Computer fraud may be a big problem for banks today, but the telephone is becoming a critical tool for fraudsters, bank executives say.
In addition to calling customers about suspicious transactions, banks use SMS (Short Message Service) to request that customers contact them. So, fraudsters have begun using a variety of techniques to try to trick the banks into thinking they're communicating with legitimate customers via the telephone. "Call-center authentication is, to me, the biggest pain point right now," said Stan Szwalbenest, remote channel risk director with JP Morgan Chase, speaking at the RSA conference in San Francisco this week.
Malware, phishing and cyberattacks may get talked about, but "we should never fool ourselves into thinking that's the only place [crime is happening]," he said. "The biggest risks I see are social engineering, and that's exactly how the crooks are getting in."
Social-engineering attacks occur when fraudsters trick bank customers or employees into divulging sensitive information, usually by pretending to be someone they are not.
Sometimes fraudsters will hack into a bank account and change the customer's contact phone number. Then, when a suspicious transaction posts to the account, the bank will call the fraudster instead of the customer.
In cybercrime forums there's even a job title for people who do this: confirmer. "There are companies that specialize in it," said David Shroyer, senior vice president for online security and enrollment with Bank of America. Fraudsters will sell the services of people who have the language skills to mimic legitimate customers, offering, for example, four males and six females who speak English, one with a Spanish accent. "They say, 'We can match the phone number where your real customer is calling from,' " he said.
In another scam, criminals activate automatic call-forwarding features to essentially take over their victim's telephone lines for a period of time.
"They're adapting to our adoption of different technology and different authentication methods," Shroyer said.
Large banks like JP Morgan have been working with telecommunication companies to be able to identify spoofed calls, and with a recent rash of so-called swatting attacks, where hackers call 911 from spoofed numbers to trick police into sending out emergency response teams, the U.S. Federal Communicaions Commission has recently taken a greater interest in call spoofing, Szwalbenest said.
Criminals are also using low-cost, corporate-grade telephone systems to run their automated call centers. They will call, e-mail and send SMSes to victims telling them to call phoney numbers in hopes that victims will think they're calling a real bank and provide account numbers and passwords.
This technique has lately been labeled "vishing." But in reality it has been used by con artists for decades, Szwalbenest said. "It's social engineering. That's all it is," he said. "It's been around for a long time." Consumers should be suspicious of "every call," he said.