On the back of its 2016 UK call centre fraud report, we interview Pindrop’s Matt Peachey on the phone being the weakest link, agent culpability and fraudsters’ favourite tricks.
Recently, security solutions firm Pindrop Labs produced its 2016 UK call centre fraud report, which does exactly what it says on the tin.
The report is targeted at UK financial institutions and intended to alarm them about the weak spots in their setup; for obvious reasons, these are the organisations most vulnerable to nefarious types. Fraudsters follow the money; they’re not doing it for fun.
Headline stats include:
- 1 in 700 calls to a UK financial institution is fraudulent (1 in 1,700 in the US, well under half the UK rate),
- 72% of fraudulent calls are domestic, originating in the UK,
- mobile phones are the most popular device used to launch fraud attacks,
- and, averaged across all calls, UK financial institutions are losing £0.51 to fraud on every call (for a large call centre handling 40 million calls per year, that adds up to roughly £20 million in losses every year).
We spoke to Matt Peachey (fittingly, over the telephone), General Manager, Pindrop EMEA, to get a handle on what’s at stake, what business should be doing (but aren’t in many cases) and popular tactics used by fraudsters.
Call centre fraud is…
Explains Peachey, “it’s a conversation that happens between an agent and someone who is essentially a criminal, representing themselves as somebody else,” where that somebody else—you or I—is none the wiser.
“They will often use information gained from other sources such as data breaches, picking up elements of info about people.”
“Fraudsters will call a contact centre to build up a bigger picture of the person’s profile in order to—at some point—create a loss of some sort [e.g. steal money from a bank account]. This never happens on the first call—they will call and test info that they’ve got.”
“Typically agents aren’t trained as security experts, they’re trained to provide great customer service, so the fraudster will probe and test a given organisation’s processes to see what security steps they employ. If the fraudster gets asked certain knowledge-based authentication questions, they may already have that info, or they may be able to socially engineer it from the [potential victim] themselves or one of the agents—it’s very clever the way they do it.”
I’m sorry call centres, you are the weakest link…
Peachey points out that many companies have invested heavily in digital security, but not much on phone security.
“Fraudsters use the fact that there is almost no security on the phone channel. It becomes essentially the back door or weakest link into an organisation. That’s why we’re seeing numbers of fraudulent calls skyrocket.”
Criminals hopping channels (but strongly targeting the call centre to break loose some nugget of useful information) creates a herculean challenge for organisations, of course. Unsurprisingly, a solutions company like Pindrop sees the answer lying in the right analysis of the right data—trouble is, according to Peachey, call centre data is poor.
“Today there is very little insight into what happens in the telephony channel, compared to the huge amount of insight into what happens with physical and online channels.
“When you start doing analysis of millions of phone calls and fraudulent calls [as has Pindrop], you can start to link those findings to what’s going on in the online world and build up more of a holistic picture.”
Cross-channel fraud: Levering an opening
Peachey gives a couple of different examples of fraudulent activity related to the call centre.
Fraud around ‘card not present’ (CNP) transactions, that is, purchases made over the phone where neither the physical card nor its four-digit PIN is presented, is a big problem in the contact centre, precisely because it sidesteps the individualised number that banks implore people to memorise rather than write down.
“What we often find is that somewhere in the region of 30% to 90% of CNP fraud starts with a call into the contact centre,” with the phone channel constituting the beginning and end of the criminal’s journey in this case.
Peachey also talks about a particularly busy fraudster that had been targeting one of his clients. “This person had been hitting 15 or 16 high value accounts via the phone. The company wasn’t aware of [them as an individual, but were aware of the problem].
“The online team did a security analysis of these accounts and found traces of repeated online access through a browser cookie, in this case.
“After broadening the search to other online accounts and finding the same cookie, it turned out that that fraudster was bouncing around 70 or 80 accounts online on top of those targeted through the call centre.
“Essentially they were found through a phone call and shut down.”
Minimum viable security basics
What should high-risk organisations have in place as a minimum?
Peachey is frank: “There has to be more than what they have today. Most companies use knowledge-based authentication questions which are easy to spoof or find out; or information about the caller such as the ID of your phone.”
“We are great believers that you have to have multiple layers of security to build up this identity assessment—this picture.” For Peachey and Pindrop, those layers are:
- things about you as an individual,
- things about your device and what you’re using to call from,
- behavioural information about how you interact,
- and metadata associated with the call.
“You’ve got to look at it all.”
Protecting the customer experience vs protecting the customer
We all know there’s a fundamental trade-off between security and convenience in the modern era of personal data; a friction found between “providing exceptional levels of customer service; and ensuring that you are providing the highest level of security and protection for clients’ information and money.”
“Most security in modern life—and there is a lot of it—affects our experience as a user. It creates an extra layer of complexity, another PIN code to remember etc.” Peachey empathises. “How many times have we all been exasperated in dealing with a contact centre because they’re broken up into lots of divisions, groups and teams. As you get passed around the organisation, you go through the same process over and over again validating who you are. It’s very, very frustrating.”
Running somewhat contrary to his wider warning about call centres not having enough layers of security, he insists that organisations “can’t reduce the experience that customers are having,” that making the customer experience more cumbersome or inconvenient is not an acceptable cost.
“Contact centres are all about the customer experience, their Net Promoter Scores improving, reducing brand risk.” They also have a responsibility to protect customer data and money, as well as making sure they comply with regulations.
Put simply, they’ve “got to do all of it”—no pressure then.
Presumably the goal of security companies like Pindrop is to let clients have their cake and eat it—with all the recent leaps and bounds in technology, one assumes leaders in this field have become pretty good at such ‘invisible security’, where callers remain blissfully unaware.
In terms of businesses that might be targeted, it’s very, very simple really: “Look at where there is money,” opines Peachey.
An interesting, perhaps surprising example is insurance: “With insurance, you think of claims fraud, not fraudulent callers, but the highest levels of fraud that we see in terms of rate is for mobile phone insurance.
“The way that market is geared—most of us have mobile insurance through our banks or another company. If you break your phone, within a couple of days you end up with a shiny new one. If someone can impersonate you to get a new phone, it’s a very fencible device.”
A high value example involves the changes to pensions and life insurance, which allow you to surrender your policy and get money out as a lump sum, involving large amounts—a natural target for fraudsters.
Other vulnerable sectors include retailers dealing with high-value products (e.g. electronics), government departments that hold a lot of data about us as individuals (some of which also move money) and the different products and services relating to mobile phones. Peachey also lists off other types of financial institutions including brokerages, money transfer companies and payday loan companies.
How culpable are call centre agents?
Peachey is categorical: “I don’t think call agents should even have to think about security. That’s where technology should take over.
“The average call agent is probably young, they’re bouncing around between jobs, there’s something like 70% churn of staff at contact centres as people move up and out and into different roles. They’re not there to be security experts, they’re there to provide a great customer experience. All that security should be going on in the background.”
“If they’re talking to a customer that is a very high risk [and they’re made aware], their process will change to say something like ‘I’d like to call you back on your number on file’ or ‘I’m going to pass you to my colleague who is better equipped to handle this call’ when actually they’re being passed to a security expert or to a fraud analyst.”
Fraudster preferences, tricks and tactics
As mentioned above, “a fraudster calling into a contact centre will never create a ‘loss event’ on the first call. They spend time testing their information first, which exposes them.” If companies can detect them the very first time they call, that has massive ramifications about the costs, people and processes involved, says Peachey.
Several factors can indicate a potentially fraudulent call, including telephony device type and geographic origin. However, through the use of Caller ID spoofing, voice distortion and other tools, fraudsters can hide these risk factors and make their calls appear legitimate.
“There are a whole bunch of apps fraudsters can load onto a smartphone to change their voice or insert noise into a call—basically obfuscate themselves.”
Indeed, the report notes that “mobile phones are the most popular device used in the UK to launch fraud attacks, being used up to 64% of the time, much higher than the percentage of legitimate callers that use mobiles—38%.”
Relatively speaking, mobile calling is cheap and criminals believe ‘burner’ mobile phones are untraceable (not true, as it turns out).
Voice over IP (VoIP) phones are the second most popular choice as calls are often cheap or free, spoofing Caller ID is easy and they are typically routed through multiple carriers onto the public switched telephone network.
UK’s top fraudsters types
Like Batman villains, it turns out that fraudsters are a colourful bunch, with Pindrop ascribing nicknames to notorious examples:
- Buffalo Bill – targets old accounts (some unused for 15 years) and “shoots in the dark” for information.
- Postman Pat – sometimes uses female impersonation and collects telephone banking security numbers, which, in the UK, grant access to an account without any additional security questions.
- Phonebook – systematically works through names, using voice distortion to impersonate women. In one case, he called back 27 times in a row using the same surname with alternative first names, often armed with addresses and dates of birth.
- Mr OhYes – plays around with accounts, for instance transferring money between accounts, before draining funds. Possibly using fraudulent cards, he has made several successful transactions, the largest of which was £74,000.
- Handyman – extremely persistent and prolific, he never actually possessed the cards he was using and was identified by name and postcode. He had a characteristic way of saying “I don’t have the card handy”—hence the moniker.
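The patterns above (test first and strike later; one caller working through many accounts; a surname held constant while first names rotate, as with “Phonebook”) are the kind of thing a fraud team can look for in its own call records even without a vendor’s voice analytics. The following is an added example written for this article, not Pindrop’s code or anything the report describes. It runs a few behavioural checks over a constructed call log. The `caller_key` field stands in for whatever device or voice fingerprint the telephony platform provides and is an assumption, as are the thresholds; the only figure taken from the report is the 64% vs 38% mobile share, used as a likelihood ratio for the device-type prior, with other device types left neutral because the report gives no numbers for them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call log (not real data). caller_key is assumed to be a stable
# device/voice fingerprint supplied by the telephony platform.
CALLS = [
    # (timestamp, caller_key, device, account, first_name, surname, action)
    ("2016-05-03T09:00:00", "K1", "mobile",   "A100", "Sarah",  "Collins", "balance"),
    ("2016-05-03T09:06:00", "K1", "mobile",   "A101", "Susan",  "Collins", "balance"),
    ("2016-05-03T09:11:00", "K1", "mobile",   "A102", "Sandra", "Collins", "balance"),
    ("2016-05-03T09:17:00", "K1", "mobile",   "A103", "Sally",  "Collins", "balance"),
    ("2016-05-03T09:40:00", "K1", "mobile",   "A103", "Sally",  "Collins", "address"),
    ("2016-05-04T14:02:00", "K1", "mobile",   "A103", "Sally",  "Collins", "transfer"),
    ("2016-05-03T10:00:00", "K2", "landline", "A200", "James",  "Patel",   "balance"),
    ("2016-05-05T10:00:00", "K2", "landline", "A200", "James",  "Patel",   "transfer"),
    ("2016-05-03T11:00:00", "K3", "voip",     "A300", "Mark",   "Okafor",  "balance"),
    ("2016-05-03T11:30:00", "K3", "voip",     "A301", "Mark",   "Okafor",  "balance"),
    ("2016-05-03T12:00:00", "K3", "voip",     "A302", "Mark",   "Okafor",  "balance"),
    ("2016-05-03T12:30:00", "K3", "voip",     "A303", "Mark",   "Okafor",  "balance"),
    ("2016-05-03T13:00:00", "K3", "voip",     "A304", "Mark",   "Okafor",  "balance"),
    ("2016-05-03T13:30:00", "K3", "voip",     "A305", "Mark",   "Okafor",  "balance"),
]

# Actions that can create a loss, as opposed to information-only probes.
LOSS_ACTIONS = {"transfer", "new_card", "address_change"}

# Report figure: mobiles are 64% of fraudulent calls but 38% of legitimate ones.
# Ratios for other device types are not in the report, so they stay neutral.
DEVICE_LR = {"mobile": 0.64 / 0.38}


def parse(rows):
    """Turn the tuple rows into dicts with a real datetime."""
    keys = ("ts", "caller_key", "device", "account", "first_name", "surname", "action")
    out = []
    for r in rows:
        c = dict(zip(keys, r))
        c["ts"] = datetime.fromisoformat(c["ts"])
        out.append(c)
    return out


def surname_enumeration(calls, min_first_names=3):
    """'Phonebook' pattern: one caller, one surname, many different first names."""
    seen = defaultdict(set)
    for c in calls:
        seen[(c["caller_key"], c["surname"])].add(c["first_name"])
    return {k for k, names in seen.items() if len(names) >= min_first_names}


def account_spread(calls, min_accounts=5, window=timedelta(hours=24)):
    """One caller touching many distinct accounts inside a sliding window."""
    by_key = defaultdict(list)
    for c in sorted(calls, key=lambda c: c["ts"]):
        by_key[c["caller_key"]].append(c)
    flagged = {}
    for key, seq in by_key.items():
        for i, start in enumerate(seq):
            accts = {c["account"] for c in seq[i:] if c["ts"] - start["ts"] <= window}
            if len(accts) >= min_accounts:
                flagged[key] = len(accts)
                break
    return flagged


def probe_then_strike(calls, min_probes=2):
    """A loss-capable action on an account by a caller who first made several
    information-only calls against that same account (test first, strike later)."""
    history = defaultdict(list)  # (caller_key, account) -> actions so far
    hits = []
    for c in sorted(calls, key=lambda c: c["ts"]):
        k = (c["caller_key"], c["account"])
        if c["action"] in LOSS_ACTIONS:
            probes = [a for a in history[k] if a not in LOSS_ACTIONS]
            if len(probes) >= min_probes:
                hits.append(k)
        history[k].append(c["action"])
    return hits


def risk_report(calls):
    """Per caller: (device likelihood ratio, list of behavioural reasons).
    These are routing signals (call back on the number on file, hand to a
    fraud analyst), not a verdict; legitimate customers also make repeat calls."""
    reasons = defaultdict(list)
    for key, surname in sorted(surname_enumeration(calls)):
        reasons[key].append(f"surname enumeration: {surname}")
    for key, n in account_spread(calls).items():
        reasons[key].append(f"{n} accounts in 24h")
    for key, acct in probe_then_strike(calls):
        reasons[key].append(f"probe-then-strike on {acct}")
    devices = {c["caller_key"]: c["device"] for c in calls}
    return {k: (round(DEVICE_LR.get(devices[k], 1.0), 2), v) for k, v in reasons.items()}


if __name__ == "__main__":
    for key, (lr, why) in risk_report(parse(CALLS)).items():
        print(key, lr, "; ".join(why))
```

In this constructed log K1 trips the surname-enumeration and probe-then-strike rules, K3 trips the account-spread rule, and K2 (one balance enquiry followed by a transfer two days later) trips nothing, which is the point of the threshold: one prior call is ordinary customer behaviour, so the rules are tuned to route suspicious callers rather than to block them.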
Pindrop’s US operation published this infographic to accompany the report:
Matt Peachey is General Manager, Pindrop EMEA – www.pindrop.com