Pindrop’s Voice Intelligence and Security Report 2021 provides detailed evidence of how fraudsters have shifted strategies during the COVID-19 pandemic.
Prior to 2020, call centers typically saw fraud rates of one out of every 770 calls, but in 2020 the ratio rose to one out of 1,074. Did that mean fraud was on the decline?
Hardly, as 57 per cent of respondents to Pindrop’s survey said fraud was still increasing as of October 2021, and had done so throughout 2020.
The explanation is nuanced, and begins with how call center activity has changed over the past two years. Some call centers saw the number of calls increase by more than 800 per cent. The average call also lasted 14 per cent longer than before the pandemic. Callers had to wait 11 minutes longer at the end of the year than at the beginning.
“As brick and mortar and in-person interactions became impractical, consumers found the needed access beyond traditional service options, including online, mobile, and other self-service outlets,” the report reads. “Both digital and contact center channels had to deal with contractions from all sides. The sheer volume of increasingly large groups of people now navigating online and mobile banking for the first time led to an increase in calls to customer support to help navigate and troubleshoot issues.”
A flood of calls, each lasting longer, is plenty to contend with, but companies also had to move their workforces to remote positions. That brought technological and training issues just as staff had to contend with more complex calls about unemployment and loan programs. Productivity issues also arose as workers adjusted to new environments and their associated challenges. Call capacity dropped by 20 per cent early last summer before being restored through process streamlining, hard work, and policy changes.
As this was occurring, fraud attempts at the agent level were beginning to recede to levels not seen since 2017. The extended hold times and reduced agent capacity were deemed the most likely culprits.
That caused scammers to shift tactics and, luckily for them, quirks of the PPP were easily exploited. Banks and fintechs were servicing the loans, which had to go out fast. The report posits that some criminals used synthetic identities that don’t attract immediate attention, at least long enough to safely get the money. In 2020, the cost of unemployment fraud was at least $36 billion, or 10 per cent of CARES Act unemployment benefit funding.
“The sheer volume and urgency to speed assistance along to those in need around the country provided a window of opportunity for fraudsters,” the report states. “Prepaid card fraud isn’t new, but as unemployment grew, so did the scams surrounding them.”
Another factor at play is that more consumer lifetime data, such as SSNs, birthdates, and previous addresses, is on the web, so it is easier for fraudsters to verify real identities through normal means. Some pick up pre-loaded debit cards or move their ill-gotten gains through a series of bank transfers before sending the money offshore. Others report the cards as stolen and undertake a chargeback, allowing scammers to double their take.
The shifting nature of call center fraud is made clear in some statistics included in the report. Two-thirds of companies saw new fraud types in their customer contact center, while 57 per cent said they are seeing more fraud mining and reconnaissance. The same percentage has seen an increase in overall fraud attacks through their call centers, while 53 per cent are seeing an increasing impact on their bottom line.
On the other side, only 36 per cent strongly believe they have a good handle on the situation, while 34 per cent believe they have a strong ability to discover and stop fraud in real time with a high degree of confidence.
More technologies are being developed to help criminals improve their efficiency too. Account enumeration reconnaissance sees fraudsters using computer-generated dictionaries with thousands of user names, or tools such as KrbGuess, which attempts 700 guesses per second, to accurately identify an email domain. Also in development are similar tools that can input account numbers from spoofed numbers. That allows fraudsters to use algorithms to mine enough information to bypass a contact’s knowledge-based authentication (KBA) to “update” an email address for an online password reset, or worse, move money out of the victim’s account, all with a few keystrokes to confirm account details.
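On the defending side, enumeration of this kind shows up in IVR logs as many different account numbers tried in a short period. The following detection sketch is an added example, not taken from the Pindrop report; the log format, the sample lines and the thresholds are all assumptions chosen for illustration. It flags a caller number that tries many distinct accounts, and separately watches failed lookups across all callers, since spoofed numbers can rotate.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IVR log: time, presented caller number, account entered, lookup result.
SAMPLE_LOG = """\
2021-10-04T09:00:05 +15550100001 40017731 hit
2021-10-04T09:02:10 +15550100002 40020001 miss
2021-10-04T09:02:40 +15550100002 40020002 miss
2021-10-04T09:03:05 +15550100002 40020003 hit
2021-10-04T09:03:30 +15550100002 40020004 miss
2021-10-04T09:20:00 +15550100003 40098812 hit
2021-10-04T10:00:00 +15550100010 40030001 miss
2021-10-04T10:00:20 +15550100011 40030002 miss
2021-10-04T10:00:40 +15550100012 40030003 miss
2021-10-04T10:01:00 +15550100013 40030004 miss
2021-10-04T10:01:20 +15550100014 40030005 miss
2021-10-04T10:30:00 +15550100001 40017731 hit
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, ani, account, result = line.split()
        yield datetime.fromisoformat(ts), ani, account, result

def find_enumeration(log, window=timedelta(minutes=5), per_ani=4, global_misses=5):
    """Return (flagged caller numbers, times at which a cross-caller miss burst fired)."""
    by_ani = defaultdict(deque)   # caller number -> recent (time, account) pairs
    misses = deque()              # recent failed lookups from any caller number
    flagged, bursts = set(), []
    for ts, ani, account, result in parse(log):
        recent = by_ani[ani]
        recent.append((ts, account))
        while recent[0][0] < ts - window:
            recent.popleft()
        # One caller number entering many distinct accounts inside the window.
        if len({a for _, a in recent}) >= per_ani:
            flagged.add(ani)
        if result == "miss":
            misses.append(ts)
        while misses and misses[0] < ts - window:
            misses.popleft()
        # Spoofed numbers rotate, so also count failed lookups across all callers.
        if len(misses) >= global_misses:
            bursts.append(ts)
            misses.clear()
    return flagged, bursts
```
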
The report concludes with some common examples of fraud. In passive attempts, the fraudster calls the consumer pretending to be a bank before transferring the call to an actual agent in a simple dial-out. As the consumer speaks with the agent, the scammer listens in and gets information that can later be used to pass authentication.
A more active strategy sees the fraudster call a consumer pretending to be a bank while asking questions about fictitious charges on their card. They may also pretend to be a retailer asking about a fictitious order. The call is then transferred to an actual agent at the consumer’s bank or credit card provider, followed by an introduction and provided context. The credit card company authenticates the consumer and checks the order details, and because the order does not exist the credit card company cancels it. All the while the fraudster actively listens in and obtains the authentication information they were looking for.
Also beware of OTP (one-time password) break-ins, which take two people. One person calls the victim pretending to be a bank while another calls the bank at the exact same time. They convince the bank to send an OTP to the consumer’s phone, which they relay to the other criminal, who uses it to commit fraud.