The often-overlooked call center is getting more attention, as banks realize that stronger security on online and mobile channels has driven cybercriminals to focus their energies on conning phone reps.
They're tricking these eager-to-please call center agents into coughing up customer information or letting them reset passwords on other people's accounts.
"Fraudsters will always use the weakest plank in the door," said Gary McAlum, chief security officer at USAA. "If you're using strong authentication security but someone can call into a call center and social-engineer through the call center representative to reset their account, then that's the weak point in the network. It has to be an end-to-end holistic approach."
This problem made news when Apple Pay came out in September 2014. There was an immediate rash of call center fraud, as cybercriminals realized they could set up accounts using stolen credit card data. The problem has steadily grown since then.
Last year, one in every 2,900 calls coming into large banks' call centers was fraudulent, according to Pindrop Security. This year, the number is closer to one in every 2,000 calls. Among regional banks, it's more like one in 700. Pindrop's software analyzes incoming calls for signs of fraud and scores them for risk. For instance, if a call is coming from Nigeria and the same caller number has called the contact center for different accounts, it will probably end up with a high risk score. (Pindrop was one of American Banker's Tech Companies to Watch in 2013 and it recently received $75 million from Google Capital. Its customers include eight of the top 15 U.S. banks.) The company will release this year's fraud report in April but gave American Banker a few numbers in advance.
The average fraud exposure caused by these hackers — that is, the average amount they could potentially steal after successfully logging in by gaming the call center — was $7.6 million per bank in a 2014-15 study. More recently, in a study that covered the 12 months through February, it was $11 million per bank, according to Pindrop.
So the attackers have been able to expand the pools of money that they can reach by over 45%.
"When we're working with customers, we're finding about 30% to 80% of all fraud has a phone component," said Vijay Balasubramaniyan, Pindrop's CEO and chief technology officer.
Bankers are generally tight-lipped about sharing what technology they're using to better secure their call centers.
"The more information you provide to the fraudsters, the better [equipped] they are to perpetrate their fraud," said Brett Beranek, director of product strategy for voice biometrics at Nuance Communications. His company's technology analyzes incoming calls for fraud, detecting mismatches between the caller and previous recordings tied to the same account. It can also spot people calling about multiple accounts and fraudsters whose voices are on a blacklist. "The more information is disseminated, the less effective fraud groups can be at stopping the fraudsters."
Canada's Tangerine Bank recently invested in secure chat software to allow call center agents to have encrypted, archived chat sessions with authenticated customers, according to the bank's chief information officer, Charaka Kithulegoda.
Patience and PII
One reason call centers are facing a rise in fraud attempts is the prevalence of personally identifiable information, McAlum observed.
Fraudsters painstakingly gather information about account holders on the Web and use it to manipulate customer service agents who are trained to be helpful, not to block crime. The fraudster might say, "I don't remember my own password, let me call you right back." Then he'll go out to social media sites and figure it out.
"One call center agent completely buckled and started reading out every single account transaction on [a customer's] account for the last month," Balasubramaniyan said. "Though [the fraudster] didn't manage to get a wire at that point, now that he had all his transactions, he called back in, and when the next call center agent said, 'How do I trust you?' he started rattling off these transactions. The call center agent said, 'OK, it must be you,' and let him through."
Balasubramaniyan's all-time favorite call was from a fraudster who, when asked, "What's your mother's maiden name?" replied, "My dad married thrice, so can I take three guesses?"
"It doesn't even make sense — so what, your dad married thrice?" Balasubramaniyan said.
The call center agent allowed him to take three guesses, the last of which was "Smith," which is one of the most popular names in the world and happened to be right. After that call, he wired $97,000 out of the bank.
Beranek said by closely monitoring what goes on in the call centers, banks can learn how fraudsters operate.
"Often a fraudster will call in several times and progressively increase the complexity of their calls," he said. "So for call No. 1, they would ask for a benign piece of information that would be very easy to socially engineer the contact center agent to provide. By call five or seven, they have amassed enough information that they could completely take over the account, go online and perform a wire transfer."