Targeting security weaknesses in the phone channel

Fraud over the phone channel is a significant problem for businesses, both small and large. Recently, phone hackers targeted a small architecture firm in Georgia, costing them more than $166,000. The firm had only seven employees, and a few VoIP connected phone devices. For larger businesses with call centers, the risk of phone fraud grows exponentially, as does the average fraud loss.

Banks, retailers and credit card companies all use call centers to provide services. Those call centers represent one of the most attractive targets for fraud attacks. While online security has been a top priority for organizations over the past decade, the phone channel has not seen similar innovation.

In fact, security on the phone channel has been static for nearly 40 years. Adding to the problem, when institutions strengthen online controls, fraudsters often shift their efforts to a less protected area of the enterprise – the call center.

According to the Communications Fraud Control Association, in 2013, account takeover fraud cost global businesses $3.62 billion. That number could be even larger, as phone fraud in the call center often goes under reported. In a report analyzing over 100 million calls, Pindrop Security found that one in every 2,900 calls to a call center is fraudulent. Furthermore, for every phone call received, Pindrop estimates that call centers incur an average fraud loss of $0.57. For many call centers that receive millions of calls per year, this translates to over $10 million in annual fraud loss.

Phone fraudsters use a mixture of technology and social engineering to break into accounts over the phone. Caller ID spoofing is one of the most popular and easy to use techniques for phone fraud. It is the practice of manipulating the telephone network to indicate that the originator of a call is different from the true originator. There is a wide selection of legal spoofing tools available that work on both smartphones and computers.

Fraudsters also exploit call centers by socially engineering call center agents to provide critical account information. Fraudsters can mislead call center representatives by exploiting the human-to-human interactions that are an inherent part of all phone calls. They might pretend to have forgotten a password, get angry, or even flirt with operators.

Increasingly, fraudsters are using a combination of phone and online tools to set up and execute attacks. Often one channel is used for reconnaissance, looking for information like account numbers, addresses, and account balance. Then, that information is used through another channel to break into an account.

Recent security breaches at Staples, Home Depot, Target, and others provide an illustration of these tactics. When hackers attack a large retailer, they acquire enough information to overcome the limited security protocol in place at most call centers. In many banks, if fraudsters can overcome a few Knowledge Based Authentication (KBA) questions, they can change PIN numbers and passwords on accounts, the first step in a complete account takeover. Already financial institutions are reporting a rise in fraud attempts linked to these retail breaches.

Though most enterprises train call center representatives on fraud prevention, agents are not in a position to offer substantial protection against fraud. Agents might encounter a fraudulent phone call once a month, and most of those are seemingly innocuous requests, such as balance and password or contact information changes. Relying on call center agents to service customers and detect fraudsters is not likely to succeed unless you have a very small, experienced and well-trained team.

So how can enterprises fight fraud in the call center? There is no single solution that will protect against all phone fraud. Rather, companies should look to build multi-layered security strategies. These should include analysis of call audio for anomalies (to detect deception), verification of factors such as the number and voice, and attacker information sharing through a consortium of information across similar companies. By relying on multiple factors, enterprises create a gauntlet that is increasingly difficult for fraudsters to defeat.