
Amex’s fraud pro sees widespread social engineering

Especially in efforts to steal the company’s one-time passwords, Amex’s Tina Eide says.

Tina Eide

Illustration: Patrick Lucas Austin

When American Express’s machine-learning detectors spot a suspicious transaction, the company may send a one-time verification code to make sure you’re really you, and you really want to buy those 25 Stanley Cups.

Tina Eide, EVP of global fraud and risk management at Amex, has noticed that threat actors have turned up their social game and have gotten better at sucking up that temporary credential right into their tumbler.

“Social engineering has become very prevalent. Leveraging the customer and reaching out to the customer, and almost getting them involved unknowingly, is really a trend at the moment,” Eide told us.

Eide shared her advice for consumers and spoke about authentication factors the company is exploring in 2025.

This conversation has been edited for length and clarity.

What is a typical example of social engineering for Amex?

The social engineering is really focused on getting that one-time password. It’s my number one piece of advice for customers: Protect that one-time password. It is a dynamic password. It’s unique for that situation only, and when we send it to you, we send you context. We tell you that “This password is for a transaction at this merchant,” or “This passcode is so that you can add your card to your digital wallet.” What’s happening is customers are not necessarily reading all of the text. They may be on the phone with somebody who’s pretending to be from a financial institution, or pretending to be from a merchant asking for that, and the customer just grabs the number and reads it off.

As you reflect on a year of fraud, what tactics stand out?

What we’re seeing now is what I would consider perfect PII. In the past, it was, “I have a little bit of your information, and maybe I would make up the rest to apply for a card.” Now the prevalence of your personal information being out there and available and knowable is such that bad actors are applying for accounts with everything that belongs to you: your name, your address, your email, your phone, your social security. So, from a detection perspective, looking at that PII alone is no longer sufficient.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Has generative AI had an impact on fraud?

I would say that on the bad actor side, yes, I think, a significant impact. One: the leveraging of bots to generate a gigantic amount of scale and sophistication. So, “I know I want a bot, and I know I want to send out this text message.” The GenAI comes into play where I want it to look like a USPS text message. I want the website that I finally click to look very authentic. Generative AI, I believe, has been very helpful for bad actors to create more legitimate-looking texts and websites.

What are some additional authenticators that are important for you to examine in 2025?

One authenticator that works well, because there’s a lot more real estate than there would be in a text message, would be a push notification. My first piece of advice was protect your one-time password. My second bit of advice would be [to] allow your financial institutions to send you push notifications in their apps. You need to turn that on a lot of times, but the information that we are sending you is incredibly valuable. You can also turn on a notification that allows you to see every time a charge happens on your account… Voice is also something that is very valuable. As we continue to explore and learn, there will be more, I’m sure.