Motivation
The complex ecosystem of private banking and asset management creates unique security challenges, particularly in transaction authorization flows. Smaller asset managers often relay client orders to larger custodian institutions, creating potential security gaps where attackers can insert fraudulent instructions via compromised email accounts or endpoint devices. These attacks are particularly effective when kept below standard verification thresholds (e.g., €50K) and can result in significant aggregated losses and reputational damage while evading traditional security controls. Additionally, smaller institutions typically lack the data volume, security resources, and technical capacity to develop robust detection models independently.
Concept & Description
This pilot will implement an impersonation detection system leveraging email content analysis, federated learning across institutions, adaptive monitoring, and LLM-based contextual reasoning. The approach will enable even smaller financial institutions to benefit from collective intelligence without compromising client data privacy. The following use cases are envisaged:
Use Cases
Email-Based Impersonation Detection Using Content Analysis
This use case focuses on the detection of potential impersonation attacks through sophisticated analysis of email communications containing trading or transfer instructions. The system will perform deep analysis of email content, structure, and metadata to identify anomalous patterns that might indicate fraudulent activity. The solution will take advantage of CyberAId LLM agents with few-shot learning on financial communication patterns, in order to detect subtle linguistic deviations from established client communication norms, unusual attachment types, suspicious embedded links, or atypical formatting choices.
The system will also analyse email header information and sending patterns, cross referencing these against known client communication preferences and history. This approach will enable the identification of sophisticated impersonation attempts even when the transaction details themselves appear legitimate and fall below typical verification thresholds, addressing a critical security gap in current financial systems.
Privacy-Preserving Federated Learning for Cross-Institutional
This use case implements CyberAId-PROACTIVE’s federated learning network that enables collaborative threat model development across financial institutions of various sizes without compromising sensitive client data. The system will establish secure connections between custodian banks and smaller asset managers, facilitating the development of shared impersonation detection models trained on diverse datasets while keeping actual client data within its originating institution.
By implementing differential privacy mechanisms and secure aggregation protocols for model updates, the solution ensures regulatory compliance while significantly enhancing detection capabilities for smaller institutions. This federated approach allows asset managers with limited data resources to benefit from detection capabilities trained across a much broader landscape of transactions and client behaviours, dramatically improving security posture without requiring data centralization or transfer between organizations.
This use case will also form a basis for the evaluation and proof-of-concept of adding quantum security in the form of quantum two-factor authentication to protect the connections and interactions between the transaction partners.
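The two privacy mechanisms named above, differential privacy on each institution's model update and secure aggregation so the aggregator only learns the sum, shown as an added Python illustration that is not the pilot's own code; the clipping bound, noise scale, pad range, seed and sample updates are constructed values.

```python
# Added example, not the project's code: one federated round where each
# institution clips + noises its update (differential privacy) and masks it
# with pairwise one-time pads (secure aggregation); server learns only the sum.
import random

CLIP_NORM = 1.0     # L2 bound every client enforces on its own update
NOISE_SIGMA = 0.05  # std-dev of the Gaussian noise added per coordinate

def l2_norm(v):
    return sum(x * x for x in v) ** 0.5

def clip_update(update, clip_norm=CLIP_NORM):
    """Bound the L2 norm so no single institution's data dominates the model."""
    norm = l2_norm(update)
    scale = min(1.0, clip_norm / norm) if norm > 0 else 1.0
    return [x * scale for x in update]

def add_gaussian_noise(update, sigma, rng):
    """Differential-privacy step: per-coordinate Gaussian noise."""
    return [x + rng.gauss(0.0, sigma) for x in update]

def pairwise_masks(n, dim, seed):
    """One-time pads per client pair, mask[i][j] == -mask[j][i], so they cancel in
    the sum. A deployment derives each pad from a pairwise key agreement; demo seed here."""
    masks = [[[0.0] * dim for _ in range(n)] for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            pad_rng = random.Random(f"{seed}-pair-{i}-{j}")
            pad = [pad_rng.uniform(-10.0, 10.0) for _ in range(dim)]
            masks[i][j], masks[j][i] = pad, [-p for p in pad]
    return masks

def run_round(updates, seed=7):
    """One round with len(updates) institutions: returns what the server receives
    ("sent", "aggregate") and, for comparison only, the client-side "unmasked_mean"."""
    rng = random.Random(seed)
    n, dim = len(updates), len(updates[0])
    masks = pairwise_masks(n, dim, seed)
    private = [add_gaussian_noise(clip_update(u), NOISE_SIGMA, rng) for u in updates]
    sent = [[private[i][k] + sum(masks[i][j][k] for j in range(n) if j != i)
             for k in range(dim)] for i in range(n)]
    return {"sent": sent,
            "aggregate": [sum(s[k] for s in sent) / n for k in range(dim)],
            "unmasked_mean": [sum(p[k] for p in private) / n for k in range(dim)]}

if __name__ == "__main__":
    # Constructed updates: one custodian bank and two small asset managers.
    result = run_round([[0.8, -0.4, 0.1, 0.3], [3.0, 1.0, -2.0, 0.5], [-0.2, 0.6, 0.4, -0.1]])
    print("client 0 sends:", [round(v, 3) for v in result["sent"][0]],
          "| aggregate:", [round(v, 4) for v in result["aggregate"]])
```

The masked vectors the server receives bear no resemblance to any institution's update, yet their mean equals the mean of the noised updates because the pads cancel pairwise; the Gaussian noise is what still protects an individual client if the other clients collude.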
Adaptive Agent Configuration via Federated Model Insights
This use case builds upon UC#1.2, focusing on the automatic optimization of CyberAId-MONITOR configurations based on insights generated through the federated learning system. The solution will dynamically adjust Wazuh detection rules, correlation parameters, and alert thresholds based on patterns identified across the institutional network, ensuring that security monitoring continuously evolves to match emerging impersonation techniques.
This automated adaptation of security monitoring parameters based on collective intelligence ensures that even smaller institutions benefit from advanced detection capabilities typically only available to large financial organizations with dedicated security teams. The continuous refinement of detection rules based on cross-institutional learning creates a security monitoring system that stays ahead of evolving attack methodologies and secures a crucial financial supply.