Call Center Fraud: How to Respond

Institutions Look for Ways to Address the Threat

By , December 10, 2013.
Call Center Fraud: How to Respond

Call center fraud is one of the leading threats banking institutions will continue to battle next year, so they're looking for ways to mitigate the threat.

See Also: More Threat Vectors, More Security & Compliance Challenges

Malware and call center fraud "are two big threats to financial institutions as we approach 2014," says Shirley Inscoe, a financial fraud analyst at financial consultancy Aite. "2013 saw the largest institutions being targeted in their [call] centers by organized fraud rings to an extent never before experienced. Some executives stated they felt this was partially due to having beefed up their online security." When banking institutions strengthen controls in one area, it is common to see fraudsters shift their efforts to another, less protected area, Inscoe says. And call centers are typically ill-prepared to stave off fraud, she says.

Cross-Channel Attacks

Avivah Litan, a financial fraud expert and distinguished analyst for consultancy Gartner, says 30 percent of all banking institution fraud is perpetrated across multiple channels, such as the online-banking and call center channels.For example, attackers may strike an institution's online-banking site with a distributed-denial-of-service attack to distract attention away from fraud attempts via other channels, such as the call center, she says.

During a DDoS attack, when the online-banking site is unavailable, fraudsters can take advantage of call center staff who are overburdened with calls by socially engineering them to give up account details over the phone, Litan says.

But cross-channel attacks can be launched in other ways, too, Inscoe explains.

"Organized fraud rings are targeting call centers, armed with some information gleaned from data breaches, hacking, etc., and then calling repeatedly to gain additional information so they can successfully impersonate the client," she says. "Once they have enough information, they may ask for a password reset to gain online access, request a debit card or request a wire transfer be sent. The resultant fraud may originate through the contact center or a different channel."

Detecting Call Center Fraud

Banking institutions have a hard time detecting call center fraud because it continues to evolve. And cross-channel schemes that exploit call center staff via social engineering are getting increasingly stealthy.

Good anomaly detection technologies and systems, along with employee fraud-prevention training, are vital to curbing account takeover incidents and identity theft, says Marjorie Meadors, who oversees card fraud prevention for Republic Bank & Trust, Louisville-based bank with $3.2 billion in assets.

"Call center fraud definitely has not declined, and we don't see it declining anytime soon," Meadors says. "When fraudsters call in, they already have a lot of information about accountholders that they obtain from public records, and there's little we can do to stop that. They have all of your information, so they can answer many of the traditional security questions."

The vulnerability of so-called knowledge-based authentication, which is based on questions about previous loan history, residential addresses and even insurance, is a growing concern (see Gartner's Litan on Fixing Authentication).

When call center fraud first began to increase about five years ago, Republic began using LexisNexis for its knowledge-based questions, Meadors says. "LexisNexis uses three questions that are pulled from public records, so it's not perfect, but it's better than what we had before," which was a set of internally defined questions, she explains.

More recently, Republic has focused most of its attention on call-center staff education, Meadors says. "Our staff knows more about what to look for," she says. "But we have to constantly train our staff, because those committing fraud are really good."

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Hotel Company Reveals Second Breach

White Lodging Services Corp. has revealed a malware attack against point-of-sale systems at 10 of...

Latest Tweets and Mentions

ARTICLE Hotel Company Reveals Second Breach

White Lodging Services Corp. has revealed a malware attack against point-of-sale systems at 10 of...

The ISMG Network