Cyber risk is something that most businesses are starting to be aware of, thanks to high-impact data breaches at retailers like Home Depot and Target. But fraud within the phone channel is less likely to be a focus for companies—even though it’s a growing trend.
The most common form of fraud involves caller ID spoofing and voice phishing, or “vishing” for short. First, the bad actors break into the phone network and manipulate the caller ID function, so when they make outbound calls, they look as though they’re from a legitimate source.
Then, the fraudsters start making phone calls, with the purpose of using social engineering to purloin credit and debit card information from unwitting consumers.
On the consumer front, vishing can also start with a different touchpoint, like a text or email. For instance, an email purporting to be from a bank may come in that says something like:
“Our monitoring system has detected unusual transaction on your credit card. Please call our 24-hour customer service hotline at [snip] for verification. For your security we have placed your card on temporary hold while awaiting your confirmation.”
“Vishing can start with an email or a text, but the ultimate goal is to get you on the other end of a telephone line,” said Christopher Boyd, a researcher at MalwareBytes, in a blog. “From there, the scammers will go about harvesting your data by pretending to be your bank and asking for card information.”
Victims are often asked for various pieces of information that add an air of legitimacy to the proceedings before asking for the real objective: a card number, expiration, three-digit code and PIN number.
But the danger goes beyond individuals: any business that uses a preponderance of voice communications—especially IP voice communications—can be targeted. And banks, service providers, retailers, payments companies and others that rely heavily on contact centers for customer service are at particular risk.
“While online security has been a top priority for organizations over the past decade, the phone channel has not seen similar innovation,” explained Vijay Balasubramaniyan, CEO of Pindrop Security, in a blog. “Security on the phone channel has been static for nearly 40 years. Adding to the problem, when institutions strengthen online controls, fraudsters often shift their efforts to a less protected area of the enterprise – the call center.”
For instance, the bad guys can socially engineer call center agents themselves, to provide critical account information. “Fraudsters can mislead call center representatives by exploiting the human-to-human interactions that are an inherent part of all phone calls,” Balasubramaniyan explained. “They might pretend to have forgotten a password, get angry, or even flirt with operators.”
In a report analyzing over 100 million calls, Pindrop Security found that one in every 2,900 calls to a call center is fraudulent. Furthermore, for every phone call received, Pindrop estimates that call centers incur an average fraud loss of $0.57. For many call centers that receive millions of calls per year, this translates to over $10 million in annual fraud loss.
Those aforementioned breaches are taking a toll too: when hackers attack a large retailer, they gain access to information that they can use to overcome call center protocols. From there, they can change PIN numbers and passwords on accounts and gain the keys to the kingdom, as it were.
“Though most enterprises train call center representatives on fraud prevention, agents are not in a position to offer substantial protection against fraud,” Balasubramaniyan said. “Relying on call center agents to service customers and detect fraudsters is not likely to succeed unless you have a very small, experienced and well-trained team.”
Instead, he advocates that businesses implement a multilayered approach that includes analytics to detect behavioral anomalies, better caller verification using not just the number being called from but also voice recognition and other factors, and information-sharing.
“Relying on multiple factors, enterprises create a gauntlet that is increasingly difficult for fraudsters to defeat,” he said.