An elevated level of vigilance will be crucial in 2024 as Artificial Intelligence (AI) threats and scams are on the rise. Fraud currently accounts for over 40% of crime in England and Wales, and scammers are using ever more sophisticated forms of deception with the assistance of AI. AI-enabled fraud such as deepfakes, phishing attacks, and identity theft poses an increasing threat to businesses in the UK and abroad.
AI is increasingly playing a role in fraud attempts, and the speed with which fraud typologies are evolving, aided by AI, poses a serious present danger to businesses. The ability to create huge volumes of fake SMS, video, or voice clips in a matter of seconds means the production of materials for potential fraud schemes is now quick, cheap, and easy. Add to that the ability to process vast amounts of information such as emails, images, videos, and voice recordings, and fraudsters can produce deepfakes of individuals and businesses and use them to their advantage. Businesses should be aware of the risks of impersonation of business owners, C-Suite Executives, and trusted advisors.
In addition, email phishing is becoming ever more sophisticated, with fake documents and realistic email chains. Similarly, voicemail phishing, where the fraudster needs only a few seconds of audio to create a convincing voicemail asking an employee to transfer funds, is an increasing risk.
As well as external attacks, organisations will need to be alive to the risk of internal threats. In October 2023, the Economic Crime and Corporate Transparency Act introduced a new failure to prevent fraud (FTP) offence. This offence targets 'large organisations', i.e., organisations that meet at least two of the following three criteria in the financial year preceding the year of the fraud offence:
- More than 250 employees
- More than £36 million turnover
- More than £18 million in aggregate assets on the balance sheet
Such organisations will be guilty of an offence if an 'associate' (an employee, agent, subsidiary, or anyone who otherwise performs services for or on behalf of the organisation) commits a fraud offence intending to benefit either the organisation itself or any person to whom the associate provides services on behalf of the organisation. An organisation charged with the offence may be prosecuted and face a potentially unlimited fine. It will, however, be a defence if the organisation can demonstrate that, at the time the fraud offence was committed, it had 'reasonable prevention procedures' in place to prevent the fraud from occurring.
The new offence underscores the importance of businesses being vigilant to fraudulent scams and having internal practices and procedures designed to detect a scam and act quickly if the business discovers it has been a victim of one. Guidance on exactly what these 'reasonable prevention procedures' are will likely be published by the government in early- to mid-2024. This means that organisations need to act now to analyse their current fraud prevention measures against the yardstick of future guidance, to ensure they have appropriate procedures in place.
Given the widespread use of AI by cyber-criminals, it is important that businesses' fraud risk management frameworks are sufficiently robust to resist novel modes of AI-enabled fraud. Training is essential for directors, consultants, and employees. It is critical for businesses to triple-check before making any transfers of money or sharing information with third parties. Verification procedures are key in mitigating the risk of fraud. There are now verification tools on the market which use the metadata that sits behind video clips to detect whether a clip is a deepfake, for example, by looking at the clip's IP address.
We expect an explosion of these types of AI-enabled tools, and businesses will need to consider carefully how they can leverage AI to their advantage, in conjunction with more traditional methods of combatting fraud (e.g., due diligence, transaction approvals and monitoring systems, and escalation policies). Businesses also need to have a disaster management protocol that is fit for purpose so that if they become subject to a hack or scam, they can act quickly to mitigate any damage and get ahead of the narrative to avoid irreparable harm.