AI is amplifying the risk and fraud exposure for financial institutions, with attacks moving from isolated incidents towards systemic exposures — and those institutions that are best prepared to respond will be those that identify vulnerabilities and connect knowledge across the business
Key insights:
-
-
-
AI is supercharging old fraud schemes — By making synthetic identities, deepfake scams, and customer fraud faster, more credible, and harder to detect, AI is amplifying fraud and crime.
-
The real vulnerability may be internal silos — Institutions need to be on the lookout, because what looks like a credit loss, an HR issue, or a payment request may actually be part of a wider multi-vector AI-enabled attack.
-
Institutions already have the tools to respond — Through KYC and internal and behavioral data, financial institutions have the ability to respond to fraud threats — but only if teams connect and act together.
-
-
Fraud and crime existed long before AI, of course, but today’s technology delivers an acceleration in speed, scale, and success rate for fraudsters, resulting in billions of dollars in losses for victims. AI-enabled frauds on financial institutions could reach $40 billion by 2027 in the United States alone, and estimates are that almost 43% of detected fraud attempts on financial institutions use AI – and of these, 29% are successful.
To respond effectively to these threats, institutions need to implement a unified response that brings together departments that may not traditionally be partners. This cross-functional coordination should include not only the institution’s fraud and financial crime risk teams but also its credit risk, cybersecurity, and human resources functions.
And this response is critical, because today, financial institutions are being targeted by multiple types of AI-enabled attacks, including tactics such as:
-
-
- use of synthetic identities to circumvent know your customer/customer due diligence (KYC/CDD) controls and perpetrate fraud or launder money;
- use of deepfake identities to gain employment, particularly by North Korean IT workers;
- AI-enhanced “CEO frauds” to deceive staff into taking unauthorized actions; and
- Bank customers may be targeted by fraud too, presenting further risk to financial institutions.
-
Let’s look at these threat vectors individually:
Vector 1: Synthetic identities and KYC/CDD
Synthetic identities can be entirely fabricated or may use combinations of real and fabricated personal information to create a new identity. For example, a fraudster may construct a synthetic identity using a Social Security number exposed during a data breach combined with an AI-generated passport.
This threat is real and happening now: Government analysis identifies that criminals have already used AI to successfully open accounts using falsified documents, photographs, and videos. And according to industry estimates, synthetic identities were used to open as many as 3% of US bank accounts, representing millions of identities. Not surprisingly, these illicit accounts are used to commit fraud and launder the proceeds of money laundering.
Vector 2: North Korean IT workers
North Korean individuals have successfully gained employment as remote IT workers at American companies, often passing themselves off as US nationals using AI-generated face-swapping technology combined with proxy computers and false identity documents. North Korean IT workers are estimated to generate almost $800 million annually for the regime.
Institutions deceived into employing these workers are not only breaching sanctions against North Korea, but they are also exposing commercially sensitive data and systems to an adversary state, increasing the possibility of theft, cyber-attacks, and extortion.
Vector 3: CEO Fraud
A “CEO fraud” is a cybercrime in which an attacker impersonates an executive to deceive an employee into taking actions such as sending unauthorized wire transfers or disclosing sensitive information. AI accelerates these frauds by making them more personalized and credible.
In one of the more well-known examples, Arup Engineering lost $25 million in an AI-enhanced CEO fraud in 2024 after the fraudster impersonated Arup Engineering’s CFO and requested a staff member to make several financial transfers. The criminals added credibility to the fraud by using a video conference in which the target recognized many of their colleagues – unfortunately, all of them were deepfakes.
Vector 4: Frauds targeting customers
Where customers are targets, AI provides the scale, speed, and personalization to allow illicit actors to deliver individualized fraud. For example, whereas romance scams previously used repetitive scripts and re-used the same images of the romantic “partner,” fraudsters can now use AI-generated messages, images, or videos, continuously adapting the execution of the scam to the target’s responses and behaviors.
Creating a cross-functional and unified response
The examples above demonstrate the diverse and highly sophisticated uses of AI by illicit actors, both adversary states and criminal networks. Detecting and responding to these illicit activities requires joint action between teams that may not traditionally work closely together.
For example, if an account holder fails to repay a loan, the credit team may consider it to be a default by a legitimate customer and write it off as a credit loss. However, if the account was opened using a synthetic identity, investigation may reveal other accounts that share similar customer data points or transactional patterns. This could reveal a network of accounts that are perpetrating a fraud or money-laundering scheme. To detect and respond effectively, joint action is needed between KYC/CDD on-boarding teams, financial crime investigators, and fraud and credit risk professionals.
Alternatively, for HR teams to effectively identify use of face-swapping videos during a hiring process, knowledge from the organization’s cybersecurity team, especially of deepfake indicators, would be valuable. If a North Korea IT worker is hired and only later identified, cybersecurity and sanctions teams must be involved in the response to mitigate data, network, and compliance exposures.
Detecting and responding to all illicit activities requires joint action between teams that may not traditionally work closely together.
Finally, all staff may be targeted by deepfake fraud, but those in senior positions or departments with financial authority are the most vulnerable. This means it is essential for institutions to deliver employee training using real-life case studies, “near misses,” and scenarios drawn from across the institution and industry. This type of training will increase vigilance and minimize the likelihood of a successful attack.
For customers, financial institutions are well-positioned to identify indicators of fraud due to their extensive datasets of KYC/CDD records, transactional, and behavioral information. Institutions should enhance their customer relationships (as well as meet applicable regulatory requirements) by taking proactive measures to inform and protect their customers.
While AI has accelerated fraud and crime, financial institutions also hold valuable and relevant assets: the knowledge distributed across their cybersecurity, HR, credit risk, financial crime compliance, fraud, and KYC/CDD teams. By connecting these teams together, even in contexts in which these departments have not traditionally been partners, institutions will be well-positioned to protect both themselves and their customers from illicit actors’ sophisticated AI-enabled threats.
You can learn more about the fraud-fighting challenges faced by financial institutions and other organizations here
