Ask your bank’s contact center representatives if they’ve received calls in which the caller knows some of the required authentication information but lacks others, leading (hopefully) to being disconnected.
The answer likely will be, “It happens all the time!”
The bogus callers are criminals trying to pry away sensitive or otherwise identifying information about legitimate customers’ accounts. Each call is intended to add another bit of the picture, which they’ll then use to take over those accounts and abscond with funds. Once they get the information they need, the criminals often will attack the account in some other channel, such as online or mobile.
“It’s not a new phenomenon,” says Shirley Inscoe, senior analyst at Aite Group, in and interview with ABA Banking Journal. “But I think the volume of these calls and the organization behind it is what’s really new.”
Inscoe interviewed people at 19 of the top 40 U.S. financial institutions, and three fourths of them said organized crime rings are the primary threat they’re seeing in their contact centers when it comes to fraud.
“People will call in over and over and over until they get just the information needed. They don’t mind at all calling in and only getting one tiny snippet of additional information. They’ll keep calling back, building up the information until they have enough to convince the [bank representative] that they are a legitimate customer,” she says.
Furthermore, she says: “They’re using the call center to enable fraud, sometimes through that channel, but more often through other delivery channels, such as online. The contact center in a sense has become a fraud enabler.”
Inscoe gives this example of how a pretexter would go about eliciting information:
“Let’s say the bank asks questions to help authenticate a customer. If they use the same questions each time, the fraudster will call in repetitively until they get the answers to those questions. What was your first pet’s name? The person says, Darn, was it Spot? No. Was it this? Was it that? Finally they say, I just don’t remember, and the contact center person may or may not tell them the answer. They shouldn’t, but in some cases where they are service-driven, they might. Then when they can’t answer the next question, the center person realizes something is wrong and the person hangs up.
“But because they gained that one bit of additional information, they call back next time with a different person and they are able to answer that question. Then they may try to get the answer to the second question, and it continues.
“These people are very sophisticated. They literally have databases of information about all of us. They may have our credit card number, PIN, name, address, Social Security number. They don’t need much additional information to take over our identity and pose as us.”
Inscoe says banks that she’s talked with are starting to back away from the knowledge-based questions method of authentication and looking into more technology-based solutions. These include voice recognition, behavioral analytics, and identification of information associated with particular communication devices.
Also, she says it’s not a good idea to put the onus of dealing with fraudulent callers directly on the front-line staff. Technologies that can identify questionable callers in near-real time ought to be employed that automatically and seamlessly transfer the call out of the contact center to a designated person trained in security.
Next week: Inscoe expands on mitigation techniques, examples of scenarios when contact centers are particularly vulnerable, and potential new avenues that criminals may exploit.