This form of telephone-based social engineering -- an emerging type of phone fraud -- is becoming a popular method for attackers to collect the information they need to steal identities and commit new account fraud, according to a report by the Aite Group, a research firm that focuses on the financial services industry.
According to "Look Who's Talking: Financial Institutions' Contact Centers Under Attack," 74 percent of financial institutions believe that organized attacks by criminal rings are responsible for the majority of this contact center fraud, often with account takeover as their goal.
"When I let the [financial] industry know I was working on this report, I actually had banks call me directly to tell me about their experiences," says Shirley Inscoe, a researcher at the Aite Group and author of the report. "So many financial institutions are dealing with this type of fraud, they really wanted to get the word out."
The prevalence of this type of social engineering on call centers has gone overlooked in the financial industry because many banks only count it as "fraud" when a call center representative violates policy, Inscoe says.
"But in many cases, these call center reps are just doing their jobs and no policies are broken," she says. "These attacks are so sophisticated that the caller often has just enough information to make the rep believe he is an actual customer. At that point, the rep has really no choice but to try help him."
"Until recently, the only way to fight this type of phone fraud was to ask the 'customer' a series of questions and authenticate him by his answers," notes Matt Anthony, vice president of marketing at Pindrop Security, which specializes in fighting this type of call center fraud. "If the caller has enough data, or even just asks the right questions, they can get a lot more information from the call center, even if they have to call several times."
Information gathering is a key part of almost any type of sophisticated attack, both in financial fraud and in breaching online systems, the report states. A person who has all of a victim's data -- including name, address, Social Security number, and the answers to security questions -- can open new accounts or commit other criminal acts in the victim's name.
"But in many cases, the financial institution doesn't have much visibility into the phone fraud that's occurring," Inscoe observes. "There's no easy way to spot it before it's too late."
Sophisticated attackers often spoof the North American Number Identification (NANI) system in order to mask their phone numbers or prevent the victim institution from seeing that they have called multiple times, Inscoe says. As a result, simple fraud detection systems that block known malicious caller IDs may not prevent more sophisticated scams.
"A lot of banks now are looking more at behavioral analytics tools that analyze caller behavior and flag the institution when a call looks to be an anomaly," she notes.
Pindrop, an emerging company that received new funding earlier this year, is attacking the problem with a new tool that analyzes each incoming call with a variety of filters, including location, caller ID, and even background noise.
"This type of social engineering isn't going away," Anthony says. "In the end, it isn't a choice between anti-fraud tools and authentication. These institutions are going to need both."
Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.