“They’re not lone hackers in hoodies anymore.”
That’s how Jeff Scott, vice president of Fraud Tech Solutions at Q2 Holdings, sized up today’s fraudsters when he joined Sarah Snell Cooke on The Credit Union Connection. Picture less Hollywood basement, more industrial-scale operation: rented bots, synthetic identities, organized rings. And yes, they’re armed with AI.
The twist? Credit unions can use the very same tools to punch above their weight. As Jeff put it, artificial intelligence isn’t just for the fraudsters; it’s also the great equalizer. Even without a giant fraud department, credit unions now have the chance to detect patterns no human could ever see and shut down attacks before they snowball.
Here’s the part that made me sit up: Jeff says credit unions have just 27 seconds to figure out if someone logging in is a genuine member or a bad actor. That’s not much time to decide if the person is updating their address or setting the stage to empty an account.
It’s not only about numbers and code, however. Defense can hinge on the tiniest human cues. Is the phone in the member’s usual hand? Are they moving the mouse the way they normally do? Small signals that, together, tell a significant story. And AI is sharp enough to read it instantly.
What we loved most, though, was Jeff’s candor about the elephant in the room: jobs. People worry AI will replace them. He flips that on its head. Instead of drowning in repetitive tasks, staff get time back to focus on real value, like fine-tuning fraud policies or creating better member experiences. In other words, let the machines chase the bots so humans can do the human stuff.
His closing line was a gem: Don’t treat fraud as a cost center, treat it as a trust center. That mindset can be the difference between credit unions being seen as vulnerable targets or as digital havens where members feel they and their finances are secure, protected and valued.
NOTE: The following transcript was created by our robot overlords. It could have a boo-boo here and there.
Sarah Cooke
Hello and welcome everybody. My name is Sarah Snell Cooke. I am your host with The Credit Union Connection. I’m here with the wonderful, wonderful understanding. Jeff Scott, who is the vice president of fraud tech solutions at Q2 holdings, welcome.
Jeff Scott
Thanks, Sarah, great to be here. Yeah.
Sarah Cooke
So explain a little more in depth about yourself and what your company does.
Jeff Scott
Sure. So Q2 is a digital banking and fraud tech solution company for credit unions and banks, mainly based in North America, we’ve got 400 plus customers on the platform, and we help credit unions stay ahead of fraud by combining proven products like dispute management and positive pay with real time detection tools inside the digital session with a new and Emerging AI innovation layer that brings partners together in one cohesive fraud intelligence platform, so we stop billions of fraud every year, but just as importantly, we give credit unions the tools to balance security with great member experience.
Sarah Cooke
Yeah, and I figured I’d hear the words AI or letters, but obviously that’s helped the bad guys and the good guys. So what are we seeing, as far as trends from the attacks that credit unions might be receiving, and then also how the AI can help prevent those attacks? Sure.
Jeff Scott
So you know, criminals or fraudsters have really industrialized over the last five years, aided by great technology like AI and using it for bad. So it’s no longer lone hackers. It’s really fraud as a surface, rented bots, synthetic IDs, organized. Rings. They’re smarter, faster, constantly probing the weakest link and using the most robust and, you know, advanced tools and so AI, you know, is a game changer in so many ways, but also in the hands of bad guys. Means we have to fight fire with fire. So you know the role of AI and ML and Gen AI against fraud is to learn broad patterns across millions of transactions, spot anomalies a human could never detect or see and adapt in real time. And so for credit unions, it means you don’t have a massive fraud department to punch above your weight. It means you’ve got these great tools at your fingertips that kind of augment, you know, just having butts in seats.
Sarah Cooke
Yeah, technology. Oh, great equalizer, no matter what your size. And so for the cybersecurity threads are going through the roof because of the AI, what are some of the more common ones?
Jeff Scott
Yeah, so what’s interesting before we get to the you know, the new and emerging threats is that check fraud is still at an all time high, even as digital grows so it feels sort of unfair, or at the same time we’re dealing with the reemergence of legacy fraud, we have to look around the corner clearly seeing P to P scams through those channels. Just given the real time nature of the money movement, account takeover, social engineering schemes continue to sort of top the charts in terms of threat vectors. And fraudsters are going where the money moves the fastest, and credit unions are no exception to that. So P to P coming soon, as we adopt more real time payments in the commercial space, this will just continue to be the places we think fraudsters will go. Now, the check fraud, it’s just still the easiest channel. And so I think as we’ve fought sort of fire with fire with technology advances, they’re going back to the sort of tried and true, right, fraud schemes.
Sarah Cooke
And so what sort, how, what type of fraud mitigation strategies are you advising credit unions to use?
Jeff Scott
Yeah, it really takes a holistic approach, and that’s probably, you know, an overused buzzword in terms of saying things like orchestration, but we essentially have 27 seconds from the time a bad actor logs into a digital channel session, it has the ability to do something like change PII or move money out of the institution, and so you’ve got to be able to ingest many signals that get the contextualizes who this individual is within seconds without human intervention. And then you need the triggers inside the platform in order to act on those in real time again without human intervention. So are we blocking? Are we allowing? Are we stepping up a user to better understand, should they be allowed to do this action? And you’re using much more contextualized signals, such as, is Jeff holding his phone in his dominant hand? Is he walking in a similar gate that he usually walks? Is he using his mouse in a natural way? Things like that that can be ingested, you know, in real time are just required for the go forward, and not just for the here and now, but likely what’s coming down the road and the next, you know, one to three to five years.
Sarah Cooke
And so how do you work with credit unions like, what’s the onboarding process kind of look like?
Jeff Scott
Yeah, so we offer a full fraud intelligence platform. And so we really built it modularly, such that we know there’s not a one size fits all for our credit union customers, just depending on their members, the geography, the types of members that they have, that you need a different approach. And so it all has to be built on sort of one chassis, one central nervous system, but it needs to be modular in terms of the tools that you can consume. So, you know, maybe just having a login model and a real time ingestion of signals into an orchestration layer that stops bad actors from getting to Zelle or Venmo is enough. Or maybe you need to go, you know, extra steps to protect more sophisticated payment channels like Ach, wire, etc. And then, just depending on sort of the fraud Operations Unit at the credit at the credit union, you know, how much sort of manpower do they have? Have can determine how much automation do we need to bake in? How much do they want the ability to sort of have hands on keyboards and adjust the knobs and dials against their fraud posture. And the most important thing that we’re sort of coaching our credit unions through is the lens that we want to take on this is we don’t want to add more friction to the user experience. We want to add less friction. And so we want our tools to be so proactive that we’re allowing the credit union to fulfill their brand promise and the digital strategy and all the great things that they came to q2 for, from a digital banking perspective, to get and to deliver to their members. We want them to be able to do more of that. So the worst thing that one of our customers could tell us is that they stop fraud by shutting everything off. And so that’s really the approach that we take.
Sarah Cooke
Yeah, so how do credit unions find that middle ground where they’re not denying genuine members doing their activities?
Jeff Scott
Yeah, it’s based on the policies their configuration and the data that we can ingest. And so in our orchestration layer and our fraud intelligence platform, they’ve got real time visibility into their user journeys and the speed bumps that they want to introduce, such that they could change them intraday, or they could champion challenger those speed bumps, they could simulate them for a couple of weeks and see sort of what kind of friction would that introduce? Because the last thing you want to do is catch a good member, good customer and a bad fraud trap. And so you’ve got to have that visibility into the model. And I think in the last decade, you know, in the industry, we all had black boxes. So the machine learning model that did anomaly detection at the front door or inside the user session, you couldn’t really configure it that well, it didn’t have a lot of dials, and that’s all different now. So the orchestration layers that are available that we deploy give you full visibility into that entire ecosystem across the credit union such that you can adjust those things up or down so that you can control your member experience. Okay, that’s good to hear.
Sarah Cooke
And so when you’re talking with Korean leaders out and about what are you hearing, or what are you seeing as the most overlooked part of the implementing you know this kind of fraud technology, fraud mitigation technology?
Jeff Scott
Yeah, I think not necessarily overlooked, but because the market is evolving so quickly, it’s just confusing. And so there’s a new and better point solution every day for a specific piece of their fraud fighting journey that then they’ll come to us as their digital banking provider, and say, but how does this work inside our workflows or ecosystem with q2 and so that’s why we went on this journey of building out this fulsome platform where we can help them plug in the partners that they would like to use alongside our native and proprietary solutions, such that they have that sort of modularness, you know, to the ecosystem. But it’s just, it’s really confusion. It’s, it’s like, what do I need? How much should I be spending on that? What’s the ROI of it, versus the fraud that I’m actually dealing with? And the, you know, $4.63 from the LexisNexis study, that suggests, for every dollar lost, it’s really four and a half bucks, you know, to the credit union in terms of operational other burden, like, how do I dial that in? And so it’s really this consultative need that that most of our credit unions have. I think the other thing would be, credit unions are really built on cooperation. And so data sharing, consortium, type information, joint fraud intelligence, tighter integration across credit unions. We really think the future of fighting fraud is a massive ecosystem problem, and no one’s going to fight it alone. And so that’s really sort of the next frontier for us. Is stitching together in our fraud intelligence platform, all that data across our credit unions in a way that if Jeff shows up in North Carolina as a bad actor, and that’s been contextualized, and I show up again at another q2 institution, you should be able to know that.
Sarah Cooke
Oh, cool. Can you talk a little bit more about that? You’re right. That totally makes sense for credit unions collaborative nature?
Jeff Scott
Yeah, so you know the word Consortium, or the consortium data available in the market is not new, and we’re consuming some of that data through our orchestration layer and into our models such that we can get good metadata about fraud and can. No signals, but we’ve got nearly 500 financial institutions on a digital banking platform, another 600 financial institutions on some of our standalone fraud products. And what we’ve not had until recently is the ability to put all that into one sort of true fraud database, if you will, and really get confirmed cases of fraud such that we can do something with it. So one other example of using that data, we’re working on a more sophisticated machine learning model right now where one of our credit union customers came to us and said, we’re really belabored with account takeover. We have all these confirmed cases of fraud, and they reported that to us. And we took those confirmed cases of fraud and we trained a machine learning model on those pathways, and then we said, every time this pathway happens within the first 15 seconds of a login, we want you to flag it as potential account takeover. And the model just off the RIP was 83% correct and detecting account takeover pathways. So then we said, Okay, that’s interesting. Why can’t we do that across the consortium of all the financial institutions we have on the network and train the model? So that’s sort of the journey that we’re on, and those are the kinds of signals that we think are sort of native and proprietary to q2 because of our breadth and depth that we can bring to the credit union market.
Sarah Cooke
And so I mentioned earlier, you know, technology great equalizer. Is it true to say that maybe smaller cranes would do even would gain even more return than a than a larger one.
Jeff Scott
I love that question because the answer is yes. And so the very, the really great thing for a lot of our credit unions and smaller credit unions, versus, say, a really large financial institution is their data is cleaner because they have less source systems. We have the ability to ingest it much more simply than, say, you know, a large financial institution, you know that we’ve been working with, it’s more difficult because they’ve got many versions of, you know who Jeff is, inside their institution, across lots of different source systems, and that makes it more difficult to have an identity centric approach, not it’s doable, and that’s it’s still critical to be able to have the orchestration functionality in order to do better with that. But our smaller financial institutions really benefit, because they don’t have the staff, and so they need the automation. They need tools that can augment the staff that they do have, or, you know, it allows them to not have to go add additional headcount in order to use these new and better tools.
Sarah Cooke
Now, I think credits have kind of gotten to the point where they’re fairly well educated about AI, whether they like it or not. They know something of they know good basics of a good basis of understanding of it. How do you get over the hump, or how do you explain it to people who are who are concerned that about AI in general, still don’t quite trust it?
Jeff Scott
Yeah, and it’s that’s a valid concern, and we deal with it every day. You know? The thing I would say is that as we’ve gotten more mature and using Gen AI models, which is really what’s new in the market, in my opinion, in the last like four or five years, is a large language model. We’ve been doing machine learning forever, you know, forever. And so I think the visibility into the models is unlike it never is better than it ever has been, you know. So model risk management and all that’s required there from a governance standpoint, has really matured even in the last year in terms of, like, what we’re being asked for by, you know, financial institution auditors, etc. And so the rigor around it is just much more robust. But the thing I would say about, you know, the data sharing concerns, and if you’re using something like an enterprise chatgpt license, and it, you know, the bottom says we don’t use this data to train models. We there. It’s not hard to quarantine and contain that financial institutions, you know, data in a safe way such that they can get benefit from these tools, which I think we’re going to all have to get more comfortable with, because we’ll need Gen AI and llms in order to truly get to a fully agentic world where a large language model wrapped in a workflow is able to take your example dispute investigation to the one yard line. And you come in in the morning, you review what they’ve done, and you can make a decision to go back and research something, or say, yeah, it looks great. Let’s go. And so we’re going to have to advance towards that. And I think it’s just, you know, it’s an evolution. It’s just same as when early days everyone was worried about, you know, being in the cloud. It just evolved. It just evolves. And adoption happens.
Sarah Cooke
So one of the big things about, one of the big issues that people sometimes have with AI is not only, you know, maybe trust in the technology, but a lot of people are concerned this is going to take over their jobs. And you talked about augmenting for smaller credit over the larger crane that might have a larger team. I can, I really kind of understand that concern, and I know looked into it plenty, as a person who does marketing and writing and stuff like that. But how do you what, what is the situation there? Are we augmenting still, or, you know, is it possible that, like, they’re gonna be replaced? What’s going on there? I guess it’s a kind of a cultural question, you know.
Jeff Scott
100% I can totally empathize, you know, as a leader of a team with that, with that concern and question, the way we see it, this just replaces some of the lower value work that’s mundane and sort of task driven, and allows, you know, the rest of us to focus on the high value activity. And so instead of spending, you know, your morning looking through, you know what happened overnight, or what’s happening. You know real time in terms of broad scams, you’re getting that analysis and you know, investigation much more at your fingertips, such that you can go tune policy, you can spend time on other things related to member experience, and you can really just spend time on higher value tasks. So even in my own team, that’s the way we approach it. We literally started with, what are the things that we hate to do the most and that are just super time consuming that we can automate? And so that’s the way I would approach it.
Sarah Cooke
Yeah, absolutely. And makes total sense. I’ve been hearing that a lot too, so I hope that credit unions are really taking that, that particular piece in and the employees too, taking that in and understanding that it’s not about replacing them. It’s making them more time to engage with members or whatever it is that they’re doing. So anyway, I always give my guests the final thoughts. What would you like to leave our credit union audience with?
Jeff Scott
Yeah, I think the thing I would say is, don’t treat broad as a cost center. Treat it as a Trust Center. And what credit unions do in the community is just so critical. It’s really the fabric of the community, and so fraud event is the single biggest thing that could degrade trust in the community or with the credit union. So treat it as a Trust Center. Treat it as an Experience Center, where you can create the great digital experiences, because you’ve got great fraud defenses, because as we, as we know, you know members won’t stay if they don’t feel safe, and you know we’re here to support Awesome.
Sarah Cooke
Well, thank you very much. I appreciate it. We’re heading into Labor Day weekend, so enjoy your long weekend.
Jeff Scott
Thanks, Sarah. Appreciate it.