AI Fraud Detection in Payments | Srishti Andreasen

Speaker A: Online payments fraud will exceed more than 362 billion euros just in the next five years. Fraudsters are highly diverse. They look at every cultural, emotional and systemic blind spot.

Speaker B: What's the most alarming fraud case we've heard about in the last six months and made you realize AI has changed the game? Hello, everybody and welcome to the Charistico podcast. I'm your host, Alex Hanikov and today I'm joined by Srishti Jayan Anderson, country ambassador for the European Women Payment Network and driving for in the fintech community across the Nordics. She's been watching the payments fraud landscape evolve and what she's seeing right now has her concerned fraudsters are adopting AI faster than banks can defend against it. So we're going to talk about fraud in the world of fintech and payments. Welcome to the show.

Speaker A: Thank you, Alex. It's lovely to be here today. Yes, it has been really exciting for me to be the country ambassador for ewpn. It's been an exciting launch here in Denmark with a lot of interest to really participate both in the male and the female community. And I also am very interested in this specific topic with fraud because I work for RS Software and executive and in global business development. And we have created a fraud solution targeting the entire landscape of India. When we launched the real time payment rails for the npci. And I'll share some more details about that later today when we're talking.

Speaker B: Great, let's dive into it. What's the most alarming fraud case we heard about in the last six months? And may you realize AI has changed the game.

Speaker A: Yeah, it really has. You know, we've been hearing several examples. But, you know, the deep fake video technology is something that has really been alarming. There's, you know, something that really shifted the paradigm was when recently a multinational firm's branch in Hong Kong lost more than 25 million euros just in a single afternoon. So the fraudsters use deepfake video technology. They've recreated the company's chief financial officer and several colleagues on a live conference call and they convinced an employee to execute 15 different transactions and transfers. To answer your question about detection, it takes minutes or hours. It didn't. The institution didn't even realize that they had been breached until the employee checked in with the real CFO days later. By then, the funds were completely cleared. They were completely laundered through automated mule networks. This isn't an isolive incident as part of a massive escalated global crisis, really today, to put the scale into perspective, Juniper Research which you're probably familiar with, forecasts that online payments fraud will exceed more than 362 billion euros just in the next five years. And more shockingly, global consumers losses to fraud in a single year reached just over a trillion euros. You know, another more recent study closer to our home is bank of Italy, where they warned about the deep fake video here. It's interesting because what they did was they used the governor, Fabio's Panetta's likeness to promote fake investment products. And what made this alarming was not just that video was fake, it was that the fraudsters used perceived authority of a central bank governor to manufacture trust at scale. Earlier scams often impersonated a bank employee, like I just mentioned earlier in Hong Kong, a celebrity or a company executive. Now we are seeing fraudsters impersonate as the very institutions that we are trained to trust. That really changes the game. So now when we look at it, AI no longer just helps criminals to write better phishing emails. It allows them to create synthetic credibility, a familiar face, a trusted voice, an institutional setting, financial call to action. It's all packaged into something that looks legitimate. So for banks and payment ecosystems, that means that fraud prevention can no longer rely on static identity checks or customer education. The defense has to move really closer to the transaction itself and in real time, Real time risk scoring, behavior analytics, mule, account detection, device intelligence, cross institution fraud intelligence. Before the money moves, before generative AI, this type of fraud, which was business email compromise, relied on clunky phishing emails. So that's where there was poor grammar, there was static fake invoices. It took weeks to actually manually socially engineer this to pull it off. And just a simple phone call could break the spell. But now AI has removed the human error on the fraudster side, so they can now fabricate live interactive human identity in real time. And they're completely bypassing traditional biometric checkpoints. Just really changed the game.

Speaker B: That's amazing how things are changing so fast. So it's mainly about identity fabrication, Right? Walk me through how fraudster actually use AI today. What's the playbook? Are they using specific tools, how accessible those tools are for them? It's just an easy thing that Random Joe can do. Or it's more sophisticated.

Speaker A: Yeah, it's actually surprising how easy it is for them. So the modern fraud playbook is fundamentally industrialized. The rapid growth and globalization of online commerce has turned payments into the primary vector for fraudsters. And AI is driving massive innovation across email, text, phone scams, account takeover attempts. The Playbook, the Way, if I would put it would put as a three step execution cycle. So the first one would be scraping and harvesting. You're probably familiar with scraping, so it begins with scraping data. The fraudsters feed vast amounts of breached personal data into large custom LLMs, so large language models and then they create highly targeted personal social engineering campaigns at massive scale. There is an immense volume of personally identifiable information, PII, as we call it, and account data constantly for sale on the dark web. We'll be surprised at how much supported by an advanced criminal element that harvests and repackages these details for fraudulent use. And then phase two is orchestration. That's where you come in with the AI tools as you mentioned, to automate the creation of synthetic documents, alter metadata on fake IDs and to clone voices using as little as just a 3 second audio clip from a public social media post. So people innocently make their posts, make their videos, oh, out on the beach swimming today and have a little bit of video of them or their children. And that's all it takes for AI to really be able to scam. Phase 3 Scaling via Fraud as a Service or FAAS as we abbreviate to your point about accessibility. Yes, anyone can do this. Now we have entered the era of fraud as a service on the dark web. Fraud tools like Fraud GPT or Worm GPT are available just for a nominal subscription, €50 to €200. So something very easily accessible for most people. The cost to execute a sophisticated scam has plummeted to near zero, while the potential payoff is in millions. So this increasing sophistication leaves less savvy consumers highly susceptible to devastating scams, account takeovers, ato, as we say. This asymmetry is exactly why traditional isolated barriers are failing at RS software. As I mentioned earlier, we've spent 30 years building core payment infrastructures and what we've learned is that you cannot fight automated cross channel AI attacks with manual siloed rules. You really need to look at an overall perspective.

Speaker B: It sounds alarming and I assume banks are taking action on this. In your opinion, is it more about fraud prevention because it's generally more threatening to them or because it's more expensive for them than delicacy?

Speaker A: So it's a harsh reality. But when you look at the numbers, if you look at the industry, McKinsey today estimates that Genai could add a staggering 200 to 340 billion euros in revenue for global value to the banking sector. But a massive chunk of that value unfortunately is currently leaking out directly the back door due to sophisticated fraud. So when fraud happens, the question of who bears the cost depends heavily on the region and the rail. So traditional card networks, banks and merchants have established liability frameworks. But with the rise of instant account to account real time payments, which naturally have the least amount of control and recoverability, so the funds leave irrevocably in multi milliseconds. And if a consumer is tricked into authorizing the transfer, what we called authorized push payment fraud, the consumer is historically bearing the entire loss. However, today there's many regulatory shifts, like the UK's mandatory reimbursement rules and evolving European frameworks, they are forcing banks to split that bill. This has triggered a massive clash with customer expectations. So interestingly, 77% of consumers today surveyed, they actually say that they would outright leave a bank if they would not refund a scam loss. However, only 6% of financial institutions report that they actually intend to reimburse all the scams, preferring instead to review them on a case by case basis, which of course is very costly for the institution. This means that banks must invest heavily in customer protection tech, not out of altruism, but because of their own balance check sheets and customer retention metrics, they are directly on the line. The legacy systems built decades ago just can't keep up. That's why we built RS Intelli Edge, the fraud platform that I talked about, which is able to process and score risk in under 100 milliseconds. Because if you can't catch it before the real time rail clears the transaction, the money, the liability becomes a nightmare for everyone involved who takes the risk when it's in real time. Banks prioritize fraud prevention because it is an immediate unrecoverable cash out the door loss that they often have to pay for themselves. Whereas delinquency is an asset management problem which can be priced, it can be managed, it can be outsourced. However, to prevent fraud, there are two aspects. One is to detect if a transaction is fraudulent, so typically account takeover or app fraud, and then to detect if it is a mule account. Usually. These two prevention systems unfortunately are sitting really far on the banking pipeline. So the BSI has made a recommendation for bringing these two closer, but it is yet to be achieved due to multiple hurdles. And this is where RS Intelli Edge really looks to solve this substantially.

Speaker B: You already mentioned a few times the way it usually works out and it's mainly about synthetic identity. Let's talk more about what synthetic identity is and also back to your point about legacy systems, why can traditional mechanisms like credit scoring catch it?

Speaker A: Yeah, so synthetic identity is like a Frankenstein identity. So fraudsters take real dormant piece of data, like a child's Social Security number or like in the US or a CPR number in Denmark, or, you know, every national system has some kind of a social number. Or they take a clean national identification number and then they combine it with a fake name, fake address, and AI generated biometric faces as well. So they really go through the entire process. So traditional credit scoring models can't catch it because the identity looks perfectly clean. In fact, they go much further. They play the long game. They use AI to nurture these fake accounts over months or years, paying off minor balances, catching excellent credit history, taking fake accounts over months, and then acting like model customers. So then they bust out. So they take their time, they build it out, they build the credit history for that account, which is the credit history of course is huge in the US and then they bust out and they max out all the credit lines, they apply for massive real time loans and they vanish into thin air. So how prevalent is this? McKinsey and industry data show it is the fastest growing form of financial crime today, which accounts for billions of losses annually. Occurrences are rising sharply alongside other escalating vectors like real time payment fraud, deepfakes and check fraud. We aren't talking about hundreds of cases, we're talking about millions of synthetic profiles which are quietly sitting just inside the bank databases right now. In practice, it looks like a completely perfectly valid customer profile with a stellar 750 plus credit score, but there's no actual human behind it. So to catch this, you need real deep data analytics that look way beyond credit files and they're able to analyze real time, cross channel behavioral patterns. The real time aspect is very crucial. A crucial educational takeaway for banks here is to incorporate reputational and consortium data into their fraud decisioning. So sophisticated players today, they track the risk, risk ratings and indicators of both the source and the destination banks. By leveraging the consortium networks, which then securely share the clean data for various customer archetypes, banks can preemptively identify synthetic footprints. And before they bust out, what really happens?

Speaker B: It sounds crazy. I'm trying to get my head around this and it sounds like banks are constantly playing a catch up game here. It seems like the technology became such a great tool for fraudsters to move faster. In your opinion, what's stopping banks from catching up faster? Is it mainly technology or regulation or culture also take place here?

Speaker A: Yeah, so you're absolutely right. So before I joined the fintech community. I was working for an institution in the US called sri Stanford Research Institute. And that's where I worked on leading my program management, was leading cybersecurity for the U.S. government, the Department of Homeland Security. And in my seven years of doing that role, it was definitely evident that the fraudsters are always ahead of the people who are trying this. As much as you want to be proactive, you end up being reactive. In the case of the financial institutions, it's really a mix of all three. But culture, customer friction, sensitivity and legacy infrastructure are really the true blockers. If you look at the, if I was to summarize the most important ones, most traditional banks today, they're sitting in silos. They're operating in silos. The credit card team doesn't talk to the real time account to account payments team. The retail banking risk model doesn't share data with corporate banking. If you look at McKinsey's Rewired research report, banks fail with AI adoption not because their technology is weak, but because they layer advanced tools onto broken disconnected legacy workflows. And that's the key. Furthermore, banks face a major operational dilemma, the sensitivity of customers to friction that causes purchase disruptions. So most financial institutions today, they take blunt one size fits all approach to fraud detection which results in false positives. In the high 90s, it's a lot. So this ruins the customer experience and leads to abandoned shopping carts and lost revenue. So if you're trying to buy something, you choose it all, you get your shopping cart, you're going and the transaction gets rejected. Right. It kind of breaks your trust over there. Because regulations penalize banks and protect consumers, consumers have become way, way less worry while financial institutions have become terrified of interrupting a legitimate transaction. So best in class institutions today, they're cracking this code by developing good customer detection capabilities. So they use machine learning to analyze unstructured data. They look at direct deposits, they look at secure balances and then they use those to offset those false positives. Down into the 60s, the fraudsters don't care about the bank's internal corporate structure or the friction fears. They exploit the gaps between the channels. Are there institutions getting it right? Yes. The ones that I think that are winning are the central payment infrastructures and the Forward thinking Tier 1 banks that are focusing on having a more integrated enterprise risk model. So for instance, RS Software's RS Intelli Edge central architecture is deployed at a national Payment Corporation of India, as I mentioned, national level scale to protect the unified payment interface which is the Real time payment rails across India. By breaking down the silos and analyzing over 200 million transactions a day across 1200 plus institutions connected banks in one single platform, it has driven an 80% reduction in leading categories of real time payment fraud. This is a cultural and a structural shift, not just a software update.

Speaker B: Interesting point you made is that it's the consumers who are scared about the experience. They made the game during the purchasing transaction. And it sounds like whoever from the bank side figures out the way to address it in the best way has the better competitive advantage over competitors. So the question I have in your opinion, should banks share fraud intelligence with each other or that actually kills their competitive advantage?

Speaker A: So I think they should absolutely share their fraud intelligence. So fraud intelligence can never and should never be a competitive advantage. It's a baseline requirement for an ecosystem trust. So why, you may ask. So if bank A shuts down a money laundering mule account but doesn't tell bank B, what does the fraudster do? They automatically jump their operations to the next door within minutes and this leaves the entire financial institution system vulnerable. The fear has always been privacy regulation and data leakage, but modern technology has solved that. McKinsey highlights how generated AI and synthetic data allow banks to evaluate models and share risk intelligence securely without exposing actual production data or violating gdpr. So there's value in being able to share the data and not having to worry about sharing secure data. When one bank shares with another and doesn't reciprocate, it creates a weak link. That's why the most successful model today is federated centralized intelligence. The industry learning here is that robust fraud management strategy must combine performance targets to fraud loss rates, customer impact, shared consortium data from providers like in the US Early Warning Services or LexisNexis. For example, with RS Intelli Edge, we utilize collaborative intelligence across thousands of endpoints. It creates a network effect which is very essential. When a new fraud pattern or compromised purchase point is identified anywhere in the ecosystem, the platform immediately injects and updates rules globally in real time, which protects everyone simultaneously. And that is the real key.

Speaker B: Let's talk more about deepfakes because I see lots of cases defect voice and video scams in the media. How close are we to not being able to trust anything we see or hear?

Speaker A: Financial transaction Unfortunately Alex, we're already there. We can no longer rely on the visual or auditory eye test to verify identity and high value transactions. If a bank's primary line of defense is a customer service agent listening to a voice or looking at a selfie match On a video that defense is porous. The critical lesson for the industry is that while most institutions have individual tools like biometrics, payee confirmations, one time passcodes, these tools must be orchestrated to operate seamlessly together. So if you look at the operational playbook, I think it should follow a three step verification architecture. So step one, using reputational data to flag suspicious onboarding and external account details linkages. Step two, using link analysis to identify hidden connections to risk rated fraud details. And step three, they shift from the static biometric to continuous multi perspective behavioral telemetry. So analyzing keystroke latency device interaction and cross channel rails, really shifting from static to real time and continuous is very essential. You have to look at the data that's surrounding the transactions. How is the user interacting with the device? What is the latency of their keystrokes? Are they using cross channel rails in a way that deviates from the identity based aggregate statistics? Have I personally accounted deepfake? That fooled me? Absolutely. In the fintech community we test these tools regularly. So I've heard voice call clones of colleagues that where the pitch cadence and the breadth pauses was so flawless that without secondary cryptographic or out of band verification I would myself have confidently authorized that conversation. The human brain can no longer distinguish it. It only specializes in machine learning models and running multi perspective analytics cam. So this is where RS Intelli edge can support the exact kind of decision making and then it gives the banks real time cross trail scoring that is tailored to their own customer base and risk patterns. So I'll give you an example just sitting here in Denmark. So one of the people that I know works for Nordic bank. So she herself works in the banking industry. And just early last year her mom received a text messages from her number so from my friend's number and which said hey, I need to, I'm at the store and I need to buy an Apple iPhone. And so mobile pay is the local phone account to account phone service here mobile payments. And so she's like can you mobile pay me? The text message says mom. And she spoke exactly the way that my friend would speak. It's completely mimicking her personality, her way of speaking, all of that on the text messages. And her mom said okay, sure. And she mobile paid the number. So that's instant, the instant transfer. And then five minutes later she gets the message again and says oh, the money didn't come through, can you send that to me again? And so the mom sends it over again and this is somebody who's actually physically in the Banking community who's facing something like this. Right. So one has to be really, really careful and the individuals cannot be able to detect it. Have to use AI and sophisticated machine learning technology.

Speaker B: Yeah, that's actually something that I'd like to talk more about. So we've pretty much covered the aspects that institutions are facing and how they can improve their infrastructure and of technologies they can implement. What about the consumer side? The one thing consumers should stop doing today that makes them vulnerable to AI powered fraud.

Speaker A: So I think right now, you know, if you're looking at the consumers, they really need to stop answering calls from unknown numbers. We all do it. And engaging conversations are posting high quality uninterrupted audio clips of their voices publicly online. So if you pick up an unknown call and just speak for a few minutes, hi, who is this? Who's calling? I can't hear you. That's enough time for them to really be able to capture your voice. Right. Or social media posts with your voices publicly online. So AI voice cloning, as I've mentioned earlier, it needs less than five seconds of clean audio to replicate you perfectly and target your family members with emergency cash scams like I just gave an example of. Data shows that an alarming percentage of people still fall victim to this because the psychological manipulation is just, it's just so intense. But we also need to engage customers as the first line of defense which turns them from the weakest link into the strongest asset. So financial institutions need to provide targeted education such as security portals with common scam typologies, risk based prompts during transactions, the ability for users to really be able to report suspicious content for an AI based scam assessment for example. From a technical standpoint, the simplest tool should enable its hardware based passkeys like Apple or Google passkeys for example or authenticators rather than SMS based two factor authentication. SMS is incredibly easy for AI driven SIM swapping bots to intercept. In our national level deployments, implementing strict device finding and immediate cross channel analytics dropped SIM swap and spoofing fraud metrics to less than 1% within just months.

Speaker B: The more we talk, the more alarming I feel, especially the last point. To me it's about like not answering the unknown numbers can clone your voice. So basically us talking on this podcast and making it public already. Kusas and me frisk Krupp.

Speaker A: Yeah, I mean I answer the phone all the time because sometimes my doctor's office calls from an unknown number. I have two young boys, sometimes I get calls from their, from the schools and so Then they need to reach me. So I actually pick up all calls that I get because I want to make sure I'm reachable for my kids. So I completely agree. So I myself am like, okay, should I pick up and not say anything as an unknown call and let them say something before I realize that it's fake?

Speaker B: So like stop using SMS messages and more rely on passkey management. That's probably the way to go, right? Like to minimize the risk based what

Speaker A: I'm saying, depending on yes. So that's probably makes sense, but it depends on what kind of fraud platform sits behind it. So in India we do use the SMS and the two factor authentication, but the RS intelliit sits behind that entire system and is able to monitor the transaction. So then that way it's able to detect it and flag it before it even takes place.

Speaker B: So five years from now, do we win or lose this arms race?

Speaker A: You know, I'm optimistic. I think we can win, even though the picture I've been painting so far has been so bleak. But I think in order to win, we have to fundamentally shift our mindset from more of a reactive defense to more of an adaptive anticipation. So if we continue to stick to our legacy architectures, the fraudsters win. That we know, because their AI models learn and evolve way faster than a bank's internal IT ticket pipeline. So in the next 12 months, the global financial ecosystem needs to universally adopt adaptive AI models that assess model drift automatically. So fraud patterns, they change weekly now, not just like in a few weeks or something, it's weekly. The nightmare scenario, however, is if we lose, it isn't just financial loss, it's a systemic collapse of consumer trust in the digital commerce. So if people become too terrified to actually click send or to open an online account base, they risk the immediate unrecoverable devastation is too high, the economic velocity grinds to a halt. And that's the problem. The entire system comes to a shut. Winning requires comprehensive fraud solutions. So if you look at Citigroup for example, they've done it well with Citiverify there. That's where they provide bank account verifications to protect against unintended use. These solutions have to be integrated into onboarding and free transaction checks. That's very essential. We must realize that fighting fraud isn't just about security controls. It's about giving customers the ability to safely shape their own protection posture through custom limits and consent preferences, thereby preserving trust and protecting the economic system.

Speaker B: What's the role of regulation here? Is government intervention going to help or make things worse.

Speaker A: So regulation really is a double edged sword. And Europe right now is probably arguably sitting at the most regulations ever in the financial services sector. So if regulation is too prescriptive, it stifles innovation and it binds the hands of the good guys while the fraudsters, they just continue going unhindered. But when done right, it forces the entire ecosystem to elevate its entire defense baseline. Right Now, Europe and UK are leading the charge. UK's PSR liability shift model for APP fraud has forced the industry to innovate. Simultaneously, the EU AI act is sitting in a strong framework around data provenance and security. What regulators are missing however, is the focus on interoperability. And that's where I've been really talking about having the centralized interoperable system. Fraud is global and it's immediate, especially when we're looking at real time transactions. But regulation remains fiercely localized. Every country, every bank is looking at their internal systems. Regulators need to mandate secure cross border, cross institution intelligence sharing and penalizing institutions that act as safe havens from your networks. Furthermore, regulation needs to expand its scope towards anti money, laundry and know your customer frameworks. So Today up to 2 trillion euros annually is laundered through the global financial system. It's a lot of money. And AML related fines surpassed a record 6 billion euros globally in 2023. The learning for financial institutions is that robust compliance systems shouldn't just be viewed as regulatory burden, but they are a significant growth lever. Best in class compliance reduces onboarding friction, improves customer conversion rates and provides the safety assurance required to confidently enter new high risk regulated markets. That's really important to really be able to view it not as a competitive advantage, but as you know, it's a loss for everybody if we don't work together and we don't have something that's interoperable.

Speaker B: I'd like to finish this episode by talking a bit more about your work with women payments and your view on how women and fintech approaching the fraud problem perhaps differently than the traditional mal dominated security teams.

Speaker A: Absolutely. That's exciting and something I'm very passionate about. Just a couple months ago for International Women's Day in March, I organized an event which was hosted by MasterCard here in Copenhagen and where it was an excellent panel, powerful women who all explored the topic of AI and the role of women in the use of AI in terms of agentic AI tools and also what that means for what it creates for customers. And one of the things that was interesting was that today the agentic AI tools are all created by men. Most of the engineers creating these tools are men. And there's a bias that exists. I haven't myself witnessed it as much, but now I'm very curious. I've been since then opening my eyes and kind of trying to figure out where the male bias is and their responses. So I think it's an incredibly vital differentiator. Historically, cybersecurity and fraud teams have taken a purely technical parameter defense approach, building bigger walls, thicker firewalls, heavier encryption. What I see from women leaders in the fintech and the EWPN community is that it's a much stronger focus on the holistic ecosystem and human centric design. So they look at the psych, we look at the psychological vector of the fraud. How are the fraudsters manipulating human empathy? How does consumer behavior shift under stress? Diversity in security teams matters because fraudsters are highly diverse. They look at every cultural, emotional and systemic blind spot. If your entire database team thinks identically, you will design a system that misuses the nuanced social engineering loopholes that AI excels at exploiting. So catching modern fraud requires a balance of raw, lightning fast processing power. The kind of tech we built into RS Intelli Edge, for example, a deep empathetic understanding of human interaction is very crucial. It requires a balanced, robust, multimodal AI fraud detection with seamless customer journey so that we protect the human being without destroying the user experience. Interestingly enough, our product head for our fraud product is a woman at our software.

Speaker B: That's great. I love that perspective. Srishti, thank you very much for your time. That's been a great conversation on fraud and tech.

Speaker A: Thank you so much. And it's been really interesting to hear the Curiosity Code podcast. You have a really nice way of catching the opinions of diverse community. So I'm very excited to see what's upcoming in the next few episodes.

Speaker B: Thanks a lot. And for the listeners, don't forget to subscribe to the channel if you haven't yet and hit that like button on YouTube or leave a feedback in the podcast platform. You're listening this and see you in the next episodes. Bye bye.