Criminals looking to commit phone fraud now have it easier than ever with the emergence of highly organized services for fraudulent phone calls in various languages and caller ID spoofing, according to researchers at RSA's FraudAction Research Lab.
To complete a fraudulent transaction, such as changing a mailing address on a credit card or confirming a large online banking transaction, a criminal can simply place an order at what RSA calls
They can also customize spoofed phone numbers for the state where the victim lives, call during business hours in both the U.S. and Europe, and pose as the real account holder in accepting incoming calls, according to researchers at Bedford, Mass.-based RSA, the security division of EMC Corp.
"They really upped the ante," said Joram Borenstein, senior product marketing manager in RSA's identity and access assurance group. "They're now offering the ability to have different languages, different age ranges and different genders."
In the past, phone fraudsters might post a message online to find another fraudster who could speak the victim's language, according to RSA researchers. Such "confirmer services" have evolved into one-stop shops, some with their own websites, for criminals to order fraudulent phone calls to banks, shipping companies and merchants.
Phone fraud has been around for a long time, but in the last 18 months RSA has seen it become more customized, Borenstein said.
"Criminals have recognized that to conduct high-value or high-risk financial transactions with financial institutions around the world, there often is a call center element involved," he said. "It might be confirming a large credit card purchase, changing a billing or mailing address or confirming a transaction in the online banking session for a large wire transfer."
Phone call fraud is a growing percentage of banks' overall fraud problem, Borenstein said. Over the past two to four years, financial institutions have worked hard to lock down their online portals, but the call center was something of an afterthought in terms of security.
Banks are taking a number of steps to deal with the problem of phone fraud, including authenticating the caller using Automatic Number Identification (ANI), conducting deeper analysis of transactions and comparing them to transactions in other channels at the bank, he said.
They're also employing knowledge-based authentication, which goes beyond common identifiers such as mother's maiden name, he said. It typically involves a question-and-answer exchange that authenticates a user based on knowledge of personal data, such as previous addresses and cities of birth.