Scammers around the world use artificial intelligence to trick their way inside banks and credit unions’ systems. And over half haven’t adopted a key prevention tool, new research says. iStock illustration

Scammers around the world use artificial intelligence to trick their way inside banks and credit unions’ systems. And over half haven’t adopted what one expert says is a key defensive measure.

According to Red Sift, a cybersecurity organization headquartered in Austin and with an office in Braintree, 61 percent of major U.S. banks remain exposed to phishing attacks because of weak or absent enforcement of an email security protocol, called “DMARC.” DMARC stands for “Domain-based Message Authentication, Reporting & Conformance.”

These phishing attacks have the primary goal of gaining access to employee passwords and emails in order to get into bank interfaces or platforms.

Red Sift CEO Rahul Powar said he wasn’t surprised by the findings. While some of the largest banks might have high levels of defense, smaller or regional banks are proving to be the preferred target for phishing attacks, he said.

“As with many other industries, as soon as you move off that top 10, top 50 list, and you move into regional or non-retail finance, organizations’ adoption of these technologies just immediately drops off,” Powar said. “What we’ve seen is that bad actors have sort of started to attack these other organizations which are very relevant to the markets that they serve and are very trusted in those markets, but don’t have the same scale of technical controls. So, they seem from the outside in as softer targets.”

Powar urged all organizations in the banking space to adopt these cybersecurity measures to protect against the risk of a cyberattack.

One More Cost Center?

But DMARC enforcement and other perimeter controls require lots of planning, said Bank Five Senior Vice President Maureen Terranova said. Terranova is the Fall River-based bank’s chief information officer.

“There’s all different ways to prevent cybersecurity attempts,” she said. “I think it’s a multi-layered approach, it isn’t any one thing. I think that DMARC enforcement is an interesting solution.”

Part of the reasoning behind the fact that there is a drop off in enforcement among regional and smaller banks can be credited to cost, executives interviewed for this story said. In a high-cost environment, increased cybersecurity is just another added expense for financial institutions already dealing with compliance costs, marketing expenses, software licensing and other budget items.

“Cost is always an issue, but I think what’s even more important is protecting any kind of sensitive, confidential, private information,” Terranova said. “Cybersecurity is at the forefront at our bank. We’re always looking for new and improved ways to do things.”

But even with the many business expenses banks face, Reading Cooperative Bank President and CEO Julieann Thurlow said, while cybersecurity in an added tax on banks, they are necessary. It is better to spend the money to protect an institution than to deal with the ramifications of a successful cyberattack.

“You’re better off spending an extra $150,000 on a new cybersecurity tool that’s monitoring all of your transactions, rather than getting a $500,000 loss because a small business authorized a payment that they shouldn’t have,” she said.

AI Risk Goes Far Beyond Phishing

Artificial intelligence is only increasing how indistinguishable phishing attacks can be from actual conversations between bank employees.

“Fraudsters effectively have access to toolkits that are optimized for doing exactly their fraud use cases on the back of [generative] AI,” Powar said. “So clearly they can generate very legitimate sounding content at an industrial scale with very little input required. Even if they’re not native English speakers, in sort of faraway places running some of these fraud farms, they now have access to very high-quality content generation in the language of their choice, making it far more difficult for people to distinguish illegitimate communication from these fraudsters.”

AI’s threat doesn’t just involve tricking bank employees into clicking on the wrong link. It also helps make some phishing attacks harder for automated cybersecurity systems to detect, Terranova said.

And even Sam Altman, one of the biggest names in AI and CEO of OpenAI, is warning lenders of the threat posed by a technology he helped bring into the world.

The banking industry faces a “significant impending fraud crisis” because of the ability of artificial intelligence tools to impersonate a person’s voice to bypass security checks and move money, he warned during a July Federal Reserve conference in Washington, D.C.

Beyond phishing attacks, AI has the potential cause even greater damage to banks. For example, fraudsters can use AI to make copies of a bank’s domain with “hooks” to gather information or install malware, according to Powar.

“The other extreme, which is sort of the more expensive and the more complex portion of it, is when you start to use Gen AI to real-life impersonate individuals. For example, you know, all the way from the CEO to a bank manager, you can effectively use Gen AI to create very convincing real-life synthesis of either voice or video or both, to defraud real users in real time with conversations on a call,” he said.

Sam Minton

‘Arms Race’ in Full Swing

But AI can also be used to protect companies from cyberattacks. Powar predicted that AI will become an important part of any organization’s cybersecurity tech stack.

“If we’re going to have AI generating a whole bunch of stuff to defraud people, we need to have AI in the security operations center or in the managed service provider that’s looking at all of this content and looking to classify what is fraudulent and what is not so that further action can be taken,” he said.

Evolving threats are pushing banks and credit unions to focus more on cybersecurity risks, Terranova said.

“I don’t see that going away anytime soon. Especially with AI, and its more advanced techniques, I think we have to do better,” she said.

But fraud driven by AI is growing as fast as solutions-based AI usage, Reading Cooperative Bank’s Thurlow said.

“Whoever is going to win this arms race remains to be seen,” she said.