US banks have invested heavily in fraud prevention over the past five years. However, there are still some glaring gaps (as well as some hidden risks) that have yet to be addressed. And, if these are not remedied in 2025, threat actors will exploit them – at massive cost to the financial institutions (FIs) and their customers.
GenAI gets smarter and cheaper
Fraudsters have not necessarily become smarter, but GenAI has. It can now generate highly realistic, personalised content on demand, and it lets fraudsters automate the creation and distribution of socially engineered messages across multiple channels. That scalability raises the odds of a successful attack without extensive manual effort. Deepfake video and cloned voices are almost impossible to spot, and GenAI can draw on personal data to trigger an emotional response that fools even the most sceptical target. It can also assemble synthetic identities by combining real and fabricated information.
In 2022 alone, the FBI counted 21,832 business email compromise (BEC) complaints with losses of approximately $2.7bn. What's more, the Deloitte Center for Financial Services estimates that by 2027, generative AI email fraud losses could total about $11.5bn in an "aggressive" adoption scenario.
This growing and shifting threat will challenge banks’ efforts to stay ahead of cyber criminals and banks must hit back with a considered and agile security response. This is especially true as DeepSeek enters the fray, doing the same work faster and cheaper than ever before.
Ironically, the best way to fight AI is with AI: banks should pair AI models with risk-based authentication (RBA). The models learn each customer's behaviour over time and build a profile against which every login and transaction is compared, so normal and suspicious activity can be told apart and potential fraud answered faster, whatever the criminals' latest modus operandi.
Mobile channels left wide open
Almost half of US banks could be leaving their customers vulnerable to account takeover (ATO) fraud through inadequate protection of their mobile channels. Consequently, criminals increasingly gain unauthorised access to accounts through the mobile channel rather than through mobile web or desktop banking. Why would criminals struggle to break in through the back door when the mobile side door is left wide open?
With biometric authentication now standard on new devices, fingerprint scanning and facial recognition are part of everyday life. Banks should be using FIDO2, an open standard built on public key cryptography, to enable passwordless, SMS-free logins across devices and platforms: the private key never leaves the authenticator and the signed login assertion is bound to the bank's own web origin, so there is no secret for an attacker to intercept or phish. Solutions are also available to create a digital 'fingerprint' of a mobile device or desktop browser, so that a bank can recognise a trusted device when a transaction is initiated.
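To make concrete why a FIDO2 login cannot be intercepted or relayed the way an OTP can, here is an added example (not code from the article or from Entersekt) of the relying-party checks a bank's server performs on a WebAuthn assertion, written in Go with only the standard library. The simulated authenticator, the origins bank.example.com and bank-login.example.net, the challenge encoding and the three login scenarios are all constructed for this example; a production deployment would use a maintained WebAuthn library rather than hand-rolled parsing.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// ClientData mirrors WebAuthn's clientDataJSON; the browser builds it and stamps in the calling page's origin.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion: AuthenticatorData is rpIdHash(32)||flags(1)||signCount(4); Signature is DER ECDSA over AuthenticatorData||sha256(ClientDataJSON).
type Assertion struct {
	AuthenticatorData, ClientDataJSON, Signature []byte
}

// RelyingParty is the bank: one expected origin plus the public key enrolled at registration.
type RelyingParty struct {
	RPID, Origin string
	PubKey       *ecdsa.PublicKey
}

// NewChallenge returns a fresh random challenge, stored server-side and accepted once.
func NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand.Read is documented never to fail as of Go 1.24
	return base64.RawURLEncoding.EncodeToString(b)
}

// VerifyAssertion runs the checks that make a passkey unphishable and non-replayable: one-time challenge, origin, rpIdHash, user presence, signature.
func (rp *RelyingParty) VerifyAssertion(a Assertion, expectedChallenge string) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: assertion was made for " + cd.Origin)
	}
	rpIDHash := sha256.Sum256([]byte(rp.RPID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpIDHash[:]) {
		return errors.New("rpIdHash mismatch: credential is scoped to another domain")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.PubKey, digest[:], a.Signature) {
		return errors.New("signature does not verify under the enrolled public key")
	}
	return nil
}

// simAuthenticator stands in for a platform authenticator (constructed for this example); its private key never leaves it.
type simAuthenticator struct{ priv *ecdsa.PrivateKey }

// assert signs for the page the browser is on; rpID and origin are supplied by the browser, not by the page.
func (s *simAuthenticator) assert(rpID, origin, challenge string) Assertion {
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signature counter = 1
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
	if err != nil {
		panic(err)
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}
}

// RunScenarios enrols a passkey at the bank and reports which of three logins is accepted: genuine site, look-alike site relaying the real challenge, replayed assertion.
func RunScenarios() (legit, phish, replay bool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	auth := &simAuthenticator{priv: priv}
	rp := &RelyingParty{RPID: "bank.example.com", Origin: "https://bank.example.com", PubKey: &priv.PublicKey}
	c1 := NewChallenge()
	a1 := auth.assert("bank.example.com", "https://bank.example.com", c1)
	legit = rp.VerifyAssertion(a1, c1) == nil
	// Adversary-in-the-middle: the phishing page relays the bank's challenge, but the browser stamps the phishing page's own origin and rpID into what gets signed.
	c2 := NewChallenge()
	a2 := auth.assert("bank-login.example.net", "https://bank-login.example.net", c2)
	phish = rp.VerifyAssertion(a2, c2) == nil
	replay = rp.VerifyAssertion(a1, NewChallenge()) == nil // captured a1 presented again later
	return
}
```

The contrast with an SMS OTP is the point: an OTP is a six-digit value the customer can be talked into typing into any page, whereas here the phishing attempt fails on the origin and rpIdHash checks even though the attacker relayed the bank's genuine challenge, and a captured assertion fails on the one-time challenge. Nothing the authenticator sends can be reused elsewhere.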
Outdated fraud prevention technologies
Despite rapid advances in security technology around the world, in many instances the US banking industry clings to technologies that are no longer fit for purpose. Many existing fraud prevention tools are simply not designed to adapt to new types of fraud. Traditional rules-based systems, for instance, only catch patterns someone has already written a rule for, and the rules generate excessive false positives along the way, leading to customer frustration.
Reliance on legacy controls like SMS one-time passcodes (OTPs) poses another challenge: an OTP is a shared secret that a SIM swap can redirect and a real-time phishing page can relay.
According to Liminal's 2024 Link Index for Account Takeover Prevention in Banking, losses from these attacks have been growing, averaging $6,000 to $13,000 per ATO incident in the banking industry, and US banks have seen a 66.8% increase in social engineering attacks in the last two years alone.
Although banks know OTPs are not safe, Liminal says only 44% of banks use mobile device signals for protection. With advanced authentication, banks can combine active authenticators (such as push-message approvals) and silent ones (such as behavioural biometrics), with risk signals deciding which challenge, if any, each login warrants.
In addition to active authentication, where the customer must perform a task to confirm a transaction, there is silent authentication. Behavioural biometrics, which analyse how a user interacts with a device (typing speed, mouse movements), can detect deviations from that user's typical behaviour for more nuanced fraud detection, particularly when a scammer is impersonating a legitimate customer or coaching one through a session.
By collecting device signals (such as the SIM identifier), network signals (such as the IP address), behavioural signals (how the user interacts) and security signals (such as biometric data), banks can score the risk of each session and stop ATO attempts before they succeed.
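As an added example (not the article's or Entersekt's code), here is a small risk engine in Go that turns the silent signals just listed (device fingerprint, SIM identifier, network ASN, typing cadence) and one active signal (a passkey assertion) into a score and picks the least intrusive challenge, which is the mechanism the RBA paragraph earlier in the piece describes. The weights, thresholds, profile schema, ASN and SIM values and the five constructed logins are assumptions for illustration, not a published model; a production engine would fit its weights to labelled fraud data.

```go
package main

import "math"

// Decision is the challenge the risk engine selects; the higher the risk, the more active the authenticator.
type Decision string

const (
	Allow         Decision = "allow"           // silent signals suffice
	PushChallenge Decision = "push-challenge"  // out-of-band approval in the bank's app
	PasskeyStepUp Decision = "passkey-step-up" // cryptographic proof from an enrolled device
	Block         Decision = "block"
)

// Profile is what the bank learns about one customer over time (hypothetical schema).
type Profile struct {
	Devices   map[string]bool // fingerprints of devices the customer has logged in from
	SIM       string          // SIM identifier bound at enrolment; a change suggests a SIM swap
	Networks  map[string]bool // ASNs the customer normally connects from
	TypingMu  float64         // baseline mean inter-keystroke interval, ms
	TypingSig float64         // baseline standard deviation of that interval, ms
}

// Signals is one login's evidence; everything but Passkey is collected silently.
type Signals struct {
	Device    string    // device fingerprint
	SIM       string    // empty on devices without a SIM
	ASN       string    // autonomous system the client IP belongs to
	Keystroke []float64 // inter-keystroke intervals typed into the login form, ms
	Passkey   bool      // session opened with a FIDO2/passkey assertion
}

// Score adds up independent risk signals and records why each one fired.
func Score(p *Profile, s Signals) (score int, why []string) {
	add := func(n int, reason string) { score += n; why = append(why, reason) }
	if !p.Devices[s.Device] {
		add(40, "unrecognised device")
	}
	if s.SIM != "" && s.SIM != p.SIM {
		add(50, "SIM changed since enrolment")
	}
	if !p.Networks[s.ASN] {
		add(15, "unfamiliar network")
	}
	if n := len(s.Keystroke); n >= 10 && p.TypingSig > 0 {
		mean := 0.0
		for _, v := range s.Keystroke {
			mean += v
		}
		mean /= float64(n)
		// z-score of this session's mean cadence against the customer's baseline
		z := math.Abs(mean-p.TypingMu) / (p.TypingSig / math.Sqrt(float64(n)))
		if z > 4 {
			add(35, "typing cadence far from baseline (coaching or remote access?)")
		}
	}
	if s.Passkey {
		add(-45, "passkey assertion proves possession of an enrolled authenticator")
	}
	return score, why
}

// Decide maps a score to the least friction that still covers the risk.
func Decide(score int) Decision {
	switch {
	case score >= 90:
		return Block
	case score >= 50:
		return PasskeyStepUp
	case score >= 25:
		return PushChallenge
	}
	return Allow
}

// Learn records an accepted login so the same device and network count as familiar next time.
func (p *Profile) Learn(s Signals) {
	p.Devices[s.Device] = true
	p.Networks[s.ASN] = true
}

// RunScenarios evaluates five constructed logins against one constructed customer profile.
func RunScenarios() map[string]Decision {
	p := &Profile{Devices: map[string]bool{"fp-phone": true}, SIM: "8901410321111111111", Networks: map[string]bool{"AS7922": true}, TypingMu: 180, TypingSig: 40}
	normal := []float64{170, 185, 190, 175, 180, 182, 178, 188, 172, 180} // mean 180
	slow := []float64{390, 410, 405, 395, 400, 420, 380, 415, 385, 400}   // mean 400
	cases := map[string]Signals{
		"trusted phone, home network":    {Device: "fp-phone", SIM: p.SIM, ASN: "AS7922", Keystroke: normal},
		"new laptop, unfamiliar network": {Device: "fp-laptop", ASN: "AS16509", Keystroke: normal},
		"new laptop, passkey used":       {Device: "fp-laptop", ASN: "AS16509", Keystroke: normal, Passkey: true},
		"new phone, SIM changed":         {Device: "fp-phone2", SIM: "8901410329999999999", ASN: "AS16509", Keystroke: normal},
		"trusted phone, slow typing":     {Device: "fp-phone", SIM: p.SIM, ASN: "AS7922", Keystroke: slow},
	}
	out := map[string]Decision{}
	for name, s := range cases {
		score, _ := Score(p, s)
		out[name] = Decide(score)
	}
	return out
}
```

Two things in the scenarios are worth noticing. The "trusted phone, slow typing" login passes every device and network check and would sail through a rules-based system, yet the cadence deviation alone is enough to trigger a push challenge, which is the case where a scammer is coaching the real customer or driving the session remotely. And the "new laptop, passkey used" login is allowed because a passkey assertion is strong evidence in its own right, so the engine spends friction only where the silent signals leave doubt.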
Organisational silos create security gaps
Despite digital transformation efforts, many traditional banks are dealing with a nasty hangover of organisational silos, where different departments (fraud prevention, information security, identity management) do not effectively communicate or collaborate. The same holds true for retail and commercial banking, digital banking teams and contact centre operations.
This fragmentation leaves gaps in fraud detection and response, and fraudsters flourish in the gaps between channels.
Lack of collaboration hurts everyone
Banks have never been known for their willingness to share, but the lack of collaboration is hurting the entire ecosystem. While larger banks have extensive historical data that enables them to develop robust AI models for fraud detection, smaller banks often lack sufficient internal data and resources, making it difficult for them to create effective AI solutions.
In March 2024, the US Treasury released a report on this problem, calling for enhanced data sharing collaboration among financial institutions.
A tech-forward, multichannel response
US banks are standing on a precipice. To remain competitive, they must prioritise innovation. And this means adopting more sophisticated technologies that can analyse the context of transactions in real-time and across various channels. A more integrated approach is also necessary to address the multifaceted nature of fraud – both between the individual departments and channels in a bank, as well as between banks.
Regardless of separate investments in push notifications, RBA, behavioural biometrics, FIDO or passkeys, banks remain exposed unless they look at both active and silent signals across the originating and authenticating channels, and capture every signal their existing infrastructure already produces, so that they have a complete picture. The technology is available and tried and tested. What is required is a willingness to do things differently.
Frank Moreno is Chief Marketing Officer at Entersekt