SardineCon SF/2026

Learn More
Fraudology

Devious Gift Card Scams, AI Weaknesses in Major Banks, & The Scaled Threat to Community Lenders

Title card for Fraud/ology #407: "Devious Gift Card Scams, AI Weaknesses in Major Banks, and the Scaled Threat to Community Leaders" with Karisse Hendrick, pictured smiling in a striped jacket.

Welcome back to Fraudology.

Some fraud stories look disconnected at first.

A retail gift card scam over here.AI phishing over there.Major banks patching cybersecurity vulnerabilities.Community banks and credit unions getting hit with more personalized impersonation scams.A weird concern about peace sign selfies and fingerprint fraud.

At first glance, it can feel like a pile of unrelated fraud headlines.

But when you look closer, there is a pattern.

In this solo episode, I’m breaking down how gift card scams, organized retail fraud, AI-driven phishing, biometric fraud, and bank impersonation scams are all pointing to the same bigger issue: criminals are getting much better at finding the weak spot between systems.

Not just inside one company. Across retail, banking, cybersecurity, reshipping, tech support scams, and social engineering.

That is the part fraud teams should care about.

Because organized crime rings do not care whether the vulnerability sits in a retailer’s price-match process, a community lender’s call center, a consumer’s old credit card data, or someone’s belief that a selfie is harmless. They care about what works. And when something works, they scale it.

This episode starts with a very specific retail scam involving manipulated HTML price matching and store credit. But it quickly connects to something much bigger: how stolen or victim-funded gift cards move into high-end electronics, how overseas reshippers help clean up the trail, how elder scams in tech support feed retail fraud, and how AI phishing is changing the pressure on banks and credit unions that do not have unlimited fraud operations capacity.

Yeah.

That is a lot.

The theme is pretty simple: fraud is becoming more connected, and the old boundaries between retail fraud, cybersecurity, banking fraud, and scam prevention are getting harder to defend.

What you’ll hear in this episode:

  • How manipulated HTML price matching is being used in gift card scams
  • Why organized retail fraud groups keep adapting around stronger controls
  • How gift card theft connects to elder scams in tech support and high-end electronics purchases
  • Why AI phishing is increasing the scale and quality of bank impersonation scams
  • How community banks and credit unions are being targeted with more personalized fraud attempts
  • Why AI cybersecurity tools are exposing new pressure around bank vulnerabilities
  • What biometric fraud and fingerprint fraud reveal about the risks of high-resolution personal data

You should listen to this episode if you:

  • Work in fraud prevention, retail fraud, banking fraud, payments, or trust and safety
  • Are tracking gift card scams, gift card fraud, or organized retail fraud
  • Care about AI phishing, AI-driven phishing, and bank impersonation scams
  • Support community bank fraud or credit union fraud prevention programs
  • Want to understand how organized crime rings connect scams, reshipping fraud, and retail abuse

If you liked this episode, be sure to subscribe and review the podcast on iTunes, Spotify, YouTube, or wherever you listen to podcasts. It really helps with getting the word out.

Episode notes & key takeaways

This episode is about how quickly fraud groups adapt when one path gets harder.

Gift card scams are a good example of that. Retailers put controls in place to stop bulk gift card theft, so organized groups start looking for other ways to extract store credit, products, or value from the system. In this case, that means manipulating what a store associate sees during price matching, using local code changes on a personal device, and turning that into hundreds of dollars in store credit per hit.

Not exactly subtle.

But also, not random.

The bigger theme is that fraudsters are not just looking for a single weak control. They are looking for process gaps. They are looking for places where trust, speed, customer service, and operational pressure create an opening.

The same thing is happening in banking.

AI phishing is making bank impersonation scams more believable and easier to scale. That creates real pressure for community banks and credit unions, especially when attackers can use old card data, deep-web dumps, and consumer-specific information to make a scam feel legitimate before the conversation even starts.

That is where the retail and banking stories connect.

The fraud may show up in different channels, but the playbook is the same: find the weak point, make the story believable, move quickly, and turn the fraud into value before anyone can stop it.

Why gift card scams keep evolvingLet’s break this down.

Gift card scams are not just about someone stealing a stack of cards from a rack. That still happens, of course. Organized retail fraud has moved well beyond the obvious version.

In this episode, the gift card scam is tied to manipulated price matching. The criminal changes what appears on their own device, shows a fake lower price, and uses that moment to receive store credit or value from a retailer. The actual manipulation may happen locally, but the loss shows up inside the retailer’s process.

That is why this kind of fraud is hard.

The system may not be fully “hacked.” The criminal may simply understand the workflow better than the person enforcing it.

  • Gift card scams often exploit process gaps instead of traditional payment controls
  • Organized retail fraud groups adapt when retailers close older abuse paths
  • Store credit can become another way to move value through the fraud ecosystem
  • Fraud prevention teams need to monitor how controls behave in real customer workflows

How retail fraud connects to tech support scams

One of the important patterns here is how retail fraud connects to elder scams in tech support.

A victim may be manipulated into buying gift cards or funding purchases. Those gift cards can then move into high-end electronics or other goods. From there, reshipping fraud helps move products across locations or overseas, making the trail harder to follow.

So the fraud does not start and end at the register.

That is the part companies sometimes miss.

The retail transaction may be the cash-out stage of a much larger scam. And if the team only looks at the in-store behavior, they may miss the victimization that happened before the purchase and the organized crime logistics that happen after it.

  • Elder scams in tech support can feed gift card fraud and electronics purchases
  • Reshipping fraud helps organized crime rings move stolen or victim-funded goods
  • Retail fraud teams need to understand what happens before and after the transaction
  • Gift card fraud is often part of a broader scam and laundering workflow

Why AI phishing raises the pressure on community lenders

AI phishing changes the scale problem.

Community banks and credit unions already deal with impersonation, phishing, and account-related scams. The difference now is that attackers can create more personalized messages, cleaner scripts, and more believable outreach much faster than before.

That matters.

A scam that used to look generic can now sound like it was written for one specific customer. And when criminals combine that with old card data, breached information, or deep-web dumps, they can reference just enough real detail to make the victim trust the call, text, or email.

That puts smaller lenders in a difficult position.

They may not have the same staffing, tooling, or response capacity as major banks, but their customers can still be targeted with scaled, AI-driven phishing.

  • AI phishing makes bank impersonation scams more believable
  • Community bank fraud can increase when attackers automate personalized targeting
  • Credit union fraud teams need stronger visibility into scam patterns and customer reports
  • AI-driven phishing can overwhelm teams that are built for lower-volume manual review

Why cybersecurity vulnerabilities are now fraud issues

This episode also gets into AI cybersecurity and bank vulnerabilities, and this is one of those areas where fraud and security teams need to stop pretending their worlds are separate.

If a cybersecurity weakness helps criminals build a better impersonation scam, access customer data, create a more believable message, or move earlier in the attack path, that becomes a fraud problem too.

Right.

The fraud may happen later. But the setup often starts much earlier.

That is why fraud teams need to pay attention when AI tools expose chains of low-risk vulnerabilities that can be combined into something more serious. Criminals do not always need one dramatic failure. Sometimes they just need a few small gaps that work well together.

  • Cybersecurity vulnerabilities can become fraud enablement points
  • AI cybersecurity tools may expose how small flaws combine into larger risks
  • Fraud prevention improves when fraud and cybersecurity teams share signals
  • Bank impersonation scams often rely on trust created before the payment or account event

Why biometric fraud belongs in the fraud conversation

The fingerprint fraud example may sound unusual at first.

Someone makes a peace sign in a high-resolution photo. AI and image tools can potentially reconstruct enough fingerprint detail to create risk. And yes, it sounds like one of those stories that makes people say, “Come on, really?”

The bigger point is not that everyone needs to panic about every selfie.

The point is that biometric data is different.

You can change a password. You can replace a card. You can close an account. You cannot easily replace your fingerprint. So when biometric fraud becomes possible, even in narrow or emerging use cases, fraud teams need to pay attention to how that data is collected, stored, exposed, and used for authentication.

  • Biometric fraud creates long-term risk because biometric data cannot be easily changed
  • Fingerprint fraud shows how everyday images can become security data
  • AI fraud can turn ordinary personal information into more useful attack material
  • Trust and authentication systems need to account for permanent identifiers

Final takeaway:

Gift card scams are not just a retail problem.

They are a fraud ecosystem problem.

The same organized crime groups that manipulate retail processes may also rely on tech support scams, reshipping fraud, AI phishing, bank impersonation, stolen data, and cybersecurity gaps. The channels look different, but the logic is familiar.

Find the process gap.

Make the story believable.

Move the value.

Scale what works.

That is why fraud prevention has to become more connected. Retail teams, banking teams, cybersecurity teams, and scam prevention teams all see different pieces of the same activity.

And if those pieces stay separated, criminals get the benefit of the gap.

Which, as we know, they tend to enjoy.

Connect with Karisse Hendrick | LinkedIn

  • Host of the Fraudology Podcast
  • Award-Winning Cyberfraud Expert
  • Ecommerce Fraud Prevention Consultant
  • Startup Advisor, Keynote Speaker, and
  • Consultant to Fortune 500 merchants
Host
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
Ecommerce Fraud Prevention Consultant
Episode transcript
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
00:02
Welcome to Fraudology Podcast, where we dive into the science and study of online fraud from the perspective of an e-commerce fraud fighter. I’m Karrise Hendrick. Welcome to this week’s episode of the Fraudology Podcast.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
00:16
Well, today it's going to be a solo episode. I am back from all my travels and, as far as I know, will not be traveling again till August, and then after that for a family wedding. And then after that it'll be for MFA, the Merchant Fraud Alliance First Annual Conference, which is October 6th and 7th in Chicago. You're going to hear me talk about it a lot because I want as many merchants to come as possible. I don't want anyone to have FOMO. I want everyone there. And a little bit of a plug for it, ticket prices are going to go up on July 1st. Right now they're only $495 for merchants. Just as a reminder, we're not selling vendor tickets. We only have 15 sponsor companies, and those are the only vendors that will be able to attend the conference. That's to limit the ratio. We really want it to be a five-to-one ratio. Most conferences I've attended are one-to-one or less than one-to-one, like more merchants to vendors, and you can feel it. And this is really about merchants, and they want to find their peers. They want to learn about, you know, the solutions as well.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
01:24
And I think we've done a good job of working with 15 companies in the industry that people want to talk to and learn from. They're kind of the best of the best in their spheres. So we have, you know, a really good chargeback company. We have a couple of great behavior biometrics and device ID companies. We have a few transaction monitoring services, just things like that. So anyway, the tickets are, for merchants, they're only $495 until July 1st. We also negotiated fairly low hotel rates for downtown Chicago. So we're doing the best we can to keep this, you know, really budget friendly. So anyway, that's my plug for the day. I am working hard on the agenda and I'm really excited about it. I'll be able to start talking about specifics soon on that. One other thing to share before I dive into some fraud news stories of the week. Speaking of MFA, not multi-factor authentication, but the Merchant Fraud Alliance. It's not at all confusing in my brain, but I also came up with the name, so I can't be too, you know, can't make fun of it too much.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
02:23
But the MFA is putting on a free webinar on June 16th at 1:00 PM, and it's all about VAMP. It's all about the Visa Acquirer Monitoring Program. And it's going to be myself and Anoush, who is the head of product for VAMP. No one else knows more about VAMP than Anoush because she heads up the program. And I think the problem that people have had in the past, that merchants have shared with me about other webinars that have been done on VAMP, is that oftentimes the speakers are people that are in sales, especially for the Verifi products, the alerts. And so you can't get as much information about the specific program if you're not talking to the product, you know, people who manage the program. So I'm really excited about this.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
03:17
I got together about 20 merchants about a month ago and asked them, you know, tell me every question you've ever had about VAMP. And I wrote out two pages of notes, typed, and sent those to Anoush and her team. And they went over those and they said it was really, really helpful to understand what, you know, merchants were still struggling with. And that's the outline for our webinar, is answering those questions. They'll answer all of them that they can. So I think that that is going to be a really good educational event, especially if you're on the merchant side. If you're not and you are on the acquirer side, you definitely should have done. If you're on the banking side, you might be curious, you can totally join as well. But primarily the audience is for merchants. So make sure you register.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
04:03
I will do my very best to remember to put a link to the webinar in the show notes, because I do that on a different day than when I'm recording and sometimes I forget. If you look in the show notes and you don't see a link, just ping me on LinkedIn and I'll send you the information or look at my profile. I think I posted about it recently. So those are options to find it. Unpacking the Target price match gift card scam All right, let's dive into some fraud news, shall we?
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
04:28
There's a few, it's just kind of a potpourri of stories. I try to come up with a theme for these fraud news episodes. Or, you know, maybe there's one main article, you know, a big bust or something like that, or, you know, a new program coming out or whatever it is. But today's just going to be a potpourri of a handful of stories that I found interesting. The first one, since I already talked to merchants for the first few minutes, this next one is a merchant fraud issue that I think banks should also be aware of. But if you are working for a large retailer, especially that has gift cards or, you know, fast casual food delivery services, anyone that has gift cards, this might be a really important new scam to be aware of, even if you just sell gift cards, you know, for other companies. The title of this came from Gary Warner, who I really want to try to have on the podcast again soon. He is just, I've known him, known of him for, I don't know, the last 18 years of my career, and I've learned so much from him, whether it's just following him on LinkedIn or seeing him at conferences. So he posted about this on LinkedIn and I think it's really good to be aware of.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
05:41
There's a new Target price match gift card scam, and Gary's calling it devious, and it's involving manipulated price matching at Target. So the Target price match gift card scam, basically, it's a new variant of the Chinese organized retail fraud via gift cards that Gary hadn't seen before. He says Target is doing an admirable job fighting gift card fraud. So how did they get around this? I think I know exactly how they got around it, but I'll share that in a minute. So step one is to buy a burner gift card. You use a list of elder victim gift cards delivered by WeChat to buy a high-end iPad at Target.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
06:20
Two, you fake the price on a phone. So you open a locally edited copy of target.com on a device. Same item, much lower price. So it looks like it's on Target's website. And Target has a deal where if you buy something in the store that's more expensive than you can get it on their website, they'll do a price match. So you buy the expensive iPad in Target, you go to customer service, and it's very easy to do now, especially with AI. You create a locally edited HTML copy of target.com that shows the same item but a much lower price. Then you trigger the price match. You show the fake page to the customer service and claim the price match guarantee.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
07:02
Step four is you walk out with a real gift card. So Target issues an activated store credit gift card for the difference. Usually it's about $400 to $550 per hit. So, you know, they may buy an iPad for $1,000. They'll show a locally edited HTML page from Target that says, actually, I could have gotten this iPad online at target.com for $500. Then the Target customer service agent gives them a $500 gift card for the difference. Step five is to ship the goods overseas. So the iPads are mailed via FedEx to a Hong Kong reshipper and then, you know, they launder the proceeds. So they use the gift cards to launder the proceeds and maybe sell the gift cards or buy again and just keep this going over and over again. There's an estimate that Target has lost over $4.6 million since 2022 on gift card fraud. That actually seems low to me. I don't know for sure, but what I do know is that, you know, we've talked about Operation Red Hook before.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
08:06
Let's read his post first because he does talk a little bit about this being a variant. So he says, here's a new variant of the Chinese organized retail fraud via gift cards that I hadn't seen before. McGee Mcguy Lee of Levittown, NY, and Zhao Zhao of Flushing, NY, were arrested for their roles in gift card fraud against Target, including in Miami-Dade and Broward counties in Florida. As I mentioned before, Target is doing an admirable job fighting gift card fraud, including selling cards that don't have an activation sticker on them until it is applied at point of purchase by a Target employee. The reason they do this now, and I've talked to people that are very familiar with the situation, the reason they do this now is because of those, I think it was over a billion dollars, but it was millions of dollars of fraud through Operation Red Hook last year or the last two years, where Chinese nationals were stealing gift cards in stores by the stack, just walking out with them. Because if the cops were called, they would say, well, there's no value on these gift cards. I'm just taking some gift cards. They don't have any value on them. Well, they would take them and then very systematically they would have another group take the hidden number off for the activation code off of the card and log it in their system. And then they would have another team cover that up and make it look like it had never been tampered with and never been touched. And then another team would take those gift cards and put them in other locations. So oftentimes they would steal the gift cards, the zero-balance gift cards, on the West Coast, and then this process would happen. And then they would distribute those cards on the East Coast in different kiosks. So then again, if the cops were called, it was, well, I'm just returning these gift cards that don't have any balances on them. I'm not doing anything wrong. But unfortunately, what would happen is that unassuming consumers would buy those gift cards and put money on them. And these Chinese syndicates were continually checking the balances of these card numbers. And as soon as there was a balance on them, they would drain those cards. And so a consumer would gift a gift card to a niece or a nephew or, you know, whoever, and they would go to spend it and there would be $0 on it.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
10:28
So this has been happening for a long time. The things that Target has been doing like including, you know, selling cards that don't have an activation sticker on them until it's applied at point of purchase by a Target employee, that's because of Operation Red Hook. That's them trying to stop that type of fraud. And as we know, in fraud, it's like a balloon. When you squeeze one side, the air goes to the other side, right? It doesn't just go away. So this is their new method of trying to target companies such as Target, and I imagine Walmart and Amazon and Best Buy as well. Members of the group would purchase high-end electronics and then manipulate the HTML on a Target web page to make it seem like the same item was on sale for a much lower price online. Using this manipulated web page as evidence, they would request that Target honor their price match guarantee, which would be issued in a form of a Target gift card, which was activated for the difference in purchase price. They were not editing the actual Target website, but a local version on a singular device, which they would display to a customer service rep to receive the in-store credit in the form of a gift card.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
11:37
Lee received lists of gift cards to use for the initial purchases via WeChat group. Zhao admitted that she had been trained in manipulating the HTML to display the greatly discounted price. Target refers to this as PPMD fraud, post-purchase markdowns, and says that since 2022 it has cost them $4.6 million. Okay, that $4.6 is from post-purchase markdowns. Not all gift card fraud. That's why it's like, well, that seems low, but that's high for this specific type. I mean, sometimes I wonder how fraudsters have so much time to think these things up and then carry them out too, because they can be quite, you know, sometimes they can be pretty tedious. Lee used this technique to receive $37,725 in credit, while Zhao defrauded Target of at least $56,000 as recently as May 19th and May 20th of 2026. Lee is an illegal alien of Chinese nationality. He was confirmed on video attempting to enter the country via the Mexico-San Diego border crossing on September 22nd, 2023. Multiple Chinese individuals all use the same address, which could be helpful to anyone who wants to put this address in their system if they're a merchant to see if you've shipped to this address before. It's 2 Booth Lane, Levittown, NY 11756, and that's their address of record. The phone number used was 9173656788. I don't usually provide those things as PII, etcetera, but it's public. It's in the public domain. I would never, ever, ever provide an address or a phone number or anything like that if it wasn't public. Certainly not on the podcast.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
13:17
The pair rented a car from Avis in Maryland and went on a fraud spree performing PPMD, which remember is post-purchase markdowns fraud, in Florida, Texas, Louisiana, Georgia, Alabama, North Carolina, South Carolina, and Virginia as examples of their success. The criminal complaint filed by Homeland Security Investigations includes an example of purchasing an $1,199 iPad and receiving a PPMD credit of $450. In another, they purchased a $799 iPad and visited another store to claim a PPMD credit of $550. So they were getting that iPad for what, $250? I mean, but customer service reps are trained to appease the customer. They're not trained to question those things. And it looked like their website, so, you know, I can't discredit them too much. It's just, wow. I'm getting an iPad for $250 would make me wonder, is this legit? Why have I not seen, like, 1,000 people waiting in line to take advantage of this deal if it's real?
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
14:21
Linking this crime to elder abuse and tech support scams. The gift cards used in the original purchase were purchased in several cases by elderly adults and then used the same day to make the iPad purchase. So they would have elderly adults purchase gift cards for them under whatever scam they said it was, Social Security Administration, tax fraud, whatever it was. They'd say, you need to buy gift cards and give us the numbers over the phone. They would then use those gift cards to buy the iPads. Then they would get an iPad. Then they would get money back to then do it all over again, and cyclical. As for the electronics, while under surveillance, Lee entered a FedEx store in Hollywood, FL, to mail them. They were addressed to Yang Hong Kong, Zinda Telecom Limited in Kowloon, Hong Kong. Lee listed the return address in Brooklyn, NY. So Gary got all this information from a United States District Court, Southern District of Florida criminal cover sheet and criminal complaint. So it's great to see Operation Red Hook still doing great work. And again, if you have gift cards and you have a price match similar to Target, you really should be aware of this scam. Even if you don't have a price match, the way that they're doing things, I think, you know, could, I could see them doing this and taking advantage of price matches in between different stores. I know sometimes, I don't know if it's all the time, but like Best Buy will price match something on Amazon. If they were able to manipulate the HTML locally of Amazon on a product, they could say, hey, I could have gotten it, I bought this here, but I could have gotten it on Amazon for $500 less, and then get, you know, a price match at Best Buy to buy it there or something like that. That wouldn't even involve a gift card. I do think that there can be variations of this that we should be on the lookout for. [Episode Break: (00:06:13): One new feature that Sardine recently introduced to their product suite is called the Anomaly to Rule product. If your system suddenly experiences a huge spike in risky activity, Sardin's machine learning will suggest a new rule to detect it. In addition to creating the rule, you can decide what to do with the transactions or accounts that trigger this new rule. Some of your options include putting the system in shadow mode to gather the data but not actually take action on these accounts. Or you can send them to manual review or automatically cancel them. This feature is is so needed because often the time between spotting activity and finding the right rule to trigger can take some time. Especially if you're relying on traditional legacy rules and data analysis to manually create new rules. In this case, you can go from experiencing high risk activity to making a rule and acting upon it within hours instead of days or weeks. For more information about this feature or any of the other products within Sardine, go to www.sardine.ai to read more information or to request a one on one product demo.]
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
17:19
Another article that I thought was important to be aware of is that the race is on among the biggest banks to fix IT vulnerabilities that were exposed by Mythos AI, and they're sharing information with each other. How Mythos AI reveals major bank cybersecurity vulnerabilities So major U. S. banks are now scrambling to repair hundreds to thousands of information technology vulnerabilities uncovered by a powerful artificial intelligence cybersecurity tool developed by Anthropic, according to a new report. I think that either Frank or Matt mentioned Mythos on a previous episode a month or two ago. But Mythos is a powerful new artificial intelligence model developed by Anthropic, and it's raising urgent concerns among cybersecurity experts, policymakers, and financial institutions. As early testing suggests, it could dramatically accelerate both the discovery and exploitation of software vulnerabilities and create significant data breach threats, prompting high-level emergency discussions in Washington, DC, among the top U. S. economic and security officials.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
10:21
So basically, when you deploy Mythos on your site, it will find every single, well, I mean maybe not every single, but it will find a lot of cybersecurity vulnerabilities that your teams just weren't able to QA for, that your teams weren't aware of. And best, you know, it's a good guess if you think that cybercriminals are doing, using AI for the exact same purpose. Maybe they don't have access to Mythos, but they have, you know, other types of AI that are looking for vulnerabilities like this. So because Mythos has exposed, not exploited, but exposed all of these vulnerabilities, now companies, banks are rushing and panicking to fix them before the, you know, fraudsters and hackers identify them.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
19:07
So Reuters reported that several of the nation's largest banks, including JPMorgan Chase, Goldman Sachs, Citigroup, Bank of America, and Morgan Stanley, have gained access to Anthropic's Claude Mythos preview model through its Project Last Wing initiative. The AI system known as Mythos is designed to rapidly identify cybersecurity weaknesses. Sorry, I just said that. Including vulnerabilities buried within proprietary and open source code, Reuters reported. The tool is proving especially effective at linking together multiple low-risk flaws into more serious threats that could expose critical banking systems. As a result, banks are accelerating software upgrades, shortening patch management timelines, and reviewing aging technology infrastructure that may no longer be supported by vendors, Reuters reported. Sources told Reuters that vulnerabilities previously scheduled for remediation over several weeks are now being patched within days. Reuters also reported that banks are uncovering weaknesses in older legacy systems and unsupported software platforms that they had not previously viewed as urgent risks. Those legacy systems, man, they can have a lot of risks for cybersecurity and for fraud as well. And sometimes they're no longer supported by the company, or if they are, there's one engineer within the company that knows maybe how to fix it or something like that, whether it's within your company or within your vendor. Either one. Some institutions are increasing automated system scans and continuous monitoring efforts as they adapt to what one source described as a machine-speed threat environment. The report said the increased workload could occasionally require banks to temporarily take systems offline more frequently to complete upgrades and repairs, though institutions are attempting to minimize customer disruptions.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
20:55
This is a wake-up call. They said cybersecurity teams are also developing new internal procedures and methodologies to work with the AI tool effectively. Adam Myers of CrowdStrike told Reuters his team spent an entire weekend building workflows and capabilities around Mythos before beginning vulnerability testing. And then they're also saying that larger banks are sharing information about identified risks and defensive measures with smaller institutions that do not have access to the technology because of its high cost and competing requirements. Anthropic prices the model at $25 per million input tokens and $125 per million output tokens, Reuters said, making it significantly more expensive than some of the company's broader AI offerings. So while Mythos is working well, it's really expensive. CEOs face hurdles with AI replacement and layoffs Thanks. We have something else I read on LinkedIn the other day that I wanted to share with you guys because we've been talking about in the last few episodes, whether it was the episode with Holly or one of my solo episodes, talking about how, you know, a lot of people in fraud are being laid off right now. And I feel like every week there's at least a couple of people that reach out to me and say, hey, I just got laid off. Let me know what you know of. I'm trying to keep my eye out on whatever I can, with priority to remote roles, especially in the U. S. because that's primarily where my audience is. However, if you're, you know, in another country, you can let me know. Like there's a Fraudology listener that pinged me the other day and said, hey, if you see anything in the Dublin area in Ireland, please let me know. And I found one like the next day. Because I have such a great network, a lot of hiring managers are posting the roles in my feed and the algorithm knows that I like to see those. So that's where I'm getting them from. It's not a secret source.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
22:46
Sometimes hiring managers do reach out to me and give me a little more context about who they're looking for or send me a job description right before it goes live. But for the most part, if you're looking at, you know, LinkedIn job postings, you'll see most of them. But sometimes the remote ones are difficult to find sometimes. So that's why I'm trying to share them with as many people as possible. But anyway, a lot of the reasons for the layoffs are AI, right? Like companies thinking that they can get more done with artificial intelligence than they can actual human employees. And I've talked a lot about, you know, my concern about the data sources for AI when it comes to fraud and how they're just not open source. And so they're going to hallucinate and give wrong information. I've shared all of that before. But this is another take on this that I thought was interesting. And, you know, it may not, you know, if you're still employed and you're worried about this, it may not hurt to mention some of these points to leadership if you're in a position to do so or at least be aware of it.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
23:50
So Sir Eskenar on LinkedIn, I don't know his real name, posted this this week and it's been making the rounds on LinkedIn. I've seen it posted a couple times. CEOs are quietly realizing the AI replacement plan has a problem. Two problems actually. One, the token costs for running AI agents are now exceeding what they were paying the employees they fired. So just like the token costs that were in that article for Mythos, they're realizing that the token costs are, you know, now more expensive than employees. Two, when the tokens run out, the AI stops. It just stops. No continuity, no workaround. Just a spinning wheel where your workforce used to be. You fired humans to save money and bought a subscription that bills you into a corner. The employees you let go knew what to do when things broke. The AI just invoices you for the outage. And then there's the permission problem that nobody wants to talk about. To do its job, the AI agent needs access. Full access. Your systems, your patents, your contracts, your future plans, everything you spent years building handed over to a process that has no loyalty, no discretion, and no skin in the game. And it also might be used to feed information to your competitors, right? If you feed, you know, an AI tool all of this information, and then you don't have the enterprise tool, or even if you do, you know, you don't know all the privacy settings, it could be that if a competitor, you know, asked ChatGPT what they should do for a certain problem, they might source your documentation and say, well, here's what your competitor did. Or they won't even tell you that. They'll just say, here's what you should do. And it's exactly what you had done. And they know that because they have access to all your information. Everything you spent years building handed over to a process that has no loyalty, no discretion, and no skin in the game. You didn't hire a replacement. You gave a stranger with no soul the keys to everything you own. Enjoy.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
25:48
I sent that to a friend of mine and said to me that was the very definition of FAFO. If you know, you know that acronym. But I thought that was interesting and something that hopefully leadership considers before making even more layoffs. A couple more stories.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
26:05
This one is from Frank McKenna, Frank on Fraud. I guess there's a trend in China of people making peace signs in their selfies. So, you know, the two-finger peace sign facing the camera. And this article says that it could actually hand criminals your fingerprints. Something I never would have thought of. But again, with AI so much is possible. That casual peace sign you throw up in selfies might be giving you away way more than you think. Chinese experts are warning that the popular pose can expose your fingerprints to fraudsters with the right software. A mainland workplace reality show in April put the risk on display. Financial expert Lee Chang used a celebrity selfie to show how clearly visible fingers in a photo can put biometric data at risk. According to Lee, fingerprints can be pulled from selfies taken within one and a half meters if the fingers face the camera straight on. Even at 1.5 to three meters out, about half the hand details can still be recovered. The show demonstrated the trick on camera. After running a photo through editing software and AI tools, fingerprint ridges became visible. That's terrifying. There's a cryptography professor at the University of Chinese Academy of Sciences that told China Newsweek that high-quality cameras can make it possible to reconstruct hand details from a basic scissor-hand pose, which is also the peace sign.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
27:27
He noted that lighting, focus, and image clarity usually make fingerprint recovery hard, but the risk goes up with higher resolution devices or when criminals get their hands on multiple photos of the same person. The bigger problem is permanence. Fingerprints are like facial data. Once leaked, you can't change them. Lee warned that that could open the door to financial losses and identity fraud. His advice is straightforward. Blur, pixelate, or smooth out your hands before posting selfies, and don't register your fingerprints on unfamiliar devices. He goes on a little bit more, but it's all just backing all of that up. I think that that is kind of scary and worth being made aware of. AI-powered phishing attacks overwhelm community lenders Here's another article kind of related to the previous one, with AI's help, fraudsters are targeting smaller banks. Criminals are customizing their scam attacks, and community banks have a fight on their hands. I know this is something that Hailey Windham is very passionate about. Not just this, but community banks and credit unions in general. But this article from U. S. News & World Report says that with the help of AI tools, many scammers have shifted their focus from customers at large banks to smaller institutions. In bank scams of the past, criminals have often impersonated big banks, sending texts to thousands of consumers and playing the odds that some would have accounts with those institutions. Recent scam reports suggest that fraudsters are now using AI tools to compile lists of banks' customers and customize attacks. Those AI tools have enabled scammers to target their schemes to customers of banks of all sizes. So they're basically saying that, you know, fraudsters impersonating banks were calling up customers, trying to convince them to reveal enough personal information to allow the criminals to hack into deposit accounts. On the surface, this was not unusual at all. Banks and consumers are regularly fighting off these types of schemes, and they are the kind of scam that Uri Rivner says he sees daily. As the CEO and co-founder of Refine Intelligence, which makes software that helps banks prevent fraud, I know Uri Rivner well. I went to Jerusalem actually with him once for a day. That was fun. I didn't realize that he was in this article. That's great. But this one stood out both in its size and its strategy. Rivner says that by the end of the day, the banks he was tracking experienced a 1,700% spike in attacks. And instead of pretending to be representatives of the largest U. S. institutions, he says scammers were taking aim at smaller lenders.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
29:58
Half of the banks targeted, he says, had less than $3 billion in total assets. What we noticed is an explosion of bank impersonation attacks against regional banks and small community banks. These scams also appeared to incorporate AI tools in ways that some fraud experts have warned about, including those in our 2026 Banking Predictions article. The scale is beginning to be alarming. Small banks certainly haven't been immune from fraudsters in the past. In fact, U. S. News highlighted one particularly sophisticated scam that targeted a customer of a Massachusetts community bank last year.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
30:30
But many scammers have been more inclined to take aim at customers of the largest U. S. banks. That's because the criminals often don't actually know where you bank. Instead, they may send out a text to thousands of individuals alerting them to a supposed problem with their Chase or Bank of America account. It's a shotgun approach, with scammers playing the odds that a significant portion of those receiving the message will have an account with one of those banks. As fraudsters might joke, that's why it's called phishing and not catching. Before, the attacks were very blunt force attacks where they cast a wide net, says Scott Incan, senior vice president of strategic initiatives and policy for the Independent Community Bankers of America.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
31:09
It wasn't very targeted and communications were filled with grammatical errors and targeting errors. But now, because they have access to AI and other tools, they can target customers much more accurately. They can obviously impersonate other people, and they can do it at scale. Scammers have started deploying AI agents on web searches, asking them to scour both leaks of data and publicly available documents to compile a list of customers of a specific bank. Fraud experts say this makes attacks on smaller banks much more fruitful for the characters of the banks, called bad actors.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
31:41
Uri Rivner says that's what appeared to have happened in the attacks he was monitoring. As we heard about similar attacks starting six months ago, now the scale is beginning to be alarming. Rivner spoke with officials of some of the banks targeted to develop a clearer picture of how the attempted scam unfolded. He says after scammers had identified customers of a bank, the next step was to call them all at once. He surmises that this was a calculated approach intended to overwhelm a bank's capacity to respond. In the past, a small group of scammers might run down the list one by one, but now AI bots can make hundreds of calls simultaneously. And while many small banks have robust AI-powered security defenses that can detect suspicious activity, a flood of questionable transactions could make it difficult for a bank with limited staff to review those transactions or contact customers. And many of those customers may still be on the line with the person they believe is from the bank.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
32:35
It also makes it more difficult for consumers to call the bank and find out if they actually were the ones that called them. Some banks told Rivner that criminals apparently used AI to customize scams to a particular bank. For example, one bank official told him that customers were told they needed to provide sensitive information to help the bank transition them to the bank's new website. That bank indeed was going through a website change. You've always had a trade-off between scale and quality, says Rivner. But for the first time, criminals can do it at scale and with very high quality.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
33:07
I think that's a really good point. Community banks have advantages and vulnerabilities in the fight against fraud. Incan says he's not familiar with the scam surge Rivner saw, but he says it wouldn't surprise him. He says scam attacks on bank customers tend to come in waves. I think the institutions of all sizes are experiencing just a massive increase of fraud and scams across the board. So it's very much an industry problem. Certainly community banks have been hit by these frauds and scams just the same way that the large banks have. There are some indications that smaller banks may be seeing a greater uptick in scams than their larger peers or online-only competitors.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
33:42
More than 70% of credit unions and regional community banks reported an increase in fraud in 2025, according to the Alloy State of Fraud Report, which surveyed institutions of all sizes. It's a higher percentage than was reported by both big banks and fintechs. It's also a jump from what smaller institutions reported the previous year, when 52% said that fraud attempts had increased. So they have 70% of credit unions and regional and community banks say that they've seen an increase in fraud last year. That's pretty significant. Community banks, fortunately, have been preparing for this for quite some time, says Incan. This is something they've been looking at and developing strategies for. So I think they're all very well equipped to handle these surges. I hope he's right. Then they just talk about some of the benefits of community banks and that type of thing. But the other, you know, they talk a lot in this article, not, you know, a lot, but they touched on the fact that often scammers that are doing, you know, smishing or phishing don't know which, you know, which bank you bank with.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
34:45
Actually, there is a way for them to know, and that is to buy lists of credit card numbers, even if they're dead credit card numbers that have all been reissued because somebody already used them for fraud. Fraudsters can use those databases or those, you know, logs to look at the first six digits of the credit card that was used and correlate that with your name and phone number. So now they have your name, your phone number, and they know which bank you bank with. So now when they call, they can impersonate your specific bank rather than saying they're from Chase Bank and hoping that you have a Chase card. That's not something that was in this article, but it's something that I'm adding because I think it's important to be aware of. And those lists can go for pennies on a dollar because, again, they don't really have any purpose. You can't commit fraud on them. You can't use those card numbers again for a transaction.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
35:33
So a lot of, you know, carders or the people that are selling credit cards in bulk just don't care about those. So they're like, sure, you want this, I'll give it to you for 20 bucks. Like whatever, it's no big deal. Or I've seen it with the same organized crime syndicate where one department, for lack of a better word, is in charge of monetizing those credit card numbers on the list that they harvested. And then after they've monetized those credit card numbers for as many goods and services as they can, then they send those numbers off to another group that does phishing and text message phishing and that type of thing. And they then look up the first six digits, find out who their bank is, and do very personalized phishing attacks, which I guess is called spear phishing, is the proper terminology. But those are things to be aware of as well. It's not really a mystery anymore. It's not this magical mystery of where you bank. It's pretty darn easy to figure it out.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
36:37
Sometimes they'll just call and say that they're your bank. They won't say the name, but when they say the name, it gains more trust, less defenses are up. So chances are there's more accuracy there for the scam. All right, that's where I'm going to leave it today, guys.
A smiling woman with short brown hair and glasses, wearing a black and white striped blazer.
Karisse Hendrick
36:51
I always appreciate you listening to this podcast. I appreciate hearing from you when I've said something that has been interesting to you or you just want to reach out. It always makes my day, and I will look forward to talking with you more next week.