Strength in numbers

With fraud more prevalent than ever, it’s no longer good enough for financial services organisations to simply focus on their own operations. They must come together in the battle against AI-powered scammers

Financial services organisations face escalating fraud risks caused by the wrong people getting access to critical systems, data and assets. Knowing who’s who can help mitigate the risk but identifying hackers and scammers is becoming increasingly difficult.

Digital transformation is creating welcome opportunities for all types of businesses. Criminal enterprises are no different. The digital tools and technologies at their disposal are becoming much more sophisticated. And with AI and machine learning now mainstream, the technology arms race between them and the industry is heating up.

We, at BT, can see this and it’s making the fraud landscape much more challenging than ever before. That’s why earlier this week, we brought together our financial services customers, competitors and industry stakeholders. At our Fighting Fraud event, we committed to work together to reverse the tide.

Of all types of fraud, consumer fraud is arguably the highest-profile risk. APP (authorised push payment) fraud alone cost British consumers £355.3m in the first half of 2021, an increase of 71 per cent year-on-year.

Internally, the proliferation of connected devices and a burgeoning “work from anywhere” culture is creating new threats. It is estimated that 79 per cent of data is shared within organisations without encryption. This is the soft underbelly in many organisations’ defences.

Thirdly, there’s cyber risk. This is the top non-financial operational risk category in banking. Most banking losses come from cybercrime or fraud linked to technology. Effective cyber risk management is now about getting a step ahead of hackers by identifying cyber threats before they even arise, and objectively quantifying their risk.

These are three very distinct categories of risk but to tackle them, they must be considered together. Organisations must look at their whole ecosystem. There must be no gaps. And they must think end-to-end across their processes.

Trusting no-one is key. Whether it’s a customer, employee or anyone else, before they can use a system, do business or access data, their identity must be authenticated — and authenticated again for each additional process or data they want to use. In the cyber security industry, we call this “zero trust”.

That broadly outlines what individual financial services organisations can do themselves. But the war on scammers, fraudsters and hackers won’t be won if each organisation stands alone.

What if, having experienced losses from a scam or hack, you hear that one of your competitors had suffered the exact same attack months ago but hadn’t warned you about it? What if it was the same criminals who pulled off the scam? I’d expect you’d be incredibly frustrated and annoyed.

At our Fighting Fraud event, we called on organisations from across the financial services industry, including regulators and consumer groups, to collaborate more comprehensively in the battle against the criminals. We know this isn’t easy.

Regulations are there to protect customers and ensure the financial services market works effectively, with resilience, and fairly. But those same regulations can sometimes prevent us from collaborating to beat the scammers. It’s a nut we need to crack because cyber criminals are already collaborating and do so very effectively and with few barriers.

For example, hackers and hacking organisations share stolen credentials, data and techniques on the dark web and offer “ransomware-as-a-service”. Cyber specialists advertise and hire out their services to other criminals. Others generate and evolve malware – share and add new code and exploits to existing malware “products”. And they advertise for and recruit other cyber criminals using the dark web too.

If we don’t collaborate, the criminals will outmanoeuvre us over and over again.

Collaborating would involve sharing data and intelligence. AI and machine learning are incredible technologies but they’re only as good as the data that feeds them. If the criminals share data and intelligence to direct their attacks, the industry must be able to do the same to keep defences one step ahead.

Consumer groups and regulators would normally be alarmed about this. So, we need their help to create trusted and compliant frameworks to allow us to share data and intelligence. From speaking to many of BT’s financial services industry customers, I know they’re fiercely competitive. Sharing their experiences and insights will be counter-intuitive but in this fight we’re all on the same side.

At our event, one audience member commented that the ongoing arms race against criminals is like this: “You build a ten foot wall to protect your business. So, the scammers turn up with an 11 foot ladder.” That indeed sums up the challenge. But what if you were warned by another firm that someone had just tried to top their walls with an 11 foot ladder? You’d know what to look out for and be able to adapt your defences in advance.   

It’s vital that we all recognise that this is not a battle we can win on our own. Only by working together will we able to rapidly identify scammers and threats and adapt our defences. By doing so, we’ll be able to move quickly against AI-powered criminals and proactively and effectively mitigate fast-evolving threats.