A disturbing trend has emerged in the financial sector, with digital fraud losses skyrocketing by 25% year-over-year, according to recent research from KPMG. In an exclusive interview with Credit Union Connection, Brad Cranford, Director of Product Management at Alkami, revealed the escalating threat, tracing its origins back to the pandemic-driven surge in digital transactions. This alarming rise underscores the growing sophistication of fraudulent activities, leaving institutions scrambling to fortify their defenses.
The shadow of artificial intelligence looms large over this evolving landscape. While not a direct perpetrator, AI is proving to be a potent tool for bad actors, significantly lowering the cost and increasing the efficiency of their operations. Cranford explained that AI empowers fraudsters to quickly master complex schemes and convincingly execute social engineering tactics, blurring the lines between legitimate and malicious interactions. This technological leap, however, presents a double-edged sword, offering financial institutions advanced analytics and data-driven insights to combat the very threats it enables.
Amidst the technological arms race, a stark revelation emerged: a significant portion of financial institutions are failing to adequately protect sensitive member data. Cranford, in his interview, stressed the critical importance of returning to foundational security practices. Robust staff training, often overlooked, stands as the first line of defense against increasingly sophisticated attacks. He emphasized that vigilance in basic protocols is paramount, as even the most advanced AI-driven frauds often rely on exploiting human error through social engineering.
The regulatory landscape, while crucial, is struggling to keep pace with the rapid advancements in technology. Cranford cautioned against relying solely on regulatory compliance, urging institutions to proactively adopt best practices and anticipate emerging threats. He highlighted the need for a dynamic approach to cybersecurity, one that balances adherence to regulations with a commitment to continuous improvement and innovation.
As the battle against digital fraud intensifies, the interview shed light on the unique role credit unions play in safeguarding their members. By fostering trust and engaging in proactive education, these institutions can empower members to become a crucial part of the defense strategy. Cranford’s insights paint a picture of a complex and evolving threat, demanding a multi-faceted response from the financial sector. To fully understand the scope of the challenge and the strategies for mitigation, viewers are urged to watch the full interview, where Cranford delves deeper into the nuances of this critical issue.
Disclosure: Transcript below is automatically generated
Sarah Cooke 00:00
Hello. I am Sarah Snell Cooke, your host at the credit union connection. I’m here today with Alkami’s director of product management, Brad Cranford, welcome.
Brad Cranford 00:32
Thank you. Good to be here. Yeah, we’re gonna be talking about
Sarah Cooke 00:35
this recent research that alchemy has done. In the meantime, though, Brad wants to do a little more introduction of yourself and the research,
Brad Cranford 00:44
Sure, absolutely. Well, my name is Brad Cranford. I’ve been at Alkami for about eight years now, and within our product organization director, within our team, I manage all of our security and fraud integrations and solutions within our platform. So I work with customers every day, around managing, detecting fraud, mitigating that fraud risk, and all of those solutions and features, yeah,
Sarah Cooke 01:11
yeah. And of course, I’m not terribly surprised to see the results of your research that it was 25% increase in fraud losses year over year. So how was that increase comparing to past years? And I know you, what are you doing about it? What are you personally,
Brad Cranford 01:30
yes, well, so, you know, this is a trajectory that we’ve really seen since 2020, when, you know, when digital fraud kind of really went, you know, through the roof with the paycheck Protection Program, the PPP loans, etc, really kind of drove a lot of digital fraud. It was an opportunity where there was a lot of money out there, and that, I think, that created a lot of professional organizations around digital fraud, and so they’ve continued to evolve and get more active. And so we continue to see this growth as that, honestly, as a whole industry that is that is built around taking people’s money, yeah,
Sarah Cooke 02:13
you would think that if they took the brain power it took to be bad guys, they could be really good, good guys,
Brad Cranford 02:18
right, right? So how much increase
Sarah Cooke 02:22
does the evolution I might want to I’d probably say revolution of AI account for in this?
Brad Cranford 02:31
Yeah, that’s a great question. You know, obviously AI is on everyone’s mind and trying to understand the impact of it. You know, the the impacts are somewhat subtle in some ways, because you don’t like it, fraud isn’t detected. It’s like, oh, that was aI fraud, right? Like, it’s fraud that happens. And so we’re deriving that from some of the behaviors. But the, the key thing that we see here is that AI tools are helping the bad actors lower the cost of doing the things that they’re doing they can become proficient, either in the tools or the scripts or in the language or the terminology the things that they need faster and easier. So it’s easier for someone to become a pretty good bad actor. And so they lower the cost, and AI continues to lower the cost of of that activity. Well, that works in reverse as well. Correct, correct. Fortunately, it also gives us a lot of great tools, and so you kind of end up with both sides of that from from a defense standpoint, AI gives us much better data. It lets us make better decisions, and we kind of drive not just based upon assumptions, but what the data actually shows us is ways to combat and stop this action. So it is. It is impacting both sides of the equation. It’s making it cheaper for bad actors to engage and grow and move faster when they find a successful program. But it’s also leveraging institutions ability to have better data about what’s happening and spot the actual trends, and not just have to work off of assumptions, right,
Sarah Cooke 04:09
right? And so this may be a silly question, but what effect will aI have on cyber fraud going forward?
Brad Cranford 04:17
I think it’s going to continue both of those trends, right? We’re going to see, we’re going to see it continue to get easier for for those things to move quickly when, and there’s two parts of that one, when the actors find a successful program process, or whatever, they can spread very fast. AI tools make it really easy for someone to get up to speed and to run with that really quickly, and it helps them again, sound more proficient. I think we’ve mentioned that previously, if, because social engineering is still a huge part of it, but it helps you with language, it helps you with that’s the professional speak, not. Necessary for a particular field that you’re trying to to interact with. And so they can step up much easier, but it will also continue to give us better data, give better tools that you can look at and understand and understand that behavior. And so I think both sides are both sides are being benefited by AI.
Sarah Cooke 05:23
And so one of the scary, scariest things, I think, that came out of the research, was that about a third of financial institutions are not doing enough to protect their their member data, their customer data for the four letter word. But so what more can these credit unions and other institutions do to protect that data? You
Brad Cranford 05:45
know, the the good news there is that a lot of it is is relatively obvious. It is honestly training is incredibly impactful when it comes to improving your ability to protect your members data, we need to be really great at all the basics, because these things move quickly, and they can replace things very quickly. If there’s any breakdown in your ability to your in your staff’s ability to manage those things, if they’re if they don’t follow all the protocols, etc, they’ll find a gap in that process. And so training remains incredibly important to that process, and you need to be able to be really good at all the all the basics, because, and as much as we talk about ai, ai is often used through social engineering. Social engineering is so often a factor. Whether they’re trying to social engineer your end users, or they’re trying to social engineer your staff. It all, all of those angles can be attacked. And so really it’s it. I would say training is the number one thing, and kind of building off of that, make sure you’re really good at all the basics. You don’t necessarily have to invent something new. You have to be good at the things that we know you should be doing
Sarah Cooke 07:03
right. Innovation isn’t necessarily brand new, it’s it’s what new to your organization. And I think obviously, having served on the board of a credit union, stepping up those the training of the internal folks is is super important, and I’m sure it’s important to the regulators as well. So what role does or should regulation play in FIS cyber security going forward?
Brad Cranford 07:29
Yeah, I think there’s two really key points to think about when it comes to regulation. One is obvious. I think financial institutions are generally really good at regulation. They understand the importance of it, they will have a whole organization and workflow to be really good at dealing with regulation, and so you need to embrace it. It is incredibly critical. The regulations are there for good reasons will lead you toward best practices and make sure that you’re doing the things to be safe. I say the second part, though, is don’t depend on it. We’re in a we’re in an environment right now where regulations are changing and sometimes in pretty rapid ways, and you can’t just rely on regulations to tell you what the right thing to do is. And I think that’s kind of the to me. The key point is that we generally know what the right thing you know when you’re doing the right thing to protect your users, to protect your data, just if there’s not a regulation to cover it doesn’t mean it’s not the right thing to do. So it’s you want to do both of those things. Really embrace regulation, but also don’t limit your actions based upon that. You need to move beyond it and do the right things for sector data. I
Sarah Cooke 08:41
mean, just what you were saying demonstrates how far behind the regulation is versus the the technology itself that’s incredibly capable. So do credit unions need to do more or different trainings with their staff?
Brad Cranford 09:00
Yeah, so that’s a that’s a that’s a good question. I think it’s, it’s worth repeating that to me, the biggest part is, do the basics? Be really good at the basics continue to do and embrace the training that it provides dividends all the way through. So it’s, it’s worth the effort of doing that training your staff needs to stay ready and to make sure that that you’re aware of what’s happening and those things that are going on. And so if you if you slow down on those programs, you have opportunity for new people or turnover, or just kind of getting into old habits and not doing the right things and being really aware of that. So part, part of it is just be really good at what you know to do already. The second part would be to make sure that you’re also taking advantage of sharing information within your organization, whether that’s cross functional across teams. Bad actors like to like they’re not going to give. Up just because one thing blocks them, right? If they can’t get through with check fraud, they’re going to work on ACH fraud, and they can’t make that work, they’re going to come into the branch, and we’re seeing old fraud patterns re emerge, right? Check fraud is on the rise, right? In the world of everything being digital, check fraud is one of the biggest problems financial institutions deal with today. If you get your digital banking really, really secure, bad actors will literally walk into your branch and try to work through, you know, old systems through there as well. So all of that training is really important, but sharing information, whether that’s across those teams, so that there you see the patterns of what’s happening here, because it’ll impact what’s happening elsewhere and also across branches, you know, again, old, old fashioned fraud still happens, and if they can’t make it work at one branch, they’ll go visit another branch, and they’ll keep trying until they find a one that’ll let them, you know, get away with, you know, the bad check or whatever they’re trying to do, right?
Sarah Cooke 11:00
Everything old is new again. So the other thing is that Koreans need to be communicating with their members, educating them on how to stay safe and keep their data safe, because a lot of times, through social engineering, that is where their data individually may be taken, and it could have to do with the credit union data or their Amex card or whatever, and those numbers are still going up regardless of the education out there. So is that doing any good? Do we still need to be doing
Brad Cranford 11:32
that? Yeah, I understand that question. I think it’s a situation where it’s it’s expensive, and it it probably often feels difficult to measure whether you’re having an impact there, but it really does make a difference if you’re engaging with your with your users, and teaching them how to protect themselves, making themselves aware of those programs that are out there, you know, the scams and all The things that are happening. You’re, they’re your best first defense, right? If they’re not reusing usernames and passwords, if they’re not giving out their SMS codes, if they’re, you know, all the things that they can can easily get moved into, then those things don’t hit your system, and your staff doesn’t have to clean it up later or help them chase those things down. We have a recent good example with a with a customer that was implementing a PDP solution, and they had some initial fraud in there. You know, people were not making great decisions about how they used it. Made themselves really open to it. They instituted basically a solution of saying we’re initially going to give it to you, but with really low limits. And if you want higher limits, talk to us. And they really just took the users through, like I want you to, we’ll raise your limits. But before we do so, we want to make sure you understand the risk if you let someone get into your account, then they can move this much, you know, like they just sort of walk them through the basics of it, and they found this significant reduction in that type of fraud for users that just listen to a representative, talk to them for a few minutes and tell them about the risk of doing that. And so, like basic education does make a difference. It’s it’s not foolproof that you’re still going to give things away at times, but it’s, it’s always easier to stop it earlier up the chain than to catch it later, to rely on on your other it’s more expensive for you all the way through. So that’s always really good. The other thing I would really say around credit unions, and this training is really important, credit unions, have a really unique relationship with their customers, and a lot of brand involvement there for them, right? And so they’re able to be an advocate for you, and they will help you, if you build that bridge with them, they will help you identify fishing sites that have popped up. If they see them first and report them, you can get them taken down and help protect the rest of your members as well. So this is, you have a great relationship through credit unions, that if you’re doing training in a way that is that they see as being part of that, that shared relationship of being, you know, a member of something, right? And you’re all working together, that that education can be very powerful. It doesn’t solve everything, but it can certainly help in
Sarah Cooke 14:26
addition. I mean, the the side benefits too, of building that trust with the member and spending just quality face time with them, showing that you care about you know, keeping their money safe is a good thing too. Do you think that fraud might improve as more tech savvy generations come of age? I’m
Brad Cranford 14:47
probably in the pessimistic side of that question. I would say don’t hang your hat on a generational assumption. There. One of the things that AI data has shown us is that a lot of our assumptions about age based, you know, risk of fraud aren’t necessarily always true. If you’re looking for it, you’ll find you’ll find people that fall for it at every age group, and the risks are different because you’ve got different people and different behaviors. But I wouldn’t say the next generation is necessarily going to be immune to it in any way. You know, one of the things that that we see in, you know, Gen Z, for example, that is very disturbing to older generations is that they don’t use Google to go find information. They’ll use things like Tiktok for financial advice and how to that. That’s their Google right to solve those things. So that both makes them more savvy and learning some things, but it makes them more susceptible to other types of misinformation and fraud, etc. So I think with every generation, there’ll be different flavors of how fraud, what, what types of fraud are successful, and what programs, if you’re doing in a very general standpoint. But I don’t think there’s going to be like a more secure generation. I think is you have to assume that fraud will continue to be very active and creative across across generations. And it’s not necessarily about technical savvy. It’s so much of it, again, is social engineering that that it’s it’s appealing to whatever is important to that person, regardless of their generation. Somebody
Sarah Cooke 16:37
had me freaked out the other day. There was an email that I got and it had an unsubscribe link. They’re like, don’t click on that. You don’t know if that’s the span, you know, that’s the phishing link,
16:47
right?
Sarah Cooke 16:49
Really, gotta watch it. So, yeah, I allow all my guests to have the final thoughts. So what do you have to leave our credit union executive audience with today?
Brad Cranford 16:58
Well, I think it’s it. I really do appreciate the time to get to talk to you. These are, these are great questions. You know, the main thing I would tell your audience is, you know, be vigilant, but don’t be afraid. I think people hear fraud and they get really nervous and feel overwhelmed by by the challenge, and I think it’s like any other part of doing business right, like you lock your front doors, even though that’s not foolproof for someone getting into your house, you do the things to make sure that you’re safe, and you stay up to speed. And I think asking these sorts of questions and continuing, continuing to check that you’re doing the right things, has anything changed? Are we actually doing the things that we thought we were doing? Those are all things that build your own patterns and safety, and those are, those are all good behaviors. And, you know, I think this is fortunately, I think everyone sees that there are challenges here, and are taking the time and energy to stay on top of it, and that’ll make us all all better, or make all these institutions be able to be safe and feel comfortable moving forward.
Sarah Cooke 18:09
Excellent. Brad, thank you so much for your time today. I appreciate it. You bet. Thank
18:13
you very much.