The wealth of information housed by contact centers can be leveraged by fraudsters for data mining and cross-channel attacks. In an effort to prevent phone fraud, many businesses implement authentication methods; however, most fail to administer the authentication required to provide a layered defense system. As social engineering and fraud technologies have become more advanced, standard authentication methods have proven to become less sufficient. “You have to assume the criminals can get through one layer [of authentication]; they can get through two, they can even get through three,” says Avivah Litan, Vice President with the consultancy Gartner. “But if you have multiple layers, up to five, and you’re continuously authenticating that user and continuously looking at their activities against their profile, you should be in pretty good shape.”
Multiple layers of security allow organizations to meet regulatory requirements and effectively safeguard customer data. Knowledge-based authentication (KBA), has served as a standard authentication method for years; however, 10-15% of KBA fails entirely, proving that authentication requires another layer of security in order to ensure data protection. A layered approach to authentication starts with “protecting the endpoint, trying to secure the browser, going all the way up to looking at the navigation, building profiles of users and accounts and looking for anomalies, doing that across channels,” says Litan. This kind of identity assessment analyzes endpoint and user data, metadata, and ehavior as it identifies linkages across and between entities.
No singular authentication method used on its own is sufficient enough to keep determined fraudsters out. Creating a layered defense system makes it more difficult for an illegitimate caller to access desired information, such as a physical location, computing device, network, or database. If one barrier is broken or compromised, the fraudster still has at least one more barrier to breach before successfully accessing the desired information. This system ensures that each layer defends the previous layer, making it more difficult for a fraudster to circumvent the security of the entire system.
Aite Group, an independent research and advisory firm focused on business, technology, and regulatory issues, interviewed 25 executives at 18 of the top 40 largest U.S. financial institutions based on asset size in order to provide an accurate evaluation of the most effective technology solutions to protect against fraud. On Tuesday, Aite’s Senior Analyst, Shirley Inscoe, joined Pindrop’s Director of Research, Dr. David Dewey, for an online discussion of the growing threat of fraud in the contact center.
Top 10 Takeaways
- As EMV continues to gain momentum in the US, organized fraud rings will move to the phone channel, replacing traditional counterfeit card fraud.
- The contact center is the cross-channel fraud enabler. Current authentication factors in the contact center often fail due to various data fraudsters can acquire through social engineering tactics.
- The majority of financial institutions (72%) expect contact center fraud loss to continue in an upward trajectory.
- The root source of fraud, the contact center, is often misdiagnosed due to fraud enablement in other channels, such as debit card, credit card, and check order takeover – online fraud that exists from reset credentials being reset by the contact center agent.
- Fraud will move downstream toward smaller institutions and credit unions as phone fraud solutions are integrated into larger firms.
- Organized fraud rings are using automated attacks, specifically robotic fraudsters, targeting interactive voice recordings (IVRs), to keep their cost down while still managing to dramatically increase market coverage.
- In the U.S., Contact center fraud is expected to double to a $775 million problem by 2020.
- 61% of account takeover losses trace back to the contact center.
- For every 1-second authentication is reduced, an organization can save $1 million annually.
- Of the 23 different technology solutions reviewed by leading executives, Pindrop’s phoneprinting and voiceprinting technologies hold the highest combined ranking on industry awareness of the product, overall product ranking, and likelihood of recommending to colleagues.
75% of Tuesday’s webinar attendees confirmed having seen a recent rise in fraud. Contact centers will continue to enable cross-channel fraud until technology solutions are implemented to thwart it. Ensuring optimal protection against fraud in the contact center requires multiple layers of security that provide high coverage, high accuracy, high speed, and low friction without being easily fooled by fraud techniques, such as spoofing, voice distortion, and social engineering. Pindrop’s technology provides multi-factor authentication through layered intelligence scores, reason codes, and risk factors.
Thank you for listening!
This week, Financial Times met with Pindrop CEO, Vijay Balasubramaniyan, to discuss the future of voice authentication. Voice is an “extremely rich” and quick way of authenticating someone’s identity.
GB Times reported after an over 70 Chinese wire fraud suspects were deported from Kenya to China in April, a gang of Chinese and Taiwanese fraudsters were arrested in Turkey on suspicion of phone fraud. The gang reportedly stole information from over 3,000 Chinese tourists.
Forbes: Scam Alert: Why the IRS won’t call you – Fraudsters frequently use psychological attempts to scare people into give up personal information used for identity theft. Once the fraudsters have possession of that sensitive information, they can open credit accounts and start stealing away. Generally anyone who asks for money immediately over the phone is a fraudster.
Tech Dirt: AT&T Falsely Blames the FCC for Company’s Failure to Block Annoying Robocalls – AT&T is pointing fingers at the FCC as the cause of the company’s lack of robocall-blocking technology. Recently, the FCC gave permission to the carriers who wanted to offer consumers robocall-blocking services. AT&T is one of the only companies that did not implement such technology.
South China Morning Post: Phone scam targets Hongkongers, exploits rocky relations between China and Philippines – Crime bosses behind an Asia-wide phone scam operation that has fleeced hundreds of Hongkongers out of HK$350 million in less than a year has shifted their sights to the Philippines as law enforcement tightens.
The Morning Call: Arrests Made in IRS Phone Scam – Five more people were arrested in Miami due to their involvement in an IRS phone scamming ring. Accused of stealing over $2 million from 1,500 people, the perpetrators targeted people all over the US. Progress is being made in combatting IRS scams, and the number of successful calls is dropping drastically.
The Journal News: Harrison cops go to Maine to bust phone scammer – Harrison Police traveled to Maine to arrest known fraudster, Donovan Wallace after cheating a woman out of over $23,000. Wallace is also linked to similar scams along the East Coast and a ringleader in Jamaica, where authorities are helping with the investigation.
KRON4- Bay City News: Elderly man falls victim to IRS phone scam in Santa Clara – An elderly Santa Clara man made 3 deposits totaling over $5000 when a fraudster posing as an IRS agent informed him that he was being audited for $5,900. The victim made 3 deposits while on the phone with the fraudster, and 2 were claimed before the police got involved. No arrests have yet been made.
The UK sees more than 2x the amount of call center fraud than the US
The UK is no stranger to phone fraud in financial institutions. The recent data compiled in Pindrop’s 2016 Call Center Fraud Report shows that 1 in every 700 calls made to enterprise call centers in the UK is fraudulent. This is over two times higher than the fraud call rate in the US.
A major factor that’s causing the high levels of fraud in the UK is the chip card technology implemented in 2004. Because chip cards make it harder to commit card-present fraud, attackers began to move towards card-not-present channels, notably the call center, to continue making fraudulent transactions.
This shift gives the US valuable insight into the future of call center fraud due to the recent transition of chip-and-pin cards stateside. According to the Aite Group, fraud attacks in the call center grew 79% in the UK following the chip card roll out.
Fraud calls in the UK are mostly domestic
72% of fraud calls to financial institutions originate within the UK. The US sees a much lower number of domestic calls at only 48%. Again, the high percentage in domestic fraud calls is linked to chip cards. When chip cards were first introduced in Europe, card-present fraudsters moved to non-physical attacks like call center fraud, rather than relocate out of the country. In addition to the UK, similar trends have been seen in other European countries who have implemented chip cards. France, for example, saw an increase in domestic card-not-present attacks by more than 360% between 2004 and 2009 (Iovation, Fighting CNP Fraud: 5 Things to Consider).
Most UK fraud comes from mobile devices
UK financial institutions see 64% of fraud calls coming from mobile devices, while the US only sees 37%. In the UK, it is easier to program mobiles phones to show a restricted caller ID. In fact, 70% of fraud calls in the UK use a restricted caller ID rather than spoofing a phone number, a common trick in the US.
The state of call center fraud in the UK gives us a glimpse into the future of fraud in the US. Phone fraud has risen 45% since 2013 stateside. Fraudsters will go down the path of least resistance, which in financial institutions is the phone channel. As physical and cyber security increases and data breaches become more frequent, bad actors exploit data over the phone. To combat fraud, financial institutions should implement security solutions around authentication and voice biometrics to ensure the safety of their customers.
This week, Wall Street Journal reported that telephone scammers posing as tech support, lottery reps or even government officials are inundating U.S. homes as cheap technology and the rapid rise in Internet access globally makes it easier to set up an unlawful phone operation.
Bankless Times reported that Pindrop’s analysis of more than 10 million calls to UK and US-based enterprise call centers looks at vertical impact, attacker device type and location along with trends and vectors used by organized crime groups.
On the Wire: Phone Fraud Scam Targets College Students For ‘Federal Student Tax’ – The FTC is warning about a new variant on phone fraud scams that attempts to bully college students into paying a non-existent student tax. The scam is similar to many of the IRS phone scams that have been ongoing for several years, but with the novelty of pressuring students who likely are much more vulnerable.
Beta News: 5 popular tactics scammers and hackers use to steal your identity – Beta News reported that fraudsters are using reconnaissance, social engineering, and vishing among other tactics to steal identities. These tactics, although sneaky can be enacted through a simple Google search or phone call.
The Lincoln Journal Star: ‘Barrage’ of political robocalls before primary election leaves regulators looking for fixes – Nebraskans are receiving a barrage of calls. Leading up to the primary election, a new salvo of political robocalls hit Nebraska phones essentially every day for 60 days straight.
Edmonton Journal: ‘Digital swatting’ may be behind worldwide school bomb threats, including one in Edmonton – Two schools in Alberta and two in Saskatchewan were among those that received phone threats of explosives being present in school buildings, and police forces in Alberta are exploring the possibility of a link between the threats.
CBS6: Worried grandma loses $40,000 in phone scam – A Virginia woman was a victim in a Grandparents Scam attack when a fraudster posing as her grandson asked for bail money following his arrest. After a 12-day period and several wire transfers, she realized the caller was not her grandson, but in fact a fraudster.
This week Find Biometrics stated Citi and HSBC banks, two of the largest in Hong Kong, are preparing to launch biometric identification systems for their call centers. This transition will improve both customer service as well as efficiency in the call centers, according to the banks.
The Washington Post reported that the potentially lethal form of prank-calling known as swatting might soon come with 20 years of jail time. The bill that just passed out of the House Energy and Commerce Committee and will soon be in a floor vote in the House.
BBC: The prank call crimewave – After a string of prank calls that led to several fast food restaurants smashing their windows, BBC Trending looked at similar events from 2009. Using a now defunct website, pranksters have been organizing themselves to initiate these calls.
BBC: Gang jailed over pensioner phone scam – Eight men from London have been jailed for a phone scam that defrauded UK pensioners out of more than ₤1m. One accomplice to the crime was X Factor contestant Nathan Fagan-Gayle who received a 20-month jail sentence for money laundering.
Huffpost Crime: Military Phone Scams: Phone Fraud and Identity Theft a Growing Issue for Military Personnel – Recently, fraudsters have moved towards military personnel who are currently serving to steal identities from. These con artist will use social reconnaissance to obtain profile pictures and social media posts to convince victims to send money overseas.
Consumerist: FCC Trying To Minimize Annoyances From New Robocall Debt Collection Loopholes – After a bill passed last fall that included a loophole to allow debt collectors to use robocalls to chase down consumers, the FCC is fighting for a way to lessen the frustration by limiting the amount of robocalls made.
ITProPortal: When vishing and phishing attack – Because of the success of phishing attacks, social engineers have turned to voice phishing, or “vishing” to extract sensitive information from victims over the phone. ConsumerProtect.com has created an infographic on the subject.
Los Angeles Times: Getting phone calls seeking divine assistance? You may be a victim of ‘spoofing’ – A Long Beach resident says he’s received dozens of calls from seekers of divine assistance from a televangelist known as Prophet Manasseh Jordan. Callers claim that the resident’s number appeared on their Caller ID screen during Jordan’s robocalls.
This month HUB Magazine featured Pindrop CEO, Vijay Balasubramaniyan, as the cover story. In the article, Balasubramaniyan explains Pindrop’s beginnings as well as how he sees the future of voice authentication and security.
Market Wired reported every second, 963 robocalls are made somewhere in America. Research indicated that 2.5 billion robocalls were made to US phones in March, which is a 13% increase to February numbers. For the 4th straight month, Atlanta has been the top city for robocalls.
On the Wire: Hear a Real Bank Phone Fraud Call from a Fake Cop – Fraudsters are expanding upon a common phone scam that targets senior citizens. These phone scammers are now showing up at victims’ homes to take their debit cards in person, stating that their new one will be coming in the mail.
The Telegraph: New phone scam leaves victims with ₤300 bills for calls they never made – Ofcom has launched an investigation into mobile customers being targeted for a new scam which can leave them with a bill for hundreds of pounds for phone calls customers never made. Some victims have been hit with bills of more than ₤300.
Los Angeles Times: China is dialing 911 over Taiwanese phone scammers – Over a decade ago, Taiwan’s central police agency set out to crush telephone fraud. Although they were successful on the island, Taiwanese fraudsters have moved overseas to swindle victims from at least 2 dozen countries.
Gulf News Crime: 21 phone scam suspects arrested in Sharjah – 21 men have been arrested for running a phone scam in which they convince victims to transfer money in exchange for prizes. The fraudsters were using multiple mobile phones and SIM cards to remain under the radar.
The Daytona Beach News Journal: FBI investigates Palm Coast ‘swatting’ incidents that led to standoff – After a stand off between a Florida county SWAT team and an innocent man, the FBI has teamed up with local forces to find the caller of this swatting incident. The FBI considers swatting to be a public safety issue.
Venture Beat: Watch me control my Tesla with Amazon Echo – Over the weekend, Jason Goecke of Tropo hacked his Tesla using a drone, Goland, an Amazon Echo, and AWS Lambda. The result was the ability to ask Alexa to ask “KITT” to pull in or out of Goecke’s garage.
This week Consumerist shared that the phone scam tactic of slamming (switching someone’s long-distance carrier without their knowledge or permission) is back in the fraudster’s arsenal.
Shanghai Daily reported this week that 4 drivers who defrauded a car-hailing service out of 100,000 yuan (US $15,462) have been jailed for 8 months to 1 year, fined 1,000 yuan, and ordered to return the money to the company.
BBC: The massive phone scam problem vexing China and Taiwan – A recent diplomatic row between Taiwan and China has cast light on a massive international telecoms fraud problem. It is said to involve thousands of scammers, some of them pretending to be government officials to extract money from victims.The scam has reportedly cost mainland Chinese victims billions of dollars.
The News Courier: Officials talk safeguards at Fraud Summit – A number of officials gathered to discuss popular scams and what citizens should do if they suspect their identity has been stolen. Though most officials said there’s a high probability that someone will encounter identity theft at least once in their life, there are a number of ways information can be safeguarded.
NJ.com: Bamboozled: Could ROBOCOP finally stop unwanted robocalls? – And advocacy group Consumers Union estimates that overseas scammers have been fined more than $1.2 billion from Do Not Call registry violations, but it said the FTC has only been able to collect less than 9% of the fines.
Bob’s Guide: Integrating AI into the Financial Services Customer Experience – Optimists see AI to be the savior of customer experience in the financial services industry. Schwab Intelligent Portfolio is one of the most talked about AI financial products, using their voice, consumers can have and maintain an investment portfolio without human interaction.
Polygon: PlayStation Network getting two-factor authentication, Sony confirms – Sony is making a long-awaited effort to shore up security on the PlayStation Network — the company is planning to add two-factor authentication to the service. With this new authentication method, Sony users will have to use their username and password as well as a code sent to a phone via text message or phone call to sign in to their account.
Toronto Sun: Ontario man’s prank sick-day phone call goes viral – A 23-year-old from St. Thomas, Ont. uploaded a prank phone call video to YouTube on Saturday entitled “Calling in sick to places you don’t work!” The video has had more than 1 million views so far.
This week the NPR shared a Pindrop researcher’s undercover IRS phone scam conversation with a real fraudster. More than 5,000 victims have been duped out $26.5 million since 2013.
BBC reported this week that last year in the UK, fraud losses totaled ₤755m. Pindrop’s Matt Peachey sat down with BBC to discuss the need for multi-layered security, including monitoring behavior.
The Guardian: The terror of swatting: how the law is tracking down high-tech prank callers – In 2014, a swatting attack was launched on an Atlanta suburb police station that led to a year-long investigation in the US and Canada. This hoax was implemented by a 16-year-old who initiated nearly 40 attacks on homes, schools, and businesses.
The Boston Globe: Why police are having a tough time finding culprits in school robocalls – Dozens of Massachusetts schools are being plagued with a series of hoax robocalls including threats of bombs and roaming shooters. Why can’t authorities trace the calls? Using VoIP, these callers are able to hide their identities.
Ars Technica: “This is the IRS regarding your tax filings” says trio of overseas robocallers – While the FTC searches for a technology to combat robocalling, scammers have now started posing as agents of the IRS using robocalls. Pindrop has found that the wave of IRS scammers can be traced back to 3 distinct groups operating outside the US.
CreditCards.com: Credit card companies may be analyzing your voice – While credit card companies often record phone calls from cardholders, it’s not always for the purpose of quality assurance. Many banks are now analyzing calls and using advanced voice biometrics to root out criminals in the fight against call center fraud.
This is Money: You’re on your own if a conman raids your bank account – This week, This is Money and Money Mail have reported that just 2 out of 1,000 cases in identity theft are investigated and that 70% of customers affected by scams never get a penny back.
ITProPortal: Nationwide develops behavioral authentication prototype – Nationwide’s Innovation Lab, BehavioSec and Unisys are developing an authentication system that uses a customer’s behavior to allow access rather than requiring an additional password to access their banks account from their mobile device.
The first step in protecting against phone scams is understanding how they work. That’s why in this series, we’re breaking down some of the newest and most popular phone scams circulating among businesses and consumers.
You’re a small business owner running a website through a popular hosting site. You have purchased the unique URL that fits your company, and you set up your website. You muddle your way through figure out SEO, meta tags, and keywords to get your website found upon a quick Internet search. Then, from a local number, you get a phone call from a Google specialist claiming they have a front page position for your business with unlimited clicks, 24 hours a day. Your business is struggling to gain traction on the Internet so you immediately press one at the behest of the specialist. You set your website up with the Google specialist. Quick and easy, you pay the local specialist for the front page spot and you hang up.
What Really Happened
You realize shortly after hanging up with the Google specialist that your website is not displayed on Google’s front search page. You also realize that several withdrawals have been made from your account that you have not authorized. Soon after, you catch on to what has happened. You’ve been scammed, and the fraudsters stole your credit card information. How did this happen?
- Robocalling – Scammers use robocalls to attack a multitude of people quickly while also being able to conceal their identity and location through Caller ID spoofing
- Vishing – Fraudsters use the phone channel to persuade victims to divulge sensitive information, like credit card numbers, to initiate account takeovers
- Impersonation – by falsely implying that they are associated with Google, they are gaining your trust and/or intimidating you with their importance
Google Listing Scam Examples
Another day, another “Google Listing” call – A variation of the robocalls surrounding the Google Listing scam. According to Pindrop Labs research, there are 8 variations of robocalls connected to this scam.
Avoid and report Google scams – A list of scams tied to the Google name.
Pindrop Labs presents Emerging Consumer Scams of 2016 – Pindrop Labs has researched and discovered the 5 emerging phone scams effecting consumers in 2016, including the Google Listing Scam, and will be presenting a webinar on these findings on Wednesday, February 24th from 2:00-2:30pm ET.