber criminals using powerful generative artificial intelligence (Gen AI).
Just as companies are harnessing new Gen AI tools to automate processes and increase efficiency, cyber criminals are also leveraging the technology to advance their fraud attempts.
A recent scam made international headlines when fraudsters netted more than $25 million from a company in Hong Kong. A finance employee authorized a series of payments to the criminals after believing the attendees on a corporate videocall were actual coworkers—including the company’s CFO. These “participants” turned out to be high-tech video deepfakes so realistic the employee was unable to detect the scam.
Unfortunately, situations like these are increasingly common. A recent survey notes that 80 percent of organizations reported being victims of attempted or actual payments fraud in 2023—up from 65 percent in 2022.
Gen AI capabilities make it faster and easier for bad actors to churn out phishing emails and deceptive text messages, calls, and videos—all with much higher quality than in the past. The technology also enables scammers to automate and scale up their attempts so they can target more companies, more often.
These are just a few of the ways bad actors are deploying Gen AI:
Unfortunately, schemes like phishing and business email compromise can make it nearly impossible for your bank or payment provider to detect unauthorized payments. This is because when an employee authorizes a payment or unintentionally shares bank account details, login credentials, or other sensitive personal data with scammers, the resulting transactions can look just like regular payments.
It makes ongoing employee training a critical element of your company’s fraud prevention strategy.
Follow these precautions to help improve your organization’s defenses against fraudsters:
The more suspect emails you can catch before they reach an employee’s inbox, the less your staff need to monitor as they do their jobs. Consider implementing an AI-based secure email gateway. These solutions—considered an industry best practice—use behavioral analysis and other techniques to filter out imposter domains and business email compromise attempts.
A fraud attempt often begins with an innocuous communication, like a company leader requesting a one-time payment, or a vendor asking to change their bank account information or payment method. Remind your team to double-check every request by using a different communication method, and with the contact details you have on file.
For example:
Having two employees involved will give you a second opportunity to catch fraudsters in the act. Have one employee initiate a payment or change, and a separate employee—using a different computer—approve the transaction or request. Use the same checks and balances for designating user access and entitlements for your critical internal systems and bank portals. Most importantly, train both the “initiator” and “approver” that it’s their job to ask questions, look for suspicious activity, and ensure proper procedures are followed.
It’s vital to create a culture of awareness and cybersecurity at your company. The more you conduct ongoing training on fraud prevention and keep potential risks top-of-mind, the more vigilant your employees can be.
AI will continue to disrupt the way we live and work, with both positive and negative impacts. Businesses that stay current as the technology advances will have the best chance of understanding its potential, using AI wisely, and protecting your organization from fraud and risk.
AFP 2024 Payments Fraud & Control Survey
Global Treasury Management products and services are provided by Wells Fargo Bank, N.A. Wells Fargo Bank, N.A. is a bank affiliate of Wells Fargo & Company. Wells Fargo Bank, N.A. is not liable or responsible for obligations of its affiliates.
Deposits held in non-U.S. branches, subsidiaries or affiliates are not FDIC or CDIC insured. Deposit products offered by Wells Fargo Bank, N.A. Member FDIC.
Wells Fargo provides best practice information related to cyber risk and/or topics for educational and information purposes only. This document is not intended to and should not be relied on to address every aspect of the risks discussed herein. The information provided in this document is for the purpose of helping customers and clients better protect themselves from cyber risk and highlight industry best practices for operating in a more secure manner. This document does not provide a complete list of all cyber threats or risk mitigation activities, nor does it document all types of best practices. Wells Fargo is not providing cyber-related advice or consulting services and customers and clients should decide whether to engage a cybersecurity firm for specific questions or advice. It is the responsibility of our customers and clients to determine their best approach for mitigating cybersecurity risk through implementation of best practice aligned to the level of risk.
Wells Fargo Bank, N.A. Member FDIC.
TM-3297 RO-3599208
LRC-0624
Sign On