Asking people in different corners of financial services about the most important trends in fraud is like discussing an elephant with the eight blind men in the famous parable. They concentrate on the most immediate threats, but none has the full picture.
Put the conversations together, though, and what emerges is a picture of a resurgence in old-school fraud: phone scams, fast ones pulled on card-processing merchants and simple deceptions of online customers.
Pindrop Security, for instance, released a study Wednesday that shows a 30% rise in phone fraud among financial institutions since 2013. The company, which provides call-center-security software, analyzed calling patterns at financial institutions, credit card issuers and online retailers.
It found that one in every 2,200 calls made to financial institutions and retailers is fraudulent, as is one in every 900 calls to credit card companies. (Some of this activity made headlines during the rollout of Apple Pay, when about 6% of transactions were linked to fake enrollments.)
Overall, more than 86.2 million calls per month in the U.S. are phone scams.
According to Pindrop, call center fraud costs financial institutions $7 million to $15 million a year. The losses come from fake wire transfers and other deductions from accounts.
"Our intuition is the online channel is increasingly protected, secured by PCI and modern technology, while the phone channel remains effectively completely unguarded," said David Dewey, director of research at Pindrop. "The call center has stayed the same. Fraudsters can call in, work their way through the knowledge-based authentication questions, and completely impersonate the victim."
Part of the problem is that credit unions and banks are trying to provide a smoother customer experience in their call centers, which in many cases are the only point of human contact for mobile-first and online-only customers.
"Customers all tell us the same thing: the call center reps are trained to give the customer a delightful experience, they're not trained to be fraud analysts," Dewey said.
In one call center conversation Pindrop researchers listened to, someone called in pretending to be an extremely well-known U.S. movie star. The caller had a thick West African accent that did not sound like the celebrity's voice.
"No one should have been fooled by that," Dewey said. But they were.
Another caller said he was an advocate for disabled consumers within the financial institution who was sitting with a user who had already been validated, and asked to execute a transaction on the user's behalf. "It's amazing the ease with which the call center rep let the whole thing go through," Dewey said.
In another instance, Dewey said he was able to enroll a coworker in Apple Pay by Googling the person's name; the third search result provided all the information he needed to get through the authentication questions.
Other Lower-Tech Threats
In another trend that parallels the rise in phone fraud, criminals are changing their business models from a focus on software development to the use of cheap human labor. This is according to recent findings from researchers at Fox-IT, which says it tracks the 40 top criminal groups in the world on behalf of its 250 financial institution clients.
Until recently, criminals targeting banks and credit unions would invest heavily in buying or creating malware.
"That had a consequence in that it had a pretty hefty investment in time, effort and money to prepare an attack," said Eward Driehuis, product director at Fox-IT. "And if the attack was mitigated suddenly, then the criminal would be out of luck because he would lose that investment."
Now these criminals are conducting semi-automated, hybrid attacks, he said.
"They're only automating the first part of the attack, in which you deceive the user, for example, if the user visits a log-in page and the malware says, please hold on while we do some security checks," Driehuis said. "The malware then sends all those credentials to a criminal, who will then create a new manual session using those stolen credentials."
Though this type of scheme is harder to expand quickly, it requires less investment in time, effort and money (due to the availability of low-cost labor), so criminals can more easily target smaller banks and CUs.
The hybrid approach also allows for larger attacks on corporate accounts, Driehuis said. Where retail accounts and ATM withdrawals have limits, newer types of malware like GameoverZeus focus on commercial accounts, from which they can steal $50,000 to even $1 million. The people involved in the attacks specialize in developing fake trust and bypassing security mechanisms to execute large wire transfers.