In the first post in this series about the rise of the modern fraudster, we explored how cybercriminals – the twenty-first century’s version of bank robbers – are continually looking for new opportunities to part consumers from their cash and credit.
As financial institutions layer on more security to prevent cyberattacks and online fraud, the criminals have begun looking for new ways to earn their dubious livings. In this post, we’ll explore the ways fraudsters are using call centers and self-service customer support technology to score.
Making Cardholders Accomplices in the Fraud
Large data breaches, of which there have been many lately, are usually just the beginning of rampant credit and debit card fraud. During these breaches, the goal is to steal as much personal customer information as possible. While customers may feel relieved when a data breach exposes only personal contact information such as name, address, e-mail and telephone number but no financial information, it’s critical to understand how criminals use this personal information to gather the missing pieces of information.
In cases when criminals do hit the motherlode of card or account information including social security number, account numbers and card numbers, they still lack personal identification numbers (PINs), since those are not stored on the card. While they can perpetrate fraud without the PIN, a PIN will give them access to cash at the ATM. Now, it’s time for them to get busy and start collecting the information they need to complete the fraud.
It’s critical to note at this point that no company is immune. Larger companies – witness the hacks of Home Depot and Anthem – may attract more attacks simply because of the volume and sensitivity of the customer data they hold, but smaller companies aren’t off the hook, either. Most companies, regardless of size, maintain information that is of at least some value to fraudsters, and these companies are often considered “easy marks” by hackers because of their lack of sophisticated security barriers.
The Fraudulent Company Call Angle
To aggregate the information they need to completely compromise an account, the criminals will go to work posing as company representatives. They will call victims and claim to be employees at the customer’s financial institution. Most people have been told never to hand out personal information to “company representatives” who call claiming to be from a bank or any other business with which they have an account or personal relationship, but fraudsters have several advantages that help them skirt that caution and convince unsuspecting consumers to give up their personal, confidential information. They sound professional, and they already have a lot of the customer’s personal information, which makes it seem that they are legitimately calling on the consumer’s behalf.
Good morning. This is John Smith with ABC Bank. We were going through your account information and saw some discrepancies. I’m calling to ensure that your information is up to date. I have your name, your address and your e-mail, and your account number as 12345678. Just to confirm all this is correct, I just need you to enter your PIN.
The customer, confident the call is legitimate (after all, if it wasn’t, the caller wouldn’t have all that personal information, right?) enters his or her PIN, and the fraudsters now have everything they require. They can make a duplicate card from nearly any card with a mag strip – hotel key cards are popular – and either sell the cards or go shopping. One common practice is to use self-checkout kiosks at retail stores such as Walmart to buy gift cards and then resell those cards.
Fraud in the Contact Center’s IVR
Now that the criminals have gathered PINs, they will look for the most convenient automated process – which tends to be the contact center’s IVR – to try to use the information they’ve collected to their advantage. They can use the IVR to check balances and pending deposits to determine when the most lucrative time to clear the account will be, and then perpetrate fraud by purchasing something via the internet or over the phone (known in the industry as a “card not present” transaction), creating a counterfeit card, or changing the address on the account and having a new card sent to that address.
If the fraudsters have some but not all personal information, the IVR becomes a method for them to validate the information they have and probe for additional information. If they have an account number, a social security number and a date of birth, but no PIN, they can attempt a brute-force attack by repeatedly calling into the IVR and guessing various PINs (too many people still use obvious numbers such as birth dates for PINs). Alternatively, they can reach a live agent and pose as a customer in an attempt to squeeze information out of the agent, or ask to reset a PIN. Fraudsters will often call back until they reach a lesser-trained, more sympathetic agent who will fall for a sob story (“I’m stranded in an airport and my PIN isn’t working!”) or be persuaded that the caller is legitimate (after all, he knows a lot of personal information about the customer, so it must be the customer himself, right?). If an agent seems confident that the caller truly is the customer – and fraudsters are very good at making it seem so – the agent may provide the missing information or approve a new card to be sent to a new mailing address.
Working through live agents presents a risk for the fraudster, however. Agents may notice a pattern of repeated calls, and better-trained agents may report instances of probing as potential fraud. For this reason, the IVR remains a favorite tool of crooks precisely because it’s impersonal, automated and, in many cases, not monitored for patterns of fraudulent behavior. It provides critical information – balance and deposit data – quickly and easily, supplying crooks with all the information they need to drain an account at the most lucrative time. That makes the IVR a critical place to halt fraudsters engaged in phishing, probing and validation activities in their tracks. Many organizations don’t realize how ill-prepared they are to handle this ever-changing, complex fraud channel, and may not even realize the volume and scope of fraudulent activity taking place right now on their watch.
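The two IVR patterns described above (repeated PIN failures against one account, and one calling number touching many accounts) can be flagged from ordinary IVR event logs. The following is an added illustration written for this post, not code from any IVR vendor; the event tuples, phone numbers, account ids, thresholds and window are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample IVR events: (timestamp_seconds, ANI, account, event).
# A real feed would come from the IVR platform's call detail records.
SAMPLE_EVENTS = [
    # normal customer: one successful PIN, one balance check
    (10, "+15551230001", "ACCT-1001", "pin_ok"),
    (15, "+15551230001", "ACCT-1001", "balance"),
    # repeated PIN guesses against one account, from two calling numbers
    (100, "+15551230002", "ACCT-2002", "pin_fail"),
    (160, "+15551230002", "ACCT-2002", "pin_fail"),
    (230, "+15551230003", "ACCT-2002", "pin_fail"),
    # one calling number checking balances on several unrelated accounts
    (300, "+15551230004", "ACCT-3001", "balance"),
    (340, "+15551230004", "ACCT-3002", "balance"),
    (390, "+15551230004", "ACCT-3003", "balance"),
    # an isolated failure well outside any window should not alert
    (5000, "+15551230005", "ACCT-4004", "pin_fail"),
]

# Assumed thresholds; tune against the institution's own baseline traffic.
WINDOW = 600                  # seconds of history considered per key
PIN_FAIL_THRESHOLD = 3        # failed PIN entries per account within WINDOW
DISTINCT_ACCT_THRESHOLD = 3   # distinct accounts reached from one ANI within WINDOW


def flag_ivr_probing(events, window=WINDOW, pin_fail_threshold=PIN_FAIL_THRESHOLD,
                     distinct_acct_threshold=DISTINCT_ACCT_THRESHOLD):
    """Return a set of alerts: ('pin_bruteforce', account) or ('ani_enumeration', ani).

    Both detectors use a sliding time window so that a customer who mistypes
    a PIN once a month is not treated like a caller guessing PINs in minutes.
    """
    alerts = set()
    fails_by_acct = defaultdict(deque)   # account -> timestamps of PIN failures
    accts_by_ani = defaultdict(deque)    # ANI -> (timestamp, account) pairs
    for ts, ani, acct, event in sorted(events):
        if event == "pin_fail":
            q = fails_by_acct[acct]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= pin_fail_threshold:
                alerts.add(("pin_bruteforce", acct))
        q = accts_by_ani[ani]
        q.append((ts, acct))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({a for _, a in q}) >= distinct_acct_threshold:
            alerts.add(("ani_enumeration", ani))
    return alerts
```

Note that the PIN-failure counter is keyed on the account rather than the caller, so rotating calling numbers does not reset it; the account-enumeration counter is keyed on the ANI for the opposite reason.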
A Highly Organized Criminal Enterprise
While we may preserve a mental image of a cybercriminal being a poorly socialized individual operating from a dim basement for personal gain, the reality is that global financial cybercrime is big business. Stolen card data from large scale (and even not-so-large scale) data breaches is highly profitable. Criminals collect the card information, separate it by bank based on the bank identification numbers, or BINs, and sell this information in bulk to organized criminals.
According to the Identity Theft Resource Center, some groups – Eastern European criminal enterprises, for example – will offer for sale on the black market a “bucket” of Citibank or Bank of America cards, with prices varying depending on the amount of information available. Prices run from $8 per record for card information alone – which requires more footwork to use – to $30 to $40 for a complete dossier of personal information including social security numbers, names and birthdates. With the latter information, fraudsters can simply open a new account in a victim’s name.
As businesses have gone multi-channel with their support, so too have fraudsters. Today, they have a variety of channels open to them to collect information, put it all together and take over an account. Social media can be used to validate information, and criminals are bold and skilled enough to contact their victims directly to phish for missing information. Once they have collected everything they need, they simply head to the call center or the IVR to complete the account takeover.
As fraud has become more complex and multichannel, stopping it also needs to be a process with multiple layers. Today, companies need to be proactively tracking and monitoring activity and taking a variety of active steps to stop the criminals. There is no “one size fits all” answer, or magic shield – like Harry Potter’s invisibility cloak – that will do the trick. To improve business processes, protect customers and guard against multiple types of breaches, organizations today need to be thinking about the variety of ways they can stop different types of fraud.
In the call center, this means building a multi-layered solution that combines safety measures working on both the customers’ and the company’s behalf. An effective and more cost-efficient option is to include automated ANI (automatic number identification) verification, behavioral analytics with the ability to identify red flags in real time, and automated knowledge-based authentication. These safeguards, which are often put in place only for live calls, in a more costly form that requires live agent assistance, must also be applied to the IVR, where no one is actively watching and criminals are counting on this fact. Adding security to live call center channels but ignoring the IVR is a bit like guarding the front door but leaving the windows wide open. No company wants to be the one robbed by fraudsters who used the company’s own customer support technology against it.
Stopping financial cybercrime is one of the largest challenges to global business today. Criminals are highly adaptive: shut down access to one piece of information, and they will simply change their tactics and find another way to get in. Industry experts have asserted that an organization must continually shift its own tactics when it comes to fraud prevention. What this means is that fraud protection is a living, breathing process that must grow and adapt, and any solutions chosen to protect the organization must do the same. In Part 3 of this blog series, we’ll discuss the best ways companies can engage in multi-layered and multi-channel fraud prevention.