How to Stop Call Center Fraud

Socially Engineered Schemes Target the 'Helpful' Channel

March 16, 2012

While many banks and credit unions have invested in technology to thwart phishing attacks and online fraud, some have ignored the call center. As a result, fraudsters have redirected their aim.

To address the threat posed by these socially engineered attacks, security experts advise financial institutions to ramp up employee education as well as adopt critical practices, such as enhanced user authentication and out-of-band verification of transactions initiated via the call center.

In recent weeks, U.S. banks have reported upticks in call-center schemes that rely on social-engineering tricks. The attack: Convince customer service representatives to share or change account details.

The problem is not a new one. Late last year, Gartner fraud analyst Avivah Litan talked about phone-based scams that continually hit banks and credit unions.

"The misfortune here for the banks is that they can have the best fraud-detection systems out there that flag suspect transactions, but it all breaks down when they call the 'hacker' to verify the transaction as OK," Litan said, referencing the Ice IX Zeus variant, which earlier this year caught the attention of security experts because it targeted telephone numbers. [See Banking Malware Finds New Weakness.]

Litan also wrote a report that touched on call-center risks. Her report notes that while most U.S. banking institutions devote a great deal of attention to online user authentication and verification for electronic funds transfers, they pay little, if any, attention to authentication and verification at the call center.

"The call centers typically validate customers by asking basic information - all easily stolen - such as account number, phone number, address, DOB [date of birth] and the last four digits of their Social Security number or tax ID," Litan says.

The Ebb and Flow of Fraud

Call centers at top-tier U.S. banks are proving to be sweet spots for fraudsters, says Julie McNelley, a fraud analyst with Aite.

"In October 2011, I published a piece about where financial institutions were feeling the most pain, and one of the responses to that was the call center."

Among the security specialists within North American banking institutions Aite surveyed, more than half identified themselves as leading fraud departments for the top 35 banks in the United States. "The call center was a concern among larger institutions," McNelley says.

Matt Speare, who oversees security for M&T Bancorp., which, with $80 billion in assets, is the United States' 17th largest bank holding company, says smaller institutions have an advantage when it comes to avoiding call-center scams: more direct customer relationships.

"The larger you get, the more extraction you have between the customer and the call center," Speare says. "In a smaller institution, the people who answer the phone are more likely to know the customer, so they won't be so easily fooled."

Institutions also are more likely to fall victim to social engineering schemes that target branch and call center staff as they undergo conversions linked to acquisitions. "Any time there is a change event, like an acquisition, there is opportunity for a fraudster to exploit a weakness," Speare says.

For M&T, the change event that proved fortuitous for fraudsters came in May 2011, when M&T acquired Wilmington Trust Corp. "We did not see anything significant, but we did see an uptick," Speare says. "You have acquired customers being migrated over, usually over a weekend, and the bad guys know that's going to occur. So they will attempt to hit you on the day that conversion is going on."

Fraudsters call in to have an account opened or some credential changed, knowing call-center staff won't be able to fully verify all the details until a few days after the conversion is complete. "The employee is trying to be helpful, so they sometimes end up giving out information they shouldn't or they set up accounts or make changes based on information provided by those who are not the actual accountholders," Speare says.

But even banks that are not in a transition phase tell Speare they are seeing increases in call-center schemes. "I think it's more about desperation than anything," he says.

Follow Tracy Kitten on Twitter: @FraudBlogger
