"Have I reached the party to whom I am speaking?" Lily Tomlin would use this line whenever she would play her character Ernestine the telephone operator on the classic TV comedy show "Laugh-In." But to the thousands of financial institutions that operate call centers, the question of whether their customer service representatives are talking to an actual customer is no laughing matter.
In a recent report on call center phone fraud, Pindrop Security cites a number of alarming statistics based on their clients' actual experiences: one in every 2,500 calls to a call center is fraudulent; the average fraud loss per call received is $0.57; and the average potential loss to an account from phone fraud is more than $42,000. It seems that the call center has become an increasingly attractive target for fraudsters.
A call from someone not authorized to access the bank account in question may not directly result in a financial loss on that call. In fact, Pindrop's research indicates that it takes an average of five calls before the fraudster gathers enough information to strike. They use those preliminary calls to gain account or customer information that will help them subsequently to generate a fraudulent transaction, whether it's through the call center or another channel. Some of the calls are from criminals who are simply trying to get account information such as credit and debit card information that they can sell to others. Some of the calls attempts to change account settings such as statement mailing address or call-back phone numbers. With a simple address change, the criminal can gain more information about the accountholder and also keep the victim from being alerted to fraud on their account. Often, a call that results in a direct loss occurs when the fraudster obtains sufficient account credentials to generate a fraudulent wire transfer or ACH transfer from the targeted account.
While these criminals might be looked at as "low-tech hackers" compared to the sophisticated hackers who probe computer systems or worse, the evidence from law enforcement shows that these groups are just as well-organized and sophisticated. They are often based outside the United States, which makes investigations and prosecutions difficult. Sometimes they use technology to change their voice or to show a fake phone number on the bank's caller ID system. The fake phone number helps the fake caller avoid suspicion when the call is coming from outside the customer's area of residence.
To address this growing attack vector, financial institutions are adopting new technology to help them detect potentially fraudulent calls. Voice biometric technology can detect altered voices or even compare the caller's voice to a database to verify the caller's legitimacy. In addition, phone call and device "fingerprinting" gathers enough information from the caller's device to allows the call to be scored, just like a card transaction, on how likely it is to be fraudulent.
It is clear that criminals are attacking all physical and virtual channels of banks, sometimes using information obtained through one channel to carry out fraud in another channel. Portals and Rails believes it is important that you approach your fraud mitigation strategy from a cross-channel perspective. Please let us hear about your challenges and successes with such efforts.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed