Executive Summary
In the past two years, call center fraud has grown at an alarming rate. Attackers target call centers to gain access to funds, as well as gathering, testing and augmenting personal data to use in future fraud attacks or to sell on the black market. To learn more about these attacks, the research team at Pindrop Labs has analyzed more than 10 million calls to major enterprise call centers between 2011-2016. These researchers believe the rise in the number of attacks can be traced to a migration of fraudsters to the phone channel, which is the weakest link into an organization. Factors influencing this migration include the US rollout of chip credit card technology, the global increase in data breaches, and stronger online and mobile security.
|
Enterprise call center fraud is expensive and growing fast.
The rate of fraud calls has grown 45 percent since 2013. In the same period, call center losses to fraudulent transactions rose 14 percent.
Use Phoneprinting to identify fraud risk factors.
Call center fraud will continue to rise. Prepare now by implementing multi-layered solutions that quickly and accurately detect fraud.
Attackers conduct pre-fraud activities to prepare for cross-channel attacks.
Criminals use the IVR to test stolen data and mine for accounts. They socially engineer live agents to augment their stolen data and build a profile of their targets.
Prevent attacks by monitoring IVR and live agent calls for pre-fraud.
Few call centers today have visibility into IVR activity. Look for solutions that offer comprehensive protection across the entire call center infrastructure, including both IVR and live agent.
|
Fraudsters are finding new types of institutions to target.
The credit union and insurance industries are lucrative targets, with higher than average fraud exposures. Traditional financial institutions like banks, brokerages, and credit card issuers remain at high risk.
All industries should look for vulnerabilities in their call centers.
Call centers should understand their expected fraud exposure and average loss. Learn whether your organization should expect fewer but more costly attacks, very frequent but less expensive attacks, or some other variation.
The UK offers the US a glimpse of the future growth of call center fraud
The UK has had chip card technology for many years. This has resulted in a doubling of fraud rates and more attacks originating domestically.
Implement solutions now to monitor and detect phone fraud.
As physical card security in the US increases, US call centers should expect to see a spike in call center fraud. Now is the time to implement solutions.
|
INTRODUCTION
WHY THE CALL CENTER IS THE WEAKEST LINK
Stronger online and mobile security, recent data breaches, and the rollout of chip cards in the US means cybercriminals are changing tactics, exploiting the weakest link in the organization: the call center. Pindrop Labs researchers reviewed over 10 million phone calls to enterprise call centers between 2011-2016. In this report, enterprises will gain a deeper understanding of the growing threat of call center fraud, as well as the level of attacker sophistication.
Call centers have many vulnerabilities that make them an attractive target for fraud:
|
The Human Element Is Unreliable
Call centers that rely on live agents to look for suspicious callers are at high risk for social engineering attacks. They also risk customer experience, by forcing agents to enforce policy before helping the customer
|
Caller ID Can’t Be Trusted
Call metadata like Caller ID numbers, Automatic Number Identification (ANI), or Calling Line Identification (CLI ), is completely unreliable today. Fraudsters have cheap and easy solutions to spoof this information.
|
|
The IVR Is A Blind Spot
Most companies do not have sufficient insights into customer IVR activity. Pindrop researchers analyzing IVR calls found repeated PIN resets, account mining, extremely long calls, and other suspicious activity that indicates IVR fraud at a rate close to that seen in live agent fraud.
|
KBA Doesn’t Work
According to Gartner’s Avivah Litan, “Failure rate on KBI is on average 10 percent to 15 percent and sometimes it can go as high as 30 percent.” [1] At the same time, many criminals can pass KBA authentication. The abundance of customer information available on the black market mean fraudsters can easily find the correct answers.
|
WHAT IS CALL CENTER FRAUD?
For the purposes of this report, call center fraud represents any interaction between a criminal and a call center agent. Though many of these calls involve attempting to complete a fraudulent transaction, the majority of fraudulent calls do not. Pindrop research suggests that a criminal makes up to five calls before completing the fraudulent transaction. Think of these calls as “pre-fraud.” Examples of pre-fraud calls include:
CROSS-CHANNEL FRAUD AND THE CALL CENTER
Fraud in the call center has wide ranging effects on an organization. Online, mobile, and physical channels have many layers of strong authentication and security. Meanwhile, most call centers rely on ineffective security measures like Caller ID, live agents, and KBA. Criminals use the call center as a back door to the organization. Here, they complete pre-fraud, which allows them to move across channels to pass further authentication and complete attacks. Pre-fraud phone calls set the fraudster up for later cross-channel attacks. Aite Group research suggests 61% of all fraud activity can be traced back to the contact center, with several financial institutions reporting rates as high as 90%.
[2]
A GROWING PROBLEM
FRAUD CALL RATES HAVE GROWN 45% SINCE 2013
The number of fraudulent calls received by the average enterprise call center continues to grow dramatically. In 2013, call centers saw an average of 1 fraud call in every 2,900 calls received. This year, fraud rates are at 1 in 2,000 calls. This rate represents a 45 percent increase since 2013. There are three main factors contributing to this increase:
|
Recent Data Breaches
In recent years there has been an influx of data breach information being sold on the black market. Before a criminal purchases this information, they must test the data. They attempt to learn which card numbers are valid. They must also augment the data, finding additional personal information that allows them to pass authentication. The easiest channel for conducting these pre-fraud activities is in the call center, especially in the IVR.
|
US Chip Card Rollout
The continued rollout of chip cards in the US has made it more difficult for fraudsters to commit card-present attacks, using counterfeit cards at the point of sale. This has caused criminals to change tactics and look for ways to commit fraud that do not require a physical card. As Aite Group writes, “Over US$4 billion in counterfeit card fraud has to find a new home... Contact centers are the weak link that will be increasingly exploited.” [3]
|
Increased Security in Other Channels
Chip cards are just one example of security innovations that are causing fraudsters to move to the phone channel. Other innovations in online security tools, mobile security, and more are forcing fraudsters to look for new attack techniques. Pre-fraud data gathering in the call center allows fraudsters to defeat these new technologies in other channels.
|
PHONE FRAUD LOSSES HAVE RISEN 14% SINCE 2013
In 2015, enterprises lost an average of $0.65 to fraud per call. This means a call center that receives 40 million calls per year should expect to see somewhere between $17 million to $27 million in fraudulent transaction losses annually. Phone fraud losses have grown 14 percent since 2013, when the average loss was $0.57 per call. According to a recent survey by the Aite Group, 72% of contact center executives expect this fraud loss trend to continue on an upward trajectory, almost doubling in the next five years.4
Increased fraud losses are a result of more sophisticated attackers with a greater amount of data at their fingertips. Today’s fraudsters are able to identify and target higher value accounts to efficiently maximize their earnings.
Note, Pindrop only measures losses from fraudulent transactions that take place through the call center. However, many more fraudulent transactions that take place in the online, mobile, or physical channels can be traced back to phone channel pre-fraud.
These pre-fraud calls also account for the different growth of fraud call rates (45%) and phone fraud losses (14%). The number of pre-fraud calls that do not request transactions has grown significantly.
THE HIDDEN COST OF FRAUD
Call center fraud carries further consequences than just the cost of fraudulent transactions. These factors are far more difficult to put a number to. They include:
|
Customer Experience
Call centers that are unable to quickly sort fraudulent from legitimate callers must spend time establishing identity before they are able to offer any assistance. This creates a frustrating customer experience.
|
Regulatory Risk
Many industries issue strict standards for protecting customer data, health, and financial records. Call centers that mistakenly allow a fraudster access to a customer’s private information risk fines and other damages.
|
|
Brand Reputation
Call center fraud attacks can include identity theft and data breaches. News of these attacks has a severe effect on a brand’s reputation, especially in the hyper-competitive insurance industry.
|
Operations Cost
The longer it takes to verify a caller’s identity, the longer the call handle time will be. Long call handle times translate into higher operations costs for the call center.
|
KNOW YOUR FRAUDSTER
Several factors, including calling device type and geographic call origin can indicate a potentially fraudulent call. However, though the use of Caller ID spoofing, voice distortion, and other tools, fraudsters can hide these risk-factors and make their calls appear legitimate. Call centers then must not only be aware of the risk factors that indicate fraud, but must also find solutions to quickly and accurately assess these factors in incoming calls, allowing them to overcome fraud technology and separate fraudsters from legitimate callers.
FRAUDSTER WEAPONS OF CHOICE
|
Voice Over IP Phones
Voice over IP (VoIP) phones are the fraudster’s first choice of devices when it comes to making fraud calls. In the past year, 16 percent of legitimate callers used a VoIP device, yet 42 percent of fraud callers did so. This number has remained relatively steady over the past five years.
In the US, VoIP calls are cheap or free, making them popular choices for fraudsters. VoIP calls are also difficult to identify. This is because it is very easy to spoof a Caller ID number with VoIP. Adding to this confusion, VoIP calls are typically routed through multiple carriers onto the PSTN network, making them hard to trace and prosecute.
|
Mobile Phones
Mobile devices are increasingly being chosen to launch fraud attacks, displacing landlines as the second most popular calling device for fraudsters. In 2011, only 5 percent of fraud calls were made using a mobile device. Today, that number is 35 percent.
This rise in popularity can be attributed to several factors. In many parts of the world mobile is more cost effective than even VoIP. Fraud-enabling apps like Caller ID spoofing and voice distortion are widely available. Finally, many criminals believe “burner” mobile phones are untraceable (this belief is not true.)
|
FRAUD WITHIN AND ACROSS BORDERS
|
International Fraud
Phone channel attackers are not bound by geography. Up to 49 percent of fraud calls originate in a country other than the country of the attack target. Attackers call across international borders at 12x the rate of legitimate callers. Spoofing technology allows international fraudsters manipulate ANI codes (or CLI codes in the UK) to appear as local callers on Caller ID, making them difficult to detect.
The reasons behind this trend are twofold. First, much of this activity comes from international organized crime rings, many of which are based out of Eastern Europe and Africa. Second, international call centers are subject to fewer regulations and are more difficult to prosecute.
|
Domestic Fraud
This year, for the first time, domestic fraud was slightly more prevalent than international fraud in the call center. Fraud calls originating within the country targeted for attack have grown from 36 percent to 51 percent of fraud call traffic.
In the US, this growth is likely associated with the chip card rollout. Card-present fraudsters, who were located within the country in order to use their counterfeit cards at the point-of-sale are being faced with the choice between moving to a non-chip card country (to continue doing card-present fraud) or staying in their own country and switching to attacks that do not require a physical card, including domestic call center fraud. Thus, the absolute number of international fraud attacks has not necessarily decreased. Rather, domestic fraud has increased relative to international fraud.
|
INDUSTRY VARIATIONS
FINANCIAL INSTITUTIONS
Phone fraud rates at banks, brokerages, credit card issuers, and credit unions are perennially high. These entities offer a clear route to a profit because they deal with financial transaction accounts. Yet, different types of financial institutions experience different rates of phone fraud.
Retail banks report a fraud call rate of 1 in every 1,400 calls. Credit unions and brokerages show slightly less risk at 1 in 2,000 calls and 1 in 2,700 calls respectively. Credit union and brokerage industries see lower fraud rates because these account numbers are used less frequently than credit card or bank accounts, and consequently fewer are stolen and sold on the black market. In addition, it may be more complicated for a fraudster to monetize a brokerage account than a bank account.
Credit card issuers experience phone fraud at nearly double the rate of other financial institutions, reporting 1 fraud call for every 800 calls to the call center. This is because credit cards are widely used and widely stolen. Credit cards are relatively easy to monetize with Card-Not-Present (CNP) style attacks.
Fraud exposure among financial institutions is very similar between banks ($11M), brokerages ($10M), and credit card issuers ($11M). Credit unions, however, expose nearly three times the amount of other financial institutions, at $29 million annually. This may be traced back to the fact that credit union members often use their financial institution as a one-stop shop, holding multiple accounts at the same credit union. According to research from RAND, “On average, bank customers use 5.4 services with their primary financial institution, while credit union members use 7.1 services.”
[4] Fraudsters who are able to pass credit union authentication in the call center generally can gain access to a larger selection of accounts and funds than in a typical bank.
|
WHAT IS FRAUD EXPOSURE?
Fraud exposure is the monetary value of an account that a fraudster has gained access to. Fraud exposure is different than fraud loss. An attacker who impersonates a financial institution’s customer over the phone and passes KBA processes may have access to an account worth $10,000 (the fraud exposure), but the attacker will often only try to move a fraction of that money. Attackers understand that higher-value transactions trigger enhanced authentication and want to avoid a potential auto-alert system or consumer realization.
|
INSURANCE
Fraudsters are increasingly finding ways to monetize attacks against some types of insurance companies. These schemes are often more sophisticated than the typical attacks against a financial institution. In this section, we will highlight two very different types of insurance and the types of attacks they face.
Life Insurance
Life Insurance call centers experience a relatively small volume of fraud calls. At 1 fraud call for every 12,000 calls, life insurance organizations had the lowest fraud rate of any industry Pindrop surveyed.
However, fraudsters are still at work in these call centers. The damage that these fraudsters do can be significant. Life insurance call centers actually have the highest annual fraud exposure of any industry in this study, at $31 million per year per institution.
Fraudsters targeting life insurance call centers have found two ways to monetize an account. The most damaging attack is a fraudulent policy surrender request. When a legitimate customer surrenders a life insurance policy, the company pays the policyholder the cash value of the policy, minus any surrender charges.
Fraudsters impersonating legitimate policyholders have been able to access very large cash payouts using fraudulent policy surrenders. This attack requires an impressive level of sophistication on the part of the fraudster.
The more common scheme in life insurance call centers aims for a lower, but still lucrative payout. Fraudsters call a life insurance company impersonating a customer taking out a loan against a life insurance policy. These loans are rarely suspicious, and because many consumers do not monitor their life insurance policies closely, loans against policies can go undetected for many years.
Device Insurance
Device insurance call centers are seeing fraud at the rate of 1 in every 300 calls, the highest fraud rate among industries Pindrop investigated. Device insurance companies offer replacement phones and other devices if a consumer’s device gets lost, stolen, or damaged. As mobile devices have become more popular and more expensive over the years, this type of insurance has grown. Subsequently, fraudsters have found ways to take advantage of this flow of desirable goods.
Criminals commit fraud in device insurance call centers by filing false claims. Fraudsters impersonate legitimate customers, asking for replacement phones, but redirect the shipment of the device away from the address on file. They may request that the new device be sent to a “work address” or the place they are vacationing. Once the fraudster has the new phone, he or she will then sell the device on the black market.
|
What is Social Engineering?
Social engineering is any act that influences a person to take an action that may not be in their best interest. The call center offers perhaps the best route for a social engineer to work. Unlike online interactions, voice communication allows fraudsters to use emotion and personal connection to manipulate agents. Aite Group’s recent survey shows 22% of financial institution executives believe social engineering is a critical issue. [5] |
Call Center Fraud in Other Industries
|
Money Transfer
Money transfer call centers are unique in that in addition to taking incoming calls from customers, many make outgoing calls to verify high-risk online transactions. Though the typical fraud rate for money transfer call centers is 1 in 360, the rate for this small subset of outgoing verification calls is as high as 1 in 94.
|
Retail
Retail call centers are popular targets for card-not-present fraud. Criminals place orders using stolen credit card credentials. These fraud calls not only cost the retailer the price of the stolen merchandise, but also raise operations costs and increase chargeback fees.
|
|
Travel
Travel industry call centers have a particularly difficult time identifying fraudsters. This is because fraudsters often look like high-value business passengers, buying tickets for expensive routes or rooms at the last moment.
|
Public Sector
Public sector call centers must be vigilant in securing confidential information. Recent hacks at the IRS and the Department of Homeland Security have been traced to security issues in the call center.
|
PHONE FRAUD IN THE UK
COMPARING US & UK FINANCIAL INSTITUTIONS
Fraud attacks vary across the globe. This year, Pindrop examined the differences between financial institution call center fraud in the United States and in the United Kingdom. This comparison is interesting because both countries speak English and have similar types of financial institutions. The major difference at play between the two countries is the fact that the UK has had chip card technology (there more commonly known as EMV or chip and PIN) since 2004. The UK offers the US a preview of how to expect fraud to evolve in the coming years.
UK call centers see more than double the fraud calls when compared to the US. Financial institutions in the US have a fraud rate of 1 in 1700 calls. In the UK, fraud rates are as high as 1 in 700 calls. This is likely because the UK has had chip cards much longer than the US, and the fraudsters have effectively transitioned to fraud attacks that do not rely on physical cards, such as those in the call center. According to the Aite Group, these fraud attacks grew 79% in the UK in the years following the chip card rollout (2005 to 2008).
[6] See US Chip Card Rollout on Page 3 for more information.
UK fraud calls are mostly domestic. In the UK, 72 percent of fraud calls to financial institutions originate from within the UK. This compares to only 48 percent of US financial institution fraud calls originating within the US. Again, this trend can be linked to the UK’s extended use of chip technology. Years ago, when the UK implemented chip cards, fraudsters who used card-present tactics switched to non-physical attacks like call center fraud, rather than relocate out of the country.8 (See Domestic Fraud on Page 6 for further information on how this works.) The UK is not unique in this shift. After France implemented EMV cards, it saw domestic card-not-present fraud attacks increase by more than 360 percent between 2004 and 2009.9
Most UK fraud comes from mobile devices. Mobile phones are heavily used for fraud in the UK. UK financial institutions see 64 percent of fraud calls coming from mobile devices, while US financial institutions only see 37 percent from mobile. In the UK it is easier for mobile phones to be programmed to show a restricted caller ID. In fact, 70 percent of fraud calls in the UK use a restricted caller ID, rather than spoofing a phone number.
METHODOLOGY
How PhonePrinting Works
For this report, Pindrop analyzed millions of calls globally, using Phoneprinting to dissect the details of attacker techniques and behavior. Pindrop’s patented Phoneprinting technology analyzes the audio content of a phone call. Phoneprinting measures 147 characteristics of the audio signal in order to form a unique fingerprint for the call. This information provides an unprecedented level of insight into the phone channel.
Phoneprinting determines a caller’s true location and device type. The Phoneprint is highly resilient –detecting voice distortion, Caller ID Spoofing, gateway hijacking and other obfuscation techniques. In addition, Phoneprinting helps to identify multiple callers associated with the same phoneprint, which allows enterprises to track fraud rings. Phoneprinting is the only technology that can see through these attacker tactics.
About Pindrop
Pindrop is the leader in voice fraud prevention and authentication. Pindrop provides enterprise solutions to reduce fraud losses and authentication expense for some of the largest call centers in the world. Pindrop’s patented Phoneprinting™ technology can quickly and accurately identify, locate and authenticate phone devices uniquely just from the call audio, on the first call and every call. Pindrop has been selected by the world’s largest banks, insurers, brokerages and retailers, detecting over 80 percent of fraud. Pindrop’s solutions allow customers to reduce call time and improve their customers’ experience even while reducing fraud losses. Pindrop was founded in 2011 and is venture backed by Andreessen Horowitz, Citi Ventures, Felicis Ventures, Google Capital, GV and IVP. In total, Pindrop has raised $122 million.
ABOUT PINDROP LABS
Pindrop Labs is a group of scientists focused on researching threats and vulnerabilities in the audio and telecommunications channels. This area, traditionally neglected from a security perspective, is increasingly favored by attackers for pre-fraud, exploitation, account takeover, and other attacks. Pindrop Labs’ research falls into two main areas: phone fraud prevention and securing the increasingly ubiquitous voice interface. Phone fraud prevention includes security for call centers, telecommunications infrastructure, and phone-reliant systems, organizations, and consumers. Securing voice interfaces includes providing authentication, threat detection, and fraud prevention for voice-enabled infrastructure.
CONTRIBUTORS
Matt Garland, Vice President of Research
Matt Garland has over 15 years of experience with contact center technology and is an expert in call recording systems. Prior to joining Pindrop, Matt was Vice President of Architecture at Nexidia.
Dr. David Dewey, Director of Research
David Dewey leads the Pindrop Labs team. David began his career at Internet Security Systems, where he worked as a vulnerability researcher and manager of the X-Force Advanced Research Team.
Dr. Kailash Patil, Research Manager, Americas
Kailash Patil is a leader on the Pindrop Labs team, researching in the areas of forensic signal processing, feature extraction, speech processing, pattern recognition, and machine learning.
Dr. Nikolay Gaubitch, Research Manager, EMEA
Nick Gaubitch leads Pindrop Lab’s EMEA team. Nick’s research centers around contact center phone fraud, ad-hoc microphone arrays for speech enhancement, and law enforcement audio research.
Valerie Bradford, Product Marketing Manager
Valerie Bradford has eight years of experience in the information security industry.
[1] Bank Info Security “Gartner’s Litan on Fixing Authentication” 2013.
[2] Aite Group, “Contact Centers: The Fraud Enablement Channel,” 2016.
[3] Aite Group, “Contact Centers: The Fraud Enablement Channel,” 2016.
[4] RAND, “Consumer Use of Banks and Credit Unions,” 2009.
[5] Aite Group, “Contact Centers: The Fraud Enablement Channel,” 2016.
[6] Aite Group, “EMV: Lessons Learned and the U.S. Outlook,” 2014.