16th March 2022

Layered defences are critical to fraud prevention in telephone contact centres

By Grant White

In the UK, levels of fraud are of such concern that UK Finance considers fraud to be a threat to national security. Types of fraud such as Authorised Push Payment (APP) fraud are especially pernicious and are continuing to grow. Figures released by UK Finance for the first half of 2021 show that losses attributable to APP fraud amounted to £355.3 million, an increase of 71 per cent compared to the same period in 2020.

We know that telephone contact centres are fertile hunting grounds for fraudsters looking for information and data to help them commit future APP fraud. Preventing these attempts at reconnaissance before they happen can be a critical part of a firm’s defence against APP and other types of fraud, saving customers from significant harm and suffering. 

In this blog we explore why it is necessary to have a layered approach to defending your contact centre from attack and why the first line of defence is especially critical.

Threats from social engineering

Imagine this scenario. You are working in a banking call centre and have had a busy day fielding difficult and demanding callers. You pick up a call from what seems to be a very distressed customer who is trying to withdraw cash from an ATM to urgently get a taxi to visit a sick relative but they claim to have forgotten their PIN. You naturally feel empathy for their dilemma and perhaps ignore the usual security protocols due to their obvious distress and agree to issue them a new PIN. You close the call, feeling that you have helped someone in their hour of need. Unfortunately, the reality is that you have unwittingly fallen prey to the social engineering of a sophisticated scammer who can then go on to use that PIN to steal money from legitimate customers. 

Social engineering involves the use of deception, persuasion, emotional manipulation, and other psychological tactics to gain information or access through a human interface (such as the telephone or face-to-face contact), and it is one of the key methods fraudsters use to prepare for and/or execute fraud attacks on telephone contact centres.

Contact centre staff are particularly vulnerable to this threat because it is their job to help customers in a polite and friendly manner. These agents are specifically trained to satisfy customer needs, yet they also have access to large quantities of customer data, making them the perfect target for fraudsters to manipulate into, for example, giving away security information.

Machine-on-machine attacks

In another common scenario, a fraudster has obtained a customer’s name, account number and telephone number from the dark web. Using sophisticated algorithms and robo-diallers, this fraudster uses machine-to-machine manipulation of the Interactive Voice Recognition (IVR) system to determine PINs and other security information such as dates of birth or post codes which can be used for account takeover fraud via another channel, such as internet banking. In this instance, the IVR has been attacked to mine data to set up a future fraud attack.

IVRs are also at risk of other account reconnaissance activities such as balance checking, checking transaction history or the status of payment transfers. Fraudsters go on to use the information harvested to inform their social engineering attacks.

A castle without a moat

In both these instances, there was no way of preventing the fraudster from entering the call centre’s infrastructure in the first place, or of identifying that the call may be suspicious. This is the equivalent of building a medieval castle without the customary moat, drawbridge and outer walls, relying instead on the inner walls to protect the occupants from attack.

Of course, there are measures that are put in place to prevent IVR abuse and social engineering. In the case of the former, customers’ telephone numbers are associated with their bank accounts and used by the IVR as an automated way of checking customer identity. However, this can be circumvented through call masking or so-called “spoofing”, so it is not a sufficiently robust defence in and of itself.

Training call centre agents to help them avoid becoming victims of social engineering is another must-have defence, but with the best will in the world, humans are fallible and scammers will use every trick in the book to persuade agents to bypass security protocols.

Whilst authentication methods such as voice biometrics and knowledge-based authentication can also help to reduce fraud risk once scammers have entered the call centre’s telephone network, identifying them before they even breach the walls is likely to be a much more effective strategy.

Filling the moat and pulling up the drawbridge

The concept of a layered defence (also known as ‘defence in depth’ in military strategy) was a core principle used by medieval castle builders to keep enemies at bay. The idea is that multiple defensive measures are more likely to thwart an attack than just one. Modern-day threats are very different to the marauding armies of yore, but these defensive principles are still applicable.

In the world of telephone contact centres, understanding suspicious caller activity from the outset – whilst the call is still in the telephone network – is the 21st century equivalent of the medieval moat and drawbridge. Smartnumbers Protect can do just this. By using the metadata associated with call signalling, Smartnumbers can detect the features of a call that indicate there is something awry, assigning a dynamic risk score and allowing calls with different risk profiles to be handled differently.

In the first of our earlier scenarios, Smartnumbers Protect would have enabled earlier intervention in the call’s journey, indicating to the customer service representative that they were at a higher risk of being subject to social engineering, or even routing the call directly to a specialist team for handling. 

In the case of the IVR attack, Smartnumbers Protect easily detects robo-diallers, stopping them accessing the IVR in the first place. It will also flag telephone numbers being used for reconnaissance as high risk, as well as alerting online fraud detection systems about the accounts that are being targeted.
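To make the idea of a signalling-metadata risk score concrete, here is an added illustration that is not Smartnumbers’ own code or algorithm: a toy scorer over constructed call records that turns two of the patterns described above (machine-speed repeat calls and one number probing many accounts) into the handling actions the post mentions. The `Call` fields, thresholds and window length are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Call:
    ts: int        # call start, seconds since epoch
    cli: str       # presented calling line identity
    account: str   # account the caller asked the IVR about

WINDOW = 600            # look-back window in seconds (assumed value)
VELOCITY_THRESHOLD = 5  # calls from one CLI inside WINDOW: robo-dialler pattern
SPREAD_THRESHOLD = 3    # distinct accounts from one CLI inside WINDOW: reconnaissance

# Constructed sample signalling records: one ordinary caller, one robo-dialler,
# one number touching several accounts.
SAMPLE_CALLS = [Call(1000, "+441632960100", "ACC-1")]
SAMPLE_CALLS += [Call(2000 + 20 * i, "+441632960200", "ACC-2") for i in range(6)]
SAMPLE_CALLS += [Call(3000 + 100 * i, "+441632960300", f"ACC-{3 + i}") for i in range(3)]

def score_callers(calls, window=WINDOW):
    """Score each CLI from signalling metadata only; return {cli: (score, action, accounts)}."""
    by_cli = defaultdict(list)
    for c in calls:
        by_cli[c.cli].append(c)
    verdicts = {}
    for cli, cs in by_cli.items():
        cs.sort(key=lambda c: c.ts)
        peak_velocity = peak_spread = start = 0
        for end in range(len(cs)):           # sliding window over this CLI's calls
            while cs[end].ts - cs[start].ts > window:
                start += 1
            span = cs[start:end + 1]
            peak_velocity = max(peak_velocity, len(span))
            peak_spread = max(peak_spread, len({c.account for c in span}))
        score = 0
        if peak_velocity >= VELOCITY_THRESHOLD:
            score += 60                      # machine-speed repeat calls
        if peak_spread >= SPREAD_THRESHOLD:
            score += 50                      # one number probing many accounts
        if score >= 60:
            action = "block_at_ivr"          # never reaches the IVR
        elif score >= 40:
            action = "route_to_specialist"   # agent warned, specialist team handles
        else:
            action = "normal"
        # accounts a risky CLI touched, for hand-off to online fraud monitoring
        accounts = {c.account for c in cs} if score else set()
        verdicts[cli] = (score, action, accounts)
    return verdicts
```

Calling `score_callers(SAMPLE_CALLS)` blocks the rapid-fire number at the IVR, routes the account-hopping number to a specialist team with its touched accounts attached, and leaves the single ordinary call untouched.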

As was the case with ancient castles, multiple defensive measures have a proven, cumulative impact. By preventing fraudsters from gaining access to the IVR, there is a high possibility that subsequent social engineering attacks will also be countered.

Implementing Smartnumbers Protect as your first line of defence gives you early visibility of the attack, boosting the effectiveness of your existing fraud prevention measures. Until fraudsters tire of attacking your call centre ‘castle’ altogether, the walls of layered protection you have, enhanced by Smartnumbers Protect, will be very much more difficult to penetrate.