Trusted Future recently hosted a conversation focused on efforts to combat digital financial scams and fraud. Participants discussed how to combat fraud, how to build a more trustworthy digital environment amid increasingly sophisticated attempts, and how policymakers can avoid weakening the safeguards companies have put in place to limit financial fraud and harms. Participants included senior government officials, representatives from the technology and financial services industries, and experts from think tanks and academia.
The conversation was lively and wide-ranging. We covered much ground and came away from the conversation with four key lessons:
- Lesson 1: The advance of AI is making digital scams more sophisticated and complex. Responsible development of trusted AI, and defensive AI, are some of the best tools we have to prevent, spot, and respond to fraud.
- Lesson 2: Policymakers should avoid laws, policies, and regulations that unintentionally diminish the existing abilities to combat digital fraud and scams.
- Lesson 3: We need to enhance encryption capabilities, not degrade them.
- Lesson 4: Comprehensive privacy policy would be a meaningful way to help protect all consumers, but especially children.
Lesson 1: The advance of AI is making digital scams more sophisticated and complex. Responsible development of trusted AI, and defensive AI, are some of the best tools we have to prevent, spot, and respond to fraud.
The rise of generative AI has significantly increased the scale and sophistication of digital fraud and scams. AI-powered tools can create hyper-realistic content: photo-realistic reproductions of specific individuals, spoofed voices, and deepfakes that open consumers and businesses up to complex phishing scams. For example, in France earlier this year a woman was tricked into giving up her life’s savings because she believed she was in an online relationship with a Hollywood celebrity who needed her help; the scam included AI-generated images of the celebrity in the hospital. The same generative AI tools can also produce personalized phishing messages that look like legitimate emails, at mass scale. Just last year, a scam used an AI-generated deepfake of a company’s CFO on a video call, which resulted in the theft of $25 million.
Fraudsters are also able to use AI chatbots to effectively mimic real human interaction. Another technique that has seen a massive spike in recent years is the deepfake-driven “face swap,” which digitally replaces one person’s face with another’s. In 2023 alone, there was a 704% increase in this technique being used to bypass identity verification, according to iProov.
But just as AI in the hands of the bad guys is a powerful tool to commit crimes, trusted, responsible AI and technologies like biometrics and digital identity wallets in the hands of the good guys are also powerful tools to recognize anomalous behavior, prevent it, and improve cybersecurity defense.
Governments and organizations are using tools like digital identity wallets as a scalable defense against fraud. Companies are also investing in cutting-edge technology to thwart scammers. For example, AI agents with the proper guardrails can help minimize the risk of human mistakes and misconduct. This can help enterprises become more secure, as agentic AI is less likely to make mistakes like accidentally exposing data or to do something malicious like making unauthorized copies of sensitive information. But this requires a trusted platform with appropriate agent guardrails that advance privacy and security.
Some other cutting-edge tools that innovators are developing and deploying to thwart fraudsters and scammers include:
- AI anomaly detection for cyber defense
- differential privacy technologies
- end-to-end encryption in the cloud
- adopting post-quantum encryption
- using AI to help outsmart scammers
- developing technologies that are secure by design
- replacing passwords with technologies like passkeys
- implementing zero-trust architecture in the enterprise
Lesson 2: Policymakers should avoid laws, policies, and regulations that unintentionally diminish the existing abilities to combat digital fraud and scams.
The European Union’s Digital Markets Act (DMA) was a major topic of conversation because it does not just raise competition issues; it raises basic privacy, security, and consumer protection issues. For example, one of the best protections against mobile app-based scams is to prevent fraudulent apps from being sideloaded onto the device and infecting it with malware, spyware, or a fake banking app. The same concern exists for message-based phishing scams, called ‘smishing.’ Smishing messages contain malicious links or requests for sensitive data and pretend to come from banks, delivery services, unpaid road tolls, and other ‘normal’ senders that make it likely the recipient will respond. When they do respond, the linked site steals the requested sensitive data.
However, the DMA weakens these existing protections in a way that could open a gateway to more rampant consumer fraud and scams: it mandates app sideloading, forces insecure message interoperability, and gives unvetted applications deep interoperability with the underlying operating system. This can lead to an increased incidence of financial scams, pig butchering, ransomware, spyware, credential theft, data breaches, and other exploits.
One example that came up in the conversation of how the DMA has weakened safeguards for platforms and app store governance: the cryptocurrency exchange Coinbase needed to send a warning to all of its European customers letting them know that, as a result of the DMA, consumers need to be aware of fraudulent Coinbase apps on iOS which could be used “to intercept your personal information, financial assets and other sensitive data.”
This concern is growing as mobile devices increasingly become the primary vector for scams. According to the Zimperium Global Mobile Threat Report, 82% of all phishing sites now target mobile devices. In fact, financial services organizations saw 68% of their mobile threats attributed to sideloaded apps, according to the same Zimperium report. This rise has a simple reason: these attacks are effective. According to the FTC, text message open rates are as high as 98%, compared to email open rates of 20%.
This is why many people who work in sensitive jobs, such as financial services and national security, have phones that are locked down and cannot download unsanctioned apps – to protect security and prevent private information from being stolen and exploited. Legislation or regulation should not undermine the similar protections that device producers offer to all users, but the DMA does. Discussants were concerned about these implications.
Lesson 3: We need to enhance encryption capabilities, not degrade them.
We also discussed the best ways to keep data safe, and the need to avoid privacy-weakening policies like the United Kingdom’s “secret order” requiring Apple to create a back door allowing the government to retrieve all the content any Apple user worldwide has uploaded to the cloud.
Encryption has emerged as one of the most powerful tools we have for keeping data safe.
- It’s built into browsers so we can trust our credit card numbers are protected with online purchases.
- It’s built into the systems we use to unlock phones so we can trust our private information will be safe even if the phone is lost or stolen.
- It’s built into messaging systems so we can trust that only the sender and intended recipient can read it.
- And it’s especially important for business users: 98% of companies reported at least one cloud data breach over an 18-month period, and lack of encryption is the primary contributor to sensitive data loss from the cloud.
Strong encryption has become an essential tool that allows companies to trust that their sensitive data can be protected – even in the case of a breach. This is why we have seen members of the U.S. Congress from both parties “condemn” the UK’s actions as “dangerous” and “shortsighted,” and Director of National Intelligence Tulsi Gabbard likewise warned that the UK’s approach “would be a clear and egregious violation of Americans’ privacy and civil liberties.”
With the clear consensus around the room that end-to-end encryption is one of the most powerful tools for protecting the cybersecurity and digital privacy of consumers, participants were frankly baffled at the UK’s efforts.
Lesson 4: Comprehensive privacy policy would be a meaningful way to help protect all consumers, but especially children.
One issue that arose during the conversation was the current lack of a comprehensive national online privacy framework, which leaves consumers at greater risk. When we think about the escalation in phishing, it’s all aimed at getting you to click on something you shouldn’t. In the mobile environment, it’s often to get you to click on a link that surreptitiously installs something on your phone. Sideloaded software has been involved in a range of dangerous exploits.
Two specific FTC cases highlight the challenge:
- Stalkerware. On October 22, 2019, the FTC announced that, for the first time, it had brought a case against a developer of “stalking” apps. The agency alleged that Retina-X Studios developed and marketed three apps that allowed purchasers to surreptitiously monitor the movements and online activities of users of the devices on which the apps were installed, without the knowledge or permission of the device’s user. The FTC also found that the app developer took steps to ensure a device user would not be aware the app had been installed, bypassing mobile device manufacturers’ security restrictions and leaving the device vulnerable to cybersecurity risks. The FTC barred them from circumventing the security protections on mobile devices aimed at preventing sideloading.
- SpyFone. In 2021, the Federal Trade Commission took action against a company whose SpyFone app could be surreptitiously sideloaded onto Android devices, which then “surveilled physical movements, phone use, online activity through hidden hack that exposed device owners to stalkers, abusers, hackers, and other threats.” According to the FTC, “[t]he company’s apps sold real-time access to their secret surveillance, allowing stalkers and domestic abusers to stealthily track the potential targets of their violence.” The FTC said the apps’ lack of basic security also exposed device owners to hackers, identity thieves, and other cyber threats.
We also discussed the immense amount of data that is now collected and combined with other data. One participant compared it to uranium, which exists dispersed in nature and is harmless, but which can become dangerous when it is collected and refined on a massive scale. This means that individuals’ personal information, such as names, addresses, financial details, and even behavioral patterns, is more accessible to cybercriminals. The Better Business Bureau recently released its 2025 Identity Theft Scam Study, which shows that people lost over $125 million to identity theft scams in 2023, the most recent data available. This is because, after data breaches, data can be found on the dark web, sold, and recombined with other data either to access accounts or to be fed into AI to create more targeted phishing scams.
This all speaks to the importance of data minimization. Data minimization has been part of recent proposals for digital privacy legislation and is a practice that some privacy-conscious companies are already putting into practice. Data minimization means that an organization or company only collects, processes, and stores the minimum amount of personal data required for a specific purpose. Even the most secure system could theoretically be breached, so if only the data that is necessary for a specific function is stored, the impact of any breach is limited.
With new issues heating up around the country, we also discussed the best ways to protect kids’ privacy and safety online. While there are no silver-bullet solutions to what has historically been a complex set of issues, there are ways to address these challenges by taking a comprehensive and thoughtful approach to protect kids’ safety, privacy, and parental rights in a way that is based on collaboration and recognizes everyone’s shared responsibilities. The contours of such an approach include:
- Make sure parents can be in charge of the apps their kids download, as they are today.
- Make sure parents have the ability to choose how and whether limited age-range information about their children (for example, whether they are a teen or a minor) is shared.
- Only share data with the apps that need it.
- Only share age-range data, instead of specific birthdates.
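To make the data-minimization idea above concrete, and to show what sharing an age range instead of a birthdate looks like in practice, here is a small added illustration. It is example code written for this page, not code from any company, regulator or product mentioned in the discussion. The app names, the per-app lists of needed fields, the age brackets and the sample profile are all constructed assumptions; a real platform would take the app's declared needs from its manifest or a parental-consent flow.

```python
"""Data-minimization filter: release to each app only the fields it has declared
it needs, and replace a child's birthdate with a coarse age range.

Added example for this page; names, brackets and sample data are constructed.
"""
from datetime import date

# Coarse brackets an app may learn instead of a birthdate (constructed choice).
AGE_RANGES = (
    (0, 12, "child"),
    (13, 17, "teen"),
    (18, None, "adult"),
)

# Hypothetical apps and the fields each has declared it needs. A field not
# listed for an app is never released to it, whatever the app asks for at runtime.
APP_NEEDS = {
    "homework-helper": {"display_name", "age_range"},
    "bank-app": {"display_name", "email", "age_range"},
    "flashlight": set(),
}

# Fields that may ever leave the device after minimization. Raw birthdates and
# home addresses are deliberately absent, so they cannot be released by mistake.
RELEASABLE = {"display_name", "email", "age_range"}


def age_range(birthdate: date, today: date) -> str:
    """Map a birthdate to a bracket label; the birthdate itself is never returned."""
    years = today.year - birthdate.year - (
        (today.month, today.day) < (birthdate.month, birthdate.day)
    )
    for low, high, label in AGE_RANGES:
        if years >= low and (high is None or years <= high):
            return label
    raise ValueError("birthdate is in the future")  # negative age: caller error


def minimize(profile: dict, app: str, today: date,
             parent_allows_age_range: bool = True) -> dict:
    """Return the minimal view of `profile` that `app` is allowed to receive.

    - Unknown apps get nothing (KeyError): no declared needs, no data.
    - The raw birthdate is dropped before filtering, so it can never pass through.
    - The derived age range is added only if the parent has allowed sharing it.
    """
    needs = APP_NEEDS.get(app)
    if needs is None:
        raise KeyError(f"unknown app {app!r}: no declared data needs")
    derived = {k: v for k, v in profile.items() if k != "birthdate"}
    if "birthdate" in profile and parent_allows_age_range:
        derived["age_range"] = age_range(profile["birthdate"], today)
    return {k: v for k, v in derived.items() if k in needs and k in RELEASABLE}


if __name__ == "__main__":
    # Constructed sample profile for a 13-year-old; not real data.
    sample = {
        "display_name": "Sam",
        "email": "sam@example.com",
        "birthdate": date(2011, 6, 15),
        "home_address": "1 Example Street",
    }
    today = date(2025, 6, 1)
    for app in APP_NEEDS:
        print(app, "->", minimize(sample, app, today))
```

The two lists at the top are the policy; the functions just enforce it. Because the birthdate is removed before any filtering and the address is not in `RELEASABLE`, an app that is later compromised, or that simply over-asks, cannot obtain either: only the fields it was granted were ever stored on its side, which is the breach-limiting effect the passage above describes.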
Parents don’t win with a patchwork of state laws on privacy or safety. We need a national privacy framework.
We are grateful for the participants in the discussion who all brought valuable expertise and perspectives. While the digital world may feel frightening at times – and indeed there are real threats – there are steps we can take to both protect and further advance our privacy and cybersecurity, building a more trusted future.