As advances in cyber-security are making it harder to break into banking websites, many sophisticated criminals are returning to an outdated technology exploit: telephone fraud.
Researchers at Pindrop Security in Atlanta have discovered a resurgence in bogus calls to large U.S. banks, telecommunications companies and state benefits providers seeking to steal money and information. The company, which makes anti-fraud software for call centers, examined the metadata and recordings of 105 million calls. Pindrop, which shared its findings with Bloomberg.com, said one out of every 2,900 calls was fraudulent.
More than half of all the fraudulent calls were international. Nigeria was "far and away" the highest risk of all countries, according to Pindrop Chief Executive Officer Vijay Balasubramaniyan. Other hot spots were in Eastern Europe, particularly in Romania and Russia; Latin America, primarily in Mexico and Colombia; and Southeast Asia, where Filipinos are well-versed in the art of call-center manipulation.
The amount of fraud committed over the phone is skyrocketing in some countries. At one financial institution in Latin America, just 2 percent of fraud attempts were by phone last year. So far this year, it's close to 70 percent, according to Balasubramaniyan.
Within the call logs were some fascinating trends, which Pindrop plans to present on Aug. 7 at the Black Hat hacking conference. Like anything, stealing money by phone takes practice and determination. Some of the fraudsters' tactics would be laughable if they weren't so effective. Here are five techniques commonly employed by criminals who are gaming the system.
Vocal Range: Easy-to-use voice-distortion programs are a favorite of advanced phone fraudsters, according to Pindrop's CEO. Even when they make the caller sound ridiculous, they are highly effective. That's because call-center operators are trained to focus more on whether callers answer security-challenge questions correctly, rather than how they sound. A little audible deception is often enough, but some criminals take the technology too far. Men sometimes make themselves sound like Alvin the Chipmunk when trying to break into women's accounts, and some women use Darth Vader filters for male subjects, Balasubramaniyan said. One fraudster even pretended to be two people: a medical aide and a person suffering from throat cancer who used a voice box.
Persistence: This is the hallmark of advanced phone fraudster-ism. Hackers will ring call centers multiple times seeking to extract a small piece of information each time about target accounts. One was so brazen that when the operator asked for his mother's maiden name, the caller said his dad had married twice, so he needed three guesses. He then went through the list of popular maiden names, and Smith was the one that unlocked the account. That opened the door for a $97,000 wire transfer into the criminal's bank account.
Hacking Ability: Phone criminals are also increasingly bypassing humans altogether. Their software dials into companies' automated customer-support lines and tries to figure out PIN codes and Social Security numbers by entering different combinations over and over. They sometimes have multiple computers doing the same thing at once against the same account. There are downsides to this approach. Some call centers have implemented tools that measure the time intervals between each number being entered and block attempts that don't seem to be human, much like websites do to block data-mining attempts. And technology can often be thwarted by simply picking up the phone. One fraudster who was overseeing an automated operation against multiple banks once got a live operator, got confused about which bank she was calling and had to abandon the effort, according to Balasubramaniyan.
Manipulative: Criminals will often come off as extremely angry (or overly affectionate) to get what they want. Some will flirt with operators, complimenting them on their voices. Others unleash fury on unsuspecting operators. One fraudster the research team nicknamed "the mad Russian" would scream at call-center agents and, in one case, intimidated an agent into reading off every transaction in the target account. He later used the information in a future call to validate the mark's identity and break into the account, according to Balasubramaniyan.
Diligence: The most money the research team identified as stolen was $700,000 that one criminal had wired out of a home-equity line of credit and into his account, according to Balasubramaniyan. The caller appeared to be an advanced attacker and had done extensive research on a wealthy target. He took pains to sound annoyed when an operator asked him for his address from years ago, before he got married, and on the call, he can be heard flipping through pages to find the right answer, Balasubramaniyan said.
None of these tactics are unbeatable, Pindrop's CEO said. Hackers begin leaving clues months in advance of an attack. For example, companies with automated systems typically find a lot of quick calls that aren't completed, which should flag those accounts, he said.
An even simpler solution involves injecting a bit of pop culture into the work day: Call center agents should be on alert for anyone who sounds like a villain from "Star Wars" or a Saturday morning cartoon character.
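The two automated-line clues described above (keypress timing that doesn't look human, and accounts that collect many quick, uncompleted calls) can be checked over call records as in the following added example, which is not Pindrop's code; the record layout, account names and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (account, call_seconds, completed, keypress times in s)
CALLS = [
    ("acct-1001", 95, True,  [0.0, 0.62, 1.10, 1.95, 2.41, 3.30]),  # ordinary caller
    ("acct-2002", 8,  False, [0.0, 0.20, 0.40, 0.60]),
    ("acct-2002", 7,  False, [0.0, 0.25, 0.50, 0.75]),
    ("acct-2002", 9,  False, [0.0, 0.20, 0.40, 0.60]),
    ("acct-3003", 12, False, [0.0, 0.70, 1.10, 2.00]),               # one human hang-up
    ("acct-4004", 60, True,  [0.0, 0.30, 0.60, 0.90, 1.20]),
]

def looks_automated(key_times, min_keys=4, max_cv=0.10):
    """True when the gaps between keypresses are too regular to be a person.

    Uses the coefficient of variation (stdev / mean) of the gaps; the 0.10
    cut-off is an assumed value that would need tuning on real traffic.
    """
    if len(key_times) < min_keys:
        return False  # too few keys to judge
    gaps = [b - a for a, b in zip(key_times, key_times[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return True  # simultaneous keypresses cannot be typed by hand
    return pstdev(gaps) / avg < max_cv

def flag_accounts(calls, short_secs=15, short_call_limit=3):
    """Return {account: [reasons]} for accounts that should be reviewed."""
    short = defaultdict(int)    # quick calls that were never completed
    robotic = defaultdict(int)  # calls with machine-like keying
    for account, seconds, completed, key_times in calls:
        if not completed and seconds <= short_secs:
            short[account] += 1
        if looks_automated(key_times):
            robotic[account] += 1
    flagged = {}
    for account in sorted(set(short) | set(robotic)):
        reasons = []
        if short[account] >= short_call_limit:
            reasons.append("short_incomplete_calls")
        if robotic[account] >= 1:
            reasons.append("machine_like_keying")
        if reasons:
            flagged[account] = reasons
    return flagged

if __name__ == "__main__":
    for account, reasons in flag_accounts(CALLS).items():
        print(account, ", ".join(reasons))
```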