Global call centre fraud has increased more than 45 percent in the past three years as attackers use social engineering to steal data and turn profits, according to a recent Pindrop study.
The "2016 Call Centre Fraud Report," which defines call centre fraud as any interaction between a criminal and a call centre agent, noted that recent data breaches, the rollout of chip cards in the US and increased security in other channels have all contributed to the boost in fraud, according to the report.
As a result, phone fraud losses have risen 14 percent since 2013, and in 2015 enterprises lost an average of 65 cents (£0.40) per fraudulent call.
“This means a call centre that receives 40 million calls per year should expect to see somewhere between $17 million (£12m) to $27 million (£19m) in fraudulent transaction losses annually,” researchers said in the report.
To make matters worse, 72 percent of contact centre executives expected the fraud loss trend will only continue upward, as already evidenced in the UK where the use of chip card technology has thwarted efforts to produce phoney payment cards.
As a result, criminals have switched gears, plying their social engineering skills at call centres, where fraud rates have consequently doubled.
Director of Pindrop Labs, David Dewey, told SCMagazine.com that a subset of fraudsters - when they obtain stolen data - print phoney payment cards using the stolen information, but improvements in security have forced them to “pivot” their strategies.
“Chip-and-PIN makes it harder” for them to reproduce phoney cards using the stolen data, so the bad guys are crafting social engineering attacks that target call centres of banks, retailers, credit unions and other firms to make malicious transactions, he said.
The report found that criminals might make up to five calls to a centre, pretending to be the victim, before completing a fraudulent transaction. During the calls, the thief may attempt to identify accounts, trick agents into revealing more of the victim's information, change contact information and conduct other malicious deeds.
Call centres are easy targets because, Dewey said, most of the “call centre agents are trained to provide a delightful experience” and not to spot suspicious behaviour.
In addition, agents are also measured on the amount of time the calls take, which conflicts with taking the time needed to assess security risks.
Dewey said he has documented cases in which agents allowed criminals to guess birth dates, maiden names and other information that should have raised red flags.