30th September 2024

How do they do it? Three key fraudster tactics

By Grant White

UK Finance’s recent fraud report found that a staggering £1.7 billion was stolen from consumers in 2023 through both authorised and unauthorised payments – and in many cases this fraudulent activity will have touched the contact centre at some stage of the process.

In order to fight back and prevent further losses, it’s essential to first understand how and why fraudsters target the contact centre.

Fraudsters employ three key tactics when using telephone banking services to execute their scams. These are:

  • Abuse of Interactive Voice Response (IVR) systems
  • Social engineering of customer service representatives 
  • Spoofing of telephone numbers associated with bank accounts 

Abuse of IVR systems 

Fraudsters abuse the automated nature of IVR systems to validate stolen personal data or harvest additional information to help execute a future attack. For example, bots or robo-diallers may be employed to navigate menus or initiate brute force attacks that attempt to hack into accounts. 

These organised attacks enable fraudsters to gain enough information to take over the victim’s accounts or to trick an account holder into initiating an authorised push payment (APP). Indeed, Smartnumbers research shows that on average, a fraudster makes 26 calls in the weeks before executing the final attack.

Social engineering 

Fraudsters also use social engineering tactics to trick customers and contact centre agents into revealing account security details. Social engineering is defined by the Metropolitan Police as ‘the clever manipulation of the natural human tendency to trust’. Customer Service Representatives (CSRs) within contact centres are especially vulnerable to psychological manipulation because a key part of their job is to offer the best possible service to the callers on the end of the line, which can make refusing fraudsters’ requests particularly difficult.

Typically, scammers will contact several CSRs to identify those who are easier to manipulate and, once identified, they will spin a tale of woe. These stories usually involve a stressful situation such as a bereavement or an emergency trip that they claim is needed to care for a sick relative. They are designed to play on the CSR’s empathy and trick them into giving away existing security information or changing passwords or PINs. 

Call spoofing / calling line identification (CLI) masking

All inbound calls have Calling Line Identification (CLI) data associated with them. This data includes the originating phone number and enables phone systems to identify incoming callers by name and number. Fraudsters will often falsify or ‘spoof’ the originating phone number so that they can bypass any customer authentication checks that rely on a caller’s CLI and impersonate the account holder.
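The repeated IVR calls and the CLI spoofing described above suggest one detection approach, sketched here as an added example that is not from the original article or from Smartnumbers: flag presented numbers that try many accounts, and count failed IVR authentications per account so that a spoofed or rotated CLI does not reset the count. The record layout, thresholds and sample calls are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against your own call volumes.
WINDOW = timedelta(days=28)
ACCOUNTS_PER_CLI = 3   # distinct accounts tried from one presented number
FAILS_PER_ACCOUNT = 5  # failed IVR authentications against one account

# Constructed sample records: (timestamp, presented CLI, account, IVR auth result).
SAMPLE_CALLS = [
    # One number walking through several accounts (data validation pattern).
    ("2024-09-02T10:00", "+447700900001", "ACC-1001", "fail"),
    ("2024-09-02T10:03", "+447700900001", "ACC-1002", "fail"),
    ("2024-09-02T10:06", "+447700900001", "ACC-1003", "pass"),
    # Repeated failures on one account, each from a different presented number.
    ("2024-09-05T09:00", "+447700900010", "ACC-2001", "fail"),
    ("2024-09-08T09:00", "+447700900011", "ACC-2001", "fail"),
    ("2024-09-11T09:00", "+447700900012", "ACC-2001", "fail"),
    ("2024-09-14T09:00", "+447700900013", "ACC-2001", "fail"),
    ("2024-09-17T09:00", "+447700900014", "ACC-2001", "fail"),
    # Ordinary customer: one mistyped PIN, then success.
    ("2024-09-20T12:00", "+447700900020", "ACC-3001", "fail"),
    ("2024-09-20T12:01", "+447700900020", "ACC-3001", "pass"),
    # Outside the look-back window; ignored.
    ("2024-07-01T12:00", "+447700900030", "ACC-2001", "fail"),
]

def flag_ivr_abuse(calls, now):
    """Return (CLIs probing many accounts, accounts with repeated failed auth)."""
    accounts_by_cli = defaultdict(set)
    fails_by_account = defaultdict(int)
    for ts, cli, account, result in calls:
        when = datetime.fromisoformat(ts)
        if not (now - WINDOW <= when <= now):
            continue
        accounts_by_cli[cli].add(account)
        if result == "fail":
            # Keyed on the account, not the CLI: a spoofed or rotated
            # number must not reset the count.
            fails_by_account[account] += 1
    probing = sorted(c for c, a in accounts_by_cli.items() if len(a) >= ACCOUNTS_PER_CLI)
    targeted = sorted(a for a, n in fails_by_account.items() if n >= FAILS_PER_ACCOUNT)
    return probing, targeted

if __name__ == "__main__":
    print(flag_ivr_abuse(SAMPLE_CALLS, datetime(2024, 9, 30)))
```

Flagged accounts are candidates for step-up verification on the next contact, whichever number that call presents.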

For further information on the tactics fraudsters use and the security measures that can be deployed to protect contact centres and their customers, read the full report here.