Threat of the Week: Call Centers Under Attack
The bad news: customer service call centers at financial institutions are largely unprotected, said Shirley Inscoe, a fraud expert with Boston-based Aite Group.
The worse news: as big banks toughen their defenses against call center fraud, criminals are shifting their focus to smaller institutions – that means you – and they are finding the pickings are easy and sweet, said Inscoe.
Behind the scenes, many financial institutions have been scrambling to beef up their computer defenses as global hackers have mounted relentless campaigns against U.S.-based institutions – but those same institutions may have taken their eyes off their old-fashioned call centers.
Criminals have not forgotten them and, increasingly, they look like the weakest link. “Fraudsters are shifting attacks into call centers,” said Mark Lazar, CEO of Victrio, a call center security company in Menlo Park, Calif.
“We are seeing many more attacks on call centers by highly organized criminal gangs,” said Inscoe.
These criminals are good at their work. They are polished, persistent, smart. If they hit a suspicious call center worker, they hang up and redial. Often a crook will call many times, netting one piece of information on this call, another on that call, until, eventually, they have pieced together all the information they need to empty the target account.
In many cases, the institution won’t even know it is suffering call center-spawned crime, said Inscoe. Executives will bemoan what they say is a rash of computer crimes – where criminals logged into customer accounts using the customers’ credentials – but they do not understand it was their own call centers that provided the criminals with the information they needed to log in, said Inscoe.
Don’t blame the call center workers. They are in a classic double bind. They are told to be helpful – but how are they supposed to mesh that invocation to helpfulness with the reality that wily criminals who are good at what is called social engineering are adept at exploiting that helpfulness for criminal gain?
“Most call centers,” added Inscoe, “aren’t very well defended.”
But, she noted, some are. Some of the very biggest banks have been deploying slick anti-fraud technology. Victrio, for instance, has a database of known fraudster voiceprints. Say a caller is on the line asking for a replacement debit card to be sent out and, oh, he is traveling so would you send it to a hotel in downtown Phoenix?
With a smart system – one that takes a lot of decision-making out of employees’ hands – that high-risk event would justify running this caller’s voice against the database, a search that happens in real time, said Lazar.
The database, he explained, is compiled from known fraud cases and there also is technology in the system designed to thwart criminal attempts to disguise a voice.
If the system finds a match in the database, it turns the case over to the financial institution’s fraud team – no need for the customer contact agent to get involved. “This process is automated,” said Lazar.
Sound good? Inscoe said that tools like that – she endorsed no particular company’s solution in a call with Credit Union Times – are now starting to show up at big banks and, yes, that may be bad news for you because criminals will flee the better-defended institutions in search of easier pickings.
What a smaller institution can do, said Dan Draz, a Naperville, Ill., fraud expert, is train employees and train them some more. “Raise their awareness about attacks,” said Draz.
Draz added: “A red flags policy is critical and all employees should be trained as to what constitutes a red flag for further follow up.”
Every institution will have its own policies but cases in point of red flags that warrant extra caution might be address changes, replacement debit cards requested for new addresses, and just about all password resets.
Nobody is saying don’t be helpful to the member – just proceed with caution knowing that certain requests are often associated with criminal intent.
The other thing to remember: amid all the focus on high tech, “the phone remains one of the biggest tools of criminals,” said Draz. And employees need never to forget that.