A new report out this week says fraudulent call center calls rose 45% between 2013 and 2015.
During that same period, losses from fraudulent call center transactions rose 14%, according to the data from call-center fraud detection technology company Pindrop.
The findings don’t come as a surprise to Chris Hadnagy, CEO of Social-Engineer LLC, a consulting and training company that specializes in social engineering. Voice phishing (vishing) is going to be the next biggest attack vector because of how easily accessible and affordable voice over Internet protocol (VoIP) lines and session initiation protocol (SIP) trunking are, Hadnagy says.
Call center fraud is particularly troublesome in countries experiencing economic strife, he says, and these fraudsters don't fear getting caught as much as other cyberattackers. It’s also no longer just a few groups that are committing call center fraud, he warns. The crime is being committed by nation-states, organized hacker groups, hacktivists, and your everyday, average crooks and thieves.
Organizations should expect to see an increase in call center fraud and multi-vectored attacks -- vishing in conjunction with phishing, Hadnagy says.
Domestic fraud calls (calls that originate within the country targeted in an attack) have also increased from 36% to 51% of all fraud call traffic, according to Pindrop's report.
Dr. David Dewey, director of research for Pindrop Labs, says that a likely reason for the spike in US call center fraud is the rollout of Europay, MasterCard, and Visa (EMV) chip-and-PIN technology in the financial industry. EMV takes a bite out of "card-present" crimes, which are committed in-person using counterfeit cards. Dewey says EMV has forced the criminals who favor card-present fraud to make a choice: move to a country without EMV chips, or simply stay at home and switch to card-not-present attacks.
As a forecast of what's to come, Dewey says look to the United Kingdom. The UK rolled out chip-and-PIN over a decade ago, and its domestic fraud call traffic rate has since reached 72%.
The report also shows that the average loss per fraudulent call has gone up to 65 cents per call.
“[Fraudsters] are becoming much, much more skilled at what they do. [They’re] getting good at refining the data and targeting high-value accounts,” Dewey says. He tells a story of a call center criminal who would only target large accounts: “He’s never once gone after an account that is less than a million dollars. He already knows the values of the account before he’s making the call,” says Dewey. This fraudster employs a level of reconnaissance and refinines its practices to achieve higher fraud exposure rates, he explains.
“It’s very, very common when we go talk to managers of call centers that the idea of fraud happening in their environment is something that they know about but is not their primary concern. Their number one priority is to give a delightful experience at the lowest cost possible,” says Dewey.
Social-Engineers' Hadnagy reiterates that the nature of call centers -- a place that employs individuals based on their ability to provide a premium customer experience in a short span of time -- is part of the reason they’re a prime target of fraudulent calls. “That very nature creates the vulnerability for the company. The attackers are utilizing it to get the information,” he says.
While vendors such as Pindrop offer call center fraud-protection technology, Hadnagy says education is the real solution here. “I would love businesses to know that there is no 100% technological fix for this. There’s no solution that automatically catches malicious content and then stops the call. Education is the only fix and consistent education about what vishing is.”