With technology tightening defenses against account fraud, scammers increasingly turn to what they view as the weakest link: the human being at a call center.
Fraudsters have become adept at using stolen account information to impersonate customers, convincing call center employees to grant them access by resetting PINs or passwords. Analysts predict U.S. banks will lose more than $750 million this year through account takeover fraud via call centers, fueled by the massive data breaches that expose the personal information used as the basis of a social engineering attack.
Financial services technology providers are battling
The first tool instantly analyzes an inbound caller’s account history, using a range of data points to validate the phone number, its location and association with other fraud vectors to determine whether the call is legitimate or dubious enough to investigate.
If Fiserv’s system flags the call as suspicious, customer service agents can come on the line to perform live account authentication, and if necessary they may send a five-digit code via text or email that’s valid only during the phone call.
The tools are proving to be highly effective so far, according to Patrick Davie, vice president of product strategy for card services at Fiserv.
“In many cases, the fraudster simply hangs up when a live agent comes on the line, and we’ve seen a sharp reduction of account takeover fraud,” Davie said.
During a five-month pilot, Fiserv saw a decrease of $2 million collectively from financial institutions that rely on its call centers for credit and debit card issuing, he said.
One hitch is that stepped-up authentication introduces friction that could potentially frustrate legitimate customers. But Davie said affected customers seem sanguine about the process so far.
"Many people are grateful we're checking to make sure they are who they say they are," he said.
The anatomy of account-takeovers is key to determining which tools financial institutions should consider, analysts say.
Fraudsters typically dial the call center, armed with enough information—available on the dark web from data breaches—to fool operators into believing they’re speaking to the actual customer.
The fraudster asks the agent to reset the account PIN or change the physical address, claiming that a card was lost or stolen or the account holder moved.
Next the fraudster uses the new PIN to drain a debit card account via an ATM, max out a credit card with cash advances or make a big-ticket purchase online. By changing the address, a scammer can also intercept a replacement card sent by mail.
One of the most vexing aspects of account-takeover fraud is the fact that the funds don’t vanish immediately, making it more difficult to connect the crime’s cause and effect, according to Davie.
“The fraudster makes the call to take over the account, but the fraud doesn’t manifest itself until days or weeks later, usually at the point of sale,” he said.
Fraudsters recently tricked call-center agents to help them steal funds from the federal government's Direct Express program by targeting prepaid card accounts Comerica issues for federal benefit recipients. Comerica said fraudsters used data acquired from prior breaches to
The problem is that many financial institution call centers are still relying on static knowledge-based authentication — asking challenge questions based on "secret" questions consumers previously supplied — which is easily compromised, said Al Pascual, a senior analyst with Javelin Strategy & Analysis.
“Financial institutions should assess risk based on the customer’s profile, their historical behavior and finally data from authentication controls that are in place. That means layering a series of solutions and analyzing data across channels, some of which can be controlled for by the use of inconspicuous controls like voice-printing and biometrics,” Pascual said.
Solutions should be balanced to control for experience, call time and costs, he noted.
Future technology may soon add ways to stop fraudsters from working the phones.
Fiserv is working on a voice biometrics tool that can identify fraudsters’ voices, Davie said.
“Once we know the fraudster by voice, we can go back and find the call center’s recording of it, feed that voice into the system and in the future it will recognize the tone,” Davie said.
That feature may be available from Fiserv as early as this year, he said.
