Reputation is ROI: The Case for Bank Reputation Defense
In 2025, fraud fighters face so many threats that it is often hard to decide which ones belong at the top of the list. In my many years of recommending fraud prevention solutions, I have followed what I learned from folks wiser than me. First, you look at the severity of the threat; then you look at the probability of that threat affecting you. And finally, how big could the potential losses be – the financial impact (be it dollars, pounds, Euros, or Yen). There is a whole lot more science behind the calculations, but you get the point. The fourth critical item is how fast the solution will provide measurable value. This is often the most difficult to quantify, because it can take a while to calculate implementation costs and the deployment timeline. More on that later.
This year, I have my top three threats (and another seven behind these first three). What is driving many of these threats is the increased capability of Generative AI. It has created what I call the ‘Evil Twin’ of Gen AI – the ‘good twin’ being all the great capabilities we hear about Gen AI. In a July 2025 article, Secure World shows the expected growth of fraud and scams because of Gen AI. According to the article, the chart “highlights a compound annual growth rate of more than 30% in losses.”

Figure 1. Source: Secure World article, AI-Driven Fraud and Impersonation: The New Face of Financial Crime; July 18, 2025
With the obvious addition of AI out of the way, let’s look further at my key threats. For me, these are the three most important threats in 2025:
1. Ease of breaking authentication
2. Too many intelligent bots
3. Too easy to damage financial institution (FI) reputation
Attackers are finding too many ways to abuse the typical user ID, password, one-time passcode, and authenticators. Phishing can get credentials, voices can be cloned, documents can be replicated, and liveness tests can be defeated. With uncontrolled SIM swaps and SS7 security holes, OTPs are getting close to being worthless, especially for high-dollar accounts. Financial institutions need to mitigate this threat.
Also tied to GenAI is the powerful ability to create an intelligent army of bots that can be used to test credentials (credential stuffing), open new accounts (including using AI-generated synthetic IDs), and more. Bot traffic, when not controlled, can also make up the bulk of an FI’s online traffic.
Now I want to spend the rest of this blog on the threat to bank reputation. Again the ‘evil twin’ of Gen AI is the reason the threat to reputation is so high. This reputation threat revolves around the FI’s websites, advertisements, and online brand identity.
Today, financial institutions face phishing threats that are faster, cheaper, and easier to launch. There has been a wave of phishing-as-a-service operations like the Haozi platform, which has facilitated more than 280,000 criminal transactions by providing turnkey phishing kits with built-in automation and hosting support. Campaigns using the Darcula kit show how scammers can quickly deploy convincing clone sites and login pages with little to no technical skill.
What’s fueling this surge is the integration of generative AI. Large language models are not only being used to craft realistic, multilingual phishing emails, but can also be manipulated into validating fake sites, creating a feedback loop that adds credibility to scams. These are not isolated techniques; they're part of a growing ecosystem that makes bank impersonation scalable and profitable.
Scammers combine the ease of setting up clone websites with GenAI and the ease of creating phishing emails to make a very effective attack vector. These phishing emails can be in any language, error free, and targeted to individuals (spear phishing) based on stolen customer data. Worse yet, all of the research behind these phishing messages and the actual creation of the messages can be fully automated with scripts, making the attack far more effective and scalable. An example of spear phishing comes from a business email compromise (BEC) case where “an Experi-Metal employee opened a phishing email containing a link to a web page purporting to be a ‘Comerica Business Connect Customer Form’ and the employee then proceeded to provide his security token identification, WebID and login information to a phony site.”
The FDIC recently put out a warning on bogus bank websites: “Criminals also create fake bank websites to mislead and entice people into transferring money or disclosing personal information.” The FDIC also offers to help consumers (call 1-877-ASK-FDIC) identify if a website is real or not. But ultimately, when consumers are scammed by fraudulent sites, the imitated brand also experiences reputational damage and damaged trust. Consumers expect businesses to safeguard against these risks, despite the challenge.
Fraud losses from cloned websites typically fall to the financial institution.
To address these risks, FI organizations must quickly find and identify bogus, impersonated websites and get them taken down. Part of the problem can be getting the ISP to take the site down in a timely way. It can take hours to days to weeks to get these sites removed. So, what is also important is what can be done to mitigate the theft of credentials before the site is actually taken down. Some interesting work is being done with browser owners (Edge, Mozilla, Chrome) where known URLs of bogus sites can be immediately blacklisted to prevent FI customers from even reaching the clone site before it is taken down.
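Finding impersonated sites starts with spotting domains that resemble the brand. The following is an added example, not code from the original post or from Netcraft: it scores candidate hostnames against an assumed brand token (the brand name, legitimate domain list, and candidate hostnames are all constructed placeholders), catching homoglyph swaps, hyphenated variants, typos, and the brand name buried in a subdomain of an unrelated registrable domain.

```python
# Added example (not from the original post): score hostnames for brand
# impersonation. BRAND, LEGIT and CANDIDATES are constructed placeholders.
from difflib import SequenceMatcher

BRAND = "examplebank"            # assumed brand token (placeholder)
LEGIT = {"examplebank.com"}      # assumed legitimate registrable domains

# Common look-alike substitutions seen in clone-site domains, mapped back to ASCII
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                            "@": "a", "$": "s", "ı": "i", "ο": "o", "а": "a"})


def normalize(text: str) -> str:
    """Lowercase, undo homoglyph tricks and drop separators used to pad names."""
    return text.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def registrable(host: str) -> str:
    """Last two labels of the host (simplification: ignores multi-label TLDs)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score(host: str) -> float:
    """0.0 = legitimate/no resemblance; 1.0 = brand token present anywhere."""
    if registrable(host) in LEGIT:
        return 0.0
    # Brand token anywhere in the host, including subdomains of a foreign domain
    if BRAND in normalize(host.replace(".", "")):
        return 1.0
    # Otherwise compare the second-level label for typo-style resemblance
    sld = registrable(host).split(".")[0]
    return SequenceMatcher(None, BRAND, normalize(sld)).ratio()


def flag(hosts, threshold: float = 0.8):
    """Return (host, score) pairs at or above the threshold, for takedown triage."""
    return [(h, round(score(h), 2)) for h in hosts if score(h) >= threshold]


# Constructed candidate list, e.g. from newly observed domain or certificate feeds
CANDIDATES = [
    "examplebank.com",                       # legitimate, must not be flagged
    "examp1ebank-login.net",                 # digit-for-letter swap plus padding
    "secure.examplebank.com.verify-id.xyz",  # brand as subdomain of foreign domain
    "exampelbank.com",                       # transposed letters
    "exchangebanking.org",                   # unrelated, should stay below threshold
]

if __name__ == "__main__":
    for host, s in flag(CANDIDATES):
        print(f"{s:.2f}  {host}")
```

The threshold is a triage knob: hits scoring 1.0 are candidates for immediate browser blocklisting while the takedown request is in flight, and lower-scoring hits go to an analyst.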
The second part of FI reputation revolves around FI advertising. Fraudsters are hijacking FI advertising to offer scam bank and investment products. Customers fall for these convincing ads and can lose millions. Recently the Canadian and Australian regulators warned customers about the losses being incurred by customers falling victim to these scams. Investment scams are one of the largest sectors of annual consumer scam losses. According to the 2024 FBI IC3 Internet Crimes Report, investment losses were $6.6 billion, doubling since 2022.
Fraud losses from fake ads typically fall to the customer to deal with.
As I mentioned before, the fourth critical item in helping to determine which new controls should be added is how fast the solution will yield ROI. The good news about controls for protecting FI reputation is that they are, for the most part, external to the bank’s own systems.
This means the solutions can be deployed without any bank development. Therefore, deployment can be done in weeks. The biggest part of the timeline is the bank’s vendor onboarding and contract work. With deployment complete in weeks, the FI gets an immediate reduction in bank and customer losses. Not only that, while agreements are being finalized and vendor processes checked off, a smart-thinking FI manager and a sharp vendor could create a short-term agreement to start protecting the websites and advertising/social media immediately. This is certainly what customers would want to see. STOP the threat immediately! You say that can’t be done; well, I recall in my past life, we had a serious issue and we received approval to fix it in days. In this situation of protecting financial reputation, with no integration, customer protection could begin while the final vendor steps are wrapping up. Obviously, get the essential agreement terms and pricing wrapped up beforehand.
Immediate deployment makes for a much shorter time-to-value. Instead of requiring internal development and integration, organizations can ramp up and scale brand protections more quickly and showcase results far sooner. This also means the FI reputation project can be done in parallel with other higher priority projects without impacting the project staffing.
Next Steps for Safeguarding Reputation
Working on protecting financial institution reputation is a critical effort. Because the fraudsters have the power of GenAI, they can execute reputation fraud quickly and at scale.
The most important step in tackling this problem is to define what parts of reputation you need to protect (e.g. websites, ads, etc.). Understand what the FI (fraud) and customer (investment scams with the FI’s name) losses are. Assess which vendors have the breadth of takedown capability and the speed of the various takedowns (websites can be much quicker than social media or platform ads), and what mitigation services they offer before the takedown is completed.
When you calculate return on investment, know the payback starts immediately and true breakeven is a much shorter timeframe than most security projects.
Join me (virtually) on August 20!
If this topic resonates with you, and it should, I invite you to join me and Robert Duncan from Netcraft for an important conversation:
From Risk to ROI: 2026 Security Strategy for Financial Institutions
We’ll be discussing what today’s GenAI-enabled threats mean for your institution’s reputation, how to prioritize protective measures, and what fast-payback strategies you can implement in 2025 and 2026.