Artificial intelligence is transforming cybercrime. Scams and fraud are evolving faster than our defenses. They’re becoming more personal, harder to detect, and more believable than ever. Fraud protection solutions are essential for both individuals and organizations to protect themselves. But it doesn’t require fancy, expensive, high-tech systems to protect yourself. In fact, despite how complex our digital world has become, the best solutions are often low-tech ones.

See Before the Fraud Tsunami Hits with Ritesh Kotak for a complete transcript of the Easy Prey podcast episode.

Ritesh Kotak is a lawyer licensed in Ontario, Canada, who specializes in issues around AI, cyber privacy, cybercrime, and emerging tech. He helps clients navigate the digital space, as well as assisting those who are victims of fraud. His career started in law enforcement, where he ended up in tech-focused roles investigating computer crimes and developing cybercrime units. After leaving policing, he spent some time in big tech before becoming a lawyer.

Ritesh’s fascination with technology started at a young age. When he was three years old, his father brought home a computer – a Pentium 486 running Windows 3.1. His father wanted to use it to do accounting for the grocery store he owned. Young Ritesh, though, was fascinated. He took the computer apart, but couldn’t get it back together. His father took it to a repair shop, and Ritesh was equally fascinated watching the repair person put it back together. He took it apart again, and this time could put some of it back together. After the third time, he could reassemble it on his own. That’s where his whole career in technology started, with his fascination with that one machine.

Ritesh always assumed he would go into business to help his parents. But even when he decided to serve his community by policing instead, that love of technology never left. He joined the police force in 2010, and tech use was coming to the forefront.
The world was starting to see cybercrime and organized crime using technology. Ritesh presented the concept that crime was no longer just physical, but it also wasn’t just virtual. He saw that future crime would be some blend of the two, and law enforcement would need to be competent in both.

Crime is no longer going to be physical. It’s also going to be virtual … it’s this new convergent world between the two.

Verification was a big issue. Even before AI deepfakes, people created fake email accounts to harass others. Dating profiles, online forums, and classified ads could all be fraudulent. And there are jurisdictional issues, too. Servers are all over the world. So are victims and criminals. It’s challenging to navigate, and digital forensics is increasingly important.

Ritesh took opportunities he had to impress on the police the importance of tech. Once, he was in a meeting with the chief of police, the deputy chiefs and the IT director. He was the youngest person in the room. He asked the chief if he believed the police could be vulnerable to cybersecurity issues. The chief said he didn’t think so. So Ritesh hacked his device right there in the meeting. Instead of disciplining him, the chief understood his point. Ritesh ended up creating one of the first municipal cybercrimes units in Canada and traveling to teach other police forces about fraud protection solutions and what we have to do today to deal with the issues of tomorrow.

Ritesh has had friends and family members who were victims of scams. Though he hasn’t been a victim himself, he’s come pretty close. Ritesh loves amusement parks, but the tickets are expensive. He’s always looking for discounts and opportunities to save a few bucks. While planning one trip, he called a friend of his who he knew had a discount code and asked to borrow it. His friend said absolutely and offered to send it. Ritesh then got an email from him with a link. He clicked the link.
The site showed amusement park tickets at a heavy discount. He started filling in the information it asked for. He got through his personal information, but when he got to the credit card information, he stopped. When he looked at the address bar, there was no lock symbol showing the site was using HTTPS and was secure. At this point, he started to question. He picked up the phone, called his friend, and asked if the link was correct. His friend replied, “What link?”

It turns out that his friend’s account had been hacked, and someone spammed his entire address book with a fake amusement park discount link. Ritesh happened to be looking for tickets, so it fit what he expected. He came very close, and was lucky he noticed the issue before he submitted anything.

If it can happen to Ritesh, it can happen to anyone. He’s worked with other lawyers, computer scientists, and even police officers in fraud departments – all very smart people – who have been caught by a scam. There’s a lot of stigma attached and people are embarrassed. But there shouldn’t be any shame in being caught by professional, sophisticated scammers. The right scam at the right time can catch anybody, regardless of intelligence.

Data breaches export as much information as possible so criminals can use that to profile you and build trust. If you get information from marketplaces, financial institutions, email servicers, or company CRMs, you can compile and aggregate it into detailed profiles. Criminals then purchase those profiles and use them to target you.

Information really is gold to scammers. If someone calls you talking about a specific purchase you made at a specific store on a specific day, you’re likely to assume that they’re legitimate. That element of trust can get you hooked. Even something as simple as spoofing, or making your caller ID show a different number, can build a little trust. Generate enough trust, and a scammer can get what they want from you.
Tech companies are trying to fight back. In Canada, devices and telecommunication companies are implementing systems to keep spoofed calls from going through or label them “likely spam.” But it’s like playing whack-a-mole. When you figure out fraud prevention solutions to patch one hole and whack one mole, two more pop up. It’s a constant race to figure out how the scam evolved and a new way to deal with it. Emerging tech is just making this more difficult.

Tools get developed based on the types of scams that are discovered. And you figure out how to patch one scam … but two more pop up.

AI is a sword that criminals can swing to hurt people. And it can also be a shield to provide some protection from fraud.

AI is a sword. It is being weaponized against individuals. [And] AI is a shield being used to protect individuals.

As a shield, banks and other organizations have been implementing new technology to discover issues. AI can help them spot inauthentic behavior and shut down accounts. Some banks are now using the sound of your voice to verify you when you call or implementing other authentication features with AI.

As a sword, we’re seeing some interesting uses. An obvious one is in emails. Phishing emails used to be obvious, with errors, broken links, and weird visuals. But generative AI makes it easy to draft customized, grammatically correct emails that are more difficult for tech to spot. It’s also easy for AI to duplicate websites. Now it takes only seconds to do what used to take days, and the end result is better.

The next generation is going to be audio and video. We’re already seeing grandparent scams, where scammers use a small sample of someone’s voice to create an identical-sounding AI clone and call their grandparents asking for money. And deepfake videos can get extreme.
There have been documented cases of an administrator on a virtual call with ten people getting told to do some financial transaction, but nine of those ten people are AI deepfakes. There’s no global playbook for what to do with AI. It’s going to get harder to tell what’s real. We need fraud protection solutions to help.

As the technology gets better, as processing gets cheaper … it’s going to become even more difficult to decipher fact from fiction.

Conventional wisdom used to be that you could protect yourself by asking to get on a video call. If they made excuses or avoided it, they were probably a scammer. But that’s an outdated fraud protection solution now. Deepfake technology means a scammer could look like anyone, even on a live video call.

Unfortunately, there’s not a good way to identify AI on video calls anymore. Even when we come up with a way, criminals find a way to get around it. And sometimes there are legitimate situations where friends or family need money. Ritesh has had those calls in the middle of the night. He doesn’t want to leave a loved one stranded if they’re actually in trouble.

Ritesh is a firm believer that a lot of high-tech crime has low-tech solutions. He and his family and close friends have a secret phrase. If they don’t use the secret phrase with the request, Ritesh assumes it’s a scammer. When the requests come through text or message, he’ll pick up the phone and call. Sometimes, he’ll even hang up and call back from a number he knows.

Fraudsters try to keep you on the phone and create a sense of urgency. If you hit pause, take a deep breath, verify, and have a secret phrase, that will go a long way towards helping you spot fraud. It’s what Ritesh does.

There are apps out there that can detect AI content. Most of them are designed for text, though. We’re starting to see some for images, but not a lot out there for video right now. AI can still manipulate image metadata, but it’s better than nothing.
The only real solution right now is verifying everything. If they email you, call them. If they call you, email them. Scammers can fake voices and emails, but it’s much more complicated to take over someone’s phone number and email at the same time. Doing that extra check isn’t a high-tech fraud protection solution, but it is a huge help.

This is important for businesses, too. Major organizations and even governments have fallen for these kinds of things. There’s a lawsuit going on right now in Ontario where a company was tricked into changing an account number and paid a bill to a fraudulent account. The company is saying they paid the bill, and the vendor didn’t receive the money.

A lot of people think cyber insurance would kick in at that point. But just like car insurance could deny your claim if you were driving recklessly, cyber insurance might deny a company’s claim if they haven’t trained their staff and put protection measures in place. Insurance is a safety net, but companies also have to do their due diligence. A lot of people don’t do that.

Reporting scams and fraud is essential. It helps track and catch criminals and power the evolution of fraud protection solutions. But a lot of people don’t fully understand the role of reporting. Victims care about being made whole and getting their stolen funds back. But that’s not law enforcement’s job. Their job is to figure out who’s behind the crime and arrest them. If they happen to seize some assets, victims may get some funds back, but that’s not their primary goal.

Ritesh recommends victims think about reporting in two ways. From a criminal perspective, you should always report scams to law enforcement. You may have a piece of the puzzle they need. You’re definitely not the only person to be a victim of that criminal, and you may have a phone number, email address, IP address, or something else that can help law enforcement’s investigation. This also gives you a record of being a victim.
Recently, there was a major takedown in Europe where law enforcement seized funds. Canadian victims who reported the scam got some of their money back because they had a record of what they lost. If you’re reporting on behalf of a business, consult your legal counsel first, but always report it.

The civil perspective is about actually getting your money back. That process depends on the details. If it involved a credit card, there may be a chargeback or dispute process you can use. Always call your financial institution right away. The money may have left your account but not left your bank yet, and they could retract it. The quicker you move, the more likely you are to stop that money getting to the scammer. If it involves a platform, like an app or crypto exchange, report it to the platform too.

Scams and online fraud are a crime in just about every jurisdiction. But what happens once you report it varies depending on your jurisdiction. If your bank says there’s nothing they can do, for example, some jurisdictions have an ombudsman you can appeal to or a civil court process you can use.

Ritesh has been a big advocate of creating some kind of hub that brings together government representatives, fraud investigators, and police so you can have just one contact to deal with everything. But right now, you have to manage everything individually.

We need to rethink our response to dealing with these crimes. We’re trying to fight 21st-century crimes with 20th-century fraud protection solutions and frameworks. Often the victims end up re-victimized by the whole process, because it doesn’t put victims at the center.

We have 21st century crimes, but we’re using 20th century frameworks.

We already do something similar in the physical world. Operations centers, real-time crime centers, and other “war rooms” exist to deal with physical crimes. Even banks and airlines have these kinds of setups. We need to make something specific to victims.
Not only would this make the process easier for victims and help make them whole again, but it would centralize information to help bring people committing these crimes to justice.

If you’ve been a victim of a scam or fraud, Ritesh does recommend talking to a lawyer to help with the process. Some organizations are hard to get a response from, but they take your situation more seriously once they get a phone call or letter from a lawyer. It shouldn’t be that way, but it is.

A lawyer experienced in these kinds of situations can also help you navigate the system. There may be civil remedies available, especially if an organization was negligent in preventing scams from happening. And a lawyer will know what your rights and options are in your jurisdiction. Every situation is a little different. So having a legal pro help walk you through it can be a great benefit.

Technology is just going to keep getting more sophisticated. No matter what fraud protection solutions we come up with, criminals are always going to find a new way to evolve their methods and defeat our safeguards. Staying safe isn’t just about figuring out how to prevent particular crimes. It’s about learning the right skills to deal with new crimes as they continue to evolve.

Ritesh’s best advice is to focus on those low-tech solutions. Hit pause, take a breath, and don’t let anybody rush you. Ask a friend if the situation seems suspicious. If you’re not sure if something is legitimate, pick up a phone and call the source – especially if it’s asking for sensitive information or has links. Take the time to validate and verify.

If you do become a victim, it’s impossible to put the toothpaste back in the tube. You may not ever be able to get what you lost back. While it’s good to know what to do if it happens, put your effort into stopping it from happening in the first place. Prevention is better than finding a cure.

Find Ritesh Kotak online at riteshkotak.com, on Twitter @riteshkotak, and on LinkedIn.