Fighting fraud is often compared to a game of whack-a-mole: Improve security in one area, and criminals will find a new way to breach a company’s defenses in another area. In recent years, for example, the introduction of security chips has greatly reduced the fraudulent use of physical credit cards, but criminals have not responded by throwing up their hands and going home.
Instead, they’re increasingly turning their attention to account takeovers.
Fraudsters sometimes gain access to victims’ bank and e-commerce accounts by cracking weak passwords or using stolen credentials, but more and more attacks are targeting what is emerging as the weak link in many organizations’ security systems: the phone channel.
In a recent study, 51% of the financial services companies we surveyed identified the call center as the vector of choice for account takeover attacks. Jim Hickman, assistant vice president of Financial Crimes Operations at USAA, and Tom Poole, senior vice president for digital payments and identity at Capital One, have also pinpointed the call center as the location where most fraud starts. At the Money 20/20 USA conference in 2018, they agreed that while account takeovers tend to show up in the online channel, the job usually begins by socially engineering call center agents.
Social Engineering And The Rise Of Account Takeovers
Call centers often use knowledge-based authentication -- asking callers to prove their identity by supplying personal information such as their account number and mother’s maiden name -- to grant access to customer accounts. This process is highly vulnerable to social engineering, the term for a scammer manipulating an agent into inappropriately granting access to an account, particularly now that vast troves of consumer data are available for sale on the dark web.
As the VP of technology for a company that works with financial institutions and other enterprises needing to authenticate callers to protect account access, I know this scenario all too well. Armed with personal information purchased on the dark web or gleaned from social media, a criminal can phone an organization’s call center (perhaps using a spoofed number or a virtual call service to disguise the call’s origins) and, posing as a customer, correctly respond to the agent’s identity interrogation to convince him or her to reset the account’s online password or change the associated email address.
Treating Everyone As A Suspect
Because these detection systems are not foolproof, and they merely flag risks rather than positively confirming a legitimate caller’s identity, organizations end up treating every caller as a suspect while doing little to actually catch fraudsters.
This process asks agents to subject every caller to time-consuming (and often annoying) identity interrogation while spreading the organization’s fraud-detection resources across all incoming calls, even though the vast majority of callers are actual customers. There is a better approach.
When detectives begin investigating a crime, one of their first steps is to confirm alibis and rule out suspects who don’t match the forensic evidence at the scene. If they can rapidly eliminate 80% of the potential suspects, they can concentrate all their resources on the remaining 20%. This same principle applies to separating good and bad actors before they can commit a crime.
If an organization can immediately confirm the majority of callers as legitimate, the call center’s fraud-detection staff and tools can be directed toward assessing the significantly smaller subset of non-authenticated calls, thus dramatically improving fraud-fighting return on investment. Agents receiving non-authenticated calls will be more alert to potential social engineering attempts, and the use of tools to assess inbound call data or caller voices can be much more focused.
But how can call centers confidently focus their fraud-fighting efforts if knowledge-based authentication is ineffective?
The first thing organizations need to do is fight fraud where it starts, not where it ends. They should build systems that accurately trace fraud events back to their source. That source will very often be the call center, and tracing it requires the ability to record and replay activity on an account in order to pinpoint the moment of account takeover.
A second approach is to augment the training of agents. A strong line of defense is an informed call center staff. Employees should be able to recognize the signs of a social engineering attempt and be wary of behaviors such as a strong sense of urgency, pressure to make a quick decision, or appeals for empathy. Agents should be empowered to react to such attempts, regularly retrained, and kept apprised of the latest fraudster techniques.
And finally, companies should look into implementing stronger authentication methods. Organizations can choose from a growing range of multifactor authentication solutions using technologies that can verify customers’ identities and route them into a trusted caller flow. For example, an inherence factor (a voiceprint) can be combined with a physical ownership factor (the customer’s smartphone) to create a solution that automatically and accurately authenticates callers before they reach an agent.
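The first recommendation above, replaying an account’s activity to find the moment of takeover and the channel it came through, can be illustrated with a small audit-log replay. This is an added example, not code from the article or from any vendor it mentions; the event schema, the 30-day look-back window, and the sample log entries are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Account-changing actions that typically mark the moment of takeover
# (assumed set; extend it with whatever your audit log records).
TAKEOVER_ACTIONS = {"password_reset", "email_change", "phone_change"}


@dataclass
class Event:
    ts: str        # ISO-8601 timestamp
    account: str
    action: str    # e.g. "login", "password_reset", "transfer"
    channel: str   # "call_center", "web", "mobile"
    detail: str = ""


# Constructed sample audit log for one account (not real data): a call-center
# password reset is followed by a web e-mail change and a fraudulent transfer.
SAMPLE_LOG = [
    Event("2019-03-01T09:00:00", "acct-1", "login", "mobile"),
    Event("2019-03-04T14:12:00", "acct-1", "password_reset", "call_center",
          "agent reset after knowledge-based questions"),
    Event("2019-03-04T14:20:00", "acct-1", "email_change", "web"),
    Event("2019-03-04T14:35:00", "acct-1", "login", "web"),
    Event("2019-03-04T15:02:00", "acct-1", "transfer", "web", "reported fraudulent"),
]


def find_takeover(log, account, fraud_ts, window_days=30):
    """Replay the account's history backwards from a reported fraud event and
    return the earliest account-changing action inside the look-back window.
    That action, and the channel it came through, is where the takeover began.
    Returns None if no such action precedes the fraud within the window."""
    fraud = datetime.fromisoformat(fraud_ts)
    candidates = [
        e for e in log
        if e.account == account and e.action in TAKEOVER_ACTIONS
        and 0 <= (fraud - datetime.fromisoformat(e.ts)).days <= window_days
    ]
    return min(candidates, key=lambda e: e.ts) if candidates else None


def source_channel_counts(log, fraud_reports):
    """Aggregate the origin channel over many (account, fraud_ts) reports so the
    organisation can see which channel its account takeovers actually start in."""
    counts = {}
    for account, ts in fraud_reports:
        origin = find_takeover(log, account, ts)
        key = origin.channel if origin else "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts
```

The window length is a tuning choice: too short misses a reset made days before the cash-out, too long attributes the takeover to a legitimate change the real customer made.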