Call Center Fraud: How to Respond
Institutions Look for Ways to Address the Threat
Call center fraud is one of the leading threats banking institutions will continue to battle next year, so they're looking for ways to mitigate the threat.
Malware and call center fraud "are two big threats to financial institutions as we approach 2014," says Shirley Inscoe, a financial fraud analyst at financial consultancy Aite. "2013 saw the largest institutions being targeted in their [call] centers by organized fraud rings to an extent never before experienced. Some executives stated they felt this was partially due to having beefed up their online security." When banking institutions strengthen controls in one area, it is common to see fraudsters shift their efforts to another, less protected area, Inscoe says. And call centers are typically ill-prepared to stave off fraud, she says.
Cross-Channel Attacks
Avivah Litan, a financial fraud expert and distinguished analyst for consultancy Gartner, says 30 percent of all banking institution fraud is perpetrated across multiple channels, such as the online-banking and call center channels.
For example, attackers may strike an institution's online-banking site with a distributed-denial-of-service attack to distract attention away from fraud attempts via other channels, such as the call center, she says.
During a DDoS attack, when the online-banking site is unavailable, fraudsters can take advantage of call center staff who are overburdened with calls by socially engineering them to give up account details over the phone, Litan says.
But cross-channel attacks can be launched in other ways, too, Inscoe explains.
"Organized fraud rings are targeting call centers, armed with some information gleaned from data breaches, hacking, etc., and then calling repeatedly to gain additional information so they can successfully impersonate the client," she says. "Once they have enough information, they may ask for a password reset to gain online access, request a debit card or request a wire transfer be sent. The resultant fraud may originate through the contact center or a different channel."
Detecting Call Center Fraud
Banking institutions have a hard time detecting call center fraud because it continues to evolve. And cross-channel schemes that exploit call center staff via social engineering are getting increasingly stealthy.
Good anomaly detection technologies and systems, along with employee fraud-prevention training, are vital to curbing account takeover incidents and identity theft, says Marjorie Meadors, who oversees card fraud prevention for Republic Bank & Trust, a Louisville-based bank with $3.2 billion in assets.
"Call center fraud definitely has not declined, and we don't see it declining anytime soon," Meadors says. "When fraudsters call in, they already have a lot of information about accountholders that they obtain from public records, and there's little we can do to stop that. They have all of your information, so they can answer many of the traditional security questions."
The vulnerability of so-called knowledge-based authentication, which is based on questions about previous loan history, residential addresses and even insurance, is a growing concern (see Gartner's Litan on Fixing Authentication).
When call center fraud first began to increase about five years ago, Republic began using LexisNexis for its knowledge-based questions, Meadors says. "LexisNexis uses three questions that are pulled from public records, so it's not perfect, but it's better than what we had before," which was a set of internally defined questions, she explains.
More recently, Republic has focused most of its attention on call-center staff education, Meadors says. "Our staff knows more about what to look for," she says. "But we have to constantly train our staff, because those committing fraud are really good."
Banking institutions need to be aware that attackers attempting call center fraud may patiently wage their schemes over an extended period, Meadors says. "They call in to change an address and then wait ... several months before calling back to socially engineer more out of [the] call center. This is why financial institutions should focus on training and anything else that's out there ... that can help them filter and screen calls."
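As an added illustration (not part of the original article and not any institution's actual system), the two patterns described above, repeated calls ahead of a high-risk request and an address change followed months later by one, can be expressed as a cross-channel screening rule. The event names, thresholds and sample records are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Assumed tuning values (not from the article): how far back to look for an
# address change, and how many calls in a short span count as probing.
ADDRESS_LOOKBACK = timedelta(days=270)
PROBE_WINDOW = timedelta(days=14)
PROBE_CALLS = 3
HIGH_RISK = {"password_reset", "debit_card_request", "wire_transfer"}

# Constructed sample events: (account, ISO timestamp, channel, action).
EVENTS = [
    ("A100", "2013-02-04T10:15", "call_center", "address_change"),
    ("A100", "2013-07-22T14:02", "call_center", "debit_card_request"),
    ("B200", "2013-09-01T09:00", "call_center", "balance_inquiry"),
    ("B200", "2013-09-03T09:30", "call_center", "balance_inquiry"),
    ("B200", "2013-09-05T16:45", "call_center", "failed_kba"),
    ("B200", "2013-09-06T11:20", "online", "password_reset"),
    ("C300", "2013-10-10T13:00", "call_center", "balance_inquiry"),
    ("C300", "2013-10-11T13:05", "online", "wire_transfer"),
]

def review_queue(events):
    """Return (account, action, reasons) for high-risk requests needing review."""
    history = {}   # account -> list of (time, channel, action) seen so far
    alerts = []
    for account, ts, channel, action in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        past = history.setdefault(account, [])
        if action in HIGH_RISK:
            reasons = []
            # Pattern 1: address changed by phone, then a long quiet period.
            if any(a == "address_change" and c == "call_center"
                   and when - t <= ADDRESS_LOOKBACK for t, c, a in past):
                reasons.append("address changed by phone earlier")
            # Pattern 2: a burst of calls shortly before the request, any channel.
            calls = [t for t, c, _ in past
                     if c == "call_center" and when - t <= PROBE_WINDOW]
            if len(calls) >= PROBE_CALLS:
                reasons.append(f"{len(calls)} calls in prior {PROBE_WINDOW.days} days")
            if reasons:
                alerts.append((account, action, reasons))
        past.append((when, channel, action))
    return alerts

if __name__ == "__main__":
    for alert in review_queue(EVENTS):
        print(alert)
```

Account C300 is not flagged: a single call before an online wire transfer matches neither pattern, which keeps routine activity out of the review queue.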
Voice Biometrics
Some institutions are considering more advanced approaches, such as voice biometrics. But many of these technical investments are too costly for smaller banks and credit unions, Inscoe says.
"Large FIs [financial institutions] are piloting or implementing voice or call products that analyze incoming calls and/or voices," she says. "Some are also looking at a voice biometrics solution, most often using voice recordings of confirmed fraudsters to create a hot file of negative voiceprints. Using that hot file in real-time, they can identify the callers in the future and avoid allowing them to successfully impersonate clients."
As call center fraud continues, banking institutions will ramp up their technology investments, Inscoe says. "The use of malware detection, behavioral analytics, call and voice solutions and various forms of biometrics are all technologies that will be in growing demand," she says.