Telephone banking scams are nothing new. The telephone channel was once a hot target, but security measures eventually forced criminals to turn to the online channel. Now that so many financial institutions have invested heavily in security tools to detect and stop online fraud, fraud analysts like Gartner’s Avivah Litan are warning that banking institutions need to shift their attention back to authenticating and verifying customers at the call center.
In the BankInfoSecurity article, “How to Stop Call Center Fraud,” Aite fraud analyst Julie McNelley said call centers are once again becoming a sweet spot for fraudsters, particularly with the top-tier U.S. banks.
“In October 2011, I published a piece about where financial institutions were feeling the most pain, and one of the responses to that was the call center… The call center was a concern among larger institutions.”
Interestingly, Matt Speare, who oversees security at M&T Bancorp, said one of the reasons large institutions have more trouble with call-center scams is that the larger they get, the further removed they are from their customers.
“The larger you get, the more extraction you have between the customer and the call center. In a smaller institution, the people who answer the phone are more likely to know the customer, so they won’t be so easily fooled.”
Speare added that banks undergoing conversions linked to acquisitions can be vulnerable to social engineering schemes, something his company experienced in 2011.
“Any time there is a change event, like an acquisition, there is opportunity for a fraudster to exploit a weakness… We did not see anything significant, but we did see an uptick. You have acquired customers being migrated over, usually over a weekend, and the bad guys know that’s going to occur. So they will attempt to hit you on the day that conversion is going on.”
Fraudsters typically set the social engineering trap by building a profile from personal information they’ve collected online. When they call a bank’s call center to open an account or change credential information on a legitimate account, they are fully armed with the data needed to answer specific account or security questions required by knowledge-based authentication (KBA) solutions.
Once they’ve convinced the customer service representative they are the accountholder, they can prompt the accommodating call center agent to provide more information and even make changes to the account. This, of course, puts the criminal in position to clean out the bank account.
One of the most effective ways to reduce Caller ID spoofing and social engineering crimes over the telephone channel is validating the Caller ID and ANI. Unfortunately, today’s sophisticated social engineering schemes outsmart more traditional telephone authentication methods, such as KBA, that rely solely on personally identifiable information (PII). To recognize call center fraud, banks need to proactively identify fraudulent calls before the phone is picked up.
By automatically determining the physical location of the landline phone or mobile device before the call is answered, the TrustID® network-based Physical Caller Authentication solution gives financial institutions a leg up on criminals attempting to socially engineer banks over the telephone. Invisible to criminals and non-intrusive to legitimate customers, TrustID uses the Caller ID and ANI as trusted credentials for authenticating customers, and in doing so, helps banks stop call center fraud and improve the overall customer experience.