WASHINGTON—A new alert from FinCEN is a stark reminder that credit unions need to take steps to address the growing wave of fraud driven by generative AI.
Late last week FinCEN issued an alert encouraging FIs to be vigilant for fraud schemes involving deepfake media. The agency said criminals are targeting banks and credit unions with these new attacks.
The alert follows a recent report in CUToday.info that addressed this growing crime and steps CUs need to take to address it.
“Beginning in 2023 and continuing in 2024, FinCEN has observed an increase in suspicious activity reporting by financial institutions describing the suspected use of deepfake media in fraud schemes targeting their institutions and customers. These schemes often involve criminals altering or creating fraudulent identity documents to circumvent identity verification and authentication methods,” FinCEN said.
Generative AI is a type of artificial intelligence that can create new content, such as text, images, audio, and videos. It uses generative models to produce output in response to specific prompts, which are natural language requests sent to the model. Deloitte's Center for Financial Services predicts that generative AI could enable fraud losses to reach $40 billion in the United States by 2027, up from $12.3 billion in 2023.
Kelly Miller, managing director and leader in FTI Consulting’s cybersecurity and data privacy communications practice, provided advice to credit unions in a recent CUToday.info report.
“We can be sure that cyber threat actors and scammers are adopting generative AI to enhance their spear phishing tactics, making their attacks more convincing and harder to detect,” Miller said. “One of the most concerning advancements is AI’s ability to replicate a human voice—and it’s convincing.”
Open Source Research
FinCEN provided advice in its alert for detecting deepfake fraud.
“When investigating a suspected deepfake image, reverse image searches and other open-source research may reveal that an identity photo matches an image in an online gallery of faces created with GenAI. Financial institutions and third-party providers of identity verification solutions may also use more technically sophisticated techniques to identify potential deepfakes, such as examining an image’s metadata or using software designed to detect possible deepfakes or specific manipulations,” FinCEN said.
FinCEN identified best practices that may help financial institutions reduce their vulnerability to deepfake identity documents.
“For example, multifactor authentication (MFA), including phishing-resistant MFA, and live verification checks in which a customer is prompted to confirm their identity through audio or video, are two such processes,” FinCEN shared. “Although illicit actors may be able to respond to live verification prompts or access tools that generate synthetic audio and video responses on their behalf, their responses may reveal inconsistencies in the deepfake identity. Consequently, malign actors using deepfake identities may attempt to avoid or circumvent live verification checks. For example, a criminal actor attempting to open an account with a GenAI-produced identity document may claim to be experiencing repeated technical glitches or request to change communication methods during a verification check. Some identity verification solutions may also flag possible attempts to circumvent verification checks, such as the use of third-party webcam plugins, which can let a customer display previously generated video rather than live video.”
FinCEN listed “red flag indicators” for deepfake fraud:
- A customer’s photo is internally inconsistent (e.g., shows visual tells of being altered) or is inconsistent with their other identifying information (e.g., a customer’s date of birth indicates that they are much older or younger than the photo would suggest)
- A customer presents multiple identity documents that are inconsistent with each other
- A customer uses a third-party webcam plugin during a live verification check. Alternatively, a customer attempts to change communication methods during a live verification check due to excessive or suspicious technological glitches during remote verification of their identity
- A customer declines to use multifactor authentication to verify their identity
- A reverse-image lookup or open-source search of an identity photo matches an image in an online gallery of GenAI-produced faces
- A customer’s photo or video is flagged by commercial or open-source deepfake detection software
- GenAI-detection software flags the potential use of GenAI text in a customer’s profile or responses to prompts
- A customer’s geographic or device data is inconsistent with the customer’s identity documents
- A newly opened account or an account with little prior transaction history has a pattern of rapid transactions; high payment volumes to potentially risky payees, such as gambling websites or digital asset exchanges; or high volumes of chargebacks or rejected payments
Staff Education Needed
FTI Consulting’s Miller encouraged credit unions to defend against these evolving threats through proactive education.
“Any security training program should keep pace with tech advancements,” she said. “Don’t just dust off the same training as last year. Run phishing tests regularly and incorporate audio and video deepfakes. Engaging, real-time educational content should be delivered regularly to both staff and members. For example, share periodic roundups of scams encountered at your institution, with detailed examples, so employees and members know exactly what to look out for. This content can be plugged into your regular communications channels, such as newsletters or marketing campaigns.”