By Dr. Nikolay Gaubitch, Director of Research, Pindrop
When news of coronavirus broke to the world at the start of 2020, few could have predicted the scale and depth of disruption that was about to follow. As governments scrambled to mitigate the enormous strains placed on public health systems, economic and social activity ground to a halt as the virus swept its way through populations. Now we’re halfway through 2021 however, things are looking up. We have overcome the initial state of panic and adapted to new ways of working, vaccine rollouts are making daily activities in the UK accessible again, and business is running somewhat ‘as usual’.
Nevertheless, the ensuing upheaval carried over from 2020 has fundamentally altered the landscape from which companies, including banks and financial services firms, interact with their customers, with large numbers of people forced into accessing services remotely for the first time. For contact centres in particular, this led to enormous surges in call volumes and durations. As with any kind of disruption to ‘normal’ operations and the way things were usually done, nefarious actors have been looking at how they can capitalise on the turmoil to their own advantage by committing fraudulent activity. In particular, voice fraud is a key concern and one that has unfortunately gone under the radar for too long.
Historically the telephony channel has not been well protected from fraudulent activity. With the majority of business being carried out online, organisations have been investing into the digital channel and getting very good at securing it, therefore making it harder for fraudsters looking to earn quick cash. Within the financial services sector, specifically banks, we’ve seen an increased reliance on the interactive voice response (IVR) channel – an automated phone system technology that allows incoming callers to access information. We’re increasingly seeing fraudsters use the IVR as their preferred fraud attack vector, they start with committing fraud in the voice channel, and then moving to others, most frequently online.
Fraudster tactics are shifting! While they are not waiting on hold the attacks are significantly up.
Overall last year we saw an increase in fraud attacks with previously commissioned research conducted by Forrester on behalf of Pindrop, finding that 57% of fraud detection and prevention decision-makers across security and risk, fraud, and IT experienced increases in fraud attacks in the contact centre over the course of 2020.
Nevertheless, according to our Voice Intelligence & Security Report, which provides an in-depth analysis of fraud, data theft, and the impact to contact centres, in 2020 one in 1,074 calls made to contact centres were fraudulent, down from the one in 770 calls recorded for 2019. This apparent drop in fraudulent calls could suggest that the huge strains being placed on contact centres and resulting increased call durations are carrying an inadvertent security advantage – however, the reality is more complex, and worrying.
Our research also suggested that longer call durations and increased times spent in call queues have not only impacted the customers’ experience but also that of the fraudster, resulting in them shifting their tactics and looking towards methods that will get them the biggest return on investment.
In light of this, over the past year, we have observed fraudsters developing new methods which sees them favour fewer yet higher value targets. In addition, they’re also looking towards other avenues in the form of government-backed emergency finance packages designed to keep businesses afloat and support individuals whose incomes have been hit.
One example of such emergency packages was the US Paycheck Protection Program (PPP). A $349-billion package aimed at small businesses which was enacted in the spring of 2020 at the onset of the pandemic and extended into 2021 with another $500 billion being injected to support SMEs.
These PPP loans and other available unemployment benefits are available through fintech companies and banks, the idea being that these providers service their known customers. Due to being rolled out with such urgency, the scheme inadvertently created openings for fraudsters to exploit. This meant that following the introduction of the program, high volumes of scammers flocked to set up new accounts with web-based loan companies, through which around 75% of loans connected to fraud are issued.
In 2020, at least $36 billion was lost to fraud, representing 10% of the entire package of funds allocated to the programme by the US federal government. Likewise, in the UK, fraudsters have already taken more than £1.5 billion in Universal Credit payments through the course of the pandemic.
How do they do it?
This serious loss to fraud has in part been enabled by the ease at which scammers have been able to obtain directly off the dark web what we call lifetime data – critical information such as, birth dates, address history, and other knowledge all commonly used by contact centres to verify customer identities.
Infiltrating channels such as the IVR has become a common means for validating and extracting this data. A recent commissioned study conducted by Forrester Consulting on behalf of Pindrop, showed that more than three quarters of contact centres reported an uptick in fraudsters using IVR for account mining and reconnaissance activities. The customer data acquired from such activities within the IVR provides the fraudster with enough personal information to build up the profile of, and then pose as, a genuine account holder.
However, fraudsters are not only using the IVR channel to mine personal information, they’re also able to use the technology to check account balances, loan statuses and transaction history. What’s more, fraudsters who have collected vast amounts of customer information, may start identifying patterns which helps to piece the puzzle together. A common example of this is being able to work out the typical format of account numbers for particular banks. Having such information to hand reduces the preliminary research required to commit fraud as the step of identifying which bank to target with which credentials is removed.
Furthermore, once they have a good amount of personal information, enough to build up a profile, the method of some fraudsters involves utilising both the online and telephony channels. An example of this would be filling out online forms for loan applications then using the voice channel to follow up and check the status, and thus execute the fraud. This omni-channel approach equips fraudsters with more information and makes them seem more genuine.
While 2020 has undoubtedly been a challenging period for contact centres, there are many ways to fight back. We have seen this in action first-hand at Pindrop.
For example, last year we supported an American bank in its bid to fish out fraudulent calls and identify at risk accounts, contributing to an expected annual saving of $10 million.
Over a three-month period, we saw more than 600,000 calls being made into the bank’s prepaid card division, which revealed a much higher concentration of fraudulent activity occurring in comparison to its retail unit. Staggeringly, it was higher by a factor of 1,000. With approximately 2.5% of all calls flagged for review, two of three calls turned out to be fraudulent – an extremely high rate.
Our team not only helped the bank to detect the number of fraudulent calls it was receiving, but by tracking the sources of the attacks we were also able to identify an average of 10 additional at-risk accounts. A fraudster’s potential gain from one card could be as high as $24,700 per identity so being able to identify and block these accounts enabled the bank to prevent future claims being issued and ultimately resulted in large savings.
Deterring the fraudsters
Contact centres, in all industries, are striving for the best customer experience and satisfaction. Aiming to make operations as seamless with reduced customers waiting times – something fraudsters are acutely aware of and using to their advantage. As such, taking the pressure off contact centre agents is a top priority.
Anti-fraud systems designed for the telephony channel support contact centres by analysing audio, voice, behaviour, and metadata to create call risk scores and fraudster profiles, while authentication solutions help to passively authenticate real customers by creating unique multi-factor credentials based on factors such as the device, voice, and behaviour of the customer.
The majority of successful fraudsters will use a combination of online and telephone channels to gather data and ultimately carry out fraud.
Securing the telephony channel will not only reduce online fraud, but it also enables organisations to detect and prevent fraud earlier in the fraudster journey which results in lower fraud losses and improved customer experience.