Latest Fraud Trends Hitting the Banking Sector
Banking contact centers are a prime target for fraud. According to a report from TransUnion, most account takeovers start in the call center, and the frequency as well as volume of attempts has risen dramatically in the past few years. Seon reports that one out of 5 adults in the U.S. has fallen prey to this type of fraud with an average loss of $12,000 per case.
What is enabling this increase in identity theft? Here’s a look at some of the latest tools and techniques fraudsters are using to attack the banking sector.
Phishing-as-a-Service
Not surprisingly, the financial industry is the top target for phishing attacks, accounting for more than 27% of the millions of attacks carried out annually. There is money to be made by nefarious tech entrepreneurs as well as identity thieves. In fact, enabling these attacks is a big business opportunity for savvy hackers.
Everyone likes the convenience of the “as a service” subscription model, and identity thieves are no exception. CU Today’s recent article on Phishing-as-a-Service highlights a new type of platform that is enabling bank fraud in Europe. For as little as $130/month, cybercriminals can have a much easier time bypassing multi-factor authentication and accessing customer accounts.
Building an entire mirror website and communication system that replicates the look/feel/functionality of a real financial institution is a lot of work. Now, fraudsters can get kits that are prebuilt to allow them to mimic over 50 financial institutions with little effort. Upon subscribing, they are armed with technology that evades detection, supports real-time authentication, and allows criminals to intercept account details and credit card data. These criminals can even provide live chat support to consumers, adding a layer of credibility and helping fraudsters use social engineering to collect even more information from victims.
SIM Swapping
CU Today writer, Ray Birch, shared another disturbing finding recently regarding SIM-swapping. Using this technique, fraudsters can transfer phone numbers to their own device and intercept OTPs (one-time passcodes) often used for identity verification. A stolen SIM is a great first step toward a stolen account, and this is a disturbing trend since OTPs are a security measure commonly used in setting up new financial accounts.
How big is the problem? According to Efani, there has been a 400% increase in SIM swapping in the past year. The average incident costs victims $10,000. SIM swapping was more difficult in the days of physical SIM cards. Today, a new phone will typically have an electronic SIM info stored on the device itself in digital form. That metadata can be readily accessed and cloned if, for example, an individual is convinced to click on a link in a text or email that contains malicious code.
The danger isn’t just that fraudsters can infiltrate an individual account. If they manage to gain access and control over a device a bank or credit union employee uses for work, cybercriminals could conceivably take over an entire network.
Think employees aren’t a target? Think again. Read our recent article about vishing (voice phishing) and how your financial institution’s internal helpdesk could be at risk as an entry point for network takeovers.
Deepfakes
Perhaps no trend has captured the public imagination (and attention) more than the potential of deepfake technology to commit identity fraud with previously unimaginable sophistication and ease. It’s no wonder that almost half of the safety, risk, and compliance professionals surveyed in a recent Gartner report on fraud in the genAI age consider identity fraud a top priority to address. In 2023, 20% reported that their organizations were targeted by fraud attempts that involved faked images or voices. With the easy availability of generative AI tools, this trend is likely to increase in 2024 and beyond in what Gartner calls a “digital arms race.”
Fraud related to deepfakes is an area of high risk, as most respondents in the Gartner survey reported that their current fraud prevention tech stack is not helping them proactively combat fraud. This does not mean they are complacent. Currently, 40% are exploring new technology to address emerging threats, and one out of three are reconfiguring identity verification tools.
In the call center, concerns have grown recently over the potential use of voice cloning to fool agents (and biometric security systems), enabling account takeovers. CU Today shared opinions from security experts about the use of multi-factor authentication and even multimodal biometrics that are harder to replicate in real-time using generative AI.
Gartner offered this additional advice in a report containing critical insights for combatting deepfakes: “Incorporate detection methodologies in a layered approach. Prioritize quality of individual feature detections, but ensure that several can be used concurrently or sequentially, and then correlate the results using probabilistic models. Incrementally add more detection mechanisms over time to ensure system robustness and the ability to detect newly emerging forgery techniques.”
As an example, the practice of using device-related characteristics plus a unique voiceprint and continually validating identity in the background of a live call has a better chance of detecting a voice clone vs. relying on a single spoken passphrase for verification.
Fighting Fraud While Remaining Friendly
One interesting takeaway is that those surveyed in the Gartner report mentioned preferring passive to active methods of fraud prevention. This preference highlights concerns over the impact that tightened security has on consumers when it places unwanted hurdles in the path of account holders. This means credit unions and banks are faced with a digital war on two fronts, combating identity theft while also fighting against added friction in the user experience.
Want to learn how Illuma is working to combat all forms of identity fraud in banking contact centers and staying ahead of deepfake threats? Contact our team today.