While it is never a pleasant task to report not so good news, the reality is that when it comes to security awareness is the first step toward prevention. This is the reason why the release by phone fraud prevention and call center authentication for banks and enterprise call center provider Atlanta, GA-based Pindrop Security of its new report, "KYF: Know Your Fraudster - Phone Fraud in Financial Institution Call Centers 1H 2013," is something that commands attention. The report provides an insightful view into the risk that phone fraud poses to financial institution call centers through analysis of phone fraud activity during the first six months of 2013.
"Phone fraud is a significant vector for organized cybercrime, and the impact that it has on financial institutions and other enterprises will only continue to grow as phone fraudsters scale their efforts," said Vijay Balasubramaniyan, co-founder and CEO of Pindrop Security. "Financial institutions need to familiarize themselves with best practices to mitigate phone fraud in order to prevent their customers' accounts from a future breach."
Unfortunately, while it may not make the headlines in the way major data breeches do, phone fraud is a multimillion-dollar industry. And, those who perpetrate it are extremely skilled and like the famous quote from the bank robber Willy Sutton, “I rob banks because that is where the money is.” Ipso facto, financial institution call centers are a leading target for phone fraudsters. Indeed, these bad actors use a variety of social engineering and account manipulation techniques to steal via wire transfers, Account Clearing House (ACH), and cards. As a result, and despite various efforts to mitigate risks, financial services companies lose millions of dollars to phone fraud.
What you need to know
Key findings from the report include:
Phone fraud has a significant financial impact.
1 in every 2,500 calls into a financial institution’s call center is fraudulent, and for every phone call there is a $0.57 loss.
The average potential loss from phone fraud per financial account was $42,546.
The two account categories with the highest losses were $1-$25,000 and $75,000-$99,000, which correspond to average credit card account size and average home equity line size, respectively.
Phone fraud is organized and scaling.
Individual fraudsters targeted anywhere from 5-10 accounts to as many as 200-300 accounts.
More than half of fraud calls are from fraud groups working together - in groups ranging from 2 to 12 members.
Roughly half of all fraud calls originated from mobile devices, while one third came from VOIP and the remainder (14 percent) from landlines. This contrasts with legitimate calls, of which 14 percent are VOIP and the remainder split between mobile devices and landlines.
Fraudsters are increasingly targeting consumers directly.
During 2012, Pindrop Security counted over 2.4M consumer complaints of phone fraud attempts. By comparison, Pindrop detected 2.3M complaints for the first half of 2013.
More than 73,000 consumer complaints indicated that the fraudster was impersonating a financial institution. Nine of the top ten financial institutions were named in these fraud attempts.
Phone fraud has a significant financial impact: Pindrop analysis revealed that 1 in every 2,500 calls into a financial institution's call center is fraudulent, and for every phone call into a financial institution call center there is a $0.57 loss. The average loss per financial account was $42,546.
Two charts from the report are useful in understanding what is going on. The first shows that fraudsters tend to target accounts in the lower end of the range, seemingly because it is easier pickings.
Source: Pindrop Security, KYF: Know Your Fraudster - Phone Fraud in Financial Institution Call Centers 1H 2013
The second is the one relating to the source of attempts, and highlights how mobile devices have become the weapons of choice.
Source: Pindrop Security, KYF: Know Your Fraudster - Phone Fraud in Financial Institution Call Centers 1H 2013
What is most distressing about the findings is Pindrop’s citation of recent research by Aite Group analyst Shirley Inscoe who found that only 23% of surveyed institutions,“truly track fraud losses by delivery channel and quantify losses tied to contact center activity regardless of whether a policy was violated.”
Tracking the bad guys
Data for the report was collected using Pindrop Security's Phoneprinting(TM) technology. This is a comprehensive analysis solutions which analyzes the audio content of a phone call based on measuring 147 unique characteristics of the phone caller's audio signal to form a unique fingerprint for the phone call, and determine where the call originated and whether the call was made from a landline, mobile phone, or specific Voice over Internet Protocol (VoIP) provider. Pindrop says that it, “routinely identifies over 80 percent of inbound fraud calls to enterprise contact centers, saving millions of dollars in losses and contact center expenses each year.”
The big items that tend to be good indicators of fraudsters are: call frequency, number of accounts targeted, number of fraudsters collaborating, and location. The latter is a very good indicator. As Pindrop points out, international calls, especially those that spoof a US-based telephone number, will almost always be an attacker, and spoofing is easily done with smartphone apps and VoIP software.
Phoneprinting provides an overall risk score for every call as well as detail on each of the key attributes we measured. With fraud clearly on the rise and contact centers in general huge targets, tools for evaluating the intentions of who is calling can be very valuable as a first line of defense it deterring those with malicious intent.