In an era where technology has become both a powerful tool and a potential weapon, Polyguard is emerging as a critical shield against the rising tide of AI-powered fraud. Co-founders Joshua McKenty and Khadem Badiyan are at the forefront of combating sophisticated scams that leverage deepfakes, caller ID spoofing, and generative AI to target unsuspecting individuals and businesses. Their innovative approach goes beyond traditional fraud detection, offering a cutting-edge solution that uses advanced smartphone hardware to generate tamper-evident identity proofs and protect both institutions and individuals from increasingly convincing digital threats.
VMblog: Can you give us an overview
of Polyguard and how it combats the growing threat of deepfake and
AI-powered fraud?
Polyguard
protects both institutions and individuals from malicious voice and video
calls, which have become more and more effective through the combination of
deepfakes, caller ID spoofing, and generative AI content. We developed a method
to securely verify remote identity, and we've deployed that both as a mobile
application, and integrated into common call center software. Practically
speaking, it means you know who's calling (for sure!) before you answer the
call. While fraud chains often start with email or text messages, and sadly
often end in wire transfer or Venmo, the critical link in the middle of the
chain is the persuasive voice or video call, where Polyguard's defenses are
unique.
VMblog: What are the most alarming ways deepfake and AI-powered fraud are
targeting people today, and why has this become such a critical concern for
businesses, financial institutions, and consumers?
The most
scary new form of deepfake-powered fraud is called "virtual kidnapping," and it
takes advantage of voice cloning and caller ID spoofing to convince the target
that their child, wife, or parent has been kidnapped and a ransom must be paid
immediately. Unlike "pig butchering" scams, which happen over weeks or months
and often involve cryptocurrency payments to a completely fictitious love
interest, virtual kidnapping is over in minutes. What's even more alarming than
these new types of attacks, however, is the way that generative AI has turbocharged
all of the traditional online scams. Each recipient of a "toll payment" or "UPS
shipping charge" text scam might now be receiving a perfectly personalized
version of the attack, complete with full name, address, and plausible account
details-all the way down to the name of your cat, which they've scraped off of
social media or purchased on the dark web. Because these attacks are completely
automated, the scale is truly enormous-in some countries, over a quarter of all
phone calls are scams already.
VMblog: How does Polyguard's real-time defense technology stop these scams
before they happen, and what sets it apart from existing fraud detection tools?
Traditional
identity verification, still used by most financial institutions, relies on
what are called "knowledge proofs"-things like your mother's maiden name, your
date of birth, or the last couple of transactions you made on your VISA.
Unfortunately, most of us have had those critical pieces of data leaked onto
the dark web in one of the hundreds of large-scale data breaches over the past
decade, so they're unreliable. Most of today's fraud detection tools fall into
one of two other categories: voice fingerprinting, and AI detection. The first
category has been made quickly obsolete by the advancement of deepfakes, and
the second category relies on small flaws in the AI-generated content; flaws
that are quickly fixed in each new version of deepfake software.
Polyguard
relies on advances in modern smartphone hardware to generate tamper-evident
proofs of your identity. New iPhones have 3D cameras, and secure cryptographic
enclaves, which we use to perform facial recognition at a certainty level
beyond even the built-in FaceId technology. But most importantly, we enable
this identity verification in BOTH directions-protecting not just the financial
institution, but the consumer as well. Because we safely store your identity
data on the phone (not in the cloud), Polyguard signs and verifies the call
before your phone even starts ringing.
VMblog: Many people misunderstand the risks of deepfake and AI fraud. What
are the biggest misconceptions, and what role should financial institutions and
enterprises play in addressing them?
There are
two really dangerous misconceptions about fraud today, especially AI-powered
fraud like deepfakes. The first is that it only targets the wealthy-the sad
fact is that thanks to the combination of data breaches and automation, every
human with a cell phone is a target. The second mistake is the dangerous idea
that anyone (either human or AI) can "spot" a deepfake. The reason this feels
true is because we've all seen bad deepfakes on social media, with six fingers
on each hand, or strange glitching eyeballs. And so we imagine that all
deepfakes are bad. This is like judging the risk of counterfeiting by the
quality of today's monopoly money.
VMblog: What are the biggest challenges in developing real-time AI fraud
prevention, especially as these attacks continue to evolve?
When
viruses first became a major problem, we saw a rise in the number of anti-virus
companies, who were cleverly promoting their products by warning folks when
their computer might have become infected. Almost immediately after that,
however, attackers started using "Scan your computer now" buttons as a way to trick
users into infecting themselves. Any defense technology that relies on teaching
users a new behaviour can itself become an attack vector against those users.
Identity
verification relies on personal and private data-things like driver's licenses,
passports, and biometric scans. As an industry, we have to be incredibly
careful not to create giant "honeypots" of personal information. The credit
reporting agencies are important partners in the fight against fraud and
identity theft, and yet the Equifax data breach was one of the worst
contributors to identity theft in history.
VMblog: What proactive steps can businesses and individuals take to
protect themselves from deepfake and AI fraud?
One key
step for consumers is simply to accept that Caller ID is broken-for less than
the cost of a cup of coffee, I can impersonate any phone number in the world.
So when you're answering the phone, don't be afraid to ask for proof-even if
the caller claims to be the police, the bank, or your doctor. For key members
of your circle of trust, especially children or aging parents, it's worth the
awkwardness to set up a "codeword."
For
businesses, it's important to get the right tools in place. As Matt Linton
(Google DFIR leader) always says, "Hypervigilance is not a strategy." Because
so much of business-to-business identity relies on domain names, having the
business domain name protected properly is critical. I'm always shocked at how
many businesses don't have SPF, DKIM, and DMARC records set up properly, or
haven't protected common "look-alike" domains. Obviously, installing Polyguard
is important as well.
VMblog: What's next for Polyguard?
Today, the
Polyguard system works best for businesses and individuals that have our
product installed and configured. We're working with telecommunications
companies and financial software providers now to more deeply integrate key
identity verification methods into the software and hardware that consumers and
businesses are already using. We're committed to eradicating fraud from the
earth-one identity at a time.
##