Key takeaways:

• • • Legal promise, operational gaps 鈥� The biometric CURP could streamline identity verification in legal and notary contexts but lacks training programs and designated data capture sites.

    • Balancing security and civil liberties 鈥� While intended to help locate missing persons, the CURP raises concerns over government surveillance due to broad access by security agencies.

    • Digital readiness under scrutiny 鈥� Mexico currently lacks the systems and regulatory framework to securely manage biometric data, risking identity fraud and misuse if not properly addressed.

Last July, key reforms to Mexico鈥檚 General Population Law and the General Law on Forced Disappearance were approved, marking the beginning of a transformation in the way people are officially identified in the country.

With these reforms, the biometric Unique Population Registry Code (CURP) becomes an official identification document, which is now mandatory and available in both physical and digital formats that will integrate biometric information such as fingerprints, iris scans, and photographs.

The biometric CURP will be used mainly for identity validation on digital platforms, immigration procedures, access to health services, legal processes, and to support the search for missing persons. With little time left before its implementation, doubts linger regarding how this new system will be implemented and the impact it may have, especially in the judicial and notarial areas.

To provide a professional perspective on the possible impacts, Jos茅 Ra煤l Gonz谩lez Ram铆rez, Master in Notarial Law and aspirant assigned to Notary 1 in Cuernavaca, Morelos, shared his personal perspective on what this mandate will mean for Mexico and its citizens.

Challenges and benefits in the legal and notary fields

In Mexico, there is currently no single official identification document. In the legal and notary field, the passport and voter ID card are mainly used, as they are documents issued by federal institutions that generally use greater security measures. The biometric CURP could represent a solution to this lack of a single document, offering a more reliable tool to validate people’s identity.

However, key parts of the system are still lacking that could have significant consequences. For example, there is no implementation program to train notaries on this document; and while the College of Mexican Notaries is hoping to disseminate training mechanisms in the coming months, so many areas of the system remain undefined that training at this stage could prove difficult.

Further, no designated sites have been reported for the population to go for the official capture of the biometric data that is at the heart of the system鈥檚 methodology. Finally, no official date has been defined for the mandatory use of this new CURP.

Hope or surveillance?

The biometric CURP was approved with the main objective of strengthening the search, location, and identification of missing persons in Mexico. Not surprisingly, this has raised significant government surveillance issues. And while the access to CURP is stipulated to be exclusively for search purposes, access on a consultation basis will be allowed to prosecutors, investigative bodies, and the National Intelligence Center.

This measure has generated divided opinions among Mexicans. On one hand, there is fear that it could become a tool for government surveillance as the National Guard (GN) and the Secretariat of Security and Citizen Protection (SSPC) can access individuals鈥� delicate information that will include bank and telecommunications data. On the other, it represents hope for thousands of families who have been searching for their loved ones in a country in which 42 people disappear daily on average according to the National Registry of Missing and Unlocated Persons (RNPDNO).

Master Jos茅 Ra煤l says he considers the implementation is positive, since its initial purpose is the search for missing persons. The rest of the population鈥檚 concerns, in that sense, would be 鈥渃ollateral damage,鈥� he adds.

“It is going to be an identification that, if done correctly and if the registration is adequate, will strengthen the notary鈥檚 ability to identify the person in front of them and avoid, as much as possible, a false declaration or impersonation at the moment of identification,” Jos茅 Ra煤l explains.

Is Mexico ready?

One of the greatest challenges will be Mexico鈥檚 ability to securely store and manage the vast amount of confidential data required for the biometric CURP. According to Jos茅 Ra煤l, the country currently lacks the necessary systems, infrastructure, and regulatory framework to handle this information effectively.

鈥淚f implemented correctly, this system could provide stronger safeguards against identity fraud,鈥� he explains. 鈥淗owever, without a reliable database and proper data management, it could become a serious problem.鈥�

In addition, there is uncertainty about how the data will be captured, with which population the process will begin (those over 18 years of age, or also minors), and how often the database should be cleaned. The population aged 0 to 18 poses a particularly complex challenge due to its size, which current resources and infrastructure are not equipped to handle effectively.

In the coming months, it will be crucial for the Mexican government to define the implementation mechanisms, the initial target population, and the data cleansing processes, as this will be one of the most important aspects for the success or failure of the biometric CURP.

The road ahead

Although a pilot program is currently underway in Mexico City, it is essential to establish a robust action plan for collecting population data. Likewise, a clear framework must be defined for the management, maintenance, and protection of this data, especially considering the sensitive nature of the information and the critical need to prevent misuse. Further, it is crucial to assess whether the government has the technological infrastructure required to securely store this data, or if investment in such storage capabilities will be necessary.

You can learn more about the challenges of identity verification here

Key insights:

• • • SIM swap fraud is a growing concern 鈥� The scale of this trend is alarming, with 1,075 SIM swap attacks investigated by the FBI in 2023, resulting in losses approaching $50 million.

    • Weak authentication processes in telecoms enable SIM swap fraud 鈥� This allows fraudsters to easily hijack phone numbers, highlighting the need for stronger authentication protocols in the telecommunications industry.

    • Regulatory intervention is necessary to protect customers 鈥� The FCC has introduced rules, such as FCC 23-95, to require telecoms to implement secure methods of authenticating customers before approving SIM changes or port-outs.

Even as cybercrime and fraud have escalated into a global crisis, one type of scheme has is seeing stunning levels of growth: SIM swap fraud. This fraud trend is specifically plaguing the telecom industry and its customers and was only to synthetic identity fraud among damaging fraud schemes in the telecom industry.

Through SIM swap fraud, fraudsters hijack victims’ phone numbers, gaining unauthorized access to sensitive accounts such as banking and cryptocurrency platforms. For example, one bank customer after a fraudster deceived Xfinity Mobile into transferring the customer鈥檚 phone number and then intercepted authentication codes to drain his bank account. Likewise, in March T-Mobile had to involving a cryptocurrency-related SIM swap attack in 2020.

The scale of this trend is alarming. In 2023, 1,075 SIM swap attacks, with losses approaching $50 million. In 2024, a 240% surge in SIM swap cases, 90% of which occurred without victim interaction. These incidents highlight the need for stronger authentication protocols in the telecommunications industry to combat this growing trend.

What is SIM swap fraud?

SIM swap fraud occurs when a fraudster convinces a mobile carrier to transfer a victim鈥檚 phone number to a SIM card they control, exploiting the legitimate feature of mobile number portability. Once the swap is complete, the victim鈥檚 phone loses network connectivity, and the fraudster receives all calls and texts, including one-time passwords for account access.

SIM swap fraud is appealing to fraudsters due to its scalability, the lack of need for technical expertise, and the potential for massive payouts from a single attack, particularly when targeting high-net-worth individuals or cryptocurrency investors. Fraudsters also can increase their impact by exploiting data from large scale breaches purchased on the dark web to target multiple victims simultaneously using automated call lists or scripts and hitting numerous carrier accounts with minimal effort.

Additionally, SIM swapping requires no technical expertise, relying instead on the fraudster鈥檚 ability to manipulate carrier employees into transferring a victim鈥檚 phone number to a fraudster鈥檚 new SIM card. Using basic personal information that is often retrieved from public sources or data leaks, fraudsters can execute attacks with just a phone call or store visit, no coding or hacking skills needed. The only tools required are inexpensive prepaid SIM cards or burner phones.

Indeed, how the scheme works is relatively simple. Once, fraudsters collect personal information about their target 鈥� such as name, address, phone number, date of birth, or financial details 鈥� they use the collected information and contact the victim鈥檚 mobile carrier, posing as the account holder.

SIM swap fraud is appealing to fraudsters due to its scalability, the lack of need for technical expertise, and the potential for massive payouts from a single attack, particularly when targeting high-net-worth individuals or cryptocurrency investors.

Because mobile carriers typically verify identity using security questions, PINs, or personal details, fraudsters may be able to bypass these. And once approved on the account, the mobile carrier deactivates the victim鈥檚 SIM card and ports the phone number to the fraudster鈥檚 SIM. The victim鈥檚 phone displays 鈥淣o Signal,鈥� while the fraudster gains control of all communications.

With the phone number under their control, fraudsters can then intercept codes to reset passwords for email, banking, or cryptocurrency accounts, use password reset features that rely on phone number verification, and 鈥� most damagingly 鈥� transfer funds, make unauthorized purchases, or sell account access on the Dark Web.

Telecoms may be enabling SIM swap fraud

A 2020 Princeton University study of five major prepaid wireless carriers in the United States 鈥� AT&T, T-Mobile, TracFone, US Mobile, and Verizon 鈥� for SIM swap requests and their downstream effects on account protection. The study revealed a that 80% of first attempts at SIM swap fraud were successful. The report noted that a main reason for this success rate was that the carriers relied on weak authentication methods that fraudsters could easily bypass. While each carrier revealed distinct vulnerabilities in their SIM swap processes, none of them required in-person verification or strong multi-factor authentication, allowing fraudsters to execute remote attacks with relative ease.

The study also found that carriers prioritized usability over security, opting for simple authentication methods to streamline customer service, making it easier for fraudsters to exploit vulnerabilities. By undermining security to reduce customer friction, carriers inadvertently weakened their own defenses against SIM swap fraud.

By exposing telecom vulnerabilities and highlighting that telecoms were a weak link in the fraud ecosystem, the Princeton study led to a pivotal change within the telecom industry, sparking widespread attention and leading to lawsuits and consumer complaints. In fact, the study was cited by the U.S. Federal Communications Commission (FCC) in its efforts to create regulations to protect consumers.

Government intervention needed

On November 15, 2023, the FCC introduced rule to specifically address SIM swap fraud. Prior to the new rule, the FCC had general regulations to protect customer data, but these did not specifically target SIM swap fraud or mandate specific authentication and notification protocols that had to be followed by carriers. The lack of targeted regulations allowed inconsistent security practices across the telecom industry, which increased fraud vulnerabilities. FCC 23-95 would require telecoms to implement secure methods of authenticating customers before approving SIM changes, including the use of stronger authentication using methods such as account-specific PINs, passwords, or multi-factor authentication; and a prohibition on the use of 鈥減redictable or easily obtainable information鈥� such as Social Security numbers or birthdates.

Customers must be immediately notified via text or email whenever a SIM change request is made. Notifications must be sent to the customer鈥檚 existing device (if available) or a secondary contact method. Also, carriers must immediately notify customers of failed authentication attempts related to SIM change requests. Further, carriers must train employees to identify fraudulent requests and implement secure processes to prevent social engineering, which is a common tactic in SIM swap fraud.

The new FCC rule established baseline requirements for fraud protection, ensuring consistency across the telecom industry while allowing telecoms the flexibility to adopt advanced tools like biometric authentication or behavioral analytics.

The new rule ; however, telecommunication companies sought more time to upgrade technology and implement new employee training. Thus, the FCC has waived the deadline for all rules adopted in the FCC 23-95, and there has been no further update.

Combating the threat

To combat the rising threat of SIM swap fraud, telecom providers need to adopt strong fraud prevention procedures and tools, similar to those used by financial institutions. Implementing strict authentication protocols, such as multi-factor authentication with biometrics or app-based codes, can significantly reduce unauthorized SIM swaps. Real-time monitoring using AI-driven systems can detect anomalies such as unusual SIM swap requests or account changes from unfamiliar locations. Telecom carriers should also enhance customer verification processes, requiring strong identifiers beyond easily compromised data.

It’s also important to educate consumers about fraud risks and promptly notify them of suspicious activities, as mandated by FCC 23-95, which would allow victims to protect their devices immediately. By encrypting sensitive data, collaborating across industries to share threat intelligence, and leveraging advanced fraud detection tools, carriers can strengthen their defenses while maintaining consumer convenience.

You can find more information on the challenges organizations face in聽fighting financial fraud听丑别谤别

Among traditional financial institutions, the on-boarding process, which includes customer screening, can consume valuable time and can sometimes extend to several days. Enhancing efficiency necessitates accelerating the screening and compliance procedures to ensure protection for both the customer and the institution involved. This need for efficiency aligns closely with the objectives of the customer identification program (CIP), which plays a vital role within financial institutions by helping to prevent financial crimes.

Compliance with CIP regulations performs several essential functions in addition hindering financial crimes such as money laundering, terrorist financing, and identity theft. Compliance with CIP, which verifies customer identities to deter such illicit activities, is legally required, through regulations like the USA PATRIOT Act. Non-compliance with CIP can result in substantial fines and reputational harm.

Need for ID verification is critical

Efficient identity verification is critical for the risk management function of a financial institution鈥� compliance program, as delays may lead to the inadvertent on-boarding of high-risk clients, who may pose financial and legal risks. Adherence to CIP requirements also supports institutional integrity, fostering trust among regulators, customers, and the public. Additionally, accurate and timely identification underpins ongoing anti-money laundering (AML) and counter-financing of terrorism monitoring, ensuring the continued effectiveness of these efforts.

In essence, prompt compliance is not merely about fulfilling a requirement 鈥� it entails actively safeguarding the financial system and the institution from imminent threats while meeting legal obligations in a timely manner.

As financial crimes evolve, regulatory bodies update CIP rules to address new threats and ensure robust defenses. Technological advancements, such as the development of AI, also play a role, as new tools and methods for verifying customer identities become available, enhancing security and efficiency. Additionally, changes in laws and regulations, such as amendments to the PATRIOT Act, necessitate updates to ensure continued compliance. And global standards 鈥� like those set by the intergovernmental Financial Action Task Force 鈥� may influence CIP rule changes to align with international best practices.

Further, feedback and experience from implementing existing rules can lead to refinement that improves effectiveness and reduces compliance burdens. These changes aim to enhance the ability of financial institutions to prevent financial crimes and maintain compliance while lowering regulatory costs and improving operational efficiency.

Changes to CIP requirements coming in 2025

Much like every other year, compliance professionals in 2025 face potential changes to CIP rules. The most significant changes include:

• • • Partial SSN collection 鈥� Banks may be permitted to collect only the last four digits of a new customer’s Social Security number (SSN).
    • Third-party verification 鈥� The full SSN would be obtained from a reputable third-party source before the account is opened.
    • Modernization of on-boarding 鈥� This approach is intended to align regulatory requirements with modern on-boarding processes currently used by many non-bank financial technology firms.
    • Enhanced customer experience 鈥� The proposed change aims to reduce friction between customers and the bank by simplifying the account-opening process.
    • Potential for increased automation 鈥� The use of third-party verification tools could lead to more automated on-boarding processes.

A joint proposal from U.S. Securities and Exchange Commission and the U.S. Treasury Department鈥檚 Financial Crimes Enforcement Network means that it is likely that the CIP rule will be changed within the next year, likely as an update withing the AML rule, which already includes CIP requirements for some investment advisers.

These potential changes to CIP rules reflect the dynamic nature of the financial industry and its regulatory environment and seek to modernize the on-boarding process, aligning it more closely with common practices used by non-bank financial technology firms. In short, these changes are designed to enhance customer experience by reducing friction and simplifying account opening procedures while leveraging automation for greater efficiency.

As financial institutions implement these updates, they will be better positioned to address new challenges, optimize compliance, and continue providing secure and seamless services in an increasingly fast-paced business environment. As a best practice, however, customer-facing institutions should pay close attention to the imminent regulatory changes as well as the timing for compliance. It is likely that compliance effective dates will lie in 2026, but it is important not to rest on that assumption.

The future in real-time

As financial institutions navigate the evolving landscape of real-time transactions, the necessity for efficient customer on-boarding processes becomes increasingly critical 鈥� and CIP plays a pivotal role in that. Indeed, CIP not only ensures the demand for speed but also helps financial institutions in their fight against financial crime.

As such, compliance with CIP regulations is essential for managing risks, fostering trust among stakeholders, and supporting ongoing monitoring efforts. And as regulations and technologies advance, financial institutions need to continuously adapt to best maintain robust defenses and operational efficiency, protecting themselves and their customers from illicit activity.

You can find more information on the challenges financial institutions face in聽fighting money laundering and other financial fraud here

In addition to recovering taxpayer funds and deterring future fraud, False Claims Act enforcement “also protects patients from medically unnecessary or ,” the DOJ said in a statement.

DOJ enforcement highlights

The agreed to pay $172 million to resolve allegations that it used “inaccurate and untruthful diagnosis codes鈥� for its Medicare Advantage plan enrollees to improperly increase its payments from Medicare. The government alleged that Cigna also relied on improperly reported diagnosis codes reported by vendors without performing or ordering testing to confirm those diagnoses. The Medicare program reimburses Medicare Advantage plans at a capitated rate based on the health of each member. A member with more diagnoses or more complex medical conditions nets the plans a higher reimbursement from the government.

agreed to pay $22.5 million to resolve similar allegations that it had submitted inaccurate diagnosis codes for its Medicare Advantage plan enrollees in order to increase reimbursements. The diagnoses codes were not supported by member medical records.

The DOJ also litigated other cases involving the government鈥檚 , including cases against UnitedHealth Group, Independent Health Corporation, Elevance Health (formerly Anthem), and Kaiser Permanente.

In another case involving false claims, the government alleged that former long-term care facility and related entities submitted claims for “services performed by unlicensed and unauthorized students” and that the services were either not provider or were “effectively worthless.” Cornerstone and the related entities agreed to pay $21.6 million to resolve these allegations.

The DOJ also announced two resolutions involving electronic health records. In the first, (ModMed) agreed to pay $45.4 million to resolve allegations that it solicited and received kickbacks from a lab company in exchange for recommending that its customers use the lab’s pathology services, conspired with the lab company to donate ModMed’s electronic health records technology to healthcare providers, and paid kickbacks to its customers and other influential entities to recommend its technology and refer potential customers. The government also alleged that ModMed’s electronic health record technology did not always use “required standard vocabularies” that caused providers to improperly submit claims for electronic health record incentive payments.

In the second case, agreed to pay $31.2 million to resolve allegations that it misrepresented the capabilities of some versions its electronic health records software that were 鈥渓acking in critical functionality.鈥� The government also alleged the NextGen offered credits worth as much as $10,000 and tickets to sporting and entertainment events to customers whose recommendation of its software led to a new sale.

In another resolution, and its president and CEO agreed to pay $22.9 million to resolve allegations the company had improperly paid physicians “under the guise of medical directorships to induce referrals of home health patients.”

State Medicaid recoveries

Although the federal government often recovers Medicaid funds when pursuing Medicare fraud, states also have a separate responsibility to prosecute Medicaid fraud. Because Medicaid is a federal/state partnership, these recoveries benefit both state and federal taxpayers.

All 50 state, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have Medicaid Fraud Control Units (MFCUs) to Medicaid provider fraud and patient abuse or neglect.

For fiscal year 2023, in:

• • • $1.2 billion recovered;
    • 1,143 convictions (814 for provider fraud and 329 for patient abuse or neglect);
    • 850 exclusions of individuals or entities from federally funded programs; and
    • 436 civil settlements and judgments.

MFCU enforcement highlights

In , the MFCU partnered with other state agencies in a civil investigation of allegations that managed care company Centene overcharged the California Medicaid program by “falsely reporting higher prescription drug costs” for two of its managed care plans. Centene agreed to pay more than $215 million to resolve the allegations.

In , the MFCU investigated the owner of a laboratory for allegedly billing Medicaid for medically unnecessary testing services and providing illegal kickbacks in exchange for the testing. The owner was convicted of conspiracy to commit healthcare fraud, violations of the anti-kickback statute, conspiracy to commit money laundering, and money laundering. The scheme defrauded the North Carolina Medicaid program of more than $11 million.

In another case involving a medical device manufacturer, the National Association of MFCUs partnered with federal agencies to investigate allegations that misled federal healthcare programs regarding the radio-frequency emission generated by some of its devices that could potentially interfere with other devices that use the same radio-frequency spectrum. The company agreed to pay more than $12 million to settle the allegations.

Although healthcare fraudsters continue to steal, scheme, and conspire to steal federal and state healthcare program funds, these enforcement result show that the government is also having a certain amount of success in recovering taxpayer dollars and punishing fraudsters.

For more on , click here.

The average cost of a data breach reached an all-time high of , and now, artificial intelligence (AI) has led to a significant increase in the sophistication of cybercrime. From deepfake technology to AI-powered hacking, cybercriminals are exploiting these advancements to orchestrate unique attacks.

How criminals are leveraging AI

Deepfake technology 鈥� One of the most concerning developments is the use of deepfake technology, a blend of machine learning and media manipulation that allows cybercriminals to create convincingly realistic synthetic media content. Criminals then use deepfakes to spread misinformation, perpetrate financial fraud, and tarnish reputations, exploiting the trust we place in digital media.

In a recent , a company suffered a loss of $25 million due to the deception of an employee who fell victim to deepfake impersonations of his colleagues. The individual participated in a video call in which deepfake versions of the company’s United Kingdom-based CFO and other team members were present. According to authorities, scammers engineered these deepfakes using publicly accessible video content.

AI-powered password cracking 鈥� AI algorithms, including machine learning and deep learning, enable systems to identify patterns and make predictions based on vast datasets. For example, , harnesses machine learning algorithms that operate within a neural network framework. And the tool seems to work, as a study showcasing the effectiveness of PassGAN in password cracking, published by , found that 51% of passwords were cracked in less than a minute, 65% in less than an hour, 71% within a day, and 81% within a month.

The impact of identity theft fueled by cyber-crimes

Further, there has been a 15% increase in the number of data breaches in the United States between 2022 and 2023, which underscores the escalating threat posed by cybercriminals, according to the . Concurrently, breach severity surged by 11%.

Further, digital account openings emerged as the top highest risk with 13.5% of all global digital account openings suspected of fraudulent activity. And 54% of consumers across 18 countries and regions reported being targeted by various forms of fraud attempts between September and December 2023, according to the TransUnion report.

Cybercriminals persist in breaching organizations’ systems to steal consumer identity credentials, which often contain critical information such as an individual鈥檚 date of birth, full Social Security number, and residential address. With a wealth of stolen identity credentials readily available, criminals have become increasingly adept at fabricating identities.

Consequently, this has led to an increase in the use of illicit synthetic identities among accounts opened at US lenders such as auto loans, bank credit cards, retail credit cards, and unsecured personal loans. The surge in this synthetic identity fraud has exposed lenders to potential losses totaling $3.1 billion, representing an 11% increase compared to the end of 2022. Cybercrimes, including identity fraud, are projected to cost the world about $9.5 trillion annually by the end of 2024, according to AuthenticID鈥檚 .

JPMorgan Chase: Battling cyber-threats

JPMorgan Chase鈥檚 CEO Jamie Dimon has identified cybersecurity as the “” facing the financial services industry. This recognition comes in the wake of legal action taken against the bank in January 2023, when a subsidiary of EssilorLuxottica filed a lawsuit alleging negligence in addressing signs of fraud. The lawsuit claimed in orchestrating 243 fraudulent transactions, resulting in the siphoning off of $272 million from Essilor’s manufacturing division.

Since then, JPMorgan has intensified its focus on strengthening cybersecurity measures. A recent disclosure by a JPMorgan executive revealed that the bank repels an astounding . In response to the escalating efforts of hackers, JPMorgan allocates a substantial portion of its $15 billion budget towards cybersecurity initiatives, backed by a dedicated workforce of 62,000 individuals committed to defending against cyber-threats.

Key strategies for cyber-defense

There are several tactics that organizations can take to help mitigate cyber-crime, including:

• • • Prioritize investments in comprehensive cybersecurity infrastructure, equipped with advanced threat detection and response capabilities, to effectively safeguard against cyber-attacks.
    • Collaborate closely with regulatory authorities to establish and adhere to rigorous compliance measures, ensuring adherence to industry regulations and standards for data protection and financial security.
    • Embrace cutting-edge technologies such as AI to better develop sophisticated fraud detection systems capable of identifying and mitigating evolving threats in real-time.
    • Establish multidisciplinary teams including experts from fraud, cybersecurity, risk management, and data analytics departments to leverage diverse skill sets and perspectives in developing comprehensive security strategies. Encourage regular knowledge-sharing sessions, joint brainstorming, and collaborative projects to foster a culture of teamwork and innovation. By breaking down silos and promoting collaboration across departments, financial institutions and organizations can enhance their ability to detect, prevent, and respond to emerging threats effectively.
    • Launch targeted educational campaigns to inform customers about common fraud tactics and cybersecurity measures. Offer easily accessible resources such as online tutorials and workshops to empower customers to protect themselves from cyber-threats.

In conclusion, ensuring financial integrity demands every organization鈥檚 constant attention, especially considering the rapid growth of cyber-threats. By fostering a culture of strength, innovation, and collaboration, leaders can effectively address the challenges posed by data breaches and fraud.

You can , here.

ATO attacks saw a staggering 123% rise in the second half of 2022, marking a 108% YoY increase from 2021. Carding attacks, in which bots use multiple simultaneous attempts to authorize stolen credit card credentials, increased by 161%; and scraping attacks, in which bots search websites for data that could be used in fraud schemes, saw a rise of 112% during the same period.

Understanding bot attacks

Bot attacks, fundamentally malicious activities executed by automated programs or bots on digital platforms, exploit vulnerabilities with speed and scale. These attacks can manifest in various forms, such as:

• • • New account fraud 鈥� Bots create fraudulent accounts using stolen or synthetic identities to exploit incentives, promotions, or credit offers.
    • Account takeovers 鈥� Bots attempt to gain control over user accounts by exploiting vulnerabilities in authentication processes or using stolen credentials.
    • Scraping 鈥� Bots scrape websites for data, often for purposes such as competitive intelligence, spamming, or selling data on the dark web.
    • Distributed Denial-of-Service (DDoS) attacks 鈥� Overwhelming a network, system, or website with a flood of traffic from multiple sources, rendering it inaccessible to legitimate users.

Bot attacks against financial institutions

Financial institutions, in particular, have become prime targets for bot attacks, exposing vulnerabilities in the account opening process. Criminals are now leveraging hybrid bots 鈥� combining human and automated inputs 鈥� to open money mule accounts at an unprecedented scale. These hybrid bots can elude most banks’ detection capabilities, allowing criminals to open numerous accounts rapidly.

Research indicates that one in every 100 mule accounts is opened by a bot. Criminals exploit stolen or synthetic identities to establish untraceable accounts, often letting them lie dormant to avoid detection. Startlingly, 62% of all new accounts created by criminals in 2022 were financial accounts, making new accounts 9.5-times riskier than mature accounts, according to the .

The issue of mule accounts is not confined to a specific region, rather, it’s a global problem. In 2022, in the United Kingdom alone, 39,578 cases on bank accounts were indicative of money mule behavior. While this is a reduction from 2021, these cases still account for 68% of misuse of bank accounts, according to .

Simultaneously, bots are escalating ATO rates, with fraudsters employing them to gain unauthorized access to victims’ banking, e-commerce, or other accounts. According to , ATO attacks spiked by a staggering 427% in Q1 2023, compared to all of 2022. As more commerce and financial services move online, ATO attacks become not only more accessible but also more profitable. Predictions suggest that global ATO fraud losses will reach almost

AI and biometric authentication in combatting bot-linked fraud

In the face of these escalating threats, organizations are turning to advanced technologies to bolster their defenses. Artificial intelligence (AI) and biometric authentication emerge as powerful tools in the fight against new account fraud and account takeover linked to bots. Some of the ways these advance technologies are being employed, include:

AI-powered detection systems

AI-driven solutions can analyze vast amounts of data in real-time, identifying patterns and anomalies indicative of bot activity. Machine learning algorithms can adapt and learn from evolving attack patterns, enabling organizations to stay ahead of sophisticated bot attacks. By employing AI-powered detection systems, financial institutions can enhance their ability to identify and mitigate threats with unprecedented speed and accuracy.

Biometric authentication

Traditional authentication methods are often vulnerable to bots that exploit stolen credentials. Biometric authentication 鈥� leveraging a customer鈥檚 unique physical or behavioral characteristics such as fingerprints, facial recognition, or voice patterns 鈥� provides an additional layer of security. Bots struggle to mimic the intricate and individualistic nature of biometric identifiers, making it significantly more challenging for them to succeed in ATO attempts or new account fraud.

Multi-factor authentication

Combining AI with biometric authentication in a multi-factor authentication (MFA) approach creates a robust defense mechanism. MFA requires users to provide multiple forms of identification, such as a password, a biometric scan, and a device confirmation. This multi-layered approach adds complexity for bots attempting to breach accounts, significantly reducing the likelihood of successful attacks.

Promoting the enhancement of Know Your Customer rules

Beyond fortifying against bot attacks, the integration of AI and biometric authentication positively impacts the implantation of Know Your Customer (KYC) rules. By implementing these advanced technologies, financial institutions can gain a deeper and more accurate understanding of their customers. Biometric authentication, in particular, provides a unique and irrefutable link between users and their accounts, enhancing the reliability of identity verification.

This heightened KYC strength not only safeguards against fraudulent activities but also ensures that financial institutions can truly know their customers. The combination of AI and biometric authentication establishes a secure and transparent relationship between users and financial institutions, fostering trust and integrity in the digital realm.

Conclusion

As the threat landscape evolves, the integration of AI-powered detection systems and biometric authentication emerges as a formidable defense mechanism, providing real-time analysis and robust identity verification. The significance of these advanced technologies extends beyond defense, positively influencing KYC practices and fostering secure and transparent digital relationships.

The collaboration between industry players and advocates underscores the necessity for heightened cybersecurity measures, awareness, and the continuous advancement of authentication mechanisms. By embracing these innovations, organizations can stay one step ahead in the relentless battle against evolving cyber-threats such as bots, ensuring the trust and integrity of digital interactions in an ever-changing landscape.

For more on this subject, you an access the report here.