Machine learning is changing cyber-fraud — and helping fight it

September 22, 2025 | 4 minute read

In an increasingly connected digital economy, rapid advances in technology such as machine learning (ML) are being leveraged for both business objectives and malicious intent. As more cyber criminals harness the power of the latest ML tools to launch ever-more effective scams and thefts, businesses are also adopting the technology to sharpen their cyber-defenses. In this environment, it’s critical not only to safeguard your business against ML-enabled cyber-fraud, but also to understand the risks involved in deploying the technology in your fraud-detection arsenal.

How is machine learning used in cybersecurity

As criminals continue using cutting-edge technologies to enable fraudulent activities, tech-adept businesses are countering these advances by adopting ML and other AI tools to improve their cyber-defenses. A recent survey by Forbes found that more than half of U.S. businesses use cyber security and fraud management tools that employ some form of AI.1 These tools help them identify indicators of compromise across multiple data access points, monitor activity and rapidly respond to cyber threats, dramatically reducing labor hours required for initial triage of potential threats.

 

Despite the move toward adopting ML cyber-security capabilities, this use of the technology is nascent, so it’s important to keep some best practices in mind as you consider integrating ML into your cyber security framework.

 

Validate your data models. ML relies on vast data models for its so-called intelligence. Without transparency into the models it builds from your data, they are at risk for inaccuracies, bias and even data poisoning by bad actors. Be sure to implement data-driven procedures to identify, investigate, discipline and remediate model variances and inaccuracies. Human system validation is required to verify and validate your models on regularly.

 

Implement strong governance. Because ML-enabled cyber security tools process large quantities of potentially sensitive data, it’s critical for businesses to implement strong governance frameworks to establish guidelines for data management that ensure legal compliance, privacy and security.

 

Understand your external data sources. Data management and data security are especially important if you use a security service or tools that use shared data models and external data sources. Be sure to contractually require transparency and visibility into the efficacy of the data model.

More than half of U.S. businesses use AI for cybersecurity and fraud management.1

Enable robust model training. Use a combination of supervised and unsupervised model training to improve the accuracy and efficacy of your data models. Unsupervised training is more scalable and can help you discover patterns and gain insights from large volumes of raw data. Supervised training, on the other hand, is more time consuming but can help you classify the data and make accurate predictions based on data labeled and annotated by human experts.

 

Empower and educate employees. Be sure to continuously educate your employees on new threats, processes and response procedures. Empower all levels of staff to question messages and other information they receive to determine validity, since ML can make fraudulent communications and data harder to identify. Employee knowledge, in fact, is becoming more critical as the frontline for cyber security shifts from an organization’s four walls to its data. This evolution requires that each department — finance, HR, operations, etc. — gathers and analyzes its own information and integrates that data across the security fabric of the organization.

How ML is changing the cyber-fraud landscape

At the same time, cyber-criminals are adopting new ML technologies to research and design targeted and sophisticated fraud schemes. They’re using ML to automate and expedite more convincing and personalized phishing attacks, including investment scams and business email compromise. They are also using generative AI tools (e.g., search engines, chat clients and learning systems), voice-cloning software and deepfake videos to create incredibly detailed and realistic lures. (For more on deepfake technology and cyber crime, see “How to protect your business from deepfakes.”)

Forbes asked U.S. business leaders how they currently use or plan to use AI. Top responses: improved customer experience (56%) and cyber security and fraud management (51%).1

Chat clients and learning systems can fast-track cyber-scammers’ social engineering methods and improve their effectiveness by generating customized bait messages based on vast amounts of personal and social data, making them much more personalized and persuasive. Natural language technologies help create complex and multifaceted phishing messages that are scrubbed of obvious grammatical errors, misspellings and oddly worded sentences. Cyber criminals are also using AI and ML tools to attack and gain unauthorized access to accounts and networks, often by analyzing behavior patterns or using ML to identify vulnerabilities.

How to protect your business from ML-enabled cyber-fraud

The good news for businesses is that although these ML-enabled threats can be more convincing and sophisticated, they’re based on familiar tactics such as social engineering, so following these tried-and-true security best practices can help protect your business.

  • Verify all unsolicited communications by independently confirming sender information.
  • Don’t send sensitive information to anyone whose identity you can’t confirm.
  • Be careful when posting personally identifiable information on social media and be compliant with your company’s social media policies.
  • Manage account and network access by using multifactor authentication and maintaining good password hygiene.

 

Ultimately, people — and not technology alone — form the foundation of effective cyber security. Employee cyber security awareness and training for new ML solutions present an opportunity to refocus your organization on creating a culture of security, one in which employees have the knowledge and agency to proactively spot and then protect against cyber-crimes.

 

For additional information on machine learning and cyber-fraud, see Bank of America resources on fraud and cybersecurity.

1 Kathy Haan, Forbes, “How Businesses Are Using Artificial Intelligence in 2023,” April 2023.

Explore more

Security & Information Management

Phishing. Vishing. Smishing. Keeping up with threats from scams, fraud and cyberattacks is difficult. Our resources and insights can help you protect your company and customers.

Important Disclosures and Information

Bank of America, Merrill, their affiliates and advisors do not provide legal, tax or accounting advice. Consult your own legal and/or tax advisors before making any financial decisions. Any informational materials provided are for your discussion or review purposes only. The content on the Center for Business Empowerment (including, without limitations, third party and any Bank of America content) is provided “as is” and carries no express or implied warranties, or promise or guaranty of success. Bank of America does not warrant or guarantee the accuracy, reliability, completeness, usefulness, non-infringement of intellectual property rights, or quality of any content, regardless of who originates that content, and disclaims the same to the extent allowable by law. All third party trademarks, service marks, trade names and logos referenced in this material are the property of their respective owners. Bank of America does not deliver and is not responsible for the products, services or performance of any third party.

 

Not all materials on the Center for Business Empowerment will be available in Spanish.

 

Certain links may direct you away from Bank of America to unaffiliated sites. Bank of America has not been involved in the preparation of the content supplied at unaffiliated sites and does not guarantee or assume any responsibility for their content. When you visit these sites, you are agreeing to all of their terms of use, including their privacy and security policies.

 

Credit cards, credit lines and loans are subject to credit approval and creditworthiness. Some restrictions may apply.

 

Merrill Lynch, Pierce, Fenner & Smith Incorporated (also referred to as “MLPF&S" or “Merrill") makes available certain investment products sponsored, managed, distributed or provided by companies that are affiliates of Bank of America Corporation (“BofA Corp."). MLPF&S is a registered broker-dealer, registered investment adviser, Member SIPC, and a wholly owned subsidiary of BofA Corp.

 

Banking products are provided by Bank of America, N.A., and affiliated banks, Members FDIC, and wholly owned subsidiaries of BofA Corp.

 

“Bank of America” and “BofA Securities” are the marketing names used by the Global Banking and Global Markets division of Bank of America Corporation. Lending, derivatives, other commercial banking activities, and trading in certain financial instruments are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., Member FDIC. Trading in securities and financial instruments, and strategic advisory, and other investment banking activities, are performed globally by investment banking affiliates of Bank of America Corporation (“Investment Banking Affiliates”), including, in the United States, BofA Securities, Inc., which is a registered broker-dealer and Member of SIPC, and, in other jurisdictions, by locally registered entities. BofA Securities, Inc. is a registered futures commission merchant with the CFTC and a member of the NFA.

 

Investment products: