The caller told the bank’s customer service representative (CSR) that his daughter was going to school in another country and that he wanted to send her money via electronic funds transfer to pay her tuition. He needed to send the money to the overseas bank account as soon as possible. He had tried to do this online but couldn’t complete the transaction, and he needed help from a knowledgeable service agent. The CSR asked him a series of security questions to authenticate his identity. He provided the right account number, address and answers to the various security questions.
Wanting to help this long-time customer, the CSR set up the funds transfer transaction and scheduled it for the next business day. The caller thanked her for being so helpful. What the CSR didn’t know is that she had just unwittingly helped a fraudster steal thousands of Indian rupees from a real customer’s account.
This story is far from unique. Call center fraud is a large and growing problem. The research and advisory firm Aite Group claims that 61% of all fraud cases can be traced back to a call center. Fraudsters use a call center for data mining and account takeovers – for example, by changing an account password or customer address – and this becomes a launching point for cross-channel attacks. Aite predicts that call center-related fraud losses will double by 2020. That prediction might prove true given that in 2017, 40% of businesses saw their call center fraud levels increase.
Nilesh Dherange, CTO for Gurucul, says, “Several factors are causing the increase. The transition to EMV (chip) cards drove a six-fold increase in call center fraud attempts the year EMV was implemented. In addition, the vast amount of account numbers and other personal data that has been stolen through data breaches makes it easier for criminals to pass through the knowledge-based authentication process that most call centers use. Then they use social engineering to dupe the helpful CSRs.”
A cat and mouse game makes fraudulent behavior harder to spot.
A criminal might make several calls to “prime the pump” for his eventual fraud attack. For example, he might call one time to reset an account password and call again days later to provide a new mailing address. Those activities, in and of themselves, don’t typically raise a red flag for risk, especially when a different CSR handles each call. However, viewed holistically with other transactions, these actions could paint a pattern of high-risk behavior. A CSR would not see this pattern due to his limited view of a single call ticket, so technology must be used to root it out.
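The cross-call correlation described above can be sketched as a small detection routine. This is an added example, not code from the article or from any vendor it mentions; the event fields, weights, 14-day window and hold threshold are assumptions, and the sample call records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call-ticket records: (timestamp, account, csr, action).
EVENTS = [
    ("2018-03-01T10:02", "ACCT-1001", "csr_a", "password_reset"),
    ("2018-03-04T15:40", "ACCT-1001", "csr_b", "address_change"),
    ("2018-03-06T09:15", "ACCT-1001", "csr_c", "funds_transfer"),
    ("2018-03-02T11:00", "ACCT-2002", "csr_a", "balance_inquiry"),
    ("2018-03-05T13:30", "ACCT-2002", "csr_a", "funds_transfer"),
    ("2018-01-10T09:00", "ACCT-3003", "csr_b", "password_reset"),
    ("2018-03-06T16:20", "ACCT-3003", "csr_c", "funds_transfer"),
]

# Assumed tuning values: account changes that often precede a takeover.
PRIMING = {"password_reset": 40, "address_change": 40}
WINDOW = timedelta(days=14)   # how far back to look before a transfer
SPLIT_CSR_BONUS = 20          # no single agent saw the whole sequence
HOLD_AT = 70                  # score at which the transfer is held for review

def score_transfers(events, window=WINDOW):
    """Score each funds transfer against earlier calls on the same account."""
    by_account = defaultdict(list)
    for ts, acct, csr, action in events:
        by_account[acct].append((datetime.fromisoformat(ts), csr, action))

    results = []
    for acct, calls in by_account.items():
        calls.sort()
        for when, csr, action in calls:
            if action != "funds_transfer":
                continue
            # Priming calls inside the look-back window, across all agents.
            prior = [c for c in calls
                     if when - window <= c[0] < when and c[2] in PRIMING]
            kinds = {c[2] for c in prior}
            score = sum(PRIMING[k] for k in kinds)
            agents = {c[1] for c in prior} | {csr}
            if prior and len(agents) > 1:
                score += SPLIT_CSR_BONUS
            results.append({"account": acct, "time": when, "score": score,
                            "hold": score >= HOLD_AT, "reasons": sorted(kinds)})
    return results

if __name__ == "__main__":
    for r in score_transfers(EVENTS):
        print(r["account"], r["score"], "HOLD" if r["hold"] else "ok", r["reasons"])
```

Only the first account is held: its transfer follows both a password reset and an address change inside the window, each handled by a different CSR. The old password reset on the third account falls outside the window and contributes nothing.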
Another common trick that fraudsters use is to spoof the phone number shown through Caller ID using software readily available on the Internet. The fraudster can appear to be calling from the victim’s geographic region or actual phone number. This makes data such as the phone number and the call location origin poor sources of caller authentication.[…]