The expert view: Fraudsters targeting call centre workers in social engineering attacks

"People from other parts of the business often don't believe us when we tell them what fraudsters will do. They just don't imagine that anyone would ever do such things," said an attendee at a recent Business Reporter breakfast briefing on preventing call centre fraud in the banking sector.

Mandip Shergill of Genesys, sponsors of the event, asked attendees - mostly senior executives at major international banks - what kind of threats they were seeing and how prepared they were to deal with them. The picture that emerged from the discussion, held under Chatham House rules, was bleak. Threats have been proliferating and many prevention methods are broken or insecure.

The most prominent attack mentioned at the briefing was the social engineering of call centre staff. Some attackers pretended to be forgetful or stressed to trick the call handler into helping them answer a security question. Others took the opposite tack and were aggressive, intimidating call centre staff and threatening to complain about the service they have received.

"It's very hard for call centre workers to deal with," said one attendee. "Do they treat a caller like a customer or a potential fraudster? We want them to treat callers as customers but the fraudsters exploit that."

Sometimes caller ID can tell the agent that a caller is not where they claim to be and technology exists that can alert an agent when a call comes from a suspect device, but pretty much every defensive method can be worked around or broken by a fraudster who is determined enough.

"Most of the data we use for verifying identity is compromised now, too," said an attendee. Fraudsters have become quite adept at gathering crucial information, including answers to common security questions such as mother's maiden name, from other sources - utilities companies are often less security conscious than banks, for example.

Furthermore, attendees were disappointed in how easy it was for fraudsters to acquire genuine forms of identification. Driving licenses, for example, are relatively easy to obtain for someone who is determined enough.

Asked whether loss prevention or brand protection was a bigger motivation to deal with fraud, most attendees said that customer protection was actually the main driver. “It’s a very frightening experience for the customer,” one said.

While attendees said that they were doing the best they can, all agreed that there were limits to what can be done. The most organised fraudsters have entire call centres, filled with people paid to call banks and attempt to defraud them. The call centre employees were told that it’s a victimless crime and it seems that police and governments often feel that way too.

Some felt that very little progress will be made unless customers lobby the government for change. “Until people are losing their own money, I don’t think things will change. Perhaps they would lobby the government if their money was being lost,” a delegate said.

Law enforcement agencies often don’t want to deal with fraud perpetrated against banks and frequently the fraudsters are in a jurisdiction where they cannot be reached by law enforcement in
any case. “The police are a few steps behind us in tackling the latest threats. We see these things before they do,” said an attendee.

Increased layers of security checks were only a temporary solution – fraudsters can find a way round them all eventually – but that was what most banks are relying on for the moment. “I don’t think customers mind the friction of security checks,” a delegate said. “It reassures them that we take their security seriously.”

One option that appealed to attendees is a data privacy exemption exclusively for the prevention of fraud. Presently, it’s very hard to thoroughly check a caller’s credentials because data protection laws strictly control where data can be stored and how it can be used. With the introduction of GDPR (the General Data Protection Regulation) next year, those controls will become tighter still.

However, most attendees felt that real change could only be achieved with a new, stronger identification standard. The best option for this would be a government-mandated system, though most attendees recognised that there has typically been reluctance in Britain to have a national identity card or something similar.

Nevertheless, one attendee pointed out that such a system is in place in the Nordic countries and they were among the world leaders in tackling fraud. If governments are unwilling to step in, then perhaps banks should create their own ID system, one attendee suggested. Though, of course, obtaining one would require people to verify their identity, which might well mean them presenting other forms of ID that are not secure.

The problem is a difficult one and not something that anyone felt confident could be solved in the short term.

Shares