Martin Dodd, Managing Director, Connect, Lloyds Banking Group
With the spotlight remaining on the evolving threat of online fraud, phone fraud is an area that is often overlooked. It is, however, an area where fraudsters, aided by new technology, still look for opportunities.
Smarter thinking, collaboration and using innovation are helping organisations to stay a step ahead. We recently announced that we are implementing Pindrop’s patented Phoneprinting™ technology to help further protect our customers against potential fraudsters. The technology allows our contact centre colleagues to be in a better position to identify the authenticity of a caller, and therefore provide a better experience for the millions of customers who call us every day.
The science behind Phoneprinting
How it works is really impressive: the technology identifies, in real time, 147 unique characteristics of a call as it comes in and then uses this insight to calculate a risk score. The risk score helps our colleagues to decide whether a caller is legitimate or a potential fraudster. We can then adapt the questions that we need to ask to verify and authenticate that it’s a genuine customer that we are speaking to.
We’re always looking to be on the front foot where potential fraudsters are concerned and we know that we need to apply a number of different layers of detection and prevention. Technology like Pindrop’s Phoneprinting gives us an additional level of reassurance that we are detecting potential fraudsters faster and are therefore improving the experience for genuine customers with quicker authentication and shorter call times.
Development and expansion
We are integrating Phoneprinting across all of our contact centres across the UK, with the technology benefiting Lloyds Bank, Halifax and Bank of Scotland customers.
We know that fraudsters will continue to see potential opportunities as technologies evolve but we are committed to continuing to lead the industry in this important area.
To learn more about how to combat phone fraud in the call centre, read this whitepaper by customer experience expert, Martin Hill-Wilson.
Last week, Pindrop joined nearly 35,000 attendees at the NRF Annual Convention and EXPO in New York City. According to speakers from the event, retail brands will need to focus on their customers, their technology, and their leadership in 2017. Customer priorities are constantly adapting as available technology changes. These new innovations and technical capabilities will continue to transform the retail experience for customers, and brands will need to hone in on how to administer an experience that is not only timely, but also secure. According to Vishaal Melwani, CEO of menswear retailer Combatant Gentlemen, “there will be more emphasis placed on the omnichannel experience as companies continue to look for fresh ways to connect with consumers through the intersection of offline and online” in 2017.
While the retail experience is becoming increasingly omnichannel, retailers are still neglecting the phone channel, the weakest link in security, as a common point of access for customers. Despite the intent to administer positive customer experiences, contact center agents often fall victim to the methods that enable fraud attacks. Today, Caller ID is freely spoofed and knowledge-based authentication questions (KBAs) are easily bypassed. Criminals either socially engineer the answers, find them online, or purchase them on the black market. Fraud efforts are becoming increasingly aggressive in their attempts to fool contact center agents into processing fraudulent card-not-present (CNP) transactions.
According to Aite Group, an independent research firm, 72% of executives expect call center fraud loss to continue to grow, with $4 billion in counterfeit card fraud moving into the phone channel. These fraud attacks increase operational costs, decrease customer satisfaction, and jeopardize brand reputation as customer data is repeatedly lost to fraud. Retailers’ existing security systems are not robust or secure enough to handle the increasing volume of data filtering across web-enabled devices and processes. A digitally-influenced retail experience may enable brands to conduct business from a variety of access points, but it is also putting their enterprises under siege. By adopting next-generation security measures, including data loss prevention methods, cloud-based solutions, and contact center protection initiatives, retailers are sheltering sensitive digital content and lessening their exposure to fraud.
Businesses of all sizes need to assess which data is most at risk from a cyberattack and ensure their security solution protects against potential threats. Learn more.
Aite Group, an independent research and advisory firm focused on business, technology, and regulatory issues, interviewed 25 executives at 18 of the top 40 largest U.S. financial institutions based on asset size in order to provide an evaluation of the current state of fraud. New research proves that contact centers are being attacked more than ever before. Aite’s Senior Analyst, Shirley Inscoe, joined Pindrop’s Director of Research, Dr. David Dewey, to discuss the growing threat of fraud in the contact center during this session.
With the rollout of EMV chip cards, fraudsters have redirected their attacks to the contact center for data mining and account takeover. Sixty-one percent of fraud can be traced back to the contact center, but it doesn’t end there – fraud is a cross-channel problem. Many enterprises fail to identify the contact center as the root cause of fraud loss, enabling fraud in other channels, such as debit card, credit card, and check order takeover. Meanwhile, fraudsters are capitalizing on this misdiagnosis and targeting the contact center as the weakest link in security.
Contact center fraud loss is expected to double from $393M to $775M by 2020. As chip cards continue to gain momentum in the United States, organized fraud rings will continue targeting the phone channel, replacing traditional counterfeit card fraud. Current authentication factors in the contact center often fail due to the data fraudsters acquire through social engineering tactics in order to reset account credentials. Armed with data, organized fraud rings probe agents at enterprises for the information they need to access customer funds, and the point of least resistance is often the contact center.
Organized fraud rings are using automated attacks, specifically robotic fraudsters, targeting interactive voice response (IVR) systems, to keep their costs down while still managing to dramatically increase market coverage. Despite the intent to administer positive and timely customer experiences, contact center agents often fall victim to the social engineering methods that enable fraud attacks. Fraud attacks increase operational costs, decrease customer satisfaction, and jeopardize brand reputation as customer data is repeatedly lost to fraud. Contact centers will continue to enable cross-channel fraud until technology solutions are implemented to thwart it.
Analysts at Aite Group have identified five key security and service steps that legacy solutions are failing to perform. These are the features that are keeping Caller ID, KBA, and voice biometrics from being viable anti-fraud and authentication solutions for the contact center. With 61% of account takeovers traced back to the contact center, this $400 million problem needs immediate resolution.
Protecting personal data in the contact center relies on a best-in-class security solution that benefits both the organization and the customer through:
- Universal Coverage. Customers must be authenticated and fraudsters must be identified on their first call. This prevents fraudsters from being able to enroll as illegitimate customers and alleviates customer privacy concerns.
- Accuracy. The right solution accurately differentiates between legitimate and illegitimate customers. Legacy solutions, such as Caller ID verification and KBA, fail to provide the accuracy needed.
- Speed. Contact center agents must be informed about the legitimacy of callers before they provide access to personal data. KBA takes a long time, which frustrates legitimate customers and offers fraudsters many chances to collect data.
- Low Friction. Customers want service that requires little effort on their part. Most voice biometrics solutions require an enrollment process, which leads to longer call times and lower customer satisfaction.
- Foolproof Technology. Fraudsters are currently using voice distortion, spoofing, social engineering, gateway hacking, and more to circumvent traditional security measures. The right solution needs to withstand these attempts to break through protection.
How do the largest global contact centers stop fraud and protect their customers?
According to a recent survey of 25 executives at 18 of the 40 largest US financial institutions, Phoneprinting™ is the highest ranked contact center anti-fraud solution. Pindrop’s patented technology analyzes 147 different factors in the audio of a phone call in order to create a unique signature that allows contact centers to accurately detect fraud. Avivah Litan, VP Distinguished Analyst at Gartner, describes phoneprinting technology and voice biometrics as “complementary technologies” that mutually benefit both contact center agents and security teams. This phoneprint allows a fraud analyst to create a unique signature for an illegitimate caller, while also determining the caller’s true geographic location, device type, and more. Unlike a phone number or a voice, this information is impossible for fraudsters to manipulate. Phoneprinting allows Pindrop’s customers to catch over 80% of fraud calls with less than a 1% false positive rate.
Phoneprinting provides universal protection for all incoming calls to the contact center, allowing contact center agents to identify unknown attackers on their very first call while also creating a robust intelligent blacklist of known attackers. Contact centers are empowered with the technology necessary to stop fraud loss, reduce operations costs, protect brand reputation and compliance, and improve the customer’s overall experience.
This week, Financial Times met with Pindrop CEO, Vijay Balasubramaniyan, to discuss the future of voice authentication. Voice is an “extremely rich” and quick way of authenticating someone’s identity.
GB Times reported that, after over 70 Chinese wire fraud suspects were deported from Kenya to China in April, a gang of Chinese and Taiwanese fraudsters was arrested in Turkey on suspicion of phone fraud. The gang reportedly stole information from over 3,000 Chinese tourists.
Forbes: Scam Alert: Why the IRS won’t call you – Fraudsters frequently use psychological attempts to scare people into giving up personal information used for identity theft. Once the fraudsters have possession of that sensitive information, they can open credit accounts and start stealing away. Generally anyone who asks for money immediately over the phone is a fraudster.
Tech Dirt: AT&T Falsely Blames the FCC for Company’s Failure to Block Annoying Robocalls – AT&T is pointing fingers at the FCC as the cause of the company’s lack of robocall-blocking technology. Recently, the FCC gave permission to the carriers who wanted to offer consumers robocall-blocking services. AT&T is one of the only companies that did not implement such technology.
South China Morning Post: Phone scam targets Hongkongers, exploits rocky relations between China and Philippines – Crime bosses behind an Asia-wide phone scam operation that has fleeced hundreds of Hongkongers out of HK$350 million in less than a year have shifted their sights to the Philippines as law enforcement tightens.
The Morning Call: Arrests Made in IRS Phone Scam – Five more people were arrested in Miami due to their involvement in an IRS phone scamming ring. Accused of stealing over $2 million from 1,500 people, the perpetrators targeted people all over the US. Progress is being made in combatting IRS scams, and the number of successful calls is dropping drastically.
The Journal News: Harrison cops go to Maine to bust phone scammer – Harrison Police traveled to Maine to arrest known fraudster Donovan Wallace after he cheated a woman out of over $23,000. Wallace is also linked to similar scams along the East Coast and a ringleader in Jamaica, where authorities are helping with the investigation.
KRON4 - Bay City News: Elderly man falls victim to IRS phone scam in Santa Clara – An elderly Santa Clara man made 3 deposits totaling over $5,000 when a fraudster posing as an IRS agent informed him that he was being audited for $5,900. The victim made 3 deposits while on the phone with the fraudster, and 2 were claimed before the police got involved. No arrests have yet been made.
This week Find Biometrics stated Citi and HSBC banks, two of the largest in Hong Kong, are preparing to launch biometric identification systems for their call centers. This transition will improve both customer service as well as efficiency in the call centers, according to the banks.
The Washington Post reported that the potentially lethal form of prank-calling known as swatting might soon come with 20 years of jail time. The bill just passed out of the House Energy and Commerce Committee and will soon be in a floor vote in the House.
BBC: The prank call crimewave – After a string of prank calls that led to several fast food restaurants smashing their windows, BBC Trending looked at similar events from 2009. Using a now defunct website, pranksters have been organizing themselves to initiate these calls.
BBC: Gang jailed over pensioner phone scam – Eight men from London have been jailed for a phone scam that defrauded UK pensioners out of more than £1m. One accomplice to the crime was X Factor contestant Nathan Fagan-Gayle, who received a 20-month jail sentence for money laundering.
Huffpost Crime: Military Phone Scams: Phone Fraud and Identity Theft a Growing Issue for Military Personnel – Recently, fraudsters have turned to stealing the identities of military personnel who are currently serving. These con artists will use social reconnaissance to obtain profile pictures and social media posts to convince victims to send money overseas.
Consumerist: FCC Trying To Minimize Annoyances From New Robocall Debt Collection Loopholes – After a bill passed last fall that included a loophole to allow debt collectors to use robocalls to chase down consumers, the FCC is fighting for a way to lessen the frustration by limiting the number of robocalls made.
ITProPortal: When vishing and phishing attack – Because of the success of phishing attacks, social engineers have turned to voice phishing, or “vishing” to extract sensitive information from victims over the phone. ConsumerProtect.com has created an infographic on the subject.
Los Angeles Times: Getting phone calls seeking divine assistance? You may be a victim of ‘spoofing’ – A Long Beach resident says he’s received dozens of calls from seekers of divine assistance from a televangelist known as Prophet Manasseh Jordan. Callers claim that the resident’s number appeared on their Caller ID screen during Jordan’s robocalls.
This week the Guardian shared the story of account takeover fraud at Nationwide bank in the UK. In this multi-part attack, fraudsters took over the target’s mobile account, registered for mobile banking, and increased overdraft protections all by contacting call centers. Fraudsters monetized the attack using Apple Pay.
Consumer Reports published the results of a new study on Monday that found millennials are the most likely to lose money to a phone scam. 38 percent of millennial men report having lost money to a phone scam, compared to 11 percent of average Americans.
Schneier on Security: Bypassing Phone Security through Social Engineering – Undercover police officers in the UK used social engineering techniques to bypass iPhone security when investigating a terrorist suspect. Police impersonated the suspect’s work manager, asking for proof that he was in the office on a particular day.
The Sydney Morning Herald: Fraudsters rip off $5m from elderly victims using telephone scam – In one case, the scammers netted $600,000. The scam started with a phone call from someone purporting to be the manager of a Rolex store, who said that a youth posing as their nephew had been detained trying to use Albert’s credit card.
No Jitter: Hacking as a Service Part Two: Help is Here – At this point, a caller has been deemed safe enough to be allowed into the system and potentially into the ear of a real human being. Even still, security measures can be applied by listening in on the call to programmatically find anomalies.
The Atlantic: The Long Life (and Slow Death?) of the Prank Phone Call – Advances in technology apparently bring with them new possibilities for playfulness at someone else’s expense. There’s still something to be said for the visceral thrill of trying to fool someone voice to voice, it seems—even if you don’t quite pull it off.
South China Morning Post: Phone scammers pretend to be Hong Kong immigration officers – Bogus immigration officers have duped Hongkongers out of about HK$1 million in the latest round of phone scams as con artists have come up with a new ruse, the Post has learned. About 20 victims fell for the new tactic.
Gizmodo: Do Not Call the Number in This Instagram Ad – Yesterday on my Instagram feed was a sponsored post claiming “Millions of Americans are applying for Obama’s New Student Debt Forgiveness Program” and promising I could qualify in less than five minutes if I tagged a friend and called a toll-free number.
This week, Mashable reported that NPR accidentally hacked listeners’ Echos with a radio broadcast, proving the devices can be ‘hijacked’ by a speaker outside the home. NPR listeners reported the news story prompted Alexa to reset thermostats, play news summaries, and more. As the Echo begins to offer more features like paying for music and pizza, larger security concerns are beginning to arise.
According to Forbes, the IRS is warning consumers about a new variation on the IRS phone scam. Consumers are reporting that scammers are calling, saying they need to verify some information to process your return. Those details generally lead to identity theft.
FTC Blog: Avoiding imposter scams – Maria got a phone call one day. The caller, who claimed to be an attorney, told Maria there was a court order against her and that she had to pay hundreds of dollars to settle an old debt. If she didn’t pay, there would be dire consequences.
New York Post: ‘Prophet’ harassing NYers with robocalls demanding cash: suit – Self-proclaimed “prophet” Yakim Manasseh Jordan, 25 — who lives a “lavish lifestyle” with multi-million dollar homes and luxury cars — bombards personal phone lines across the country with up to six automated calls a day, according to the class action lawsuit.
Atlanta Business Chronicle: Georgia Department of Revenue gets ‘spoofed’ – The Georgia Department of Revenue (DOR) reported its phone lines have been subject to Caller ID spoofing. Spoofing occurs when the Caller ID of the caller appears to be coming from a valid number. DOR was first made aware of the scam on March 10.
On the Wire: On the Wire Podcast: David Dewey – In this episode of the podcast, Dennis Fisher talks with Dewey about the research, how the card issuers have addressed the problems he found, and what can be done to further secure mobile payment systems.
On the Wire: IRS Phone Scammers Shift Tactics – The variety of IRS tax scams is continuing to increase, and the agency is now telling consumers to be wary of a recent shift in scammers’ tactics. The latest version involves scammers calling to “verify” details of tax returns and harvesting valuable personal information.
BBC: Pensioner loses £20,000 in phone scam – The woman was contacted by someone claiming to be from the Visa Fraud Unit over suspicious account activity. She was asked to transfer funds to another account to “protect” them but when she did so the money was taken and the scam completed.
On Tuesday, BBC Radio investigators demonstrated two ways to take over a NatWest bank account using the phone. Using social engineering, a fraudster could simply report a victim’s phone lost or stolen, then ask to have their phone number switched to a new SIM card, owned by the criminal. Alternately, the fraudster can simply steal the victim’s phone.
The FBI recently announced a Jamaican lottery scammer has been sentenced to 10 years in prison. According to Special Agent John Gardner, “The Jamaican lottery scammers are like an organized cyber crime group. They are closely knit, highly structured, and have U.S. associates—money mules—who help launder their money.”
Wired: Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid – TDoS attacks are similar to DDoS attacks that send a flood of data to web servers. In this case, the center’s phone systems were flooded with thousands of bogus calls that appeared to come from Moscow, in order to prevent legitimate callers from getting through.
PYMNTS: Apple Pay’s Low-Tech Security Problem – “Fraudsters and hackers are like water: They’re going to take the easiest path to get what they want. Right now, this is that easiest path … There’s no point of even trying to find a vulnerability in EMV because this works so well,” said Pindrop’s David Dewey.
The Telegraph: Thousands of immigrants targeted for cash in phone scam – Immigrants are being targeted by fraudsters posing as Home Office staff who demand money in exchange for allowing them to remain in the UK, it has been claimed. Visa holders have been pressured into handing over thousands of pounds.
eSecurity Planet: 3 Ways to Defeat ‘Microsoft’ and ‘Dell’ Phone Scams – Technological solutions can also make a significant difference. Knieff suggests looking into voice solutions from companies like Pindrop, which can watch out for recognized criminals. Advanced data loss prevention solutions are also worth looking at, Knieff said.
Consumerist: Lawmakers Renew Push To Curb Unwanted Robocalls – Sen. Ed Markey (MA) introduced the HANGUP Act, which would close the robocall loophole. Even though robocalls are one of the few issues that are not currently partisan, the bill has been sitting idle in committee since being introduced.
On The Wire: Bypassing Phone Fingerprint Sensors With an Inkjet Printer – Researchers at Michigan State University have developed a clever hack that allows them to scan and then print a target user’s fingerprint and then use it to unlock a mobile phone via the fingerprint sensor.
This week, Forbes reported on Pindrop’s 2016 RSA session, “The Art of Avoiding Authentication.” Pindrop’s Director of Research, David Dewey, tested how Apple Pay’s call center authentication option could be compromised at major financial institutions.
On Tuesday, American Banker’s Penny Crosman interviewed Pindrop’s CEO, Vijay Balasubramaniyan, on how fraudsters are using the phone channel. Balasubramaniyan pointed out, “If you’re able to detect suspicious IVR activity, you can forewarn banks on average 30 days before account takeover even starts happening. It’s almost like ‘Minority Report.’”
Krebs on Security: Credit Unions Feeling Pinch in Wendy’s Breach – Even if thieves don’t know the PIN assigned to a given debit card, very often banks and credit unions will let customers call in and change their PIN using automated systems that ask the caller to verify the cardholder’s identity by keying in static identifiers.
Money: IRS System Meant to Protect ID Theft Victims Seems to Have Been Hacked – Knowledge-based authentication (sometimes called KBA), asks taxpayers four multiple-choice questions about their credit history — such as “On which of the following streets have you lived?” And these questions can be easily answered with random guessing.
Speech Technology Magazine: Pindrop Launches IVR Anti-Fraud Solution – Pindrop recently launched IVR Anti-Fraud, which the company says is the first comprehensive call center fraud detection capable of monitoring all customer voice channel interactions. Fraudsters can use IVR systems as their gateway into more extensive fraud.
The Wall Street Journal: Cybersecurity Startups Describe New Fundraising Hurdles – “VCs were much more discerning and they wanted proof that you have a real product that is delivering a strong return on investment to customers,” said Vijay Balasubramaniyan, CEO and co-founder of Pindrop.
On The Wire: Sidestepping Apple Pay Enrollment Authentication – “Authentication through an app is very secure, because if they’re doing it properly they know specifically it’s your device they’re sending the authorization to,” Dewey said. “A phone call is the weakest of these possible options.”
Network World: New products of the week 2.29.2016 – Our roundup of intriguing new products: Pindrop’s IVR Anti-Fraud analyzes multiple layers of information to help identify suspicious callers for live agent calls in contact centers in the financial services, retail, insurance, and government industries.