Fraudsters use a call center for data mining and account takeovers (for example, by changing an account password or customer address), and this becomes a launching point for cross-channel attacks.
The caller told the bank’s customer service representative (CSR) that his daughter was going to school in another country and that he wanted to send her money via electronic funds transfer to pay her tuition. He needed to send the money to the overseas bank account as soon as possible. He had tried to do this online but couldn’t complete the transaction, and he needed help from a knowledgeable service agent. The CSR asked him a series of security questions to authenticate his identity. He provided the right account number, address and answers to the various security questions.
Wanting to help this long-time customer, the CSR set up the funds transfer transaction and scheduled it for the next business day. The caller thanked her for being so helpful. What the CSR didn’t know was that she had just unwittingly helped a fraudster steal thousands of Indian rupees from a real customer’s account.
This story is far from unique. Call center fraud is a large and growing problem. The research and advisory firm Aite Group claims that 61% of all fraud cases can be traced back to a call center. Fraudsters use a call center for data mining and account takeovers – for example, by changing an account password or customer address – and this becomes a launching point for cross-channel attacks. Aite predicts that call-center-related fraud losses will double by 2020. That prediction might prove true given that in 2017, 40% of businesses saw their call center fraud levels increase.
Nilesh Dherange, CTO for Gurucul, says, "Several factors are causing the increase. The transition to EMV (chip) cards drove a six-fold increase in call center fraud attempts the year EMV was implemented. In addition, the vast amount of account numbers and other personal data that has been stolen through data breaches makes it easier for criminals to pass through the knowledge-based authentication process that most call centers use. Then they use social engineering to dupe the helpful CSRs."
A cat and mouse game makes fraudulent behavior harder to spot.
A criminal might make several calls to "prime the pump" for his eventual fraud attack. For example, he might call one time to reset an account password and call again days later to provide a new mailing address. Those activities, in and of themselves, don’t typically raise a red flag for risk, especially when a different CSR handles each call. However, viewed holistically with other transactions, these actions could paint a pattern of high-risk behavior. A CSR would not see this pattern due to his limited view of a single call ticket, so technology must be used to root it out.
Another common trick that fraudsters use is to spoof the phone number shown through Caller ID using software readily available on the Internet. The fraudster can appear to be calling from the victim’s geographic region or actual phone number. This makes data such as the phone number and the call location origin poor sources of caller authentication.
Fraud analytics can identify risky calls and transactions
In any call center, the CSR is focused on taking care of customers’ needs and providing a good customer experience. The CSR is not focused on screening for fraud—and this is as it should be. Instead, technology can be used to find the signals of fraudulent behavior and bring them to light for assessment and, if necessary, mitigation. This is what a modern fraud management engine can do with incredible accuracy so that the employees of the call center can focus on providing superior service.
Enterprise fraud management platforms have been around for years, but many legacy platforms lack the capabilities to make critical data associations and identify anomalous behaviors of user accounts. However, recent advancements in a range of technologies from Big Data to machine learning have come together to help build a new kind of advanced fraud analytics platform.
This type of solution uses machine learning, a form of artificial intelligence, to analyze millions of data points from a variety of siloed, cross-channel sources, such as a ticketing system, the phone system, a source of transactions such as a core banking system (CBS), and even public databases. By ingesting and linking vast amounts of data from these disparate systems, the fraud analytics engine can identify anomalous behavior quickly—often in real time, which provides the opportunity to deploy a mitigation that prevents a financial loss.
Consider the caller who says he wanted to send money to his daughter. Data from the ticketing system could show that someone changed the password on this account just days earlier. Data from the CBS could show that the foreign account that the money was to go to was just recently added. Data from the phone system could show that the time of day of the call was inconsistent with previous calls associated with this account. And, data from public records could show that the real account holder has no children.
"Individually, these pieces of data might be curious but not necessarily suspicious. Aggregated and associated with each other, they raise a red flag of risk. A modern fraud analytics engine produces a risk score that, if sufficiently high, alerts management. Mitigation actions can be automated; for example, to cancel the scheduled payment transfer before it can happen," said Dherange.
Financial institutions are highly regulated, with a fiduciary responsibility to protect their depositors’ and investors’ interests and assets. An advanced fraud analytics platform is a necessity to accurately detect fraud in real time and to have the opportunity to disrupt the scheme and prevent the loss.
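The cross-channel correlation described above for the tuition-transfer caller, as an added example that is not from the article or from any vendor's product. A fixed-weight rule score stands in for the machine-learning model; the event names, weights, 7-day window and hold threshold are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)      # assumed look-back before the transfer
HOLD_THRESHOLD = 60             # assumed score at which the transfer is held
WEIGHTS = {                     # assumed weights, not taken from the article
    "recent_password_reset": 25, "recent_address_change": 15,
    "new_foreign_payee": 25, "call_outside_usual_hours": 15,
    "reason_contradicts_public_record": 20,
}
# Constructed events, normalized from ticketing, core banking (cbs) and phone.
EVENTS = [
    ("ACCT-1", "ticketing", "password_reset",      "2024-03-01T10:05"),
    ("ACCT-1", "ticketing", "address_change",      "2024-03-04T15:40"),
    ("ACCT-1", "cbs",       "foreign_payee_added", "2024-03-05T11:10"),
    ("ACCT-1", "phone",     "call",                "2024-03-06T02:30"),
    ("ACCT-1", "cbs",       "transfer_scheduled",  "2024-03-06T02:45"),
    ("ACCT-2", "ticketing", "password_reset",      "2024-03-05T09:00"),
    ("ACCT-2", "phone",     "call",                "2024-03-06T14:00"),
    ("ACCT-2", "cbs",       "transfer_scheduled",  "2024-03-06T14:10"),
]
# Constructed context: usual calling hours, public-record data, stated reason.
PROFILES = {
    "ACCT-1": {"usual_hours": range(9, 19), "children": 0, "reason": "child_tuition"},
    "ACCT-2": {"usual_hours": range(9, 19), "children": 2, "reason": "child_tuition"},
}

def score_transfer(account, events=EVENTS, profiles=PROFILES):
    """Return (score, signals, action) for the account's scheduled transfer."""
    mine = [(kind, datetime.fromisoformat(ts))
            for acct, _source, kind, ts in events if acct == account]
    transfer_ts = max(ts for kind, ts in mine if kind == "transfer_scheduled")
    # Link every event in the window, regardless of which CSR or system saw it.
    recent = [(k, ts) for k, ts in mine if transfer_ts - WINDOW <= ts <= transfer_ts]
    kinds = {k for k, _ in recent}
    prof, signals = profiles[account], []
    if "password_reset" in kinds:
        signals.append("recent_password_reset")
    if "address_change" in kinds:
        signals.append("recent_address_change")
    if "foreign_payee_added" in kinds:
        signals.append("new_foreign_payee")
    if any(k == "call" and ts.hour not in prof["usual_hours"] for k, ts in recent):
        signals.append("call_outside_usual_hours")
    if prof["reason"] == "child_tuition" and prof["children"] == 0:
        signals.append("reason_contradicts_public_record")
    score = sum(WEIGHTS[s] for s in signals)
    return score, signals, ("hold_transfer" if score >= HOLD_THRESHOLD else "allow")
```

ACCT-1 mirrors the caller in the story and is held, while ACCT-2 shows that a single signal (a recent password reset) stays below the threshold on its own.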