Work-from-home call centers have the attention of fraudsters

Between paycheck protection loans, economic stimulus payments and mounting job losses, consumers have questions for their financial institutions. At the same time, call center employees working for those institutions are having to quickly adjust to working from home — with all the distractions and security risks that entails.

“Fraudsters love to take advantage of times of disruption and confusion,” said Shirley Inscoe, a senior analyst at Aite Group.

Executives at the financial institutions Inscoe is in touch with are reporting higher volumes of customer calls, she said, and security vendors are reporting increases in the number of fraudulent calls they’re receiving.

Working from home changes everything 

Software security vendors are a financial institution’s first line of defense against fraud. These tools can be used to detect spoofed phone numbers, determine higher- and lower-risk callers, and use voice biometrics to identify both known callers and fraudulent voices. But using existing fraud prevention tools correctly — even from home — is key to fighting off attacks. In today’s work from home environment, that could require reconfigurations to match the rerouting of calls to agents’ homes.

Inscoe recommends call center employees working from home turn off their smart home devices, like Amazon Echo and Google Home. She also recommends call-center workers avoid using tools like baby monitors that could provide access to their home networks.

“We think of our homes as secure as we lock our doors, but in this age of smart homes all of these systems can be compromised,” Inscoe said. “That’s something in the rush to enable people that could easily be overlooked.”

Even before COVID-19 closed economies around the world, call center fraud had been on the rise. The security vendor Pindrop found call center fraud rose 45% between 2013 and 2016.

In 2019, one in every 700 calls to call centers were fraudulent, according to Pindrop. Customers also are increasingly being targeted by scammers posing as their financial institutions and contacting them via email and text.

“Your customer base is going to get spoof email and spoof text messages that will look and sound like your company,” said Brian St. John, Pindrop’s fraud operations manager. “The key is understanding your customers are being attacked this way.”

The consulting firm Gartner suspects call center fraud is actually higher and that some attempts to defraud customers aren’t being traced back to call centers. “Humans are often the weakest link in security and fraud prevention programs,” Gartner wrote. People can be manipulated by fraudsters posing as customers or trying to win them over with flirtation or flattery.

Inscoe also believes call centers are linked with more attempts to defraud consumers than banks may realize.

Financial institutions often lack the staff to dig deep enough into fraud to connect it with call centers. Sometimes, they misattribute fraud to other customer contact channels. “You have to recognize the problem in order to solve it,” Inscoe said. “In many cases they’re not recognizing the problem.”

Fraud prevention focuses on digital

Call centers tend to operate separately from other customer interaction channels like chat and websites. They often fall just outside of fraud prevention efforts that focus more on digital customer communication channels hackers are likely to target.

Omnichannel consumer relationships and employees operating in silos complicate fraud tracking efforts at a time when the account takeover fraud has gotten more sophisticated.

Years of data breaches, combined with the popularity of social media sites that incorporate key personal information like birth dates, high schools and colleges, have made it easier to fool knowledge-based identity verification systems.

Gartner estimates as many as 2 billion identities obtained through malware and data breaches are available through organized crime groups. That information includes mobile phone numbers, bank account details and other information can be used to answer knowledge-based security questions and spoof mobile numbers to trick unwitting call center operators.

With so much data having been leaked, previous street addresses, the make and models of past cars and other personal information is no longer so personal.

Even one-time passwords can’t provide an adequate buffer of security for consumers. By cloning a consumer’s phone number, fraud perpetrators can intercept one-time messages meant to go to the real customer’s phone.

Armed with information and technology, fraud perpetrators targeting call centers don’t need to outsmart algorithms. They just need to convince one person they’re a legitimate customer — the call center agent they’re targeting.

Should those call center agents be more frazzled than usual — maybe because they’re simultaneously trying to juggle housework and families — they become easier targets, especially as institutions loosen some security measures to serve customers during this time of crisis.

“You have to be aware that ‘Yes, you’re doing the right thing for your customers,’ but also realize bad guys are going to take advantage of that,” St. John said. “Especially in a time of chaos like now.”

Meena Thiruvengadam is a freelance writer based in New York.

Subscribe to the BAI Banking Strategies newsletter and podcast.