With Internet Hurdles Higher, Fraudsters Pick up the Phone

Electronic-payment security experts predicted fraudsters would turn their attention to less-guarded telephone-based banking systems as a result of banks' efforts to beef up online-banking security in the wake of federal regulations promulgated in 2005. Now comes a new study about identity fraud, which, while not showing a causal relationship, gives some credence to those predictions linking lower Web-based fraud and higher phone fraud. Javelin Strategy and Research's fourth annual such study, conducted in October 2007 and based on 5,000 telephone interviews with consumers, says ID fraud is on the wane. Javelin estimates 8.1 million consumers were ID-fraud victims last year, 300,000 fewer than in 2006. By another measure, an estimated 3.58% of U.S. adults were ID fraud victims last year compared with 3.74% in 2006 and 4.70% in 2004. Estimated fraud losses fell 12% from $51 billion the year before to $45 billion in 2007. Pleasanton, Calif.-based Javelin attributes ID fraud's decline to greater consumer awareness and vigilance about the crime, more consumer monitoring of financial accounts, and consumers' updating of the anti-spyware and anti-virus software on their computers. While overall ID fraud declined, the study says the average out-of-pocket loss borne by the victim rose 25% from $554 in 2006 to $691 last year. As they've always done, criminals are taking the path of least resistance. In its January cover story, Digital Transactions News' sister publication Digital Transactions magazine quoted security experts as saying payment fraudsters could well turn their attention to telephone banking as financial institutions fortify their online-banking sites' authentication systems. The Federal Financial Institutions Examination Council, the consortium of five regulatory agencies, in 2005 issued guidance saying banks needed to upgrade by the end of 2006 authentication systems based only on the traditional user name and password. In response to a flurry of questions from banks and credit unions, the government clarified its position in mid-2006 but stuck to the deadline, at least officially. Regulators said little about the effort in 2007, but an official in the U.S. Treasury Department's Office of the Comptroller of the Currency told the magazine that most banks indeed upgraded security by the deadline, although some asked for more time. The FFIEC's guidelines also apply to telephone banking, though most financial institutions initially concentrated on online banking. That may have left an opening for financial criminals. “Fraudsters are turning to lower-tech methods by utilizing telephone theft more than ever before,” says a Javelin release. Javelin also says that mail-based financial fraud is on the rise. Rachel G. Kim, associate analyst at Javelin, says other research by her firm shows that 48% of the top 25 U.S. financial institutions still don't have so-called multifactor authentication systems in place for telephone banking. “It's just common sense for fraudsters to go after those channels that are less protected,” she tells Digital Transactions News. “Telephone, I think, has been somewhat overlooked.” Phone-based fraud schemes run the gamut from callers purporting to represent non-profit organizations, who ask consumers for contributions and persuade them to divulge sensitive financial information, to so-called “vishing.” Akin to “phishing,” which directs customers to fake Web sites, vishing schemes direct callers to rogue interactive voice response (IVR) systems that masquerade as a real bank phone system and capture customer account data. Combined, mail and phone-based incidents rose dramatically, from 3% of ID fraud in 2006 to 40% in 2007, the study says. While she didn't have an exact breakdown on hand, Kim says that of the two, the data are “leaning more toward phone.” And instead of opening new credit card or financial accounts with their fraudulently obtained data, criminals increasingly are using the information to open cell-phone accounts. Wireless phone accounts amounted to 32% of fraudulent new-account openings last year compared with 19% in 2006, Javelin estimates. Javelin's study for the first time broke down ID fraud by region, with the New England and Plains states reporting the fewest incidents and California, Illinois, Idaho, West Virginia, and Delaware reporting the highest fraud rates. Funding for the survey came from CheckFree Corp., now part of Fiserv Inc., Visa Inc., and Wells Fargo & Co.