Call centers remain a prime target for criminals looking to perpetrate fraud. In 2016, call-center fraud jumped 113% from 2015, according to Atlanta-based Pindrop Labs’ annual Call Center Fraud Report.
Fraudulent activity took place with one in every 937 call-center calls, compared to one in 2,000 calls in 2015.
The rise in call-center fraud is being driven by a combination of improved techniques to bypass security to obtain consumer-account information and technical, human, and organizational weaknesses within the call center.
Criminals commit call-center fraud by posing as a credit or debit card holder and using information stolen in a data breach or gathered through social media and elsewhere on the Web to answer questions intended to authenticate the customer. After passing himself off as a legitimate customer, a criminal can gain access to a cardholder’s account, change the account’s PIN, or mine an account for additional information that can be used to steal a consumer’s identity.
“Attacker sophistication and experience, availability of information from data breaches or the dark Web, weak call-center security and EMV technology are pushing fraudsters toward the call center,” David Dewey, director of Pindrop Labs, tells Digital Transactions News by email. “Fraudsters have migrated their attacks to the call center because socially engineering the call-center agent is far easier than honing their skills as a hacker. A call-center agent’s job is to provide quality customer service, not stop fraud.”
Criminals are also turning to technology to help them beat call centers’ fraud defenses, such as writing software applications that interface with an interactive voice recognition system and enable them to reset a victim’s PIN, test account numbers, or find more information on a potential victim.
“With tools like this, criminals can quickly iterate through a list of stolen account numbers to discover which ones are still active,” Dewey says. “Criminals can also try all of the combinations of a PIN to find the one that works. IVR systems are generally open to the public, provide more and more extensive functionality, and go completely unmonitored.”
Criminals are also using applications such as Skype or Google Voice to hide their identity and location from caller-identification systems. “Caller ID is now no better or more reliable than email addresses for authentication,” says Dewey.
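The account testing and PIN guessing against IVR systems described above leave a recognizable pattern in IVR event logs. The following monitoring sketch is an added example, not code from Pindrop or from the article: it flags one caller number touching many accounts and, because caller ID cannot be trusted, counts PIN failures per account across all caller numbers. The log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IVR events in a hypothetical format: time, caller number (ani), account, event
SAMPLE_LOG = """\
2016-11-02T10:00:00 ani=5550100 acct=1001 event=ACCT_LOOKUP
2016-11-02T10:00:10 ani=5550100 acct=1002 event=ACCT_LOOKUP
2016-11-02T10:00:20 ani=5550100 acct=1003 event=ACCT_LOOKUP
2016-11-02T10:00:30 ani=5550100 acct=1004 event=ACCT_LOOKUP
2016-11-02T10:01:00 ani=5550111 acct=2002 event=PIN_FAIL
2016-11-02T10:01:40 ani=5550112 acct=2002 event=PIN_FAIL
2016-11-02T10:02:20 ani=5550113 acct=2002 event=PIN_FAIL
2016-11-02T10:03:00 ani=5550199 acct=3003 event=PIN_FAIL
2016-11-02T10:03:20 ani=5550199 acct=3003 event=PIN_OK
2016-11-02T10:00:00 ani=5550150 acct=4004 event=PIN_FAIL
2016-11-02T10:10:00 ani=5550150 acct=4004 event=PIN_FAIL
2016-11-02T10:20:00 ani=5550150 acct=4004 event=PIN_FAIL
"""

def parse(log):
    """Yield (timestamp, ani, account, event) from key=value log lines."""
    for line in log.strip().splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.fromisoformat(ts), kv["ani"], kv["acct"], kv["event"]

def detect(log, window=timedelta(minutes=5), max_accounts=3, max_pin_fails=3):
    """Return sorted (rule, key) alerts; thresholds are illustrative assumptions."""
    by_ani = defaultdict(list)   # caller number -> [(ts, account)] inside the window
    by_acct = defaultdict(list)  # account -> [ts of PIN failures] inside the window
    alerts = set()
    for ts, ani, acct, event in sorted(parse(log)):
        # Rule 1: one caller number touching many distinct accounts (account testing).
        seen = by_ani[ani]
        seen.append((ts, acct))
        seen[:] = [(t, a) for t, a in seen if ts - t <= window]
        if len({a for _, a in seen}) > max_accounts:
            alerts.add(("account_enumeration", ani))
        # Rule 2: repeated PIN failures on one account, whatever number each call shows.
        if event == "PIN_FAIL":
            fails = by_acct[acct]
            fails.append(ts)
            fails[:] = [t for t in fails if ts - t <= window]
            if len(fails) >= max_pin_fails:
                alerts.add(("pin_guessing", acct))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, key in detect(SAMPLE_LOG):
        print(rule, key)
```

Account 4004 in the sample is not flagged because its failures fall outside the five-minute window; a per-account lockout counter that does not expire would be needed to catch guessing that slow.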
While losses associated with individual call-center fraud events remain about 65 cents per call—the same as in 2015—the increasing volume of the fraud is boosting total losses. “If the loss per call remains constant, but the volume of fraud calls doubles, that call center is now losing twice as much money,” Dewey says.