Social engineering 2.0: How AI redefines financial fraud

Season 6 Episode 06

Transcript

Juan José Ríos (Host):
Mundo Financiero Seguro, your space to stay at the forefront of cybersecurity, fraud prevention, AML, fintech, and risk management.

Discover the latest threats, innovations, and key tools for building a more secure financial future. Join the conversation and turn challenges into opportunities.

Artificial intelligence has burst onto the technological scene with a speed and impact that surpasses previous waves of innovation, from the adoption of Big Data to the beginnings of modern cybersecurity. Today, organizations of all sizes are beginning to rely on AI-based systems to automate processes, optimize workflows, and respond to security incidents in real time.

However, this same sophistication has also been adopted by attackers, who use artificial intelligence to refine their techniques: from hyper-realistic deepfakes to conversational bots that scale phishing and spear phishing attacks with unprecedented levels of personalization.

My name is Juan José Ríos, and I welcome you to Mundo Financiero Seguro, the Plus TI podcast.

In this episode, we will address two main lines of thought. First, we will analyze whether, in the age of artificial intelligence, our defenses are truly more robust or whether, on the contrary, we remain exposed to risks that evolve at the same pace as technology. Second, we will explore how artificial intelligence has redefined social engineering attacks.

Joining us today are Deepak Daswani, cybersecurity expert, computer engineer, and ethical hacker recognized in Spain and internationally; and Álvaro Arzayus, digital fraud prevention product manager at Plus TI. Thank you both for joining us.

Deepak Daswani:
Thank you, Juan José. Technology is constantly evolving, and every change, every innovation, involves risk. We often forget that technology is never 100% secure because it is created by people. Even though there are secure development cycles, policies, and guidelines to minimize vulnerabilities, there is always the possibility of introducing errors or flaws that, over time, become risks for organizations.

Furthermore, the speed at which technology evolves is often greater than the ability of organizations and professionals to adapt. This means that many solutions are implemented without adequate security measures, exposing critical systems.

On the other hand, new technologies tend to be less mature and, in many cases, adopting them leads to neglect of existing infrastructure. In the world of hacking, this is known as low-hanging fruit: old, obsolete, or poorly maintained systems that attackers exploit because they no longer receive priority attention from the organization.

All of this means that, paradoxically, technological advances can increase our vulnerability.

Juan José Ríos:
Álvaro, if we add to this the fact that artificial intelligence now allows attacks to be tailored to the victim's exact profile, we are no longer talking only about quantity, but also about quality in deception. How does AI enhance personalization in social engineering?

Álvaro Arzayus:
Artificial intelligence has revolutionized social engineering through what we call hyper-personalization. Fraudulent messages that used to be generic, poorly written, or riddled with obvious errors can now appear completely authentic.

Thanks to technologies such as natural language processing, attackers can analyze large volumes of public and private data: social networks, leaked emails, forums, and blogs. With this information, they build highly detailed psychological and professional profiles of their victims.

These profiles include habits, communication tone, topics of interest, organizational structure, internal nicknames, and daily routines. With this information, criminals generate messages that mimic not only the content but also the communication style of a specific person, such as a direct boss or business partner.

Artificial intelligence also allows these messages to be refined in real time, correcting errors and making them appear increasingly legitimate. This makes detection by traditional filters extremely difficult and makes these attacks one of the most complex threats to mitigate today.

Juan José Ríos:
Deepak, with all your experience, why do incidents continue to occur if today's technology is, in quotation marks, more secure by default?

Deepak Daswani:
It's an interesting paradox. Ten years ago, developers inadvertently introduced technical vulnerabilities: injections, cross-site scripting, configuration errors, among others. Today, modern frameworks already incorporate mechanisms to prevent many of these vulnerabilities by default.

This means that even a junior programmer can develop relatively secure applications without in-depth knowledge of cybersecurity. Technical barriers have increased. However, incidents continue to occur, and in many cases even in greater volume.

Why? Because incidents are often a combination of technical failures and human error. Insecure configurations, default passwords, exposed services without authentication, or poorly managed processes remain critical issues.

Furthermore, although users are becoming increasingly aware of phishing, artificial intelligence has raised the level of sophistication so much that it is becoming increasingly difficult to detect a scam, even for trained individuals.

Juan José Ríos:
Álvaro, let's talk about deepfakes. What exactly are they, and how are cybercriminals using them?

Álvaro Arzayus:
Deepfakes are audiovisual content generated or manipulated using artificial intelligence, capable of replicating a person's voice, gestures, and facial expressions with great fidelity. With just a few seconds of audio or video, these models can create extremely realistic false representations.

In the context of financial fraud, criminals use deepfakes to impersonate figures of authority: executives, managers, partners, or even family members. A common example is the so-called "CEO fraud," where an employee receives an apparently direct instruction from their boss to make an urgent transfer.

The danger lies in the fact that it is no longer a matter of poorly written emails or suspicious calls. Victims see and hear what appears to be legitimate communication, which can even fool people trained in security.

Juan José Ríos:
Deepak, why is artificial intelligence not a magic solution for eliminating vulnerability?

Deepak Daswani:
Artificial intelligence is a powerful tool, but it remains just that: another tool in the toolbox. It is used by attackers to sophisticate their techniques and by defenders to detect threats, analyze patterns, and improve incident response.

Not applying artificial intelligence leaves you behind, but applying it does not guarantee you will be on the winning side either. It does not eliminate risk or prevent incidents from occurring; it simply adds another competitive advantage in a game where both sides are constantly evolving.

Álvaro Arzayus:
Today we also have more silent defense mechanisms, such as passive authentication and behavioral analysis. These technologies work in the background, without friction for the user, analyzing patterns such as the device, location, writing style, or interaction.

Combined with machine learning models, they enable real-time anomaly detection and fraud prevention even before it occurs. They are key components in a multi-layered security strategy, where multiple controls work together in a complementary manner.

Deepak Daswani:
We remain vulnerable in the age of artificial intelligence, albeit in different ways. Systems are more secure by default, but our dependence on technology is greater, which increases our exposure. We are more protected technically, but also more interconnected and therefore more exposed.

Álvaro Arzayus:
Artificial intelligence has redefined social engineering, blurring the line between what is real and what is fake. However, we also have advanced defensive tools at our disposal. The key is to use them as part of a comprehensive strategy that combines technology, processes, and people.

Juan José Ríos:
Artificial intelligence can accelerate our defense, but it does not replace the need for a culture of security and solid operational discipline. Only with a defense-in-depth architecture that integrates technology, processes, and people will the financial sector be able to mitigate emerging risks and protect its assets and reputation.

Thank you to our guests and to you for joining us on Mundo Financiero Seguro, the Plus TI podcast. I'm Juan José Ríos. See you next time.