
Banks should be developing AI fraud detectors and encouraging customers to install them alongside banking apps. But they’re still investing in infrastructure protection.

Banks are investing more than ever in fraud detection. They are strengthening their infrastructure by upgrading core systems, deploying corporate email protection tools, tightening access controls for internal services, and improving network security. Yet they continue to lose ground, because fraud now happens outside the bank's perimeter – in messenger apps, social media, or email. At the same time, AI has made fraud more sophisticated and enabled fraudsters to operate at a much greater scale.

How can financial institutions respond to this challenge? What are banks already doing, where are the gaps, and what tools do modern financial organizations need? I explore these questions in this article.

What are banks and other financial institutions doing?

Some of the most advanced banks in terms of cybersecurity today are JPMorgan and Revolut (which received its banking license in the UK this spring).

Over the past two years, JPMorgan has been rebuilding its anti-fraud strategies. It acknowledges that fraud happens outside the infrastructure: in messengers, emails, and phone calls. The bank is building an entire ecosystem of protection: consumer awareness programs, real-time prevention systems, interbank fraud signal sharing, research into scam patterns, and coalitions against AI-enabled scams. JPMorgan has also become one of the founding members of the North American chapter of the Global Anti-Scam Alliance and supported the creation of the Aspen Task Force on Fraud and Scam Prevention.

One of the organization’s directions is consumer intervention – where banks try to stop a person before a payment is made.
For example, if a user is transferring money after a call with an unknown number or after clicking through a suspicious investment ad, the system is supposed to intervene before the funds are sent.

Revolut, in order to reduce AI-generated fraud, decided last year to move all calls into the app. It now actively informs users that employees do not call via regular phone lines. At the beginning of this year, it released another feature: the app can now see all your active calls (of any type – regular mobile network calls or WhatsApp/Telegram/other voice apps). When a user opens the Revolut app, they see a banner telling them whether the current call is actually from a service employee or not.

In addition, Revolut has a large machine learning layer that analyzes user behavior, device/IP/geography data, and anomalies in transaction chains. Before sending money, the system can show warnings like: “this type of transfer is often used by scammers.” Plus, Revolut participates in initiatives with Google/Android to protect against screen-sharing scams and remote access fraud.

These banks are among the most advanced players in the industry. But in reality, most of the banking sector is still noticeably behind. Meanwhile, fraud losses keep growing. In the US alone, consumers reported more than $10 billion in fraud losses in 2023, according to FTC data, with impersonation scams and payment fraud growing the fastest.

What aren’t banks doing?

All of these methods are good. But the further AI scams evolve, the less they can actually protect both businesses and everyday users. Even the most advanced fraud systems still live inside the bank’s perimeter: they analyze user behavior, the transfer itself, the device, the recipient – but they only see the final point, the moment when money is about to be sent. And in the case of AI-powered social engineering, that’s often already too late.

At the same time, regulation is increasingly raising the stakes for financial institutions.
The UK's Payment Systems Regulator introduced mandatory APP fraud reimbursement from October 2024. Singapore’s Shared Responsibility Framework extends accountability across banks and telecoms. The FCA’s Consumer Duty requires firms to avoid causing foreseeable harm, which includes AI-enabled impersonation scams. The EU AI Act classifies fraud-prevention systems as high-risk, while DORA adds operational resilience and reporting requirements.

The next step, which right now might look slightly ambitious but is becoming increasingly logical, is extending protection beyond the bank. I’m currently working on an initiative like this. Essentially, the idea is that the user gets an additional trust layer at the device level: an extension or built-in layer on phones and desktops that understands the communication context around a person.

The way this layer works can be described quite simply. It continuously collects and interprets signals from different sources: messages, calls, emails, links, domains, sender profiles, as well as behavioral context – for example, that the user recently received a message, started a conversation, or clicked on a certain link. Then this layer builds a chain of events: who contacted you, how the communication evolved, and what risk signals have already appeared along the way.

Banks should build such tools or delegate their creation (depending on what is easier), and distribute them to users – employees, businesses or individuals – so these layers can recognize social engineering and detect all suspicious signals. But such systems should not be trained on a company’s internal data – in that case they remain limited to historical patterns and are not aware of how fraud is evolving globally. That’s why cross-industry and cross-geography approaches are key for future trust applications.
The cybersecurity industry solved this problem decades ago with ISACs, MISP, and FS-ISAC-style frameworks, where financial institutions share threat intelligence across organizations. Fraud detection has not yet adopted this architecture, and that gap is one of the reasons loss numbers continue to grow.

It’s also worth noting that in the era of AI fraud this is necessary because AI enables the execution of thousands, hundreds of thousands, or even millions of fraud attempts at the same time. That’s why detection strategies should also rely on the ability of AI to analyze these patterns, recognize them, and report them.
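
The device-level trust layer described above builds a chain of events before a payment and intervenes on accumulated risk signals. The following Python sketch is an added example, not code from the author's initiative or from any bank; the signal names, weights, time window, threshold and sample events are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical signal kinds and weights (assumptions, not from the article).
RISK_WEIGHTS = {
    "call_unknown_number": 0.3,
    "message_new_sender": 0.2,
    "link_lookalike_domain": 0.4,
    "screen_share_active": 0.5,
}
WINDOW_SECONDS = 30 * 60   # assumed look-back window before a payment
INTERVENE_AT = 0.6         # assumed score at which the user is interrupted

@dataclass(frozen=True)
class Event:
    ts: int        # seconds on a shared device clock
    kind: str      # one of the signal kinds above, or a benign kind
    contact: str   # phone number, sender id or domain

def build_chain(events, payment_ts, window=WINDOW_SECONDS):
    """Risk-bearing events inside the window before the payment, oldest first."""
    hits = [e for e in events
            if e.kind in RISK_WEIGHTS and 0 <= payment_ts - e.ts <= window]
    return sorted(hits, key=lambda e: e.ts)

def score_chain(chain):
    """Treat distinct signal kinds as independent evidence: 1 - prod(1 - w)."""
    safe = 1.0
    for kind in {e.kind for e in chain}:   # repeated kinds count once
        safe *= 1.0 - RISK_WEIGHTS[kind]
    return 1.0 - safe

def assess_payment(events, payment_ts):
    """Decide whether to interrupt the payment and return the evidence chain."""
    chain = build_chain(events, payment_ts)
    score = round(score_chain(chain), 2)
    return {"intervene": score >= INTERVENE_AT,
            "score": score,
            "chain": [(e.kind, e.contact) for e in chain]}

# Constructed sample: unknown caller, lookalike link, then screen sharing.
SAMPLE_EVENTS = [
    Event(1500, "screen_share_active", "remote-tool"),
    Event(1000, "call_unknown_number", "+10000000000"),
    Event(1300, "link_lookalike_domain", "bank-example.invalid"),
    Event(1200, "app_opened", "calendar"),            # benign, ignored
    Event(2500, "message_new_sender", "sender-x"),    # after the payment
]

if __name__ == "__main__":
    print(assess_payment(SAMPLE_EVENTS, payment_ts=1800))
```

The returned chain is what a warning screen could show the user: which contact started the interaction and which signals followed, rather than a bare score.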


