Asking people in different corners of banking about the most important trends in fraud is like discussing an elephant with the eight blind men in the famous parable. They concentrate on the most immediate threats, but none has the full picture.
Put the conversations together, though, and what emerges is a picture of a resurgence in old-school fraud: phone scams, fast ones pulled on card-processing merchants and simple deceptions of online customers.
Pindrop Security, for instance, released a study Wednesday that shows a 30% rise in phone fraud among financial institutions since 2013. The company, which provides call-center-security software, analyzed calling patterns at financial institutions, credit card issuers and online retailers.
It found that one in every 2,200 calls made to financial institutions and retailers is fraudulent, as is one in every 900 calls to credit card companies. (Some of this activity made headlines during the rollout of Apple Pay, when about 6% of transactions were linked to fake enrollments.) Overall, more than 86.2 million calls per month in the U.S. are phone scams.
According to Pindrop, call center fraud costs financial institutions $7 million to $15 million a year. The losses come from fake wire transfers and other deductions from accounts.
"Our intuition is the online channel is increasingly protected, secured by PCI and modern technology, while the phone channel remains effectively completely unguarded," said David Dewey, director of research at Pindrop. "The call center has stayed the same. Fraudsters can call in, work their way through the knowledge-based authentication questions, and completely impersonate the victim."
Part of the problem is that banks are trying to provide a smoother customer experience in their call centers, which in many cases are the only point of human contact for mobile-first and online-only customers.
"Customers all tell us the same thing: the call center reps are trained to give the customer a delightful experience, they're not trained to be fraud analysts," Dewey said.
In one call center conversation Pindrop researchers listened to, someone called in pretending to be an extremely well-known U.S. movie star. The caller had a thick West African accent that did not sound like the celebrity's voice.
"No one should have been fooled by that," Dewey said. But they were.
Another caller said he was an advocate for disabled consumers within the bank who was sitting with a user who had already been validated, and asked to execute a transaction on the user's behalf. "It's amazing the ease with which the call center rep let the whole thing go through," he said.
In another instance, Dewey said he was able to enroll a coworker in Apple Pay by Googling the person's name; the third search result provided all the information he needed to get through the bank's authentication questions.
In another twist on this theme, some banks that cater to high-net-worth clients are reporting an increase in "trusted-adviser fraud." This is where criminals pose as clients and direct an accountant or some other trusted adviser to transfer funds from the client's account.
"These cases are a bit of a one-two punch as the financial institution is more likely to be on the hook for a financial loss and the loss of a relationship," said Al Pascual, director of fraud and security at Javelin Strategy & Research.
Will EMV Fraud Be Worse?
At Bank of the West in San Francisco, Fraud Prevention Officer David Pollino is concerned about phone fraud and has been for some time. But it is not one of his top three concerns and in his view, banks are getting better at call center security.
"We do see that as controls mature, fraud tends to shift from channel to channel," Pollino said. "And some contact centers take millions of calls per month; whenever you have a sample set that large, you're going to have outliers and anomalies."
Pollino is more worried about card fraud as the U.S. migrates to the EMV chip card standard.
"We see that in all the countries that have implemented EMV, [fraud] goes to card-not-present fraud," he said, referring to transactions where no physical card is presented, such as in website purchases.
He's also concerned about small and midsize merchants that are not upgrading their terminals to accept chip cards.
The big merchants that have been the targets of so much fraud lately will be EMV-ready in October 2015, Pollino said. So fraudsters will shift to merchants that have not implemented EMV.
"You'll have the same amount of fraud now over a smaller number of merchants," he said.
Pollino views some merchants as naïve about how much fraud really takes place. Some measure fraud in terms of chargebacks.
"Chargebacks are not a good proxy for whether or not you're a high-fraud merchant," Pollino said. "Financial institutions will not charge back fraud if they don't see any hope of recovering from the chargeback. A very small portion of overall fraud is charged back."
The only real way for a merchant to know its fraud rate is to ask its acquirer, he said.
Other Lower-Tech Threats
In another trend that parallels the rise in phone fraud, criminals are changing their business models from a focus on software development to the use of cheap human labor. This is according to recent findings from researchers at Fox-IT, which says it tracks the 40 top criminal groups in the world on behalf of its 250 financial institution clients.
Until recently, criminals targeting banks would invest heavily in buying or creating malware.
"That had a consequence in that it had a pretty hefty investment in time, effort and money to prepare an attack," said Eward Driehuis, product director at Fox-IT. "And if the attack was mitigated suddenly, then the criminal would be out of luck because he would lose that investment."
Now more bank-oriented criminals are conducting semi-automated, hybrid attacks, he said.
"They're only automating the first part of the attack, in which you deceive the user, for example, if the user visits a log-in page and the malware says, please hold on while we do some security checks," Driehuis said. "The malware then sends all those credentials to a criminal, who will then create a new manual session using those stolen credentials."
Although this type of scheme is harder to expand quickly, it requires less investment in time, effort and money (due to the availability of low-cost labor), so criminals can more easily target smaller banks, which are more numerous.
The hybrid approach also allows for larger attacks on corporate accounts, Driehuis said. Where retail accounts and ATM withdrawals have limits, newer types of malware like Dyre focus on commercial accounts, from which they can steal $50,000 to even $1 million. The people involved in the attacks specialize in developing fake trust and bypassing banks' security mechanisms to execute large wire transfers.