14th September 2021

How they do it: Committing fraud through the contact centre

By Grant White

In 2020, a study found that a total of 76% of banking fraud is committed through internet banking and 13.8% through mobile channels. The third most common type is fraud through the contact centre, at 10.2%.

When planning a fraud prevention strategy, banks typically focus on protecting digital banking channels. But what these numbers don’t show is the role their contact centres play in enabling fraud attacks across both these channels. So how does it work?

How the contact centre enables fraud: Step by step

Committing fraud through internet and mobile banking is more difficult than through other channels, because organisations have invested heavily in technology like voice biometrics and two-factor authentication over the last few years.

To get around these barriers, fraudsters use the contact centre to gain important information about the customer, so they can more easily commit fraud elsewhere. Unfortunately for banks, contact centres can be an easy target because they often require only correct answers to knowledge-based authentication (KBA) questions – and it’s much easier for fraudsters to get hold of this information. Here’s how:

1. Harvesting

The first step is to gather information that will allow fraudsters to impersonate legitimate people or businesses.

Generally, this information is leaked via data breaches and purchased by the fraudster through the dark web. They might also choose to harvest information directly from the target, using phishing or mail intercept tactics.

2. Reconnaissance

This step is where the contact centre becomes important – because fraudsters will use it as an opportunity to validate or confirm the information they’ve gathered. They’ll do this by interacting with either the IVR system or a contact centre agent.

Once through, they’ll perform low-risk actions, generally checking information like passwords, emails or account balance. From there, they can check if the personal information they’ve harvested is correct and identify the best form of attack.

3. Preparation

Having validated their target’s information, the fraudster will use this to pass security checks and make changes to their target’s account.

This could include changing account login or customer address details, requesting a new debit card or adding a new payee onto the target’s account.  

4. Monetisation

At this point, the fraudster can lift money out of the account with a simple bank transfer.

5. Legitimisation

To go undetected, the fraudster will launder or clean up the proceeds of their illegal activities, generally by paying money into foreign bank accounts or by moving it into another clean account.

6. Capitalisation

With the money successfully laundered, the fraudster can spend it as they choose.
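For fraud teams, stages 2 to 4 above leave a cross-channel trail that can be correlated per account: a low-risk lookup through the IVR or an agent, then an account change, then a transfer. The following is an added example, not code from the original article or its whitepaper; the event and channel names, the tuple layout and the 72-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Event-type and channel names are hypothetical labels, not a real product's schema.
RECON = {"balance_inquiry", "email_check", "password_check"}               # stage 2
PREP = {"login_change", "address_change", "card_request", "payee_added"}   # stage 3
MONETISE = {"transfer"}                                                    # stage 4
CONTACT_CENTRE = {"ivr", "agent"}
WINDOW = timedelta(hours=72)  # assumed correlation window

SAMPLE_EVENTS = [  # constructed sample data: (iso_timestamp, account, channel, type)
    ("2021-09-01T09:00:00", "ACC-1", "ivr", "balance_inquiry"),
    ("2021-09-01T09:20:00", "ACC-1", "agent", "address_change"),
    ("2021-09-02T10:00:00", "ACC-1", "agent", "payee_added"),
    ("2021-09-02T10:30:00", "ACC-1", "online", "transfer"),
    ("2021-09-01T12:00:00", "ACC-2", "ivr", "balance_inquiry"),
    ("2021-09-01T12:05:00", "ACC-2", "mobile", "transfer"),     # no account change
    ("2021-08-01T08:00:00", "ACC-3", "agent", "email_check"),
    ("2021-08-20T08:00:00", "ACC-3", "online", "payee_added"),  # lookup too old
    ("2021-08-20T09:00:00", "ACC-3", "online", "transfer"),
]

def flag_accounts(events, window=WINDOW):
    """Return {account: (recon_ts, prep_ts, transfer_ts)} for accounts where a
    contact-centre lookup is followed by an account change and then a transfer,
    with the whole chain inside `window` of the lookup."""
    state, flagged = {}, {}
    for ts, account, channel, etype in sorted(events):
        t = datetime.fromisoformat(ts)
        s = state.setdefault(account, {"recon": None, "prep": None})
        # Drop a stale chain so old, unrelated calls do not match later activity.
        if s["recon"] and t - s["recon"] > window:
            s["recon"] = s["prep"] = None
        if etype in RECON and channel in CONTACT_CENTRE:
            # Until an account change is seen, track the most recent lookup.
            if s["prep"] is None:
                s["recon"] = t
        elif etype in PREP and s["recon"]:
            s["prep"] = s["prep"] or t
        elif etype in MONETISE and s["prep"] and account not in flagged:
            flagged[account] = (s["recon"], s["prep"], t)
    return flagged

if __name__ == "__main__":
    for account, chain in flag_accounts(SAMPLE_EVENTS).items():
        print(account, [c.isoformat() for c in chain])
```

A match is a prompt for step-up verification or manual review rather than proof of fraud, since genuine customers also call and then change details.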

With criminals exploiting all vulnerabilities at their disposal to commit all types of fraud, it’s vital for banks to effectively protect their contact centres. Whether the customer is just checking their balance or withdrawing funds – you need to be 100% sure they’re who they say they are.

But how do you do that? 

That’s the question we aim to answer in our new whitepaper: “Fraud prevention in bank contact centres.” If you want to find out more, download the guide today.