Recently, Pindrop Security researchers were alerted to a phone scam targeting a financial institution. As part of the scam, fraudsters had purchased phone numbers that were similar to the institution’s main phone line and were using those numbers to target consumers who misdialed. A recording set up by the fraudsters would then offer the customer a call back and ask for information about the consumer’s account, pushing a free gift card and soliciting their credit card information.
We decided to investigate the extent of the scam, which we’ve dubbed ‘misdial traps,’ to better understand the risk posed to banks and financial services institutions.
To do so, we took a sample of approximately 600 banks and financial institutions and determined the most-likely ‘misdialed’ variations of their main phone numbers. We then ran those variations against our database of phone number reputations to determine how many were likely being used by phone fraudsters.
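An institution can run the same kind of check against its own main number. The sketch below is an added example, not Pindrop's tooling or method: the two misdial heuristics (adjacent-key slips and transposed digits), the function names and the reputation feed format are assumptions, and the sample numbers and reports are constructed.

```python
import re

# Keypad layout used for the adjacent-key heuristic (an assumption of this example).
KEYPAD = ["123", "456", "789", " 0 "]
POS = {d: (r, c) for r, row in enumerate(KEYPAD) for c, d in enumerate(row) if d != " "}

def neighbors(digit):
    """Digits directly above, below, left or right of `digit` on the keypad."""
    r, c = POS[digit]
    return [d for d, (rr, cc) in POS.items() if abs(rr - r) + abs(cc - c) == 1]

def normalize(number):
    """Reduce a US number to 10 digits, dropping punctuation and a leading 1."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError("expected a 10-digit NANP number")
    return digits

def misdial_variants(number):
    """Map each candidate misdial of `number` to the slip that produces it."""
    base = normalize(number)
    found = {}
    for i, d in enumerate(base):
        for n in neighbors(d):  # finger lands on a neighbouring key
            found.setdefault(base[:i] + n + base[i + 1:], f"adjacent key at digit {i + 1}")
        if i < 9:  # two consecutive digits keyed in the wrong order
            swapped = base[:i] + base[i + 1] + d + base[i + 2:]
            found.setdefault(swapped, f"transposed digits {i + 1}-{i + 2}")
    found.pop(base, None)
    # NANP area codes and exchanges never start with 0 or 1, so drop undialable results.
    return {v: why for v, why in found.items() if v[0] not in "01" and v[3] not in "01"}

def flag_traps(number, reputation):
    """Return (variant, slip, report) for variants present in a reputation feed."""
    variants = misdial_variants(number)
    return sorted((v, variants[v], reputation[v]) for v in variants if v in reputation)

# Constructed sample data: fictional 555-01xx numbers and made-up reports.
SAMPLE_REPUTATION = {
    "8005550124": "robocall offering gift card",
    "8005550242": "callback requesting card number",
    "2125550199": "unrelated complaint",
}

if __name__ == "__main__":
    for hit in flag_traps("1-800-555-0142", SAMPLE_REPUTATION):
        print(*hit, sep=" | ")
```

Any variant that matches a complaint record is a candidate for a test call and a takedown or carrier report.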
The results confirmed that the scam is common. Of the 600 institutions we analyzed, 103 appear to be similarly afflicted by the misdial trap scam. This is just over 17 percent, or one out of every six banks. The size of the affected institutions varies widely, and includes mid-size banks as well as some in the top twenty. Some institutions also have multiple numbers under attack. Considering there are nearly 17,000 financial institutions in the U.S., this scam presents a sizeable threat.
Pindrop is taking necessary steps to notify each of the institutions affected by the misdial trap. For information about how to determine if your financial institution is affected by the misdial trap, please see our scam advisory.
Fraud is a multi-channel activity, and phone fraud costs banks and financial institutions nearly $2 billion each year, yet investment in anti-fraud technologies tends to focus heavily online. The misdial trap scam is the latest example of how sophisticated criminal rings are taking advantage of vulnerabilities in the phone channel to collect consumer information and defraud banks.
-Scott Strong, Raj Bandyopadhyay, David Dewey, Yatin Kanetkar and Valerie Bradford