Global call center fraud has increased more than 45 percent in the last three years as attackers use social engineering to steal data and turn profits, according to a recent Pindrop study.
The "2016 Call Center Fraud Report," which defines call center fraud as any interaction between a criminal and a call center agent, noted that recent data breaches, the rollout of chip cards in the U.S. and increased security in other channels have all contributed to the boost in fraud, according to the report.
As a result, phone fraud losses have risen 14 percent since 2013, and in 2015 enterprises lost an average of 65 cents per fraudulent call.
“This means a call center that receives 40 million calls per year should expect to see somewhere between $17 million to $27 million in fraudulent transaction losses annually,” researchers said in the report.
To make matters worse, 72 percent of contact center executives expected the fraud loss trend will only continue upward, as already evidenced in the U.K. where the use of chip card technology has thwarted efforts gain information and produce phony payment cards. As a result, miscreants have switched gears, plying their social engineering skills at call centers, where fraud rates have consequently doubled.
Director of Pindrop Labs David Dewey told SCMagazine.com that a subset of fraudsters who - when they obtain stolen data - print phony payment cards using the stolen information but improvements in security have forced them to “pivot” their strategies.
“Chip-and-PIN makes it harder” for them to reproduce phony cards using the stolen data so the bad guys are crafting social engineering attacks that target call centers of banks, retailers, credit unions, and other firms in order to make malicious transactions, he said.
The report found that criminals might make up to five calls to a center, pretending to be the victim, before completing a fraudulent transaction. During the calls, the thief may attempt to identify accounts, trick agents into revealing more of the victim's information, change contact information and conduct other malicious deeds.
Call centers are easy targets because, Dewey said, most of the “call center agents are trained to provide a delightful experience” and not to spot suspicious behavior.
In addition, agents are also measured on the amount of time the calls take, which conflicts with taking the time needed to assess security risks.
Dewey said he has documented cases in which agents allowed criminals to guess birth dates, maiden names and other information that should have raised red flags.