Call Center Fraud Statistics
With internet security growing tighter than ever, many cybercriminals are being forced to expand their horizons. Between 2016 and 2017, call center fraud saw an increase of 113%, jumping from one in every 2000 calls in 2016 to 1 in 937 in 2017. Between 2013 and 2019, it has increased by 350%. Like almost all types of fraud, the ultimate goal is almost always financial gain. Therefore, it should be no surprise that banks, credit unions and other financial institutions are generally the biggest targets of this type of fraud. Here is an overview of call center fraud; what it is, how it is perpetuated and what can be done about it.
What is Call Center Fraud?
When people initially think of this type of fraud, they may think of the types of telephone fraud perpetrated on individuals. These include calls ostensibly from law enforcement or the IRS that seek to extort money from an individual in order to avoid further legal complications. While that is one type of telephone fraud, it is actually not the most prevalent. The most prevalent use of this type of fraud is directed towards larger financial institutions and has a number of different aims and goals. In some cases, it is simply to tie up outbound lines to create a disruption in communication that can be exploited, while in other cases it is to slowly create small, unnoticeable changes in account information that the fraudsters can then exploit. The exploitation of call centers is generally only one piece of a larger whole, which utilizes a number of different means and avenues to complete the fraud.
How Does Call Center Fraud Work?
There are a number of different ways that call centers can be used to perpetrate fraud. Here are a few of the most common ways that the fraud occurs, times when fraud is most likely to occur or ways in which call centers can be exploited for fraudulent activities.
- Records migration: Generally, when there is a migration of some sort, such as when one bank takes over another or even when the headquarters of a bank moves, it can disrupt the system for a few days while files and customer information are moved from one place to another. When call center employees for the financial institution do not have all of the customer data in front of them, they will often simply accept the information that is given them by the "customer". This allows cybercriminals to change addresses or other contact information in order to take over the account. In other cases, bank and financial institution employees may even give out information in an attempt to verify that the information they have and are looking at is correct.
- Human element: Digital financial transactions are secured and guarded by digital guardians that have no empathy or compassion. Call center operatives, however, are generally trained to keep customers happy. When a customer calls in frustration, the legitimate call center agent's primary goal is to resolve their issue to everyone's satisfaction as quickly as possible. Call center agents are generally rated based on the speed with which they resolve a customer's issue as well as how satisfied the customer was at the end. Unfortunately, this creates a vulnerability that fraudulent call center operatives can exploit. By showing frustration and gaining the empathy of the legitimate call center employee, they are capable of gaining access to a wide range of information and gaining the employee's help in engineering their end game. In many cases, they will ask for the employee's name and continue to contact them until the employee feels they have established a trusted relationship. At that point, it may be open season on that account.
- Lack of authentication: One reason that many cybercriminals are moving to call center operations is that internet security is becoming increasingly tight and getting better at authentication. Unfortunately, telephony authentication now lags far behind. Call center agents for financial institutions are still stuck authenticating customers via information that is incredibly easy to gain, such as addresses, phone numbers, date of birth or the last 4 digits of a social security number. VoIP systems make it easy to clone local phone numbers, rendering caller ID nearly useless. Some companies began to use biometrics to help authenticate callers by the sound of their voice, but there is also software available that can change the sound of a caller's voice, which severely negates the benefits of voice biometrics.
- IVR systems: AI powered Interactive Voice Response systems have made it easier than ever for customers to accomplish many of the same tasks over the phone that they might on the internet with less wait time. Unfortunately, IVR systems are even easier to exploit than customer service agents, since many IVR systems only require callers to enter the last 4 digits of their social security number, which is all too easy to obtain. With IVR systems, fraudulent callers can check balances, change contact information and even change a PIN code. This allows them to have a new debit card sent to a new address, after which they can call in and change the PIN code and drain the account dry. All without ever having to speak to a live person who may become suspicious.
How To Prevent Call Center Fraud
Multi-factor authentication is as useful for preventing phone fraud as it is internet fraud. Authenticating by sending a code to the customer's registered phone number or email address is one way, as is creating a unique PIN code that is required for any information to be given out over the phone. Phone authentication should also not be based on generic information that is readily available, such as email addresses, phone numbers, street addresses or the last four digits of a social security number. Instead, it should be information that is unique to the individual and their relationship with the institution, but that is also not available via the IVR system.
iovation is a leading provider of fraud detection and prevention solutions as well as advanced multifactor authentication software for online banking, e-commerce, insurance, gambling, online communities, and travel and ticketing organizations.
Ready for the next step?
Spot user behaviors and device information that’s suspicious, and stop those fraudsters in real time. We track billions of devices and our fraud analysts add evidence to make this intelligence even more effective.