Fraudsters live and die today by executing what some might call prank calls. Only the punchline hits businesses in their pockets, leaving law enforcement and companies to ask, “How do we stop them?” They are robocallers, voice phishers and caller ID spoofers using cybercrime techniques to launch scam campaigns through a telephony channel that many people have long trusted.
I am excited for Marzuoli to discuss her latest research findings on the most menacing trends in the telephony channel and describe the calling patterns she tracked via a telephony honeypot. She will share her original thesis and how she used Pindrop’s honeypot to gather and analyze accurate and timely information on unwanted phone calls across the United States. By showing how these bad call sources can be quickly and accurately identified using features extracted from honeypot call audio, Pindrop Labs stands to aid law enforcement and businesses across the globe that are combating rising telephony fraud.
Using machine learning and semantic information extracted from honeypot call audio, Marzuoli and her team analyzed over 500,000 calls collected over five months from 90,000+ unique source phone numbers. Leveraging this data, Pindrop Labs developed a method to “fingerprint” high-risk call sources that attempt to hide behind multiple phone numbers, and to detect them in the first few seconds of a call.
In total, Marzuoli’s research covered 1,072,840 calls placed to a honeypot by 209,755 sources to 57,818 destinations. Out of these calls, she sampled over 100,000 for recording and analysis. The eye-opening results were shared with the Federal Communications Commission and the Federal Trade Commission. We look forward to sharing these results and what can be done to protect consumers and stop robocall scams.
I will be in the audience as she takes the stage and we will both be available after the session. I hope you will join us at Black Hat on August 4, 2016 at 5 pm PST in the South Seas CDF room. More details on her session are available here.
The UK sees more than 2x the amount of call center fraud than the US
The UK is no stranger to phone fraud in financial institutions. Recent data compiled in Pindrop’s 2016 Call Center Fraud Report shows that 1 in every 700 calls made to enterprise call centers in the UK is fraudulent. This is more than twice the fraud call rate in the US.
A major factor behind the high level of fraud in the UK is the chip card technology rolled out there in 2004. Because chip cards make card-present fraud harder, attackers moved toward card-not-present channels, notably the call center, to keep making fraudulent transactions.
This shift gives the US valuable insight into the future of call center fraud, given the recent transition to chip-and-PIN cards stateside. According to the Aite Group, fraud attacks on the call center grew 79% in the UK following the chip card rollout.
Fraud calls in the UK are mostly domestic
72% of fraud calls to financial institutions originate within the UK. The US sees a much lower share of domestic fraud calls, at only 48%. Again, the high percentage of domestic fraud calls is linked to chip cards. When chip cards were first introduced in Europe, card-present fraudsters moved to non-physical attacks like call center fraud rather than relocating out of the country. Beyond the UK, similar trends have been seen in other European countries that have implemented chip cards. France, for example, saw domestic card-not-present attacks increase by more than 360% between 2004 and 2009 (Iovation, Fighting CNP Fraud: 5 Things to Consider).
Most UK fraud comes from mobile devices
UK financial institutions see 64% of fraud calls coming from mobile devices, while the US sees only 37%. In the UK, it is easier to configure mobile phones to present a restricted caller ID. In fact, 70% of fraud calls in the UK use a restricted caller ID rather than spoofing a phone number, the more common trick in the US.
The state of call center fraud in the UK gives us a glimpse of the future of fraud in the US, where phone fraud has risen 45% since 2013. Fraudsters take the path of least resistance, which in financial institutions is the phone channel. As physical and cyber security improve and data breaches become more frequent, bad actors exploit breached data over the phone. To combat fraud, financial institutions should implement security solutions around caller authentication and voice biometrics to ensure the safety of their customers.
Today we are pleased to announce our latest Pindrop Labs research, the 2016 Call Center Fraud Report. Our team has analyzed over 10 million calls to major enterprise call centers in the US and UK using patented Phoneprinting™ technology. The report outlines impact by vertical, attacker device type, and attacker location for enterprises in the US and UK, as well as new trends and attack vectors used by organized crime.
Strong online and mobile security plus the abundance of breach data and the rollout of EMV chip cards in the US means cybercriminals are changing tactics, exploiting the weakest link in the organization: the call center. The rate of call center fraud attacks has grown 45 percent since 2013. Other key findings and data points in the report include:
- In 2015, enterprises lost an average of $0.65 to fraud per call.
- In the UK, fraud rates are at 1 in 700 calls, which is more than double the 1 in 1,700 calls in the US.
- Credit card issuers and device insurance industries face the highest fraud rates, while credit unions and life insurance face lower fraud rates, but high fraud exposures.
Download the full report at https://www.pindrop.com/2016-CALL-CENTER-FRAUD-REPORT/
Read more from the Pindrop Director of Research, David Dewey, on Medium.
This week NPR shared a Pindrop researcher’s undercover conversation with a real IRS phone scam fraudster. More than 5,000 victims have been duped out of $26.5 million since 2013.
BBC reported this week that fraud losses in the UK totaled £755m last year. Pindrop’s Matt Peachey sat down with the BBC to discuss the need for multi-layered security, including monitoring behavior.
The Guardian: The terror of swatting: how the law is tracking down high-tech prank callers – In 2014, a swatting attack was launched on an Atlanta suburb police station that led to a year-long investigation in the US and Canada. This hoax was implemented by a 16-year-old who initiated nearly 40 attacks on homes, schools, and businesses.
The Boston Globe: Why police are having a tough time finding culprits in school robocalls – Dozens of Massachusetts schools are being plagued with a series of hoax robocalls including threats of bombs and roaming shooters. Why can’t authorities trace the calls? Using VoIP, these callers are able to hide their identities.
Ars Technica: “This is the IRS regarding your tax filings” says trio of overseas robocallers – While the FTC searches for a technology to combat robocalling, scammers have now started posing as agents of the IRS using robocalls. Pindrop has found that the wave of IRS scammers can be traced back to 3 distinct groups operating outside the US.
CreditCards.com: Credit card companies may be analyzing your voice – While credit card companies often record phone calls from cardholders, it’s not always for the purpose of quality assurance. Many banks are now analyzing calls and using advanced voice biometrics to root out criminals in the fight against call center fraud.
This is Money: You’re on your own if a conman raids your bank account – This week, This is Money and Money Mail have reported that just 2 out of 1,000 identity theft cases are investigated and that 70% of customers affected by scams never get a penny back.
ITProPortal: Nationwide develops behavioral authentication prototype – Nationwide’s Innovation Lab, BehavioSec and Unisys are developing an authentication system that uses a customer’s behavior to allow access rather than requiring an additional password to access their bank account from their mobile device.
The first step in protecting against phone scams is understanding how they work. That’s why in this series, we’re breaking down some of the newest and most popular phone scams circulating among businesses and consumers.
You’re a small business owner running a website through a popular hosting service. You have purchased the domain name that fits your company, and you set up your website. You muddle your way through figuring out SEO, meta tags, and keywords to get your website found in a quick Internet search. Then, from a local number, you get a phone call from a “Google specialist” claiming they have a front page position for your business with unlimited clicks, 24 hours a day. Your business is struggling to gain traction on the Internet, so you immediately press one at the behest of the specialist. You set your website up with the Google specialist. Quick and easy, you pay the specialist for the front page spot and you hang up.
What Really Happened
You realize shortly after hanging up with the Google specialist that your website is not displayed on Google’s front search page. You also realize that several withdrawals have been made from your account that you have not authorized. Soon after, you catch on to what has happened. You’ve been scammed, and the fraudsters stole your credit card information. How did this happen?
- Robocalling – Scammers use robocalls to reach a multitude of people quickly while concealing their identity and location through Caller ID spoofing
- Vishing – Fraudsters use the phone channel to persuade victims to divulge sensitive information, like credit card numbers, in order to initiate account takeovers
- Impersonation – By falsely implying that they are associated with Google, they gain your trust and/or intimidate you with their importance
Google Listing Scam Examples
Another day, another “Google Listing” call – A variation of the robocalls surrounding the Google Listing scam. According to Pindrop Labs research, there are 8 variations of robocalls connected to this scam.
Avoid and report Google scams – A list of scams tied to the Google name.
Pindrop Labs presents Emerging Consumer Scams of 2016 – Pindrop Labs has researched and discovered the 5 emerging phone scams affecting consumers in 2016, including the Google Listing Scam, and will be presenting a webinar on these findings on Wednesday, February 24th from 2:00-2:30pm ET.
Pindrop Labs Research Scientist Aude Marzuoli has discovered new findings that will start unraveling bad actors who hide behind multiple phone numbers. In her research, Marzuoli has found that 66% of online complaints about unwanted calls trace back to just 1.8% of the sources calling Pindrop’s Phoneypot™, a telephony honeypot of clean numbers used as bait to reel in scammers and robocallers.
“In 2015, the Phoneypot received about 8 million calls from about 880,000 phone numbers. Our analysis shows that 1.8% of the sources that called the Phoneypot generated 66% of the online complaints.” – Aude Marzuoli
These sources are hard to pin down because each of them calls from many different numbers, but research from Pindrop Labs is now making it easier to identify those bad actors.
Marzuoli will be speaking at this year’s M3AAWG General Meeting in San Francisco February 17th.
Robocalling, voice phishing and caller ID spoofing are common cybercrime techniques used to launch scam campaigns through the telephony channel, which unsuspecting users have traditionally trusted. More than 660,000 online complaints about unwanted phone calls were recorded on the six most prominent complaint websites in 2015. More reliable than online complaints, the Phoneypot at Pindrop Security, a telephony honeypot, provides complete, accurate and timely information about unwanted phone calls throughout the United States. In 2015, the Phoneypot received about 8 million calls from about 880,000 phone numbers. Our analysis shows that 1.8% of the sources that called the Phoneypot generated 66% of the online complaints. However, 68% of the sources calling the Phoneypot call only once or twice, so catching a bad actor operating several phone numbers can be difficult. Using a combination of natural language processing and machine learning, we developed a tool to identify bad actors hiding behind several phone numbers (whether real or spoofed, restricted or anonymous), whether or not they call frequently. The results show that only a handful of bad actors are responsible for the majority of spam and scam calls, and that they can be uniquely phoneprinted based on their audio signature.
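The analysis the abstract describes can be sketched on a small constructed log, as an added example that is neither Pindrop’s code nor Phoneypot data. Ten source numbers, their call volumes and the script heard on the line are all made up. `volume_stats` computes the two concentration figures the text talks about (the share of sources that call at most twice, and the smallest share of sources behind 66% of the calls), and `cluster_sources` stands in for the natural language processing step with a deliberately simple technique: Jaccard similarity of the words in each script after callback numbers are stripped, joined by union-find, so that one campaign rotating through several numbers collapses to one actor. The scripts, numbers and the 0.5 threshold are assumptions.

```python
import re
from collections import Counter
from itertools import combinations

IRS_SCRIPT = ("This is the IRS. A lawsuit has been filed against you for unpaid taxes. "
              "Call {} immediately.")
LISTING_SCRIPT = ("Press one to claim your free Google listing and front page "
                  "placement for your {}.")

# Constructed honeypot log: (source number, times it called, script heard on the line).
# Fabricated sample data for this example, not Phoneypot records.
SOURCES = [
    ("+12025550101", 6, IRS_SCRIPT.format("202-555-0199")),
    ("+12025550102", 4, IRS_SCRIPT.format("202-555-0188")),
    ("+13125550103", 2, "This is the IRS. A lawsuit has been filed against you for "
                        "unpaid taxes. Call back 312-555-0177 immediately."),  # same campaign, new number
    ("+14045550104", 3, LISTING_SCRIPT.format("business")),
    ("+14045550105", 1, LISTING_SCRIPT.format("company")),
    ("+15125550106", 1, "Hi, it's Dave, is Karen there?"),
    ("+15125550107", 1, "Your prescription is ready for pickup at the pharmacy."),
    ("+15125550108", 1, "Reminder: your dentist appointment is tomorrow at nine."),
    ("+15125550109", 1, "This is the school district calling with a weather closure announcement."),
    ("+15125550110", 1, "Hello, I'm returning a missed call from this number."),
]
# One (number, script) record per call, i.e. what the honeypot would log.
CALLS = [(number, script) for number, times, script in SOURCES for _ in range(times)]


def script_tokens(transcript):
    """Lowercase word set with digits removed: callback numbers change per campaign number."""
    return set(re.findall(r"[a-z']+", re.sub(r"\d", " ", transcript.lower())))


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0


def volume_stats(calls):
    """Per-source volume figures: how many sources are one-off callers, and how
    concentrated the call volume is among the heaviest sources."""
    counts = Counter(number for number, _ in calls)
    total = sum(counts.values())
    low_volume = sum(1 for c in counts.values() if c <= 2) / len(counts)
    running, needed = 0, 0
    for c in sorted(counts.values(), reverse=True):
        running += c
        needed += 1
        if running / total >= 0.66:
            break
    return {
        "sources": len(counts),
        "calls": total,
        "share_calling_at_most_twice": low_volume,
        "share_of_sources_behind_66pct_of_calls": needed / len(counts),
    }


def cluster_sources(calls, threshold=0.5):
    """Union-find over source numbers whose scripts are near-duplicates (assumed threshold)."""
    scripts = {}
    for number, transcript in calls:
        scripts.setdefault(number, script_tokens(transcript))  # one representative per number
    parent = {number: number for number in scripts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(scripts, 2):
        if jaccard(scripts[a], scripts[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for number in scripts:
        groups.setdefault(find(number), set()).add(number)
    return sorted(groups.values(), key=len, reverse=True)


def multi_number_actors(calls, threshold=0.5):
    """Clusters spanning more than one number, with the share of all calls each generates."""
    counts = Counter(number for number, _ in calls)
    total = sum(counts.values())
    return [(sorted(group), sum(counts[n] for n in group) / total)
            for group in cluster_sources(calls, threshold) if len(group) > 1]


if __name__ == "__main__":
    print(volume_stats(CALLS))
    for numbers, share in multi_number_actors(CALLS):
        print(f"{len(numbers)} numbers, {share:.0%} of calls: {numbers}")
```

On this toy log 70% of sources call at most twice, yet two actors operating five numbers between them account for 76% of all calls, which is the shape of result the abstract reports. Word overlap is a crude proxy for the audio and language features the research actually uses; it is enough to show why per-number blocklists miss campaigns that rotate numbers.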
It’s that time of year again. We’ve asked Pindrop Labs researchers to break out their crystal balls and make some predictions for the coming year in phone fraud. Below are a few of the trends that our team will be watching for in 2016.
Scammers Hit the Campaign Trail
2016 is an election year, which means fraudsters will be getting political. Already, the Pindrop scam scanner has been seeing a major uptick in phone spam from political robocalls. New robocalling technology is allowing candidates to organize live “town hall” meetings over the phone. It is also easier than ever for voters to donate money quickly and easily over the phone.
Prediction: In 2016, consumers should be on the lookout for fraudulent callers asking for campaign donations. Pindrop researchers recommend never donating to a political campaign during an unsolicited phone call.
Creative Data Breaches
In 2015, data breaches at Ashley Madison and toymaker VTech proved that cybercriminals are after more than your Social Security Number and mother’s maiden name. Fraudsters are building out profiles of their targets with information stolen from data breaches, and using those details for sophisticated social engineering and spear-phishing attacks. Creative fraudsters are exploiting all kinds of information, from children’s chat records, to travel plans, and even sexual preferences.
Prediction: Creative data breaches will continue in 2016. Pindrop Labs researchers point out that the healthcare industry and companies involved in the Internet of Things (IoT) are particularly vulnerable. They also see popular “sharing economy” sites, like Uber and Airbnb, as lucrative potential targets for data breach hackers.
Mobile Wallet Pick Pockets
One of the major cybersecurity stories in 2015 was the introduction of Apple Pay and the subsequent flood of fraudulent activity. Fraudsters quickly learned how to manipulate Apple Pay authentication procedures by socially engineering call center agents. Though many financial institutions have improved Apple Pay security measures, Apple Pay competitors are gaining popularity. Financial Institutions now need to contend with Google Wallet, Samsung Pay, Android Pay, PayPal, Chase Pay, and more.
Prediction: As mobile wallets become more mainstream, fraudsters will find new loopholes and workarounds to take advantage of those new technologies.
Impersonating Uncle Sam
2015 has been the year of the IRS scam. Fraudsters are no longer targeting just vulnerable populations like immigrants and the elderly. Instead, they’re blasting scam robocalls, blanketing the country with scary messages from the “IRS.” Fraudsters have learned that Americans are generally intimidated when it comes to law enforcement, the federal government, and complicated financial filings. Adding to the difficulties, in late 2015, Congress passed a law allowing government sponsored robocalls to collect debt owed to the government – think back taxes and overdue student loans. Before, the government told consumers they would never call to collect back taxes, but the line may now be muddled.
Prediction: IRS scammers will expand into “collecting” other types of government debt. College graduates with outstanding student loans should be on high alert.
Earlier this week, news broke that hackers had accessed the personal email accounts of CIA director John Brennan and Homeland Security Secretary Jeh Johnson. These attacks on some of America’s most security-focused leaders sound like they must have been incredibly sophisticated – maybe the result of organized crime leaders or international espionage. But as it turns out, the attacker was simply a teenager with access to a phone.
How did a self-described “pot smoking teenager” manage such a high-profile attack? He used a technique known as “social engineering,” which is a fancy way of saying he tricked a few call center agents. Wired reporter Kim Zetter described the process in an article posted Monday night:
- The hacker started with Brennan’s mobile phone number. After looking it up online, he found that Brennan was a Verizon customer.
- The hacker called Verizon, pretending to be another Verizon employee having technical issues. Verizon call center agents helped the hacker access Brennan’s account number, PIN, backup mobile number, AOL email address and the last four digits on his bank card.
- Working down the daisy chain, the hacker next called AOL, impersonating Brennan himself. He claimed he was locked out of his email account and needed the password reset. AOL customer service reps asked security questions, but the hacker was able to answer correctly using information collected from the earlier Verizon call.
- The hacker reset the password to Brennan’s AOL email and downloaded several years worth of information, including Agency related documents, a log of Brennan’s phone calls, and his contact lists.
The hacker used a similar method to break into Jeh Johnson’s Comcast email account. And we’ve seen this kind of high profile call-center based attack before. In 2012 hackers called Apple to reset reporter Mat Honan’s accounts and take over his Twitter. Earlier this year, novelist Andy Weir was the target, with the hackers calling Comcast to get access to his social media accounts.
Hackers today use the phone channel as a way to quickly and easily gain access to online accounts. They work across industries, gathering information on their targets from different organizations to build a profile before their final attack.
The message is clear: Call centers are the weakest link. All organizations are vulnerable when it comes to the phone channel, because the main line of defense for most call centers is little more than a friendly customer service agent asking a caller for their mother’s maiden name.
Call centers must find better ways to authenticate callers, before agents are able to give away valuable personal information. Organizations that rely on a call center should follow the lead of some of the largest US financial institutions, which are now implementing solutions based on Phoneprinting™ and voice biometrics to authenticate callers based on risk.
Phoneprinting analyzes 147 characteristics of the background audio of a call to determine the caller’s location, device type, and other characteristics, creating a unique identifier for each caller. Within the first 30 seconds of a call, Phoneprinting can tell a call center agent whether the call is suspicious, if the phone number is being spoofed, or the caller is a known fraudster.
Gartner vice president and distinguished analyst Avivah Litan addressed the issue in an article for Forbes last year writing, “The best security is always layered security, and this principle holds true when securing the telephony channel… Phoneprinting combined with voice biometrics provides the strongest method for detecting fraudsters who call into enterprises.”
With any major data breach, we expect to see an increase in phone scams. Attackers sell hacked customer data on the black market. Other criminals use the information to mount social engineering attacks on consumers. The recent attack on dating website Ashley Madison, however, could take these types of phone scams to a new level.
Ashley Madison is a site dedicated to helping its users arrange extramarital encounters. Their tagline is “Life is short. Have an affair.” On July 19, Brian Krebs broke the news that hackers had accessed information from up to 37 million Ashley Madison users, complete with contact information, pictures, and profile information. With this breach, Pindrop Labs predicts that attacks on consumers will be particularly vicious. Some attacks we’re expecting to see are:
- Extortion & Blackmail
The most obvious use for Ashley Madison user data is extortion schemes. Attackers who gain access to user profiles have names, contact information, sexual orientation, and potentially embarrassing photos of people who are actively trying to have an extramarital affair. Attackers could simply call Ashley Madison users and threaten to make the affairs public or to publish the photos. Many users would pay to keep their information secret.
- Catfishing & Dating Scams
In addition to names, pictures, and contact information, hackers have allegedly stolen entire profiles from the dating site. The information contained on these profiles is often intensely personal, and includes information on fantasies and other intimate details.
This makes Ashley Madison users particularly vulnerable to catfishing schemes, where a person is targeted and lured into a relationship by means of a fictional persona, who then scams victims for money. Attackers who buy Ashley Madison profiles could target users over the phone, email, or other dating sites, with the knowledge that a specific user would be particularly attracted to certain activities, body types, or personalities.
- Phone Spam
A slightly less threatening result of the attack for Ashley Madison users might be a big uptick in phone and email spam. Ashley Madison users are likely more primed than most to respond to products typically advertised in spam, such as diet pills and enhancement products.
- Robocalling Attacks
Even if Ashley Madison manages to keep the hackers from publishing user information, their users remain at high risk for phone scams. This is because we now know that the site is extremely popular in many specific areas. Since news of the attack first broke, reporters have filed stories full of “fun Ashley Madison statistics” like the fact that 1 in 5 Ottawa residents is a subscriber, Washington D.C. and San Antonio are the two US cities with the most members per-capita, and the top 20 Chicago Area suburbs for Ashley Madison affairs.
Phone scammers can simply target areas with known high concentrations of Ashley Madison users, robocalling individuals at random and leaving voicemails threatening blackmail. (Similar techniques are already widely used for the IRS scam and deportation scams.) In a city like Ottawa, up to 20% of people who receive such a call will have reason to believe that the threat is real.
With this breach, Ashley Madison and their clients have learned the hard way that the Internet is no place for secrets. Sites and apps that claim to keep user secrets are actually prime targets for attackers. A similar attack on AdultFriendFinder in March of this year resulted in the exposure of more than 3.5 million people’s dating and personal interests. In 2014, hackers discovered a security flaw in the Tinder dating app that exposed users’ exact locations, and Snapchat’s data breach that year leaked information on 4.6 million accounts. Cupid Media, which runs several “niche” dating services, suffered an attack in 2013, exposing information on 42 million users.
News of the Ashley Madison attack has prompted Pindrop Labs to raise the current phone fraud threat level to 3, indicating a high risk of phone-based threats. Click here to learn more about Pindrop Labs.
We know that at least 1 in every 2200 calls to an enterprise call center is fraud, but how can we tell which one it is? Distinguishing between a legitimate caller and a phone fraudster is not always an easy task. Certain techniques used by phone fraudsters can be fairly easily identified, but other, less obvious tactics make phone fraud harder to detect.
For our latest phone fraud report, Pindrop Labs analyzed millions of calls to enterprise call centers across several industries to learn about techniques used by phone fraud attackers today. Below are the most common detectable phone fraud tactics:
- Spoofing – Falsifying the originating phone number by spoofing the Automatic Number Identification (ANI) is used to impersonate an account owner or to hide a suspicious originating number. Spoofing is cheap or free, and easy to use. If we analyze the audio of a call to determine its geographic origin, and that origin does not match the Caller ID, we can be confident that the caller is using spoofing technology and is a likely attacker.
- Voice Distortion – Attackers often alter their own voice by using accents, lowering/raising vocal range, changing language or using distortion technology. In doing so, they can impersonate a legitimate customer, even a customer of another gender.
- Voice Over IP (VoIP) – VoIP has minimized or eliminated the cost of phone calls, both domestic and international. There is evidence to suggest that VoIP service is easier to steal than other kinds of telephony services as well. Attackers take advantage of cheap, free, and stolen VoIP, using it at a much higher rate than the general public. They use VoIP lines for 53 percent of their calls, compared to 7.8 percent of the general public.
- International Calling – 64 percent of fraud calls originate in a country other than the country of the attack target. They rely on international attacks in part because it complicates the legal system. It is difficult to track phone fraud attacks in general. Once law enforcement has to start working across borders, the process becomes nearly impossible.
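To show how the tactics above feed a call risk decision, and why a single indicator is not enough at a 1-in-2200 base rate, here is an added example that is not Pindrop’s Phoneprinting and uses none of its audio features. It combines indicators as naive-Bayes likelihood ratios. The base rate and the VoIP figures (53% of fraud calls versus 7.8% of legitimate ones) come from the text above; the legitimate-call rates for international origin, ANI/audio mismatch and restricted caller ID, the audio-inferred origin and device type attached to each call, the country-code table, the triage thresholds and the sample calls are all assumed.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Base rate from the text: at least 1 in 2200 enterprise call-center calls is fraud.
PRIOR_FRAUD = 1 / 2200

# (P(indicator | fraud), P(indicator | legitimate)). The VoIP pair is from the report
# (53% vs 7.8%); the fraud-side rate for "international" is the report's 64%. Every
# other figure is an ASSUMED placeholder for illustration, not a Pindrop number.
INDICATOR_RATES = {
    "voip": (0.53, 0.078),
    "international": (0.64, 0.05),
    "ani_mismatch": (0.30, 0.005),
    "restricted_caller_id": (0.20, 0.03),
}

# Constructed country-code table, longest-prefix match. Treating "+1" as US is a
# simplification (it also covers Canada and the Caribbean); a real system would use
# libphonenumber plus area-code data before calling anything a mismatch.
COUNTRY_CODES = {"1": "US", "44": "GB", "52": "MX", "91": "IN", "234": "NG"}


@dataclass
class Call:
    caller_id: Optional[str]  # presented ANI in E.164 form; None when restricted/anonymous
    audio_origin: str         # country inferred from call audio by an upstream model (assumed input)
    device: str               # "landline", "mobile" or "voip", also inferred upstream (assumed input)
    target_country: str       # country of the call center being called


def claimed_country(caller_id: Optional[str]) -> Optional[str]:
    """Country the presented ANI claims, or None if restricted or unrecognised."""
    if not caller_id:
        return None
    digits = caller_id.lstrip("+")
    for width in (3, 2, 1):
        if digits[:width] in COUNTRY_CODES:
            return COUNTRY_CODES[digits[:width]]
    return None


def indicators(call: Call) -> list:
    """Which of the detectable tactics from the text are present on this call."""
    found = []
    claimed = claimed_country(call.caller_id)
    if call.caller_id is None:
        found.append("restricted_caller_id")
    elif claimed is not None and claimed != call.audio_origin:
        found.append("ani_mismatch")  # Caller ID claims one place, the audio says another
    if call.audio_origin != call.target_country:
        found.append("international")
    if call.device == "voip":
        found.append("voip")
    return found


def fraud_probability(call: Call) -> float:
    """Naive-Bayes update: prior odds times the likelihood ratio of each indicator present.
    Indicators are treated as independent, which real call data will not be exactly."""
    log_odds = math.log(PRIOR_FRAUD / (1 - PRIOR_FRAUD))
    for name in indicators(call):
        p_fraud, p_legit = INDICATOR_RATES[name]
        log_odds += math.log(p_fraud / p_legit)
    odds = math.exp(log_odds)
    return odds / (1 + odds)


def triage(call: Call) -> str:
    """Routing decision for the agent desktop; the thresholds are assumed policy values."""
    p = fraud_probability(call)
    if p >= 0.5:
        return "block"
    if p >= 0.01:
        return "step-up"  # extra authentication before any account detail is read out
    return "allow"


if __name__ == "__main__":
    samples = [  # constructed calls
        Call("+12025550147", "US", "landline", "US"),  # domestic, ANI consistent
        Call("+12025550147", "US", "voip", "US"),      # VoIP is the only signal
        Call("+12025550147", "IN", "voip", "US"),      # spoofed US ANI, audio says India, VoIP
        Call(None, "GB", "mobile", "GB"),              # UK pattern: restricted mobile, domestic
    ]
    for c in samples:
        print(f"{fraud_probability(c):.4f} {triage(c):8s} {indicators(c)}")
```

The second sample makes the base-rate point: VoIP alone multiplies the odds by about 6.8, which still leaves roughly a 0.3% fraud probability, so it is not grounds to step up on its own. The third sample stacks a spoofed ANI, an international origin and VoIP, and the combined ratio is what pushes the call past the block threshold. Treating the indicators as independent is the main simplification; international calls and VoIP, for instance, are correlated, so a production model would be fitted jointly on labelled calls rather than multiplying per-feature ratios.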
To learn more about phone fraud, download a free copy of the 2015 State of Phone Fraud Report.