Incode says account recovery deepfake fraud soft spot in expanded attack surface

Deepfakes take center stage in a webinar presented by Incode and hosted by Maxine Most, founder of the Prism Project and Acuity Market Intelligence. Most uses the term “impersonation fraud” to encompass fraud attacks that leverage deepfakes, synthetic identities and other generative AI tools. Deloitte estimates AI-driven fraud of this kind to have resulted in losses that total close to $40 billion.

It’s a threat, says Most, that has to be addressed, and fast.

“One of the things organizations are finding when they start investigating synthetic identity is, they will go through their existing databases and discover they already have synthetic identities living in those databases and developing expanded identity information, including credit reports and credentials.”

“We now have to worry about a world where there are completely made up people and large enterprises are allocating credit and mortgages and all sorts of benefits and privileges to these non-existent human beings.”

Account recovery offers convenient back door for fraudsters

Production of synthetic identities at industrial scale is not just possible; it’s happening. And that makes it impossible for organizations to detect or repel cascading attacks without specialized technology.

Incode provides just such technology. Fernanda Sottil, the company’s senior director of strategy, says the sophistication of attacks has improved, but the attack surface has also grown across authentication flows, enabling a greater volume of attacks.

Sottil says account recovery is a touchpoint that sees a lot of synthetic activity as a potential back door to infiltration. And like a parasite, once it’s gotten in, “it incubates in the organization.”

Fraud fighters can ride investments in big LLMs

Webinar panelist Greg Smith of Financial Technology Partners says the technology investment won’t have to be astronomical, since organizations can leverage the investment going into the big large language models (LLMs). So while more spending is needed to combat the AI threat, “it’s not quite the massive quantity you might think.”

The solution, says Sottil, lies in a multimodal approach. With a multitude of signals at their disposal, fraud prevention teams can base their decisions on a much broader frame of reference, which includes factors like behavioral patterns. “Is there irregularity in the timing? Are there latency anomalies? Are there natural retry sequences in the way that fraudsters are interacting with a device?”

She notes the differences between static approach and something more fluid. “Adversarial threats are constantly being iterated on, and static rules cannot keep up. So we need some type of behavior that’s automatically learning from the different attacks, so that it can adapt in real time and create more dynamic rules.” A system that draws on an established network of trust is a system in which everyone knows what any one entity knows when it comes to fraud signals.

The lesson can be simplified into a bit of common folk wisdom: don’t put all your eggs in one basket. “I wouldn’t put everything into one deepfake detection system today,” Smith says. “ I would make sure I have a fraud-fighting continuum.”

“At the end of the day, work with a vendor that is visionary, innovative, and proven they’ve been able to stay ahead of the curve.”

Article Topics

AI fraud  |  deepfake detection  |  deepfakes  |  fraud prevention  |  generative AI  |  Incode  |  Maxine Most