Emerging ATO Tactic: Call Center Scams – Part 1

This blog post is part one of a two-part series that explains how fraudsters are targeting financial institution call centers to commit ATO fraud. The series also highlights some of the security processes many financial institutions have put in place to prevent fraud via the call center and what’s still missing.

Account takeover (ATO) fraud, where a fraudster takes over an account using an account holder’s online credential, is one of the online fraud types on the rise for financial institutions. Financial institutions are fighting traditional ATO fraud with technological tools such as two-factor authorization (2FA), multi-factor identification, and machine learning models.

These defensive measures have led to a change in tactics for fraudsters- many fraudsters are now setting their sights on financial institution call centers to commit ATO fraud.

An Increasingly Popular Target for Fraudsters

Customer call centers are an increasingly popular target for fraudsters. According to a Pindrop infographic (based on a report from Aite Group), 61% of fraud in the U.S. can be traced back to call centers, and contact center loss is expected to increase from $393M in 2015 to $775M in 2020.

The number of fraudsters targeting financial institution call centers is increasing for many reasons. One reason is that the rollout of EMV technology has severely hindered the ability for scammers to duplicate cards used at brick and mortar stores. The rising use of cards with EMV chips has caused fraudsters to look for new ways to steal credit card numbers and bank account balances. Another reason more fraudsters are targeting financial institution call centers is that call center security measures tend to be far weaker than the security measures for web and mobile financial applications.

One of the biggest reasons fraudsters are targeting call centers to commit ATO fraud is that the fraud is difficult to detect not only at the time of the call but also once the scammer has taken over the account.

ATO Fraud via Call Center is Difficult to Detect

One of the most common things a fraudster will do is ask a CSR to send a credit card to a different address right away. The scammer may tell the CSR that they are traveling and that they lost their credit card. Or the scammer could tell the CSR that their house burnt down, and they lost everything including their credit card– the CSR needs to send a new card to the hotel right away.

Another common thing for the fraudster to do is ask the CSR to add a secondary person to the account. Sometimes fraudsters will add a secondary person to numerous accounts to build up a credit history so that the accounts become legitimized and harder for the institutions to detect upcoming fraud.

ATO fraud, in general, is difficult to detect because fraudsters often take over many accounts but will then do nothing with those accounts for an extended period. And all that time the legitimate primary account holders have no idea scammers have commandeered their accounts. When a fraudster adds a secondary person to a bunch of sleeper accounts, they will often one day decide to bust out and use all the accounts at once. When the fraudster is done with all the accounts, they do not have to maintain any connection with them. The fraudster then disappears, and since most of the information is based on the primary account holder, it is difficult to identify and catch the fraudster.

A Multi-Layered Approach

In the next post of the series, we explain the approaches financial institutions are taking to try to prevent ATO fraud via the call center and some of their pitfalls.