Innovating Cyber and Financial Crime With AI
Interest in AI is exploding. Views vary regarding what we should be concerned about, other than using ChatGPT for faking academic essays. There is a much bigger picture, namely the malicious use of artificial intelligence. Moreover, there is a need to better understand risk management at the intersection between cyber security and financial crime prevention.
The dual-use nature of AI must be taken seriously, according to the report “The Malicious use of Artificial Intelligence: Forecasting, prevention and mitigation”, by Cambridge university, Future of Humanity Institute, and OpenAI, among others in 2018. Research on AI ethics and the use of AI for criminal intent was very limited then and still is.
One recommendation in the discussion around the malicious use of AI, is that best practices need to be identified with more mature methods for addressing dual-use concerns, such as computer security. AI can be applied to exploit human vulnerabilities for example through the use of speech synthesis for impersonation and to identify existing software vulnerabilities.
As the use of AI is scaled up, attacks become cheaper to carry out, human criminal tasks are automated. This means that more criminal actors can carry out attacks directed to a greater number of targets.
AI creates criminal economies of scale
Cyber crime is targeting trade secrets in key industries such as aerospace/aviation, biomedical, defense industrial base, healthcare, manufacturing, maritime, research institutes, transportation (rail and shipping). It is also targeting high technology and gaming companies, retail customers by setting up schemes to sell bogus software products in the millions. Fake advertisements placed on the websites of legitimate websites. Cyber crime is both a means to generate criminal proceeds, and a means for layering and integrating criminal proceeds.
The intent of hackers may be political, physical or purely economic. The border between cyber-crime and financial crime is blurring, which is why it is all the more important to address risk exposure with a more interdisciplinary and holistic approach. For those, including this author, who feel that the label “holistic” is imprecise, let us suggest the alternative word “all”, as in one consequent way of managing risks, not excluding any material risks.
There is a lot to be learnt in the intersection between AI vulnerabilities and cyber security management. There is also a lot to be constructively discussed at the intersection between cyber security and financial crime prevention, which is a topic that FCG and Transcendent Group will address during the Stockholm GRC Conference later this month.
Innovation in multi-criminality
In the annual report of the Swedish FIU we can read that the number of reported money-laundering cases increased by 20% compared to 2021. The fact that more money laundering is reported may be explained by better cooperation between competent authorities and increased awareness about the criminal economy. It also says that criminal networks are taking on new types of fraud, including vishing (fraud over the phone to access bank accounts), which is also highlighted by the FBI with regards to cyber security. Cyber crime as described by the FBI involves methods to fraudulently gain unauthorized access to victims’ online bank accounts, or stealing money from victims’ bank accounts and then laundering the funds through multiple bank accounts including foreign beneficiary bank accounts controlled by accomplices and money mules.
By way of example, one particular criminal scheme managed by one of the FBI’s now most wanted cyber-criminals (a Swedish citizen) included browser hijacking, multiple fraudulent and false error messages, making victims purchase full paid versions of fake software products. The proceeds of credit card sales involved were allegedly deposited into bank accounts around the world and then transferred to bank accounts in Europe.
When customers complained that their purchases were actually fraudulent software, call center representatives were instructed to lie or provide refunds in order to prevent fraud reports to law enforcement or credit companies.
Human risk will always decide
It is important not to get stuck focusing only on technical IT-security. A further and even more complex question is the risk at the intersection between systems and human behaviour. The biggest risk of exposure is staff. Suffice that one member of staff is successfully targeted in order for consequences to be extreme and have devastating impact. Establishing a culture of awareness, of security and ethics is a well-known mantra, and reasons are obvious.
There are several common traits between financial crime prevention and cyber security awareness, two of them being the extremely fast-moving threat landscape (risk environment) and the other being the talent shortage (the competence gap). The similarities with financial crime prevention are also identifiable when it comes to the typical top challenges in managing awareness, namely training and skills, inability to engage employees, leadership support, budget, relevant program metrics, lack of data reflecting program return on investment.
Just as effective anti-money laundering requires legal as well as technical expertise, a breed which we at FCG have coined the “legal technologists” (which may be embodied in several individuals, as team members, n.b.), we are now just at the beginning of understanding the potential uses and implications of cyber crime and the use of AI as a means for financial crime. Just like the porn industry is said to have been a major growth engine for internet innovation, it just might be that financial crime will be a key driver for AI development. It is all about staying the step ahead.
If you are interested in this issue area, please join us at the GRC conference or contact us for a presentation.
Head of Cyber & Digital Risk
 FCG AML State of Play Sweden 2022; FCG AML State of Play Denmark 2022; Cost of Compliance Report (Thomson Reuter, 2022)
 SANS 2022 Security Awareness Report “Managing Human Risk”