Aite Group, an independent research and advisory firm focused on business, technology, and regulatory issues, interviewed 25 executives at 18 of the top 40 largest U.S. financial institutions based on asset size in order to provide an evaluation of the current state of fraud. New research proves that contact centers are being attacked more than ever before. Aite’s Senior Analyst, Shirley Inscoe, joined Pindrop’s Director of Research, Dr. David Dewey, to discuss the growing threat of fraud in the contact center during this session.
With the rollout of EMV chip cards, fraudsters have redirected their attacks to the contact center for data mining and account takeover. Sixty-one percent of fraud can be traced back to the contact center, but it doesn’t end there – fraud is a cross-channel problem. Many enterprises fail to identify the contact center as the root cause of fraud loss, enabling fraud in other channels, such as debit card, credit card, and check order takeover. Meanwhile, fraudsters are capitalizing on this misdiagnosis and targeting the contact center as the weakest link in security.
Contact center fraud loss is expected to double from $393M to $775M by 2020. As chip cards continue to gain momentum in the United States, organized fraud rings will continue targeting the phone channel, replacing traditional counterfeit card fraud. Current authentication factors in the contact center often fail due to the data fraudsters acquire through social engineering tactics in order to reset account credentials. Armed with data, organized fraud rings probe agents at enterprises for the information they need to access customer funds, and the point of least resistance is often the contact center.
Organized fraud rings are using automated attacks, specifically robotic fraudsters, targeting interactive voice response (IVR) systems, to keep their cost down while still managing to dramatically increase market coverage. Despite the intent to administer positive and timely customer experiences, contact center agents often fall victim to the social engineering methods that enable fraud attacks. Fraud attacks increase operational costs, decrease customer satisfaction, and jeopardize brand reputation as customer data is repeatedly lost to fraud. Contact centers will continue to enable cross-channel fraud until technology solutions are implemented to thwart it.
1. What are the key challenges of authenticating callers into the call center and IVR channels?
Traditional contact center anti-fraud and authentication methods no longer stand up to the advanced tactics leveraged by today’s criminals. Most contact centers rely on caller ID, a facility that identifies and displays the telephone numbers of incoming calls made to a particular line, but these telephone numbers can be easily spoofed. Contact centers also rely on knowledge-based authentication (KBA), asking questions that only the legitimate consumer can supposedly answer, to identify a caller. KBA has an average failure rate of 10-15%, and this rate can sometimes go as high as 30%. Most of these failures come from legitimate customers, not criminals. Meanwhile, over 60% of these criminals can successfully answer these questions because of data they’ve already stolen.
2. What are the most effective methods for securing the phone channel?
“We need to reduce our reliance on static data,” says Avivah Litan, VP Distinguished Analyst at Gartner. All of the data compromises from the last few years have resulted in hoards of data being stolen by criminals and put into databases that are being resold to other criminals. Enabling accurate identity assessment in the contact center relies on endpoint-centric measures, which look at the originating call and the originating phone that is making that call in order to assess the legitimacy of the user that’s calling. Litan describes phoneprinting technology combined with voice biometrics as “the strongest method for detecting fraudsters who call into enterprises.”
3. What are call centers most concerned about and how are their needs satisfied?
Contact center and fraud teams have a mutual interest in protecting customers, their data, and the overall security and reputation of an organization. Call center agents aim to provide high levels of productivity and consistent customer satisfaction. Security teams aim to eliminate weak call center authentication processes and reduce dependence on call center agents for screening out fraudsters. Phoneprinting combined with voice biometrics provides user authentication and fraud detection, enabling both contact center and security teams.
Aite Group, an independent research and advisory firm focused on business, technology, and regulatory issues, interviewed 25 executives at 18 of the top 40 largest U.S. financial institutions based on asset size in order to provide an accurate evaluation of the most effective technology solutions to protect against fraud. On Tuesday, Aite’s Senior Analyst, Shirley Inscoe, joined Pindrop’s Director of Research, Dr. David Dewey, for an online discussion of the growing threat of fraud in the contact center.
Top 10 Takeaways
- As EMV continues to gain momentum in the US, organized fraud rings will move to the phone channel, replacing traditional counterfeit card fraud.
- The contact center is the cross-channel fraud enabler. Current authentication factors in the contact center often fail because of the data fraudsters can acquire through social engineering tactics.
- The majority of financial institutions (72%) expect contact center fraud loss to continue in an upward trajectory.
- The root source of fraud, the contact center, is often misdiagnosed due to fraud enablement in other channels, such as debit card, credit card, and check order takeover – online fraud that results from credentials being reset by the contact center agent.
- Fraud will move downstream toward smaller institutions and credit unions as phone fraud solutions are integrated into larger firms.
- Organized fraud rings are using automated attacks, specifically robotic fraudsters, targeting interactive voice response (IVR) systems, to keep their cost down while still managing to dramatically increase market coverage.
- In the U.S., contact center fraud is expected to double to a $775 million problem by 2020.
- 61% of account takeover losses trace back to the contact center.
- For every 1 second that authentication is reduced, an organization can save $1 million annually.
- Of the 23 different technology solutions reviewed by leading executives, Pindrop’s phoneprinting and voiceprinting technologies hold the highest combined ranking on industry awareness of the product, overall product ranking, and likelihood of recommending to colleagues.
75% of Tuesday’s webinar attendees confirmed having seen a recent rise in fraud. Contact centers will continue to enable cross-channel fraud until technology solutions are implemented to thwart it. Ensuring optimal protection against fraud in the contact center requires multiple layers of security that provide high coverage, high accuracy, high speed, and low friction without being easily fooled by fraud techniques, such as spoofing, voice distortion, and social engineering. Pindrop’s technology provides multi-factor authentication through layered intelligence scores, reason codes, and risk factors.
Thank you for listening!
Contact center fraud attacks have increased substantially in recent years due to the EMV transition and data breaches. Despite the intent to administer positive and timely customer experiences, contact centers often fall victim to social engineering methods that enable fraud attacks.
Fraud attacks increase operational costs, decrease customer satisfaction, and jeopardize brand reputation as customer data is repeatedly lost to fraud. Aite Group, an independent research and advisory firm focused on business, technology, and regulatory issues, interviewed 25 executives at 18 of the top 40 largest U.S. financial institutions in order to examine the current condition of the market and determine the most effective technology solutions for solving cross-channel fraud.
Current State & Fraud Loss Prevention Highlights
- Contact center fraud loss is expected to double by 2020.
- 61% of fraud can be traced back to the contact center, but it doesn’t end there. Fraud is a cross-channel problem.
- Contact center security vulnerability severely burdens a business.
- The right technology solution provides security without minimizing customer satisfaction.
According to Aite, guaranteeing optimal protection against fraud in the contact center requires multiple layers of security. Since contact centers have been under attack more than ever before, several types of security solutions have been created to solve the problem. Of the 23 different technology solutions reviewed by leading executives, Pindrop’s phoneprinting and voiceprinting technologies hold the highest combined ranking on industry awareness of the product, overall product ranking, and likelihood for referral.
Join Aite’s Senior Analyst, Shirley Inscoe, and Pindrop’s Director of Research, Dr. David Dewey, for an online discussion on the growing threat of fraud in the contact center and the best practices for detection and prevention.
Contact Centers: The Fraud Enablement Channel
September 13, 11:30 AM – 12:30 PM
On Tuesday, Pindrop released its annual Call Center Fraud Report. SC Magazine spoke to Pindrop’s research director, David Dewey, about the drivers behind this year’s increase in phone fraud. According to Dewey, new US chip cards make it harder for fraudsters to reproduce phony cards, so the bad guys are crafting social engineering attacks that target call centers in order to make malicious transactions.
Dark Reading spoke to both Pindrop’s David Dewey and Chris Hadnagy, CEO of Social Engineer LLC. Hadnagy confirmed the Pindrop report findings, pointing out that voice represents the next big attack vector. Organizations should expect to see an increase in call center fraud and multi-vectored attacks.
Fox5: ID thief: here’s how to stop me – He would research his victims’ birthday and other personal info already online. Then he’d call merchants who use overseas customer service reps. When he would get the security answers wrong, they’d be more likely to cut him some slack.
Finextra: The Transatlantic State of Phone Fraud – Pindrop’s VP and GM of EMEA, Matt Peachey, sat down with Finextra to discuss the 2016 Call Center Fraud Report released by Pindrop Labs. The report has uncovered a loss at £0.51 to fraud in call centers in 2015.
Pindrop: Pindrop’s 2016 Call Center Fraud Report Reveals 45% Increase in Phone Fraud Attacks – Pindrop today announced research indicating increases in phone fraud incidents and costs in multiple areas in its 2016 Call Center Fraud Report. Researchers at Pindrop Labs analyzed over 10 million calls to major enterprise call centers in the US and UK.
Forbes: The Day I Was Almost Defrauded By ‘The IRS’ – I thought I would know the signs. I have spent years teaching graduate students about fraud schemes, developed fraud training seminars for corporations around the world, and have even conducted prison interviews with convicted white-collar felons.
Security Magazine: Call Center Fraud Attacks Have Increased 45% Since 2013 – Strong online and mobile security, coupled with the rollout of EMV chip cards in the US means cybercriminals are changing tactics, exploiting the weakest link in the organization: the call center. The rate of call center fraud attacks has grown 45 percent since 2013.
FindBiometrics: Call Center Fraud on the Rise: Pindrop – Pindrop, the developer of call analytics security solutions, has released a new report indicating alarming trends in call center fraud. Composed by Pindrop Labs researchers using Pindrop’s Phoneprinting technology to analyze more than 10 million call center calls in the US and UK
This week the Guardian shared the story of account takeover fraud at Nationwide bank in the UK. In this multi-part attack, fraudsters took over the target’s mobile account, registered for mobile banking, and increased overdraft protections all by contacting call centers. Fraudsters monetized the attack using Apple Pay.
Consumer Reports published the results of a new study on Monday that found millennials are the most likely to lose money to a phone scam. 38 percent of millennial men report having lost money to a phone scam, compared to 11 percent of average Americans.
Schneier on Security: Bypassing Phone Security through Social Engineering – Undercover police officers in the UK used social engineering techniques to bypass iPhone security when investigating a terrorist suspect. Police impersonated the suspect’s work manager, asking for proof that he was in the office on a particular day.
The Sydney Morning Herald: Fraudsters rip off $5m from elderly victims using telephone scam – In one case, the scammers netted $600,000. The scam started with a phone call from someone purporting to be the manager of a Rolex store, who said that a youth posing as their nephew had been detained trying to use Albert’s credit card.
No Jitter: Hacking as a Service Part Two: Help is Here – At this point, a caller has been deemed safe enough to be allowed into the system and potentially into the ear of a real human being. Even still, security measures can be applied by listening in on the call to programmatically find anomalies.
The Atlantic: The Long Life (and Slow Death?) of the Prank Phone Call – Advances in technology apparently bring with them new possibilities for playfulness at someone else’s expense. There’s still something to be said for the visceral thrill of trying to fool someone voice to voice, it seems—even if you don’t quite pull it off.
South China Morning Post: Phone scammers pretend to be Hong Kong immigration officers – Bogus immigration officers have duped Hongkongers out of about HK$1 million in the latest round of phone scams as con artists have come up with a new ruse, the Post has learned. About 20 victims fell for the new tactic.
Gizmodo: Do Not Call the Number in This Instagram Ad – Yesterday on my Instagram feed was a sponsored post claiming “Millions of Americans are applying for Obama’s New Student Debt Forgiveness Program” and promising I could qualify in less than five minutes if I tagged a friend and called a toll-free number.
On Tuesday, BBC Radio investigators demonstrated two ways to take over a NatWest bank account using the phone. Using social engineering, a fraudster could simply report a victim’s phone lost or stolen, then ask to have their phone number switched to a new SIM card, owned by the criminal. Alternately, the fraudster can simply steal the victim’s phone.
The FBI recently announced a Jamaican lottery scammer has been sentenced to 10 years in prison. According to Special Agent John Gardner, “The Jamaican lottery scammers are like an organized cyber crime group. They are closely knit, highly structured, and have U.S. associates—money mules—who help launder their money.”
Wired: Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid – TDoS attacks are similar to DDoS attacks that send a flood of data to web servers. In this case, the center’s phone systems were flooded with thousands of bogus calls that appeared to come from Moscow, in order to prevent legitimate callers from getting through.
PYMNTS: Apple Pay’s Low-Tech Security Problem – “Fraudsters and hackers are like water: They’re going to take the easiest path to get what they want. Right now, this is that easiest path … There’s no point of even trying to find a vulnerability in EMV because this works so well,” said Pindrop’s David Dewey.
The Telegraph: Thousands of immigrants targeted for cash in phone scam – Immigrants are being targeted by fraudsters posing as Home Office staff who demand money in exchange for allowing them to remain in the UK, it has been claimed. Visa holders have been pressured into handing over thousands of pounds.
eSecurity Planet: 3 Ways to Defeat ‘Microsoft’ and ‘Dell’ Phone Scams – Technological solutions can also make a significant difference. Knieff suggests looking into voice solutions from companies like Pindrop, which can watch out for recognized criminals. Advanced data loss prevention solutions are also worth looking at, Knieff said.
Consumerist: Lawmakers Renew Push To Curb Unwanted Robocalls – Sen. Ed Markey (MA) introduced the HANGUP Act, which would close the robocall loophole. Even though robocalls are one of the few issues that is not currently a partisan issue, the bill has been sitting idle in committee since being introduced.
On The Wire: Bypassing Phone Fingerprint Sensors With an Inkjet Printer – Researchers at Michigan State University have developed a clever hack that allows them to scan and then print a target user’s fingerprint and then use it to unlock a mobile phone via the fingerprint sensor.
This week, Forbes reported on Pindrop’s 2016 RSA session, “The Art of Avoiding Authentication.” Pindrop’s Director of Research, David Dewey, tested how Apple Pay’s call center authentication option could be compromised at major financial institutions.
On Tuesday, American Banker’s Penny Crosman interviewed Pindrop’s CEO, Vijay Balasubramaniyan, on how fraudsters are using the phone channel. Balasubramaniyan pointed out, “If you’re able to detect suspicious IVR activity, you can forewarn banks on average 30 days before account takeover even starts happening. It’s almost like ‘Minority Report.’”
Krebs on Security: Credit Unions Feeling Pinch in Wendy’s Breach – Even if thieves don’t know the PIN assigned to a given debit card, very often banks and credit unions will let customers call in and change their PIN using automated systems that ask the caller to verify the cardholder’s identity by keying in static identifiers.
Money: IRS System Meant to Protect ID Theft Victims Seems to Have Been Hacked – Knowledge-based authentication (sometimes called KBA), asks taxpayers four multiple-choice questions about their credit history — such as “On which of the following streets have you lived?” And these questions can be easily answered with random guessing.
Speech Technology Magazine: Pindrop Launches IVR Anti-Fraud Solution – Pindrop recently launched IVR Anti-Fraud, which the company says is the first comprehensive call center fraud detection capable of monitoring all customer voice channel interactions. Fraudsters can use IVR systems as their gateway into more extensive fraud.
The Wall Street Journal: Cybersecurity Startups Describe New Fundraising Hurdles – “VCs were much more discerning and they wanted proof that you have a real product that is delivering a strong return on investment to customers,” said Vijay Balasubramaniyan, CEO and co-founder of Pindrop.
On The Wire: Sidestepping Apple Pay Enrollment Authentication – “Authentication through an app is very secure, because if they’re doing it properly they know specifically it’s your device they’re sending the authorization to,” Dewey said. “A phone call is the weakest of these possible options.”
Network World: New products of the week 2.29.2016 – Our roundup of intriguing new products: Pindrop’s IVR Anti-Fraud analyzes multiple layers of information to help identify suspicious callers for live agent calls in contact centers in the financial services, retail, insurance, and government industries.
On Wednesday, reporter Kevin Roose published a story of his experience after asking to be hacked. The most surprising attack was also the most simple. The attacker simply called Roose’s cell phone company, impersonating his wife, and quickly gained access to the account, changing the password and adding a new phone line.
On Friday, Brian Krebs exposed an apparent data breach at Dell. Fraudsters have obtained Dell customer support and purchase histories as well as contact information and are using the information as tools in consumer phone scams. The cases illustrate the way fraudsters work across phone and online channels.
CBC: Canada Revenue Agency scam calls and emails have many red flags – When the phone call begins, the man identifies himself as an investigative officer with Revenue Canada and he even gives his supposed identification number. The problem is the man doesn’t work for Revenue Canada.
The New York Times: A Robot That Has Fun at Telemarketers’ Expense – While the simple robot does not possess anything near artificial intelligence, it does understand speech patterns and inflections, so it can monitor what the telemarketer is saying, and then do its best to try to keep the person on the end of the line engaged.
Bankless Times: Pindrop touts new voice-fraud detection technology – “Most companies do not have sufficient insights into customer IVR activity, much less the amount of fraud and unnecessary costs hiding there,” Vijay Balasubramaniyan explained. “Alarmingly, our beta test showed that IVR fraud rates are on par with live agent phone fraud.”
Pindrop: Pindrop Launches First IVR Fraud Protection Solution – Pindrop, the pioneer in voice-fraud prevention and authentication, today launched IVR Anti-Fraud, making Pindrop the first and only company to offer comprehensive call center fraud detection to all customer voice channel interactions.
Telegraph: Bank security: annoying AND useless – Fraudsters managed to get past NatWest’s telephone security and make a transfer from our reader’s Isa to another of her accounts. They then convinced their victim that the high balance in the latter account was a mistake and to send the money to the criminals’ bank.
Pindrop Blog: Phone Scam Breakdown: Google Listings Scam – You’re a small business owner running a website through a popular hosting site. Then, from a local number, you get a phone call from a Google specialist claiming they have a front page position for your business with unlimited clicks, 24 hours a day.
On Friday, British authorities announced that they have arrested a 16-year-old suspected of being involved with a group that used social engineering phone calls to hack into the Department of Justice web portal, the FBI network, and the private email accounts of high-ranking U.S. intelligence officials.
This week, French authorities arrested yet another teenager using social engineering on the phone channel to commit crimes. Police have arrested Vincent L., 18, from Paris, for failing to cooperate with authorities in an investigation related to a series of fake bomb threats that took place in France, Australia, the UK, and the US.
Popular Science: Hacker Calls FBI’s I.T. Department, Gains Access to Network – On Sunday, a hacker threatened to dump the contact information of thousands of FBI and Department of Homeland Security employees online. So how did a person break into the systems of two of America’s most high-profile agencies? A phone call, it appears.
Dark Reading: Man Admits To Laundering $19.6 Million in Hacking, Telecom Fraud Scam – Hackers compromised businesses’ PBX systems. They would then identify unused extensions, reprogram them so they could be used to make long distance phone calls charged back to the victim business.
CNN: FBI, British police nab alleged ‘crackas’ hacker – British police have arrested a teenager who allegedly was behind a series of audacious — and, for senior U.S. national security officials, embarrassing — hacks targeting personal accounts of top brass at the CIA, FBI, and Homeland Security Department.
Washington Post: British teen arrested in hacking of top U.S. intelligence officials – British authorities have arrested a 16-year-old suspected of being involved with a group that hacked into the private email accounts of high-ranking U.S. intelligence officials, according to U.S. officials and British police.
Business 2 Community: Death, Taxes, And Data Theft: You Can Only Protect Yourself From One – Cybersecurity startup Pindrop is one company that is benefitting from an increased interest in combating identity threats. Their unique software fights fraud by using a voice technology system called phone printing.
Forbes: Watch Out For These Top Tax Scams – Aggressive and threatening phone calls by criminals impersonating IRS agents remain an ongoing threat to taxpayers. The IRS has seen a surge of these phone scams as scam artists threaten police arrest, deportation, license revocation and other things.
Softpedia: Phone Hacking Group Is Selling Fake Bomb Threats for Bitcoin – According to French law enforcement, the service has been used by Evacuation Squad, a group that has terrorized cities across the globe by calling in fake bomb threats and sending SWAT teams to various celebrities and high-profile public figures.
On the Wire: UK Launches Task Force to Address Fraud – Phone fraud, vishing, and other forms of financial fraud have emerged as serious threats to many financial institutions and their customers. Banks and government agencies have begun forming alliances to help address the issue.
Credit Union Times: 5 Biggest Phone Scams in Circulation – The Atlanta-based Pindrop detected a number of emerging phone scams, some of which involve Google listings, health insurance and the MasterCard settlement. The voice fraud prevention and authentication firm also gathered data on fraudsters’ frequency.
Dark Reading: 20 Cybersecurity Startups To Watch In 2016 – President Barack Obama outlined a Cybersecurity National Action Plan this week, featuring an expanded cybersecurity budget, a new federal chief information security officer, and an emphasis on promoting multi-factor authentication.
FTC Blog: Phony calls about health insurance
On The Wire: Owning VOIP Phones With Zero Clicks