A tricky call center scam that recently plagued a community bank in Georgia illustrates how these fraud threats are getting tougher to detect.
In early March, First State Bank of Blakely, Ga., a $330 million institution with seven banking branches, was hit with a limited, yet consistent, series of Skype calls from fraudsters feigning to be customers. Jonathan Miskell, the bank's internal auditor and security coordinator, says the callers, who used unidentifiable Skype numbers, requested balance information on two separate accounts.
The fraudsters never made it far enough to actually attempt any fraudulent transactions. But the attempts highlight new methods that criminals are using to attempt account-takeover fraud, says fraud expert Avivah Litan, an analyst for consultancy Gartner.
"Most of it is related to cross-channel fraud, i.e. fraud committed via the call center and Internet," she says. "The telephony channel is the weakest link in the chain, when it comes to bank authentication of customers. And, certainly, banks should expect to see an uptick in call center fraud during DDoS [distributed-denial-of-service] attacks, as fraudsters take advantage of the disruptions to bank service and distracted bank security staff."
Banks and credit unions may also see an increase in call center traffic as fraudsters try to overwhelm and confuse customer-service staff via telephony-denial-of-service attacks.
This same type of flooding already has been documented against the SMS/text mobile gateway, Litan adds. That activity prevents SMS/text messages from getting out to institutions' mobile banking customers and members.
The U.S. Department of Homeland Security and the Federal Bureau of Investigation recently issued a warning after dozens of telephony-denial-of-service attacks took aim at the emergency communications centers that dispatch first responders. The targets so far have only been administrative telephone lines, not 911 emergency lines (see DDoS 'Cousin' Targets Emergency Call Centers).
Banking institutions' investments in technology to curb call center fraud have jumped significantly in the last 12 months, says Vipul Vyas, vice president of financial solutions for Victrio, a provider of voice biometrics authentication (see: Voice Biometrics as a Fraud Fighter).
"They're looking for better ways to authenticate the customer when they call in," Vyas says. "As they've locked down their online channels, they are seeing more call center fraud."
In March 2012, increases in call center fraud, the result of enhanced online protections, started getting attention from banking leaders and security experts. To address new socially engineered attacks aimed at call-center staff, security experts, including Litan, advised institutions to ramp up employee education as well as adopt enhanced user authentication and out-of-band verification practices for transactions initiated via the call center.
"The call centers typically validate customers by asking basic information - all easily stolen - such as account number, phone number, address, DOB [date of birth] and the last four digits of their Social Security number or tax ID," Litan said in 2012.
Today, call-center fraud continues to plague institutions, but they are reacting with new defenses and new technology, such as biometrics, Vyas says.
The Victrio technology alerts institutions when a voice linked to previous fraud incidents is detected on a call. It relies on a database of biometric voice prints that lets its users screen calls in real time.
Recently, Victrio has picked up on some new trends, such as fraudsters socially engineering customer-service staff with false emergency or ransom requests - demanding cash they claim is needed immediately from accounts. The company also has seen a rise in telephony DoS attacks designed to incapacitate call centers after the initial calls for fraudulent transactions have been made.
"We definitely see some of these new behaviors in the fraudsters," Vyas says. "We also now see them going to voice over IP carriers, like Skype, or changing phone numbers very quickly." Using technology such as Skype - a proprietary VoIP service and software application - makes the numbers difficult to trace, he adds.
The Skype Case
In the Skype scam that hit First State Bank of Blakely, the caller ID on the branch's phones, used as a first screening layer, alerted a branch employee that something was suspicious, says Miskell, the bank's security coordinator.
"The branch that got the calls had caller ID, so when the call came in as an odd Skype number, the customer service representative asked some follow-up questions," he says. "The caller knew enough about the account to poke around, but could not produce a date of birth or a Social Security number on it. They were directly calling and acting as an imposter of the account, but because of the way the ID showed up as Skype number, it immediately raised a flag."
Litan says VoIP calls made through Skype can be spoofed so that they appear to come from a customer's number, in which case the caller-ID filter would make little difference.
"The spoofing of phone numbers coming into call centers is definitely a technique that fraudsters use," she says. But certain biometric and call center fraud-prevention products can help detect that type of spoofing, Litan adds.
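The screening logic the bank and Litan describe can be written down as a policy: caller ID is a spoofable hint, not authentication, so a mismatched or withheld number raises the bar but a matching one never lowers it; knowledge-based answers built on easily stolen data (DOB, last four of the SSN) are enough to refuse a call but not enough to move money, which always gets out-of-band verification; and a burst of calls against the call center is treated as a possible telephony DoS. The following Python is an added illustration, not code from First State Bank of Blakely, Victrio or Gartner; the customer record, the call records and the thresholds are all constructed for the example.

```python
"""Added example: call-center screening policy plus a telephony-DoS burst detector.
All customer and call records below are constructed sample data, not real calls."""
from collections import deque
from dataclasses import dataclass, field

# Requests that move money or change how the customer can be reached.
# Assumption for the example: these always require out-of-band verification.
HIGH_RISK = {"wire", "add_payee", "change_contact", "change_address"}


@dataclass
class Customer:
    account: str
    phone_on_file: str
    kba_answers: dict          # hypothetical knowledge-based answers on file


@dataclass
class Call:
    ts: float                  # seconds since start of the sample period
    ani: str                   # caller ID as presented; may be spoofed or withheld
    account: str
    request: str               # "balance", "wire", ...
    kba_given: dict = field(default_factory=dict)  # answers the caller produced


def caller_id_signal(call: Call, cust: Customer) -> str:
    """Classify the presented number. A 'match' is still spoofable (Litan's point),
    so it is never used on its own to grant anything."""
    if call.ani in ("", "anonymous", "unavailable"):
        return "withheld"
    if call.ani == cust.phone_on_file:
        return "match"
    return "mismatch"


def kba_passed(call: Call, cust: Customer) -> bool:
    """All on-file answers must be produced; a missing answer counts as a failure."""
    return all(call.kba_given.get(k) == v for k, v in cust.kba_answers.items())


def screen_call(call: Call, cust: Customer):
    """Return (decision, reasons). Decisions: 'allow', 'step_up_oob', 'deny'.
    'step_up_oob' means verify out of band (e.g. call back the number on file)."""
    reasons = []
    cid = caller_id_signal(call, cust)
    if not kba_passed(call, cust):
        reasons.append("kba_failed")
        return "deny", reasons
    if cid != "match":
        reasons.append(f"caller_id_{cid}")
    if call.request in HIGH_RISK:
        reasons.append("high_risk_request")
    if reasons:
        return "step_up_oob", reasons
    return "allow", reasons


class BurstDetector:
    """Flag when more than `limit` calls arrive within `window` seconds.
    Thresholds are illustrative; a real deployment would tune them per queue."""

    def __init__(self, window: float = 60.0, limit: int = 20):
        self.window, self.limit = window, limit
        self.times = deque()

    def observe(self, ts: float) -> bool:
        self.times.append(ts)
        while self.times and ts - self.times[0] > self.window:
            self.times.popleft()
        return len(self.times) > self.limit


# Constructed sample data: one customer, four calls against that account.
CUSTOMERS = {
    "1001": Customer("1001", "+12295550123", {"dob": "1970-04-02", "ssn4": "6789"}),
}
SAMPLE_CALLS = [
    Call(0, "+12295550123", "1001", "balance", {"dob": "1970-04-02", "ssn4": "6789"}),
    Call(5, "unavailable", "1001", "balance", {"dob": "1970-04-02"}),  # no usable ANI, no SSN-4
    Call(9, "+12295550123", "1001", "wire", {"dob": "1970-04-02", "ssn4": "6789"}),  # match, but spoofable
    Call(12, "+14045550100", "1001", "balance", {"dob": "1970-04-02", "ssn4": "6789"}),
]


def run_samples():
    """Decisions for the constructed calls, in order."""
    return [screen_call(c, CUSTOMERS[c.account])[0] for c in SAMPLE_CALLS]


def first_burst_alert(timestamps, window=60.0, limit=20):
    """Index of the first call that trips the burst detector, or None."""
    det = BurstDetector(window, limit)
    for i, ts in enumerate(timestamps):
        if det.observe(ts):
            return i
    return None


if __name__ == "__main__":
    print(run_samples())
    print(first_burst_alert(range(25)))        # 25 calls in 25 seconds
    print(first_burst_alert(range(0, 3000, 100)))  # one call every 100 s
```

The second sample call mirrors the Blakely incident: a withheld VoIP number and a caller who cannot produce the SSN-4, so the call is refused outright. The third call shows why a matching caller ID cannot be trusted: the number matches and the KBA passes, yet the wire request still goes to out-of-band verification because the number could have been spoofed. The burst detector is the other half of the article's warning: it fires on the 21st call inside a 60-second window, which is the shape of a telephony DoS rather than of normal branch traffic.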
For First State Bank of Blakely, the Skype scam experience offered some valuable lessons, Miskell says. The bank is now reviewing different solutions, such as caller ID across all of its branches, to address growing call-center fraud risks.
"This has been educational for us, and a reminder that we constantly have to review the technology that we have in place," Miskell says. "In this case, the branch did the right thing. But that might not have been the case everywhere. Banks just always need constant reminders of the trends that are out there."