Fraud for Thought: The Emerging Threat of Synthetics in Insurance
In a compelling interview from my "Fraud for Thought" podcast, we dive deep into the world of fraud prevention with @Steve_Lenderman who has decades of experience in the field - particularly with regards to emerging digital fraud typologies. We explored one of those such themes - Synthetics - and the risk it now poses to the insurance industry. Below are key excerpts highlighting some of the most crucial insights shared during the discussion.
On Emerging Threats in Identify Theft & Synthetic Fraud…
Alex: What recent and emerging trends are you seeing used by cyber criminals with regards to identity theft and synthetic fraud?
Steve: It's been interesting to see the shift take place from the financial sector to the insurance space. Fraudsters will always go where the money is and they realize that's the insurance space. The insurance space, while very mature from an organizational perspective, has always dealt with fraud. But not like the fraud the financial sector has seen.
We're seeing these threat actors coming into the insurance space with things such as synthetic identity, deep fakes, and generative AI - being targeted by technology that it just hasn't quite seen yet.
The banking sector has been seeing it for the last five or six years and the insurance base is now seeing it. And it's what I call the 'fraud tsunami' where they're seeing the waves come in and that's the fraudsters kind of playing with things, understanding the insurance first of all, understanding that insurance is where the money really is, what the controls are, what the program is, and then they'll launch their attacks with technology.
We're seeing a lot of things like bot attacks now that are being used and scripted to apply for a policies for example. Whether they are successful or not, it doesn't really matter to them. It's a testing strategy for them to understand again what the controls are that insurance has in place, to see what they get through. And if they get a policy applied, they may not do anything with it for awhile. They may just sit on it and again understand how the program works, where the control gaps are, what the thresholds are. We call those accounts 'sleeper accounts': they sit there and wait for the activity on the synthetic side.
So you're seeing traditional identity theft and you're seeing synthetic identities that are now being, and have been used, groomed, and matured in the financial sector now moving into the insurance space. I was speaking with a large insurance provider and discussing some synthetic identity identifiers and they quickly ran their identifier and found a $5,000,000 life insurance policy that they paid out to an individual that does not exist. They started looking more and more into it and found roughly $40 million in death benefits they paid out to individuals who never lived.
That is a huge red flag for the insurance industry: that this threat is coming to them, into their space and will start to expand and land as they move forward.
- Key takeaway: The utilization of technologies like deep fakes and generative AI by fraudsters is of paramount concern to Quantexa's insurance customers who are taking a proactive stance in preventing and combatting such threats. They are exploring the accessibility of Gen AI tools to fraudsters and the potential implications.
On Adapting Tactics with Technology…
Alex: From what you've seen, how are insurance companies adapting their tactics to help defeat the fraudster and what strategies and technologies are they putting in place to enhance that capability?
Steve: To combat technology, you need technology. The old days of the human firewalls, like massive fraud shops of hundreds of analysts working reports and cues (that really produced a lot of false positives) is no longer sustainable or scalable. Especially with the level of fraud that is coming to the insurance space; it will be equivalent to what the financial sector saw in the last two decades. So, you have to have the appropriate technology. It's pretty easy. The insurance companies just need to look to the banking sector again, what do they do? It's about account onboarding, right? You want to keep the bad guys out of your account at all costs because once they're in the account, then it's very difficult to mitigate them and it's expensive to move them out of out of your portfolio. You're looking at things at the onboarding stage, which is what I call a proactive stance versus reactive.
To get into the proactive stance where you eliminate the fraud threat altogether you don't approve the application for the policy, you deny them at the door; but how do you do that? How do you prove fraud intent? This may look like fraud, but until they do something, is it really fraud? Just because I'm carrying a firearm doesn't mean I'm going to go out and commit a homicide, but when I do, then then it becomes a homicide. And so it's very difficult for individual for banks and technology to determine what we call the intent.
They're looking at things and tying the data together, such as device information and behavioral biometrics. We're looking at non-traditional data sets instead of your traditional data sets like credit bureaus or large data aggregators. You're looking for things that that would help you tie things together, which ties in the concept of entity resolution.
How do you tie all that technology together? How do you tie the data that you've obtained through those technology into a workable queue for your analyst? Because the false positive rate can be somewhere in the 95 percentile. You have to understand the data you're trying to acquire, what you're going to do with it, and then how to use that data in the truth data format to retrain your models and tighten your defenses.
- Key takeaway: Quantexa customers are going beyond identifying and probing fraud among their existing clientele to preemptively thwart dealings with dubious clients. This requires a proactive approach to refraining from underwriting policies for potentially fraudulent individuals intending to exploit their services.
On Balancing Security and Convenience…
Alex: How are some of those technologies helping insurers strike that balance between customer convenience and the stringent validation that should be in place when it comes to identity verification?
Steve: It's most important to understand the connections with the data (right back to entity resolution) - understanding that these are transnational groups that are attacking at scale. When you attack at scale there are relationships and connections between those online applications or between those accounts. The trick is to understand what those relationships look like and so you know you're looking at again mentioned device identification for example, individuals who try to spoof their computers.
Synthetics have been groomed in the financial sector for the last 20 years, which are truly just data points. Now what we've seen is deep fakes are creating now both visual and audio for the actual synthetic identity: now the synthetic identity has a face and a voice. You've seen a lot of the technology come around about liveliness checks, send us a picture of a selfie, turn your head, go on Webex, go on Teams, whatever it might be to prove that you really are a human. The technology has progressed so quickly in the last two years that's easily defeating most technology that the banks and insurance companies have in place to defend.
Banks have been doing that for awhile now through organized groups. The insurance companies do have some organizations within their within their scope of business and the analysts and investigators do talk to each other. But I believe it's very much in an informal structure. There needs to be some kind of formalized structure to take all this data, put it all together and say, we know this is a bad actor because they attacked insurance company A and inform insurance Company B, right? The banks have made that mutual connection in a relationship to say, listen, we're going to free fall together versus looking at as a competitive disadvantage like sending a bad guy from us to them is better for them. That doesn't happen in the banking world these days. They work together from a consortium's perspective to identify those data sets.
- Key takeaway: Contemporary fraud is driven by transnational groups and advanced technologies like deep fakes. Combatting this demands sophisticated methods such as entity resolution to uncover patterns of fraudulent activity across online applications and accounts, in order to provide a comprehensive approach that balances stringent validation with customer convenience.
Conclusion
My discussion with Steve highlighted critical insights into the emerging threats facing the insurance sector. Fraudsters are increasingly using advanced technologies such as deep fakes and generative AI to exploit vulnerabilities. This shift necessitates a proactive approach from insurers to effectively counter these sophisticated attacks.
Implementing advanced technologies is essential for detecting and preventing fraud before it impacts customers. As these threats evolve, industry collaboration becomes crucial for sharing intelligence and developing robust defenses.
Staying informed about these emerging threats and the proactive measures needed to combat them is vital. By understanding and implementing the latest technological advancements, we can collectively safeguard against sophisticated fraud and ensure a secure and trustworthy insurance landscape. Let's work together to protect your interests and strengthen our defenses against these evolving threats.
For more Fraud for Thought, visit the Quantexa website:
Friend & WIN
prizes!