Caller identity fraud: risk to business

To give your life savings away, press one…

I am sure each one of us will either have directly experienced a fraud attack or know somebody close who has been a target. Attacks of this nature can range from a single unrecognised transaction on a credit card or a dubious claim on an insurance policy, right through to a full-on emptying of a bank account. Thankfully, in many instances, it is the provider who ultimately incurs the loss, but not without significant disruption for the victim. In every case, the victim will be left scratching their head, wondering where they exposed their details to the criminals or which of their past transactions was used to harbour the information.

While these criminal occurrences appear to be a one-time ‘hit-and-run’ event, it is often far more than a straightforward data breach that enables highly organised gangs to commit the fraudulent act. The mining and piecing together of the victim’s data can take many months and thousands of attempts to gather the information necessary to carry out the attack successfully.

Data mining

Data mining, or data farming, typically begins with a snippet of information that becomes available either in the public domain or for a fee on the ‘Dark Web’. This information may have been released from a previous mass data breach or from details gained via an unscrupulous third party. But wherever the details came from, they are unlikely to be sufficient to commit fraud. It is not a difficult task to use the various social media channels to discover somebody’s date of birth, pet’s name, mother’s maiden name, children’s names and birthdays — all among many other details people tend to incorporate into passwords or set as answers to their security questions.

However, we have all had texts, emails and voice messages alerting us to activity on an account or with an agency we have no association with.

The fraudsters send out these alerts across various mediums, sometimes with a scatter-gun approach, hoping that the random recipient opens the message and clicks the link that takes them through to a web page or data capture form purporting to be associated with an organisation they have a relationship with. Here, the sole aim is to obtain as much personal information as possible by the victim disclosing it in full.

Yet, it is likely that the alert message was not completely random. A contact number or email address may have been leaked along with the client reference (account number or customer code). These messages requesting a call to action can be far more targeted. Messages from several similar organisations are sent over a period to target the victims using different methods. If a potential victim responds to one message and not others, the fraudsters can creep closer to knowing where to focus their efforts.

Criminal gangs often use their target organisation’s interactive voice response (IVR) or telephony menu as their tool of choice.

The self-service systems allow the fraudsters to go about their data mining totally unnoticed. Multiple attempts can be made to enter a valid customer ID number or account code without the victim ever becoming suspicious. Of course, some systems can look out for recurring calls from the same number, but the crime syndicates are becoming ever more technically advanced.

Undoubtedly, the move to IP-based telephony has lowered costs, increased resilience and enabled an almost endless list of possibilities, but not without added concerns. Traditionally, enabling a caller to speak to somebody at their desired destination was only possible because of a continuous connection on the copper network between the two specific endpoints. As more modern technology effectively uses the internet to transmit phone calls, there is far more going on than the simple passing of sounds from end to end. Before the call connects, certain criteria need to be met to satisfy both the networks and the end devices. The criteria are verified within the data element of the call, like a kind of digital footprint.

Readily available technology now exists to manipulate the ingrained data, altering the very core of the call. As a direct result, fraudsters can present a different telephone number with every call they make, even if it originates from the same device. They can even go as far as presenting a genuine customer telephone number, which may be all the proof the organisation needs to pass the first line of security and gain access to basic client information or the next set of virtual locks. Changing the presentation number of a call in this way, when done for genuine reasons, is known as ‘CLI Flexing’. Instances of presenting different numbers with deceitful motivations are known as ‘spoofing’ — and it happens alarmingly frequently.

An increasing problem

During the pandemic, many businesses had to change the way they operate, with many departments working from home or even closing with employees on furlough. Potentially, this shift to remote working drives more incoming enquiries into businesses’ automated systems. Many companies will choose to retain their new practices to reduce the size of their workforce and lower ongoing costs. Unfortunately, higher call traffic and automation has given the criminal groups even more cover to go about their business. If call volumes have increased anyway, organisations will be oblivious as to whether the increase is from genuine callers or thanks to calls of a less desirable nature.

Have you heard of the infinite monkey theory? This hypothesis says that if you give enough monkeys a typewriter each, one will (eventually) inadvertently write the full workings of William Shakespeare. Many others will come close, perhaps with just a single spelling mistake. It is a similar challenge with fraudsters. If they make enough attempts to an unmonitored IVR system, they will eventually get a correct combination. The fraudsters do, however, have a head start, as they only have ten digits at their fingertips rather than twenty-six letters (plus punctuation). By removing any combinations that are known to be invalid, the target becomes easier to locate.

Automated diallers will be doing the vast majority of the ‘monkey work’ and will be programmed to identify the different IVR responses for recognised numbers. This work determines with which institute or business the initial pieces of information are associated. It is not uncommon for an automated system to give out an account balance or order status update based on the caller’s number being recognised, along with a valid account code or client ID entered on the keypad. All this information helps to piece together the jigsaw of where and when to focus the efforts of the fraudsters. The last thing the fraudsters want at this stage is to be put through to an actual agent. They are happy camping out in the IVR, untangling the data.

It could be months later when the actual fraud causes a loss to take place, but there are scenarios where the fraudsters can act much quicker.

Have you ever had one of those calls with the digitised voice, asking you to ‘press one’ to be connected to your bank? I always hang up but do often wonder what would happen if I did press the relevant button. My guess is that I would be asked to enter a security number using the phone’s keypad and somebody, or something, would record the tones and decipher my code. However, there is a chance I would be connected to the genuine organisation and its automated menu system, albeit not directly. There is a reasonable chance I would not notice anything amiss.

The reality is that I may have just been connected to a three-way call, where the fraudster is already on a call within my provider’s IVR. Once connected, the fraudster sits silently listening to me key in my security codes and answer my ID checks. Then, just as I am being connected to the right department, the fraudsters disconnect my leg of the call, leaving them to speak to the agent and do whatever they like, such as change my PIN, reset my online password or transfer a large amount of funds. The criminals will call me back (do not forget — they can present any number they choose to), apologise for the call dropping and tell me there is nothing to worry about, before wishing me a good day.

Although this type of crime is more prevalent within the financial sector, there are many other industries where fraudulent phone calls will be occurring. But how many and how often is incredibly hard to say.

Two factors combine to impede quantifying IVR fraud. Firstly, there is the fact that any attack on the IVR usually precedes the actual fraudulent transaction, which could have been the result of hundreds of mining attempts. So, any data analysis is retrospective and potentially ambiguous.

Secondly, any organisation affected by IVR fraud will be extremely reluctant to publicise facts and figures. The Telecommunications UK Fraud Forum (TUFF) suggests that affected businesses should share best practices and highlight their own weaknesses to other similar businesses. TUFF also recognises that admitting to these shortcomings could be the worst kind of publicity, so many businesses will keep their findings to themselves.

As an ever-increasing number of companies strive to minimise their costs and working remotely becomes the new norm, the IVR and connected automated services will only continue to grow. It is, therefore, imperative that businesses and their customers have the utmost faith in the technology they are accessing or providing.

Why should my business care?

Whilst this type of activity is most prevalent in the financial sector, any business operating a telephone system could be a target. The opportunities for thieves to prosper from presenting themselves are endless.

On the 25th of May 2018, the EU’s GDPR regulations came into play, making organisations take much more accountability for how they handle any customer’s personal information. Personal data is described as follows:

• Name
• Home address
• Email address
• Bank details
• Medical information
• A computer’s IP address

So, if your business holds any of that information about a customer and it is distributed over the phone, whether automatically or by an employee, you would be breaking the law if it is given to an imposter.

The laws state that any data breach must be disclosed by the affected organisation within 72 hours of being made aware of the contravention. Of course, there is the ability to plead ignorance as you could be unaware for an undefined period, or even indefinitely. But consumers are far less likely to do business with an organisation that is non-compliant.

Any business found to be in breach of the rules faces potential penalties of 4% of their turnover or €20 million.

This kind of fraudulent activity has serious implications for individuals and organisations alike. It is big business for criminal gangs. How big? Nobody really knows.

Thankfully, whilst fraudsters may be creative and bold, they are also often lazy. They will always go for the easiest of wins. Which is why the scam emails we all receive usually contain spelling errors or grammatical mistakes that are obvious to most people. They do not want everyone to respond and waste their own time taking a target down a route that they will eventually realise is not what it seems. They want the more easily led. It is for this reason — fraudsters choosing the path of least resistance — that organisations operating phone systems need to be aware of this type of activity and look for ways to combat it.

To find out how to tackle these issues through Invosys, book a demo here.