Fighting Financial Fraud

$12.5B lost to consumers and businesses globally in '23

$500B spent annually on identity verification and fraud prevention

79% of financial CISOs said threat actors are deploying more sophisticated attacks

As we enter a new generative AI era, we're looking for startups that help with real-time detection, monitoring, and protection against fake identities and fraudulent transactions.

  • $12.5B record lost to consumers and businesses globally in 2023
  • Financial Services is the 2nd most impacted sector on data breaches
  • 79% of financial CISOs said threat actors are deploying more sophisticated attacks

Introduction

In today’s digital age, financial fraud has become an increasingly prevalent and costly issue for businesses and consumers. As technology and AI continue to improve, fraudsters develop more creative and sophisticated attacks. This constant evolution requires fraud prevention solutions to continuously adapt and improve their detection capabilities.

At Montage, we have an active thesis in the space, with this piece exploring some of the market opportunities we’re hunting for. Since we have a strategic focus on financial services and insurance, this post explores opportunities and companies that sell to financial services as a segment and is written from an FI’s perspective.

We’ve invested in Carefull, which provides financial safety and monitoring for caretakers and their families. Carefull was born out of the founders’ (Todd Rovak and Max Goldman) personal experiences witnessing parents missing mortgage payments and scrambling to find a solution. They’ve built a platform uniquely suited to seniors, who are often targeted with social engineering scams (more below), to help them prevent suspicious payments and deposits, set up bill payments, monitor their credit and identity, and set up trusted access control for family members. Carefull has both a direct-to-consumer (DTC) annual subscription and a B2B channel, partnering with wealth advisors, banks, and insurance companies to better serve their clients.

As we’re looking for another investment to make in this space, we’ll dive into additional areas in fraud we’re excited about. Our mantra at Montage is to introduce founders to our strategic network of financial institutions to help supercharge go to market, and we’d love to chat with anyone building in this space. 

Cyberattacks, fraud, or financial crime

Many institutions draw a distinction between fraud and financial crime. However, boundaries continue to blur. While financial crime refers to illegal activities such as money-laundering or tax evasion, it is typically viewed as a compliance problem. In contrast, fraud generally designates a host of crimes, such as credit scams and identity theft. Recent attacks show that distinctions among cyberattacks, fraud, and financial crime are disappearing:

For the purposes of this exploration, the term “Fraud” encompasses a host of cyberattacks (which can lead to ransomware, compromised credentials, unauthorized payments), financial crimes (money laundering), as well as traditional fraud (application, credit card, chargebacks, account takeovers).

The Cost of Fraud for FIs

The cost of fraud extends far beyond the immediate financial losses, encompassing a wide range of direct and indirect expenses. In 2023, the FBI reported that consumers and businesses lost a record $12.5 billion to online fraud, a 22% increase from the previous year. Fraud rates are rising for both consumers and business accounts globally.

Financial institutions are particularly vulnerable, with nearly 60% of banks, fintechs, and credit unions losing over $500,000 in direct fraud losses over a 12-month period. Surveys indicate that fintechs, on average, lose 1.7% of their annual revenue to fraud. This percentage may seem small, but for rapidly growing fintech companies, it can translate to substantial monetary losses.

Indirectly, fraud incurs a number of expenses, including investigation expenses, reputational damage, operational disruptions (particularly in the cyber realm), and even regulatory fines. In 2023, individuals and organizations were slapped with $6.6 billion in compliance fines (up 53% YoY) for failing to comply with AML, KYC, ESG, and CDD regulations (although the majority of that total was the $4.3B fine to Binance for AML failings).

In cybercrime, financial institutions were the second most impacted sector based on the number of reported data breaches (incidents where sensitive data is accessed, stolen, or exposed without authorization) in 2023. The rate of ransomware attacks on FIs has increased from 55% in 2022 to 64% in 2023 (Sophos). The biggest root causes of attacks included exploited vulnerabilities, compromised credentials, and malicious emails/phishing.

Opportunities We’re Seeing

We’ve segmented the market into cybersecurity approaches selling to CISOs, or identity and transaction monitoring use cases for risk, compliance, and fraud teams:

Social Engineering and Phishing Solutions

According to Proofpoint’s CISO survey, email fraud (36%) was the third leading threat after ransomware (41%) and malware (38%). Email fraud is seen as the biggest threat over the next 12 months by public sector (61%), transport (58%) and financial services (41%). The global scale of business email attacks is staggering – Proofpoint’s data shows an average of 66 million monthly targeted attacks.

Interestingly, Microsoft is the most abused brand, with common email scams asking to click on links to change account credentials or fake support team emails. In addition, there is now a likely link between BEC and generative AI, as attackers can use the technology to create more convincing and personalized emails in multiple languages.

In addition to voice, video, and image deepfake detection (more below), we see email channels as being a core component of cybersecurity and fraud prevention as more individuals are being targeted through social engineering tactics.

Sublime Security is an interesting company that helps security teams monitor inbound emails, block domains, and triage phishing attacks for a variety of enterprises. Doppel is another example of anti-phishing and brand protection by monitoring email, applications, and social media to detect impersonations, working with a variety of crypto companies and asset managers.

Deepfake Monitoring, Detection, and Takedown/Resolution

With the advent of Generative AI, the barriers to entry for fraudsters to breach financial systems or to carry out social engineering efforts are lower than ever. Attackers can now create highly convincing replicas of legitimate websites with unprecedented speed and accuracy, enticing victims into sharing sensitive information or engaging with malicious content. 

For example, ChatGPT can be easily used to create a fake login page. FraudGPT was recently released on the dark web to create content for cyberattacks, along with other tools for cheap. Fraudsters can now easily clone fake documents, or impersonate people via photo, video, or voice, potentially leading to Account Takeovers and APP fraud. In February this year, a finance clerk working at a Hong Kong branch of a large multinational corporation was scammed into wiring $25M in funds (Source). The attacker posed as the company’s CFO via deepfake video conference call, recreating the likeness and voices of executives.

“The concern for deepfakes or scenarios discussed is extremely prevalent and actually a high loss.” – Head of AI at a Multinational Bank

At Montage, we’re interested in applications that detect AI-generated content for the use cases of 1) financial services and fraud, or 2) brand identity and protection. 

For financial services, banks and asset managers are looking for solutions to prevent either fake IDs at account onboarding, voice impersonations for call centers, or deepfake video calls. On the ID side, there are vendors emerging like DuckDuckGoose and AI or Not that provide scoring on tampered images, AI detection, and surface the underlying foundational model used. On the voice front, we’re seeing incumbents like Pindrop and challengers like Reality Defender analyze speech patterns or video calls in real time. 

We’re also interested in platforms that can scan the internet to detect unauthorized images, video, or voice that copy the likeness of another person, brand, or IP. These platforms also help with workflows for automatic takedown or settlement. This remains a challenge for media, entertainment, and even creator/celebrity or HNW use cases. Beyond entertainment, there are additional use cases for global consumer brands, fintechs/banks, and even governments to monitor high-profile individuals being cloned or unauthorized use of trademarks and IP. A new class of startups is emerging, such as Clarity, Outtake, Loti, and Podqi, each serving different segments.

First-Party Fraud Detection

Fraud continues to be a growing challenge for banks, fintechs, and merchants to manage, with first-party fraud often miscategorized as credit loss and written off as bad debt. 

Bust-out fraud is the most common first-party fraud across the US & UK, where someone using a legitimate (their own), stolen, or synthetic identity maxes out their credit card debt, leaving banks and issuers to absorb it (generating $6B in losses annually). It starts with the application, but may take years to uncover, as the customer may make timely payments for years before suddenly maxing out the credit card.

There are leaders in the space like Datavisor that help FIs take a holistic approach in analyzing application attributes and behaviors across accounts. Newer approaches by Unit21 aggregate data insights in their consortium to help members share protected/anonymous data, screen customers for any reported fraud, and customize workflows based on their risk tolerance. Their consortium currently has 35M adults in the US, including customers like DriveWealth and MoneyLion to help report and fight against bad actors in the ecosystem.

“Collaboration in the industry is still not there. Early warning was initially founded for banks and excluded fintechs. Consortiums need to get to a scale of volume and privacy is a big concern” – Trisha Kothari, CEO of Unit21

As it relates to our commerce thesis, chargebacks are a big problem that have primarily centered around merchants. A chargeback is a reversal of funds following a debit or credit card purchase, set in motion when the customer files a dispute over the charge with their bank or credit card provider. Chargebacks are almost always initiated by customers; refunds involve the business telling their payment processor to return funds to the customer. With a chargeback, the customer’s bank will usually pull the funds in question from the business’s account and hold on to them while they sort out whether the chargeback request is valid, taking up to a week for refund (or several months if the merchant contests the charge). While chargebacks can be legitimate, they can also be “friendly” in that consumers don’t recognize the charge, claim delivery problems, or just don’t want to pay for the product. Disputes often are manual for banks and merchants, and depending on the size of the transaction, can create a strain on merchants and their processors. We see the market having many chargeback solutions focused on merchants (Justt, Chargehound, ChargeUp, Sift, ChargeBlast, Pinch). There are also a few providers emerging like Efficio that focus on helping fintechs, banks, and card issuers investigate dispute workflows.

Global Risk Management

As companies become global in nature and enter into two or more markets, managing identities, compliance, and fraud risk becomes challenging.

In 2019, Europe introduced the Strong Customer Authentication (SCA) requirement as a security mandate requiring financial institutions to use at least two independent methods to verify a customer's identity when they make an online payment. While the overall impact of SCA has been positive, there remains a significant challenge in cross-border transactions, particularly those involving countries outside the EEA where SCA compliance is not mandatory. Fraud rates for these transactions were notably higher—up to ten times more—underscoring the need for enhanced security measures in international payment processing.

To address the vulnerabilities in cross-border transactions, FIs are looking to invest in advanced fraud detection systems that leverage real-time analytics. These systems can identify and mitigate risks associated with transactions from emerging markets. 

At the very start of addressing global payments is verifying consumers’ or businesses’ identities globally. Companies like AiPrise aggregate vendors and registries across countries, covering local documents and providing a decisioning engine.

Real Time Payments Fraud

Real-time payments have become the standard for many countries such as Brazil, India, and the UK, with the irreversibility of the payment making it attractive for fraud schemes.

Taking a cue from Europe, £459.7 million was lost to authorized push payment (APP) scams in 2023. In the UK, Faster Payments (instant payments) was used for 98% of fraudulent APP scam payments (Feedzai’s 2024 report). Common examples of APP scams include purchase scams, invoice scams, CEO impersonation, and social engineering scams.

The UK’s economic regulatory agency introduced a rule in June 2023 to mandate reimbursement for victims of APP scams -- prompting financial institutions to implement more robust security measures against APP fraud, including enhanced security systems and consumer education programs, while splitting the liability to repay the victim 50-50 between the sending and receiving bank. 

With this rule, UK banks find themselves responsible for fraudulent transactions, requiring new strategies to detect anomalies in transactions. PSPs also need to delay outbound payments through the Faster Payments service if they have grounds to suspect fraud, rather than processing them instantly.

In the US, this problem set is still in its emerging stages, and we haven’t yet seen specific regulations on reimbursement for APP scams as in the UK. Real-time payments through RTP and FedNow are still looking to gain traction in the market. Platforms like Effectiv are ahead of the market in providing a platform solution, with payment fraud detection for RTP as a core feature. We expect this area to continually evolve as RTP gains traction in the US.

What We’re Looking For

Many CXOs are most concerned about AI-driven fraud in the coming year, and are looking to invest in new solutions that help with identity risk mitigation and authentication. Selling into banks and financial institutions can be rewarding despite the long sales cycles. We see an established checklist of a few areas that matter when selling into this customer segment:

  1. Real time – Today, many banks don’t monitor mule risk in real time. Being able to monitor AI-generated identities, behaviors, and payments with short latency is essential.
  2. Technology Moat – We’re interested in founding teams who have built a unique catalog of models to detect fraud with greater accuracy against what FIs have attempted to build in-house.
  3. Point versus Platform – A point solution can be implemented in the tech stack or offered via a partner to supercharge GTM, versus adopting a platform that can service end-to-end workflows. A solution can start as a point solution for faster sales cycles and develop into a platform solution.
  4. Ease of Integration – Selling to FIs typically requires 6-month sales cycles and another 6 months of deployment. Companies selling to FIs should be prepared to come with ease of integration (assessment, IT review, POC, deployment, and production).
  5. Collaborative Data Sharing – Cross-functional workflows between cyber and fraud units as lines begin to merge. We’re interested in how teams can collaborate with each other through better frameworks, risk identification, and sharing of assessment processes, streamlining holistic views of attacks and customer profiles. In addition, models allowing for knowledge sharing with vendors such as consortium data and portability are interesting features to consider.

“Innovating on the models is not enough. There needs to be a distribution advantage to build the data moat and deliver the product where the customer needs it.” – Rohan Ramanath at Nubank (formerly Co-Founder of Hyperplane)

A Call for Founders

At Montage, we collaborate with founders to support them in supercharging their commercialization through introductions to our strategic network of potential customers. We’re a boutique seed firm choosing to work tirelessly for founders – providing functional support on hiring, marketing, sales, product, and capital markets.

If you’re a founder building in any of these areas I’d love to hear from you! Please reach out to Connie at connie@montageventures.com