Well before the surge of COVID-19 unearthed a veritable plague of criminal activity taking place over screens and digitized realms, banks were well aware they had a problem with cybercrime.
A 2019 report from Accenture illustrates a pre-pandemic dire situation for a broad spectrum of industries facing increasing online criminal threats. In particular, banks made for big targets as the report estimated that cybercrime could cost the banking sector nearly $350 billion from 2020 through 2025.
Even more concerning were the calls coming from inside the house: The report also found that almost eight out of ten business leaders see technology adoption rates outpacing their organization’s ability to address related security issues.
Fast forward three years and one worldwide health crisis later, cybercrime is now the most common and costly fraud type. A PwC survey [pdf] of nearly 1,300 executives across 53 countries and regions named cybercrime the most significant threat facing businesses today.
It was also cited as the most common type of fraud across three of the four largest corporate annual revenue brackets. In the fourth bracket, “more than $10 bn (billion)”, cybercrime ranked second behind consumer fraud. In the same survey, the financial services industry reports cybercrime as the second most-common fraud type (38%), also behind customer fraud (44%).
In a report [pdf] by the World Economic Forum (WEF), 81% of study respondents cite digital transformation and innovation as “the main driver in improving” resilience to cyberattacks. Unfortunately, cybercriminals also use innovative methods, including AI technologies, to meet their aims – a technological arms race that sets the stage for a classic game of cat-and-mouse.
In this article, we explore banking cybercrime trends and uncover AI use cases and applications that might help enterprises combat it. Our focus will be answering the following questions for banking leaders:
- Why is cybercrime so widespread?
- What are the current tools available to stop cybercrime?
- What are the best indicators of how these tools will evolve with cybercrime trends into the future?
We explore answers to these questions in the following subsections:
- Leading cybercrime trends in banking
- Foundations of a robust cybersecurity framework
Finally, we will answer the final question by examining two prevention-based use cases:
- Anomaly detection on banking platforms
- Real-time network monitoring and threat remediation
First, we will begin by discussing the foremost and most recent cybercrime trends.
Leading Cybercrime Trends in Banking
Trend 1: Cybercrime in banking continues to grow despite a pandemic slowdown
Unfortunately, cyberattack cases continue to increase significantly despite the recession of COVID-19 across the world. Per a report [pdf] by LexisNexis, both cyberattack volumes and their associated costs have increased significantly, with “U.S. banks and mortgage lenders driving much of [this increase].”
The report, titled LexisNexis True Cost of Fraud Study – Financial Services and Lending Report, estimates the current cost of fraud is between 6.7% and 9.9% higher than before the pandemic. U.S. banks and FIs report the highest number of cases (see Figure 1).
According to an article by the World Economic Forum, there are three primary reasons for this spike in cybercrime:
- The rise of digital payment platforms and digitization of the financial ecosystem
- Organization, effectiveness, and “new professionalism” of cybercrime groups
- Fraudsters are becoming less deterred by traditional fraud prevention tools (e.g., investigations and codes of conduct)
Other noteworthy cybercrime statistics extracted from private-sector company reports include:
- Mobile banking accounted for 33% of U.S. banks’ fraud costs, up from 26% in 2020. (LexisNexis [pdf])
- For one prominent security software company, nearly 42% of the 250+ million phishing attempts thwarted were finance-related. (Kaspersky)
Trend 2: Growing Perception Gaps Between Business and Security Executives
To successfully deter cybercrime, business-focused executives (e.g., CEOs) must ensure that the professionals tasked with securing customer and bank assets are well-trained and well-equipped. Security-focused executives (e.g., CIOs) must work with business-focused executives to ensure that their department’s needs are communicated clearly and that any requested resources are evocatively justified.
Despite the straightforward-sounding nature of interdepartmental harmony, these two factions often see things very differently regarding cybersecurity. According to a report [pdf] by the World Economic Forum, there are prevalent gaps in perception regarding enterprise security between business- and security-focused executives.
The gaps cited and the primary findings in the report can be best summarized via two specific criteria:
- “Prioritizing cyber[security] in business decisions”:
- 92% of business executives state that “cyber resilience” – the ability to deliver business outcomes despite a cyberattack – is integrated into risk-management strategies.
- Only 55% of security-focused leaders agreed with the same sentiment.
- “Gaining leadership support for cybersecurity”:
- 84% of respondents from both sides state that cyber resilience is a business priority supported by enterprise leadership.
- Only 68% state that cyber resilience is a “major part of overall risk management.”
- Due to this misalignment, many security leaders still express that they are not consulted in business decisions, resulting in less secure decisions and more security issues.
- This resulting perception gap between leaders – and the subsequently discordant security policies and priorities – may result in increased attack vulnerability and instances of cybercrime.
Trend 3: Ransomware Is Now the Leading “Cyber Threat”
According to a report [PDF] by the U.S. Cybersecurity and Infrastructure Agency (CISA), “Ransomware has become the most visible threat to [U.S. financial] networks.”
That is quite the proclamation, given the number and severity of known threats. Private-sector research appears to back up these governmental findings. According to a September 2021 press release by security software company TrendMicro, banks experienced a 1318% year-over-year increase in ransomware attacks in the first half of 2021.
A data breach is one potential outcome of a ransomware attack. According to a report by IBM, the average cost of a ransomware-enabled data breach was $4.54 million in 2021. Resolving a data breach also took an average of 49 days longer than it did in 2020, increasing affected enterprises’ direct and indirect expenses.
A potential solution is using AI and automation tools to contain a data breach. According to the above-cited report, data breaches at organizations using AI and automation cost over $3 million less than those without.
Foundations of a Robust Cybersecurity Framework
Before discussing AI- and machine learning-enabled cybersecurity solutions, a general understanding of the non-technical elements of a cybersecurity framework is in order. The external fraud report by PwC mentioned in our introduction summarizes three actionable elements of a robust framework:
- Understand the entire life cycle of customer-facing products: Identify product elements that fraudsters may exploit for financial gain. Brainstorm and articulate the following:
- How the fraudster could exploit the product
- What it would take to prevent the exploitation
- The response needed if exploitation does occur
2. FindCreate a balance between user experience and security controls:
- Preventing cybercrime necessitates a healthy balance between ensuring that consumers have a great experience and detecting and preventing fraud.
- Banks must pursue these dual objectives of keeping false positives low and catching fraud through the proper combination of fraud technology, processes, and strategy.
3. Organize the data:
- Fraud signals often come from decentralized, disconnected systems, which limit their discovery to manual review. As such, these signals are easy to miss.
- It is vital to use a centralized platform capable of tracing the end-to-end life cycle of all users and generating meaningful alerts.
The Place for AI in Preventing Cybercrime
A recent op-ed from Cujo AI CTO Santeri Kangas for the World Economic Forum laid out the argument for AI capabilities as the foremost technologies capable of ailing cybersecurity’s current woes based on three separate but interconnected facts:
- The need to identify novel threats:
Cyber threats, such as ransomware, are constantly evolving and adapting in type, capacity, and method. For example, hacking IoT devices, such as IP cameras and network-attached storage (NAS) devices, has recently created a new threat profile against which to defend.
In such a case, says Kangas, AI and machine learning may aid in constructing a solution. For example, by searching for and analyzing threat intelligence in real-time or near-real-time using NLP and machine learning.
- The need for a proactive response
Traditional security solutions are reactive in that a new threat is found, analyzed, and added to a list.
All of these steps require human input, Kangas says. Given cyber threats’ evolving and unpredictable nature, a more proactive response is needed. AI, especially machine learning, is already being used to automate threat detection and response.
- The need for swift pattern recognition
Kangas argues that perhaps AI’s most powerful capability is pattern recognition, which it does much faster and more accurately than humans. An example use case may be scanning the contents of incoming and outgoing emails for threats, scoring the threat on some risk scale using an algorithm, and isolating the threat if needed.
AI Use Cases for Preventing Cybercrime in Banking
There are several promising AI use cases for preventing cybercrime in banking. We discuss three more common cases showing AI’s current, practical potential in banking cybersecurity.
Use Case #1: Anomaly Detection on Digital Banking Platforms
As mentioned, the proliferation of digital and mobile banking has increased customer and enterprise vulnerability to financial cyber crimes such as scams and fraud. In this use case, we discuss how a multinational bank used AI to build a “scam and fraud detection platform.”
Commonwealth Bank (“CommBank”) is a multinational bank with operations across Asia, the U.S., U.K. and New Zealand. The bank recently introduced an AI solution that it claims can detect suspicious and unusual behavior on its banking site, alert its customers, and possibly prevent a cybercrime event.
CommBank is using AI to detect anomalous and potentially fraudulent behavior as part of its scam and fraud protection strategy. According to a company video introducing the new AI solution, the number of scam attacks on the bank’s customers doubled in 2021:
According to Commonwealth’s press releases, the AI first sets customer baseline data by gathering input from the customer’s keyboard and mouse activity. Moreover, the verbiage seems to imply that baseline activity data is gathered on when (i.e., day and time of day) and on what devices (i.e., device ID) the account is accessed. The bank’s reporting was not specific about the exact input data, but it may have included the following:
- Keystroke logging
- Mouse activity (e.g., scrolling preferences, speed, movement patterns)
We deduce that the input data may have included the aforementioned, as the press release states that customers develop “habits and patterns” in “their keystrokes and the way they use a mouse.”
Commonwealth’s own reporting asserts that machine learning algorithms analyze historical data tracking consumer interaction with digital devices against the recorded baseline activity. The platform continues to monitor for anomalous behaviors that may indicate fraud.
Disparities from this patterned behavior result in the customer being alerted via two-way push alerts via the bank’s mobile app. Commonwealth decided to implement two-way push alerts about suspicious transactions because they are more secure than the typical SMS notification method.
The press release also states that additional security alerts are sent out regarding suspicious transactions. If the customer does not recognize the logon, the platform takes “the appropriate protective action” (this is not detailed) and encourages the customer to perform a password reset.
Concerning results, Commonwealth claims that it “prevented or recovered” over $100 million in customer money. The bank also plans to increase its fraud protection investment by doubling its cybersecurity team size.
Use Case #2: Real-time Network Monitoring and Threat Remediation
CyGlass is a software company based in Littleton, Massachusetts, that produces cybersecurity solutions. CyGlass offers a “Network Defense as a Service” (“NDaaS“) solution that the company claims can help community banks and other enterprises gain enhanced visibility into networks and enhance security via real-time network monitoring and threat remediation using AI and machine learning.
Superior National Bank (“Superior”) is a community bank based in Hancock, Michigan. Superior is one of the oldest financial institutions in Michigan, opening in 1890. The bank has 11 locations and employs about 250 people.
According to CyGlass’ report [PDF], Superior was experiencing a lack of network visibility owing to the bank’s rapid adoption of cloud computing and remote work.
The bank’s chief information officer stated the bank required an automated AI solution that provided cost-effective network activity monitoring while offering real-time risk and threat detection.
Per Cyglass’ value proposition, its NDaaS solution offers the following:
- Cloud-based software as a service (SaaS)
- 24/7 threat monitoring
- Automated threat remediation
- Ideal for small security teams with limited resources
- Easy and affordable deployment and operation
Regarding input data, NDaaS sets network baselines (i.e., “normal network activity”) by collecting network activity data from:
- AD Logs
- Microsoft 365 logs
- NetFlow
- Syslog.
The platform analyzes and models this data using “unsupervised [machine] learning” and what the company refers to as “self-learning AI.”
CyGlass claims in the above-cited report that this AI engine is capable of continuously learning what does and doesn’t constitute “normal” network activity.
After the baselines are set, the AI engine is claimed to continually monitor the network for anomalies. The platform integrates AI-generated outputs with a rules-based engine to define which anomalies are threats.
According to NDaaS product documentation [pdf], Cyglass monitors for threats across networks, cloud, and VPN using “a combination of AI, cyber TTP policies, and threat intelligence.” Among the threats listed as monitored and remediated:
- Ransomware
- Command & Control C2
- Man-in-the-Middle
- Unauthorized web & DNS activities
- Tunneling
- Credential compromise
- Rogue behaviors
- Insider threats
- Lateral movement
- Data exfiltration
Regarding user interaction, the bank’s security team would then use this data to define risks and threats “like unsecured ports, or ransomware IOCs.” The security professional can see the platform’s output – threat data – via a user dashboard (see figure 1):
A policy engine is also implemented, which is used to define regulatory compliance controls. The user can access a CMMC compliance report, which grades the state of network security using the following variables and “grading methods” (see figure 2):
- “Objectives & Controls Goals” (“Very Poor” to “Excellent”)
- Objectives Met: #
- Objectives at Risk: #
- Effective Controls: #
- Control Failures: #
- Network Security (“A” to “F” scale with a corresponding red to green color-coded horizontal bar)
- Situational Awareness
- Incident Response
- Security Awareness
- Network Visibility (Same scale as “Network Security”)
- Risk Management
- Asset Management
- Maturity Capability
According to Superior National Bank CIO John Vander Velder, quoted warmly throughout CyGlass’s use case report, the solution was able to provide the following results:
- A savings of $20,000 per branch
- Visibility into all network activities
- In one incident, Cyglass identified malware-related network traffic, including the offending website.
Qualitatively, Vander Velder states the following results were actualized via the CyGlass solution:
- Seamless alignment with the bank’s “defensive process and … rules.”
- Easily-seen critical threats and prioritized alerts
- Insight into which security applications required updating
- The security team can now “be more proactive in blocking risky sites before problems … arise downstream.”