The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

It is already reshaping how criminals impersonate customers, defeat controls and scale attacks. For banks, this raises an uncomfortable question: if fraudsters can convincingly look and sound like real people, what signals can still be trusted?

For years, anti-fraud strategies have been built on the assumption that a genuine customer can be distinguished from a criminal by how they authenticate. Knowledge factors, possession factors and inherence factors have formed the backbone of digital trust. Yet generative AI is eroding each of these in turn.

Voice cloning is eroding the effectiveness of call centre authentication. Deepfake video is undermining facial biometric checks. Generative AI can now produce phishing messages that are virtually indistinguishable from legitimate communications, even as behavioural biometrics attempt to adapt. The common failure across these controls is clear: too many still rely on legacy methods being able to judge whether an interaction is genuine, and that judgement is becoming increasingly unreliable.

Despite the variety of modern fraud tools, most ultimately collapse back to two-factor authentication. Whether branded as passkeys, biometrics or one-time passwords, they all rely on a challenge that the customer must interpret and respond to. They all ultimately rely on an account, password and 2FA. That makes them vulnerable to social engineering, real-time manipulation and AI-assisted persuasion.

Fraudsters no longer need to break security. They simply guide customers through it.

Why trust is moving away from the user 

The reality is that banks can no longer rely on signals that sit purely at the user interface. If the user can be convincingly deceived, any judgment-requiring task becomes a weak link.

This is where mobile network-level intelligence becomes strategically important.

Network APIs operate below the application layer, drawing on signals that customers never see and that criminals cannot intercept or influence. They do not ask a user to approve a request or enter a code. They verify facts about the device, the SIM, the network and the connection in real time.

Crucially, these signals are not exposed to generative AI manipulation. A fraudster can clone a voice or write a flawless message, but they cannot fake whether a SIM was recently swapped, whether a device is genuinely attached to a network, or whether a transaction originates from the expected mobile environment.

What makes network APIs different 

Network APIs allow banks to validate attributes that are inherently difficult to spoof at scale. Examples include device and SIM integrity, network location consistency, and indicators of account takeover activity such as recent changes at the network level.

These checks are not subject to phishing, prompt injection or deepfake techniques. They do not rely on customer behaviour or awareness. They sit outside the reach of social engineering altogether.

This does not mean they replace existing controls. Instead, they provide an additional layer of security. When combined with application and behavioural signals, network-level verification helps banks make decisions based on evidence rather than belief.

A shift in how fraud is managed 

For CISOs and fraud leaders, the rise of generative AI demands a shift in mindset. The question is no longer how to make customers authenticate better. It is how to reduce reliance on customer decision-making altogether.

As fraudsters continue to industrialise deception using AI, banks that anchor trust at the network layer will be better placed to stay ahead. 

For many security leaders, that exploration is becoming less of a future consideration and more of a necessity.

If you’d like to tell us about your situation, or if you think network APIs might be able to solve a Gen. AI fraud pain point for you, we’re all ears. Reach out to us at https://www.xconnect.net.