AI phishing: new threats for financial institutions and merchants

In principle, phishing has been around since the advent of online banking. For many of us, it has been part of everyday life for years. It is one of the most common forms of internet fraud in which criminals attempt to steal sensitive information such as passwords or credit card details. However, while it used to be the case that phishing attempts could usually be recognized and unmasked at first glance with a little caution and expertise, this is no longer quite so easy today. Only recently, the rising number of cases of fraud at banks and credit card issuers was extensively discussed in an article in the finanz-szene (only in German). With the advent of artificial intelligence (AI), these attacks have become more sophisticated. This article looks at current phishing methods and shows how AI has improved the capabilities of fraudsters and is likely to continue to do so in the future.

What is phishing?

Phishing includes various techniques that fraudsters use to try to trick victims into revealing sensitive information. This is often done via fake emails, websites or messages (SMS, WhatsApp, etc.) that attempt to mimic legitimate companies.

AI-supported phishing attacks
Thanks to AI and machine learning, phishing attacks have become more sophisticated and efficient. Here are some examples of how AI is used in these attacks:

1. Deepfake technology
Fraudsters use deepfake technology to create convincing videos or voice messages purporting to be from CEOs or other executives. These can be used to deceive employees and trick them into disclosing confidential information or making wire transfers.

2. Automated email phishing campaigns
AI algorithms can analyze large amounts of data and create personalized phishing emails tailored to the individual recipient. These emails often contain personal information designed to gain the recipient’s trust. Major data leaks in the past (e.g. at Facebook) make it easy for criminals to address people personally and create trust (e.g. by addressing them by their real name or knowing their telephone number).

3. Voice phishing (vishing)
With the help of AI-generated voices, fraudsters can make deceptively genuine-sounding calls. These calls can appear to come from banks or other trustworthy institutions and trick the recipient into disclosing sensitive data.


Current phishing examples:

Here are some recent phishing attempts that show just how sophisticated these attacks have become:

The phishing attempts disguise themselves as text messages from trustworthy parcel service providers and demand payments in order to deliver parcels, threaten to shut down Netflix or Amazon accounts because cards have supposedly expired or the classic: the TAN app is supposedly about to expire and you urgently need to enter your details, please. It gets more sophisticated with elaborately designed competitions that come in the design of well-known food brands (the only really striking thing is that you receive the identical “competition” from Rewe, EDEKA and Lidl at virtually the same time). Some candidates are even more sophisticated, trying to feign a social connection (“This is Dad, I’ve got a new number”) and use it to obtain confidential data.

Here are just a few personal examples from the recent past:

What is striking is that the quality of the texts in particular has improved significantly in recent times. Presumably aided by AI, criminals from Russia and North Korea, for example, can now also write perfect German and produce confidence-inspiring and realistic texts. Much has also changed in the field of graphic design in particular. Today, it is no longer a problem for criminals to make entire websites with elaborate designs look like real savings bank websites or similar. With just a few clicks, you can find instructions on YouTube for AI tools that can create complete, high-quality websites, including graphics and text, based solely on a small prompt text. Only the URLs are often indicating criminal activities. But here, too, they are becoming more and more inventive and are increasingly using very realistic-sounding URL names or hiding URLs behind URL shortening services (e.g. bit.ly), making it harder for recipients to recognize the fraud immediately.

I recently had the opportunity to experience a particularly sophisticated scam up close in my family. The source of the trouble was an elaborately produced online store that was reached via an advertisement on Instagram and advertised sneakers at a suspiciously good price. What was particularly noticeable was the lack of an order confirmation or any further contact from the store in general. Fortunately, the payment was made by credit card and could therefore be refunded relatively quickly via charge-back with a little bureaucratic effort, even though the bank in question initially refused to do so. What is interesting about this case is that the fraudsters went to a great deal of effort to operate a very genuine-looking store and apparently also successfully concluded an credit card acceptance contract for it. Depending on how much turnover was generated here before the acceptance contract was blocked, the acquirer concerned has probably suffered considerable damage. Quite a few customers will probably not even know about their rights and will therefore bear the loss. Incidentally, the fraud as such was relatively quickly recognizable as fraud by googling for the store and then coming across a page of the consumer advice center, which explicitly marked it as fraud.

Just how targeted and extensive perpetrators now operate was recently demonstrated in an impressive case when a financial columnist lost 50,000 dollars through a sophisticated scam. This incident illustrates just how sophisticated and effective modern phishing attacks can be, even among experienced professionals. The article on SPIEGEL Online describes in detail how the fraud took place and what lessons can be learned from it. It becomes clear that financial institutions and merchants must remain vigilant and implement advanced security measures to protect themselves against such threats.

Protective measures

To protect yourself from these sophisticated phishing attacks, the following measures should be taken:

Race between card providers and fraudsters

Credit card companies and fraudsters are in a constant race, with each side trying to stay one step ahead of the other. While credit card providers such as Visa and Mastercard are constantly introducing new security protocols and technologies, fraudsters are quick to adapt and develop new methods to circumvent them. Recent developments include:

A recently published cooperation between Capital One, Adyen and Stripe shows just how great the pressure is for creative solutions, as they share their fraud monitoring data with each other via an open source API in order to benefit from each other’s information and be better protected against fraud on both sides.


What payment providers and schemes can and must do

Payment service providers, banks, acquirers and also the schemes have always been in an eternal race with the “dark side of the force” to make new products (more) secure and to recognize and prevent any new emerging form of attack at an early stage. The preview of the Payment Service Directive 3 (PSD 3) already reveals that the EU will put further pressure on providers to take on more responsibility and bear liability for unintentional misconduct by customers in more cases. It can therefore be expected that this will lead to even more pressure on providers to design secure mechanisms, which will typically be at the expense of user convenience. Providers will also rely heavily on the increased use of AI mechanisms in order to minimize the burden on customers and their user experience through extra and more complicated challenges. As we have already shown in our study, the future of payment will primarily be an area of tension between convenience and security. Ideally, payment processes will become increasingly seamless, invisible and, ideally, more secure for customers. At the same time, however, this also increases the risk of fraud and misuse, which must be kept in check by correspondingly strong security mechanisms.

The use of AI by criminals has made phishing attacks more sophisticated and dangerous. It is critical that individuals and businesses remain vigilant and take appropriate protective measures to guard against these threats. Through education, technical solutions and vigilance, we can minimize the risks and protect our digital identities.