Cybersecurity and Fraud In An Age of Unprecedented Risks

Combating cyber risks and fraud in today's digital banking environment, where threats are becoming increasingly sophisticated, and more vulnerabilities are being exploited, requires institutions to develop a multi-layered, iterative approach to cybersecurity that safeguards sensitive data, adheres to regulation, and proactively anticipates and mitigates risks. Learn from industry executives and cybersecurity experts on the evolving sophistication of cyber-attacks and what components of a comprehensive cybersecurity strategy are most critical, including a robust cyber infrastructure, artificial intelligence-driven fraud detection systems, advanced authentication and access controls, cyber resilience and risk testing, and cyber incident response guidelines for distributed denial-of-service attacks, ransomware, insider threats, phishing and social engineering, and more.


Transcription:

Carter Pape (00:11)

All right, we're going to go ahead and get started. My name is Carter. I'm with Caleb and Jeff here. This session is cybersecurity and fraud in an age of unprecedented risks. As I said, I'm Carter, a cybersecurity and financial crimes reporter for American Banker. With me is Caleb, who is with Synovus, and Jeff with Zions Bank. Caleb is the Senior Director of the Financial Crimes Unit at Synovus. Caleb, you've been responsible for detecting and investigating fraud at Synovus for almost two years, but you've been in the field since 2014. Tell me, how has the scope of fraud changed during your career?

Caleb Callahan (00:54)

Yeah, so, all right, there we go. Yeah, so let's see. Back when I kind of fell into fraud—because no one really picks fraud, they just kind of end up in it somehow—it was more about just protecting financial transactions, and that was it. Now it has gone beyond that, and one of the biggest things we're doing is trying to protect customers from themselves. They're making these transactions willingly, but they're being scammed. Along with that, especially from a FinTech perspective, fraudsters are going after marketing budgets that don't all show up in losses. So, these are the referrals, the affiliate marketing that's being paid for. They're attacking tertiary access through third-party data aggregators for consumers that may have fewer controls than we have in terms of account access, but they're still giving access to transaction history. The scope has broadened so much, upstream and downstream, that we're trying to protect from that now. We just need a much broader set of controls.

Carter Pape (02:16)

All right. And as I said, Jeff is Senior Vice President and Director of Retail Technology Solutions and Fraud Engineering at Zions. Jeff, you've spent your career with Zions, but not always in fraud. How does your breadth of experience and familiarity with your specific institution shape your thinking about fraud prevention?

Jeff Newman (02:38)

Sure. Sorry about the long title; it is long. I kind of look at it as I've been asked to be the jack of all trades as it pertains to thinking about fraud and fraud engineering more holistically. Like you said, I've grown up in the bank. I actually started out as a customer service representative 27 years ago, and worked in that area for about 10 years. As I think about fraud, one of the things that's probably a little bit different about me is one of the first things I think about is what's that customer impact going to be from a friction perspective, and I start to change the dialogue a little bit. I've also worked on the operations side, so there's always an operational aspect of fraud: What's the work you're doing? How does it impact the team members that are supporting the fraud? Things of that nature. So, I'm really just trying to take a more holistic 360-degree view as I think about what the different techniques we're using are, both in fraud and in the cyberspace, as I work with my peers in that space.

Carter Pape (03:29)

Let's make this a little bit real just by talking about anecdotes. I want to hear from each of you an example of a type of fraud that you've been thinking about recently or trying to prevent at your financial institution and what that's looked like.

Caleb Callahan (03:44)

All right, I'll start then, just going back to the scams. I recently had the opportunity to interview a neighbor of an executive who had just given away his credentials to a fraudster who called him pretending to be the fraud team. To quickly set the scene: He logs in every day and he clicks on this pop-up that says, "Fraud alert, please do not give out your one-time access code to fraudsters." He dismisses it and then goes about his day. Then someone called him, said they were the Synovus fraud team, validated some transactions. He got the text that said, "Don't give this away to anyone who calls you," and gave it away to them. This happens every week. I'm talking to him and I'm trying not to victim-shame, and I say, "Okay, well, what could we have done better to help you be aware that this was a fraudster you were talking to and you shouldn't give it away?"

(04:46)

He's like, "Well, maybe you should tell your customers that if the bank ever calls you, to hang up and call back." We have a "stop, drop, and call" campaign that we send emails and messages out on. He clicks through the "don't give this away" message. It's just so hard. And that's what we're fighting: They're ignoring everything we're saying and still giving away access. This is what we have to detect. So, we're really doing everything we can to continue communications, but then put in additional detection on top of it to see when that access is handed out.

Carter Pape (05:24)

We'll get to Jeff in a second, but I just want to say the calling-your-bank-back thing, I've heard that from a lot of banks, and it can be very powerful advice. You can spoof the incoming, but you can't spoof the outgoing, but sometimes it's not enough.

Caleb Callahan (05:39)

If you Google, if you just type in Google and search, "fraud team will never call you" or "we will not call from the fraud team" (I forget the exact phrase), pretty much every bank shows up with something in their FAQs saying this. They're just going around doing it.

Carter Pape (05:59)

Yeah. Jeff, give us an anecdote about a type of fraud you've been fighting.

Jeff Newman (06:03)

Sure. So, I actually started out wanting to talk about account takeover because it's something we've all been dealing with, but I laugh—kid you not—this morning I got a text message, a smishing message (one of my least favorite terms, by the way), and it was for the tolls. That's an example of the payment fraud, the scams that are going on in that space. It's a tough one to think about because once the customer initiates the process, or they may get something around, "Hey, we need you to make a payment," they're initiating it on behalf of the fraudster, so it's very hard to detect. You have to focus a little bit more on the behavioral analytics and understanding the customer journey and the behavior of your customer: Are they behaving within the realms of the things they would normally do? How do you take some of those signals and be able to adjust to respond to that quickly?

Caleb Callahan (06:51)

I almost fell for that once. I had just gotten back from traveling with a rental car, and I almost gave it away.

Jeff Newman (07:00)

It was pretty good. If I didn't live in Utah, where there are no tolls, I probably could have fallen for it too.

Carter Pape (07:05)

Well, that one is potent because I need to look into this myself, but anecdotally, it seems like I get those texts after I've been under a toll bridge.

Jeff Newman (07:19)

They must have known that I've been in Florida. There are tolls here somewhere.

Carter Pape (07:23)

So now it's coming. Something that I always think about with respect to fraud, and just in general, is generative AI. Of course, with the specific things you're talking about, and I think a lot of areas of fraud, generative AI doesn't really offer many leverage points for you to be able to deploy it to prevent these things. Can you just confirm that's the case in these areas? Where would it be useful for preventing fraud?

Caleb Callahan (07:58)

Being a bank, we're a little slow to adopt some of these things. We need to figure out the model management of AI, but I have a list, and I'm ready for agentic AI. That's the one I'm excited about. Almost every institution that files Suspicious Activity Reports (SARs), depending on how it's split up, has an investigator who does the case. We have someone who takes those case notes, puts them into a suspicious activity report narrative, and then someone else who reads that whole thing again and will edit and submit it. The middle ground, where that middle person takes the notes and puts them into the format, that's where the opportunity is. Then again, just in day-to-day, I mean, just one of the innocuous examples is if we have a commercial client with a hundred million dollars in relationship with us and they get a $10,000 fraud alert, or we get a $10,000 fraud alert for a check deposit that is not at risk to us, we need something that will go through and pull those out of our queue. That's a client concern.

(09:10)

That's a collection issue for them. That's not something that we need to spend our time on. So, just little things that give us our agent time back.

Jeff Newman (09:20)

For me, as I talked about that with my team, one of the ideas that we've come up with—and again, slow, so we haven't implemented it yet—is more of the real-time feedback from a customer perspective. As they're initiating something, we use the LLM to understand and, looking at the behavior of the customer, ask questions like, "Are you sure?" Kind of that speed bump mentality a little bit. So, it's not quite as much friction as other things might create, but it warns them of this type of transaction and then even provides information to help them understand what types of fraud can occur in that space. So, using it as an informational, real-time tool as customers are performing actions.

Caleb Callahan (09:54)

So, generating wires, those types of things, like "Where's this for? Why are you doing it? Have you met this person or an online relationship with them?"

Jeff Newman (10:02)

Yeah. I mean, even some examples we've seen are, again, going back to the payment fraud, asking questions of, "Hey, are you sure that your bank initiated this?" Because some of those payment fraud emails or texts you're getting are acting like a fraud department and providing information like what you just said: "Hey, call us first before you initiate this," just to make sure that it's us that's providing something along those lines.

Carter Pape (10:25)

I can't remember which one of you was sharing before about a project where you're developing a deepfake of one of your own executives. Am I remembering this correctly?

Jeff Newman (10:34)

Yeah, you are. We've had a couple of examples of that. We actually are working with a vendor where we were looking to implement their deepfake model. That was one of the examples. Our information security team actually created one of our CEO to test out the product and was actually able to break their system. It was a great way to provide feedback to them and give them the opportunity to adjust some of their modeling from that perspective. The other one that was more fun: We had an all-hands event with my Chief Information Officer, Jennifer Smith, and they made a complete deepfake of her. She stood in the room and interviewed herself with the deepfake and asked it questions. It was pretty close. You could tell just a little bit. I told her afterward, there wasn't nearly as much fun in the AI's voice, and that was it, but it was kind of fun to watch.

Caleb Callahan (11:27)

I've just started that process. I just handed off a couple of desktops with high GPUs to some of my fraud and cyber geeks, and they're going after that now, so I'm excited about the results.

Carter Pape (11:39)

Where are you seeing fraudsters? You're both regional banks, so it looks different for different sizes and different areas, but where are you seeing fraudsters put the most energy in terms of—maybe it's check fraud, maybe it's Zelle fraud—where are they putting their efforts?

Caleb Callahan (11:58)

Yeah, I don't feel like they're putting a lot of effort into check fraud; they're just doing it. It's really too easy. But where they are putting so much effort in right now is the weaponization of what I used to consider innocuous data points. So, going back to that interview I had with a person who got scammed, he's like, "Well, they had my balance." And you have to think about data leakage. You can't commit fraud with a balance, but you can create trust with it to get that fraud going. You think about all the places that you're trying to make it easier for customers to check their balance. You're not putting the full layers of security. You're putting the B level of security over the top of it in the IVR and other checks. They figure out how to use the systems that our customers have. Then they say, "All right, what are their other commercial banking clients?" Well, you just go check PPP loans because it's a public record of every single PPP loan that we helped provide to a customer. They're getting HELOC data and they're using that to create targets. So, it's the weaponization of that data that we didn't use to care about.

Jeff Newman (13:19)

I probably think about a couple of different areas. The focus previously has kind of been more targeted attack spans of specific fraud areas. What you're starting to see is where they're now crossing multiple vectors and being able to use multiple fraud techniques simultaneously, where before it was kind of narrow, so it was a little bit easier to catch. As they're using different, various tactics, it's become harder to catch those things. Things like, again, going back to the behavioral analytics or biometrics to understand whether or not this is something our customers are doing or would be doing helps us in that space. But generally, they're getting a little bit more advanced in their techniques of piling on the fraud techniques holistically.

Caleb Callahan (13:58)

They don't realize that we have different fraud and cyber teams, and they should organize accordingly is the problem. Exactly. Now they're using both the technical standing up sites along with the social engineering at the same time. It gets complicated.

Carter Pape (14:13)

I want to ask about the cyber fraud collaboration, but off the cuff real quick, do either of you have a hot check fraud take? It is an issue that so many banks face, and it's persistent, and as you say, it's really easy for fraudsters. Is there a panacea or something, or is it just a tough problem?

Caleb Callahan (14:38)

I don't really have an answer. Ultimately, as we continue to put the numbers behind it, it makes more sense to just throw more eyeballs on checks that are being written ahead, even though it's a low false positive rate, it's worth the low false positive rate. On the business side, we're working with our lines of business strategically to help them understand what could have been stopped through positive pay. A lot of that is just very manual, going back through the checks, through the losses, gross losses, and saying, "This is basically a policy customer policy decision to allow these customers to operate without positive pay." Being able to throw that—I've been doing that since the beginning of this year and finally have some data because it's all manual—to go back and say, "These are the controls that we could have used to solve this." I'm able to have some more meaningful conversations around what it means to our business.

Carter Pape (15:45)

Let's move on to the—we were talking about the cyber teams and the fraud teams being separate and that being a leverage point for fraudsters. So, what do you guys do to mitigate that? What does it actually look like for you to work with your cyber teams?

Jeff Newman (16:01)

Sure. We have quite a few working groups. We're actively engaged with them. I actively work with my CISO as well as a deputy director, actively working to understand the different things that they're seeing versus what we're seeing and ensuring that we're removing the silos probably a little bit more. That's kind of one of my hot takes on the fraud space. There are so many silos that take place, and people focus on just the one aspect that they have control over. So, we also do tabletop exercises, walking through different consortiums that we each work with. So, I think FS-ISAC is one from the cyber perspective, starting to lean a little bit into the fraud, but there are other fraud consortiums as well. We'll bring back information from both of those to share to help with any threat intelligence or just what examples of different fraud we're seeing in the wild.

Carter Pape (16:53)

What are the tabletops you're doing? Is it like, "This is what an incident scenario would look like," or...

Jeff Newman (17:00)

Yeah, it's usually like an incident scenario where you're walking through a type of an event, whether it could be a fraud event or a cyber event, to talk through how could we interact better together so that we can work together more quickly in a real-time fashion.

Caleb Callahan (17:11)

You can take a cyber event. The easiest ones are some sort of breach that leads to fraud, where both teams have to be engaged—one in the mitigation, the other in the cleanup and protection—and they start to understand each other's work. Yeah.

Carter Pape (17:24)

Let's talk about collaboration outside of your banks. Let's just start off with what is the biggest entity outside of your own bank that is a partner, a really important partner to you in preventing fraud?

Jeff Newman (17:42)

I can start. I don't know if I'm going to call out the entity. I would say this: I mean, I talked about FS-ISAC because it's providing information, and the consortiums. Those are things any bank should actively be working to find which groups they want to participate in so that they're getting the insights of what others are doing and seeing. I'd say more specifically to that, I have very active dialogues with my vendor partners about what they're seeing, because again, as a bank, our money is spent a little bit differently, but when you're working with your fraud vendors or cyber vendors, that is their purpose. They bring a lot of information to the table that you should be asking them about regularly. I was on a call for an hour on Friday just asking questions of one of my partners just to get some better insights into things that they're seeing from a real-time perspective.

Caleb Callahan (18:29)

It is community groups, fraud working groups, either through organizations, through consulting groups who put them together, or even through the vendor user groups. Ones that I can join will give me the insights into what else is going on: Who's seeing the same things we're seeing? Who's seeing things that we're not seeing? It goes a long way in terms of me providing feedback on what we need to do if someone else is going through the same thing, when I give this feedback to my leadership team.

Carter Pape (19:02)

I bet if anyone asks him afterward, you could get him to tell you off mic and name names. So, what does the collaboration with these entities look like? You said you talk about information sharing with your vendors. Are you getting actual feeds from these places at all to get data from them or...

Caleb Callahan (19:26)

So, the challenge with fraud is we don't have a 314(b) like BSA has regulated in place, and there are consortiums, but they're largely vendor-driven, so it's not everybody in them. It's just: Are you hooked up to the same vendor that has their other clients as well? Most of our actual on-the-ground data, what's happening, is back channel. It's your relationships that you have across banks and specifically the investigators calling other investigators, getting recoveries, getting funds locked down fast. That is what's happening as opposed to having some true information sharing. That's where, hopefully, as we continue to go through this fraud moment, we get a little bit more regulatory support for having data sharing, because in the meantime, calling someone a fraudster who's not a fraudster and impacting their ability to be in the financial ecosystem is something that every compliance and legal team is scared of. So, we can't just go around calling people fraudsters.

Jeff Newman (20:40)

I think, much as when we talked earlier, fraud's kind of like the dirty little secret from a banking perspective. No one wants to admit that they've had fraud. Cyber was that way for a long time; now I think it's a little bit more open. So, banks or other financial institutions don't really like to share their data. I'd say there have been improvements since COVID. I think that was one of the turning points where people actually started to share some data. In some of the cases, we have had instances where financial institutions, through some of these consortiums, have shared specifics of the type of fraud or type of instance of something they're seeing, and we've been able to make changes and adjust and be able to mitigate some of that fraud that would have taken place. But I would say holistically, from an industry perspective, it's probably one of the biggest areas of improvement: How do we have better real-time sharing of data of threats and things of that nature so that we can adjust across the banks? Yeah.

Caleb Callahan (21:32)

BSA has it, cyber has it. We just haven't gotten there yet from a true fraud perspective.

Carter Pape (21:39)

Just to put a fine point on it, FS-ISAC does—I'm very familiar with them, having done a lot of cybersecurity work—and as you're alluding to, they're a really important entity for banks for cyber fraud sharing. So, it seems like there's an opportunity for them or someone else to be doing the same thing in terms of fraud, but there are regulatory barriers to that.

Caleb Callahan (22:05)

There's also the jurisdiction level as well. The fraud has to be prosecuted at the jurisdiction level for the most part, unless it's big enough for another group to come in and pick it up, and that's not what you want to have happen, is have it be that big. So, it's just not a cross-state organization, especially when you are operating across states. Yeah.

Carter Pape (22:32)

That makes sense. We started a little bit late, so I think we have about seven minutes left. I wanted to ask about authentication and specifically passwordless because both of your anecdotes at the start sort of get back to—I mean, passwordless vendors would say, "If you just use passwordless, this would've been solved." But it is true that I reported on Capital One implementing passwordless technology for its employees and contractors, so not for the customer side, but for the other side. In your view, how far would passwordless technologies go towards preventing fraud? I think it's important to separate employee side passwordless from consumer side.

Jeff Newman (23:23)

I mean, it'll go a long way to prevent fraud in that aspect. It takes away a component of authentication that's too easy to give out to others. When you're using a YubiKey, for example, it's multiple layers of mitigation that are taking place. I think the struggle of that is the customer impact when you get to the customer point. I think anyone would say, "Yeah, I want to get passwordless out, and it should be easy. Customers will accept this." I own the ATMs for my bank corporation as well, and we did one thing: We switched the way the card got inserted, and it led to just a revolt. "You changed my cheese," you moved my cheese. That standard saying, right? The aspect of trying to roll out passwordless to customers comes with a whole list of just problems that you're going to have to manage and deal with. I was actually talking to Brian—I can't remember his last name; he was at Fifth Third—and we were talking about this exact same scenario: What happens if someone loses their key? They didn't create a backup, and now you have to build all these new sets of processes to support and help them. We rolled it out for our employees, and I think it was probably six months before we saw the amount of feedback about the negativity of using it kind of died down, and that would be much worse in a customer organization.

Caleb Callahan (24:37)

We don't really trust the password to begin with right now. It's just something, but having a password doesn't mean you are who you say you are, but the friction side, you're spot on. We could put all that friction and tokenized devices at our commercial clients, but when you go further and further downstream into your digital channel and your lower dollar accounts, it takes probably seven minutes to open a digital banking account online right now—probably less, actually. The barrier for friction versus leaving if it's too complicated, or you offer up SMS passcodes, but they're already taking those from customers. So, there really isn't a good answer in terms of password right now. For us, it's username, password, plus the passive signals: the biometrics, the keystrokes, those types of things.

Carter Pape (25:40)

I think the last topic we'll get to is stablecoins. I wanted to ask about this because at a conference I was at recently, a proponent of stablecoins was basically saying if we had more payments based on stablecoins, you would get to exchange more meaningful data about each transaction. You get to see what is actually being transacted against, and that's not something you get with ACH or real-time payments or anything like that. So I guess I just wanted to ask if that was a good take. I mean, is it true that you'd be able to actually get better data from a stablecoin transaction than you would from an ACH legacy payment?

Caleb Callahan (26:25)

I mean, if there is information about the transaction, some degree of categorization, what it's for, the external account that the transaction is coming from, some metadata associated with that—assuming data sharing's in place—then absolutely the value of it would be tremendous for some of the things that we're trying to prevent in terms of fraud, especially from both an AML and a fraud perspective.

Jeff Newman (26:56)

Yeah, I agree with what you're saying. I think as I've thought about this, and I think it was during the Anchorage Bank presentation this morning, I'm going to spend a little time just looking at the amount of regulatory hurdles that currently exist for stablecoin, and I think that's actually the biggest problem right now. While there may be benefits from it, I think I found six different massive hurdles related to its implementation, even from the standpoint of which entity within the government will be the owner. There are four different variations of that. So, there are just a lot of different aspects from a regulatory perspective that still have to be thought through before that can become kind of an effective use. Not to disagree with the CEO from Anchorage Bank.

Carter Pape (27:33)

Cool. We're not going to have time for audience Q&A, but this is the last session in this room, as far as I know, so you should have time to be able to approach us afterward. But the last question I wanted to give to both of you is just what takeaways do people need to have? What do you want to send people away with thinking about fraud?

Jeff Newman (27:55)

Sure. For me, I think I kind of touched on it a little bit: When I stepped into the role from a fraud engineering perspective, I just happened to see the amount of silos that exist. So, my recommendation is looking at that and finding the opportunities, even if it means organizationally shifting a little bit, to remove those silos and start to act as if the criminals are acting, right? They're bringing all of these things together. They don't care about whether or not cyber does one thing and the fraud engineering does another, and ops does something else. The more we can bring those things together and improve the cross-collaboration in the teams, the more effective you'll be at fraud mitigation.

Caleb Callahan (28:30)

I'm going to put in a plug for my fraud leaders out there, which is really, I go through this conversation all the time when I try and put something in place: "How much of our fraud would be saved?" And that's always the wrong conversation to have. One of the things I like to say is, wartime spending is too late. What we really need to think about is the peace-time spending and investment in fraud. You're not going to wait for a massive loss to be able to invest in exposures. Look at it like cyber: You're not going to wait for the breach to invest in cyber controls, so don't wait for the large loss before you start thinking about your exposures as opposed to your losses, and invest in them while you can do it deliberately instead of having to do it as a massive scramble.

Carter Pape (29:20)

Jeff and Caleb, your insights are really valuable. Thank you so much for your time. Round of applause for them, please.