Generative AI will enable card issuer American Express to be more innovative in tackling fraud, but the technology’s also likely to aid bad actors, Tina Eide warned.

“It will impact both sides of the coin, and that's why it's very important for us as an industry to continue to research, develop and explore so that we can stay ahead of the bad actors,” said Eide, executive vice president for global fraud, credit bust out, payments and banking product risk management at Amex. 

An Amex spokesperson said the company doesn’t disclose the amount the company spends on fraud-fighting efforts.

In its quest to beat back fraud, Amex has leveraged machine learning in fraud detection for close to a decade, and continues to develop artificial intelligence and ML techniques and strategies, said Eide, who’s responsible for enterprise-wide fraud prevention at the company. 

Amex also benefits from the closed-loop data it gets through its issuing and acquiring businesses, she added. Eide spoke with Payments Dive Dec. 12 about current fraud trends and how the industry is addressing those.

PAYMENTS DIVE: What kinds of fraud are you encountering more often?

TINA EIDE: Across the industry, one of the areas that is really starting to pop recently is fraudulent applications. We’re starting to see more and more velocity in this area, and a lot of that velocity is coming from bots who are taking personal identifiable information and applying at very quick speeds. The interesting thing about this round of fraudulent applications is the strength of the information for each application. Identities are being stolen, but with those identities, it’s a full set of PII — name, address, Social Security number, birthday, email address, phone number. And all of that data is legitimate and correct for the individual. So we’re starting to see a lot more quality identities coming through; previously, it was more partial identities.

Why is that?

There's multiple reasons, and there's multiple sources where bad actors get this information. For consumers, if an offer is too good to be true, and you try to purchase the latest item that's sold out, or an item you're seeing at an incredible discount, you may be asked to insert your name, your email, your phone number — things that you feel like, OK, this is normal that I would input these items to get this offer. But really what's happening is the offer’s not coming, and likely that information that you've submitted is heading towards a server that's collecting very clean, complete PII to be sold on the dark web and used for these purposes.

Our digital identities and digital data are in many, many areas, so it's hard to pinpoint. But I think being careful of what and where you enter your information is helpful.

What other fraud schemes are you seeing more lately? 

We continue to see, as the industry does, a lot of social engineering challenges: customers who believe they’re speaking to a financial institution and are giving away passwords. We’re seeing that continue and even pick up speed.

First-party fraud is also an area where we are seeing a lot of pressure, not only from real identities, but also synthetic identities. They’re taking a combination of PII from several individuals and creating an entirely new individual and setting that individual up so that they appear to be real. And then, they’re managing that identity for a while until you’ve maximized your opportunity to bust out on many different things all at the same time. 

Where do you think the industry is making headway as it relates to fraud?

Whenever customers are getting contacted through their financial institutions and they're being given one-time passwords, I think the industry is doing a better job in providing more context for those fraud alerts. As in, what is this for? Why are you receiving this? Customers should really pay attention to that contact, because I think that contact can really help them understand the situation they're in when they're being asked for this information — does it match the situation where the one-time password was sent to them? 

For us, when we have fraud concerns, we try to share as much context as possible, either in the text alerts, or if we speak to a customer through our call center, we give context and try to educate in the moment, of things to be on the look-out for.

You’ve been at Amex for about 25 years. How has the shift to digital payments affected fraud trends?

Over the last three, four years, the number of hard credentials that are available to be purchased on the dark web has grown significantly. Now, you don't really need plastic to perpetrate the fraud. That's very different than 15 years ago.

With digital purchases, our machine learning models have started to get so sophisticated with so much data that sometimes it’s almost easier to track fraud in the transactions (compared to social engineering or fraudulent applications). And we have an agreement with many merchants where they send us enhanced authorization data, and so that enhanced data really allows us to make a strong decision on the digital purchase.

Now, from a control perspective, we’ve gotten so sophisticated that that’s an area where bad actors are struggling to make money, and so now we’re coming back around to more of the scams, the social engineering and even the fraudulent applications. It feels a bit like a vicious circle: As you get better and better at one area, then they'll move to another area; you get better at that area, and they kind of circle through and around.