THE STATE OF PHONE FRAUD 2014-2015 A GLOBAL, CROSS ...info.pindropsecurity.com/rs/.../Pindrop-Phone-Fraud... · PHONE FRAUD REPORT Attackers’ Favorite Products Though the rate of

THE STATE OF PHONE FRAUD 2014-2015

A GLOBAL, CROSS-INDUSTRY THREAT

Executive Summary...................................................................

Introduction.................................................................................

A Global Threat..........................................................................

Fraud Rates Within And Across Borders

Phone Fraud in Developing Countries

Fraud Targets: Who Is At Risk?.................................................

Financial Institutions

Retail & E-Retail

Consumers

Cross-Industry Fraud

The Bottom Line: What Is At Risk?............................................

What is Fraud Exposure?

Fraud Exposure In Financial Institutions

Fraud Exposure In Retail

Consumer Fraud Losses

Conclusion.................................................................................

Methodology...............................................................................

About Pindrop Security...............................................................

About Pindrop Labs...................................................................

3

4

4

4

6

7

7

7

8

10

11

11

11

13

13

14

14

16

16

TABLE OF CONTENTS

PINDROPSECURITY.COM | 404.721.3767

WHITE PAPER

EXECUTIVE SUMMARY

Phone fraud is a multi-million dollar industry that crosses international and industry borders. Attackers target call centers, as well as consumers, in attempts to gain access to funds, steal merchandise, and phish for identities. Phone fraud is now so prevalent that the average enterprise call center is exposing more than $9 million each year to fraud. This does not include the damage that fraud and other security breaches can have on the reputation of an enterprise.

Pindrop Security reviewed phone fraud activity affecting financial institutions, retailers, and consumers between 2014-2015 to understand the frequency of attacks and the potential consequences of fraud. This report provides a unique view into the risk facing call centers and international consumers.

KEY FINDINGS:

Phone fraud crosses international borders, enterprises, and industries• Across financial and retail institutions, 1 in every 2,200 calls is fraud, an increase

of more than 30 percent since 2013.• Rates of phone fraud are similar across economically developed countries,

regardless of security regulations and legislation in place.• Phone channel assailants use multi-pronged attacks, targeting consumers,

retailers, and financial institutions simultaneously.

Phone fraud poses a significant fiscal risk to financial institutions• Credit card issuers face the highest rate of fraud calls, with 1 fraud call per every

900 calls.• On average, financial institutions risk exposing an average of $7-15 million to

phone fraud per institution.• When attackers are able to pass knowledge-based authentication (e.g., personal

security questions), financial institutions risk major monetary losses, as well as regulatory compliance and privacy issues.

Attackers are using robodialers to increase efficiency in targeting consumers• 1 in 6 phone numbers calling a consumer is a robocaller.• 2.5 percent of U.S. phones receive at least one robocall every week.• More than 86.2 million calls per month in the U.S. are phone scams.

3 PINDROPSECURITY.COM | 404.721.3767

PHONE FRAUD REPORT

Phone fraud is a multi-million dollar industry that crosses international and industry borders. Since 2013, the rate of phone fraud has increased over 30 percent, from 1 in 2,900 calls to 1 in 2,200 calls.

A GLOBAL THREATFraud Rates Within and Across Borders

Pindrop Security’s analysis shows that phone fraud rates are essentially the same in all major economically developed countries, especially the U.S. and U.K. Considering the U.K.’s strict privacy and security regulations, including the broader European Union’s Data Protection Directive, one might expect to see a reduced phone fraud rate. However, the similarity in the rates of U.S. versus U.K. phone fraud highlights the shortcomings in call center authentication technology, which is essentially the same across the world.

Phone channel attackers are not bound by geography. In fact, 64 percent of fraud calls originate in a country other than the country of the attack target. Attackers call across international borders at 10x the rate of legitimate callers. Spoofing technology allows attackers to hide their true automatic number identification (ANI) and appear as a local call on Caller ID. This contributes to the preponderance of international fraud calls.

INTRODUCTION


PHONE FRAUD REPORT

FIGURE 1: International vs. Domestic Fraud and Non-Fraud Calls


PHONE FRAUD REPORT

0% 20% 40% 60% 80% 100%

Fraud Calls Domestic International

Non-Fraud Calls Domestic Int.

Another factor in the increase in international fraud calls is Voice over IP (VoIP) calling. VoIP has minimized or eliminated the cost of phone calls, both domestic and international. There is evidence to suggest that VoIP service is easier to steal than other kinds of telephony services as well. Attackers take advantage of cheap, free, and stolen VoIP, using it at a much higher rate than the general public. They use VoIP lines for 53 percent of their calls, compared to 7.8 percent of the general public.

FIGURE 2: Device Type in Fraud vs. Non-Fraud Calls

0% 20% 40% 60% 80% 100%

Non-Fraud Calls Cell VoIPLandline

Fraud Calls Cell Landline VoIP

Fraud Device Type Trends

Attackers have been using VoIP as their preferred calling method for at least the past five years. Meanwhile, fraud calls originating on mobile devices have been rising steadily since 2011, surpassing landline fraud to become the second most popular fraud device type. This trend mimics the rising use of mobile phones over landlines for the general public.

Phone Fraud In Developing Countries

In comparison to economically developed countries, phone fraud statistics are much different in developing countries. The overall phone fraud rate is markedly lower in developing countries, and the phone fraud that does occur is more local in origin. There are several reasons that could contribute to this difference:

• Language – In countries with a less-common language, call centers experience more localized fraud. International attackers are most likely to attack English-speaking countries.

• Account Value – Accounts in developing countries generally have lower account balances than those in economically developed countries. Attackers tend to target high-value accounts to get the most return for their efforts.

• Information Availability – In economically developed countries, attackers can search social media and other Internet sites for information to socially engineer or impersonate account holders. In addition, the population of economically developed countries is more likely to use a credit card or e-payment method that can be easily stolen and sold on the black market. Countries with lower rates of Internet accessibility, or more cash payment systems experience less phone fraud.


PHONE FRAUD REPORT

FIGURE 3: Mobile Phone Use In Fraud and Non-Fraud Calls

Fraud Calls

Non-Fraud Calls

0%

20%

40%

10%

30%

50%

2011

2012

2013

2014

2015

Also contributing toward this trend is the use of cheap “burner phones.” These prepaid mobile phones are replaced frequently to avoid leaving a trail of evidence by the attacker.

FRAUD TARGETS: WHO IS AT RISK?

Financial Institutions

Banks, brokerages, and other financial institutions are perennially attractive targets for phone fraud. These entities offer the most direct route for attackers to profit because they deal with money directly. Yet, different types of financial institutions experience different rates of phone fraud. Banks report a fraud call rate of 1 in every 2,650 calls. Brokerages report slightly less, with only 1 in 3,000 calls being fraud. Card issuers, however, experience phone fraud at nearly 3x the rate of other financial institutions, reporting 1 fraud call for every 900 calls.


PHONE FRAUD REPORT

.02%

.10%

.08%

.06%

.04%

.12%

Banks Brokerages Credit Cards

FIGURE 4: Fraud Rates By Financial Institution Type

The higher rate of phone fraud for card issuers can be attributed to the fact that credit cards are one of the most common ways for the public to complete transactions, and thus card numbers are at greater risk for theft. Compared to credit card numbers, banking or brokerage account numbers are less widely distributed. The less an account number is distributed across channels, the less likely it is to be at risk for fraud.

Retail & E-Retail

Though not quite as high as card issuers, retailers and e-retailers experience phone fraud at higher rates than other industries. Retailers report 1 fraud call per 1,000 calls.

Retailers face a specific type of phone fraud, known as “chargeback” fraud. Chargebacks occur when an attacker places an order using a stolen credit card. When the cardholder sees the fraudulent charge, he or she disputes the charge with the credit card issuer

and receives a refund. By this time, the merchant has often shipped the product to the attacker, ultimately losing the cost of the merchandise as well as the associated shipping and administrative costs.

Retailers walk a fine line in screening for potential chargeback fraud. If they receive too many chargebacks, payment processors deem them high risk and charge increased transaction fees. However, retailers who refuse suspicious orders risk alienating legitimate customers.


PHONE FRAUD REPORT

Attackers’ Favorite Products

Though the rate of phone fraud for most retailers is 1 in 1,000 calls, that number changes drastically for certain product lines. Popular, expensive products that are easy to resell see much higher rates of phone fraud. Smartphones and Apple products are among the most popular retail goods targeted by attackers.

Consumers Attackers don’t limit themselves to targeting enterprise call centers. Another lucrative path is to target consumers directly. Consumer phone scams are a growing problem and have gotten more publicity as scams, such as those spoofing the IRS and Microsoft Technical Support, have received global press coverage. More than 36 million calls per month in the U.S. can be traced to one of the 25 most popular phone scams, but Pindrop has found that there are more than 86.2 million scam calls total each month.

Consumer phone scams rely on attackers casting a wide net and hoping to catch someone who is not informed of a current scam, or someone who is otherwise vulnerable (e.g., the elderly, recent immigrants, young college students, etc.). One of the most common ways attackers cast their wide net is to utilize cheap robocalling services. Some attackers use messages promising prizes, trips, free money, or other goods and services to entice consumers to call back and interact. Other fraud tactics include using threatening messages, telling consumers they are behind on taxes, have missed jury duty, or are in jeopardy of being deported.

Pindrop research shows that 1 in 6 phone numbers calling the average consumer is a robocaller. Furthermore, 2.5 percent of U.S. phones (8.1 million in total) receive at least 1 robocall per week.


PHONE FRAUD REPORT

FIGURE 5: Most Popular Phone Scams by Avg. Monthly Call Volume

2M

4M

1M

3M

5M

IRS S

cam

Tech

Support

Payday L

oans

Auto In

sura

nceVer

izon

6M

8M

7M

9M

Bank Sca

ms

Gift Card

s

Govern

men

t Gra

nts

Home S

ecurit

y Sys

tem

s

Politica

l Surv

ey

Auto W

arranty

Craigs

list S

cam

Canadian Pharmacie

s

Studen

t Loans

What Is Spoofing?

Spoofing is the practice of manipulating the phone network to hide a true caller ID or ANI. Attackers manipulate their Caller ID data to display the phone numbers of people or organizations they wish to impersonate. One of the most popular consumer phone scams involves spoofing a financial institution to phish for personal information. In the past six months, Pindrop has found over 330,000 complaints related to spoofing financial institutions.

Cross-Industry Fraud

Phone channel attackers rarely limit their targets to a single institution, industry, or consumer. Attackers use every piece of data they can find to put together sophisticated, multi-pronged phone channel attacks. Many attacks are not looking for money directly, but rather are phishing for information needed to successfully impersonate a consumer or institution.

For example, an attacker may call a consumer and impersonate a financial services company, claiming to be able to negotiate for lower rates on credit card debt. In the past six months, Pindrop has found over 330,000 complaints about this scam alone. This attacker doesn’t ask the consumer for money. Instead, he or she will ask for account numbers, passwords, social security numbers, etc. The attacker can then call the credit card issuer and pass the knowledge-based authentication (KBA) for the credit card account using the information gleaned from the consumer phone call, leading to a complete account takeover.

As another example, a retailer might experience a point-of-sale (PoS) system data breach, like those reported to have affected Home Depot and Target in 2014. Phone channel attackers are buying information from those breaches in online black markets and using it to perform phone fraud on banks and consumers.1


PHONE FRAUD REPORT

Phone Fraud & The IRS

In 2014-2015, reports of the IRS phone scam skyrocketed. Attackers impersonate IRS agents over the phone, telling taxpayers they are under investigation for tax fraud. They threaten victims with arrest if they don’t immediately pay. Federal authorities claim this is the largest IRS scam they’ve ever seen – swindling consumers out of more than $15 million in the past two years. The U.S. Treasury estimates the thieves have successfully victimized more than 3,000 people, with the average victim losing $5,000. Pindrop tracks IRS Scam complaints, and has found that the scam spiked in February of this year, just as tax season was beginning.

0

40,000

80,000

20,000

60,000

Dec-14

Jan-15Fe

b-15M

ar-15

Apr-15

FIGURE 6: IRS Scam Complaints By Month

Krebs on Security, “In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud,” September 2014.

1


PHONE FRAUD REPORT

FIGURE 7: Cross-Industry Fraud Example

THE BOTTOM LINE: WHAT IS AT RISK?

What is Fraud Exposure?

When attackers are able to get past initial authentication, the entire value of the account is “exposed.” It is exposed not only to simple theft, but also to non-monetary attacks like account takeovers and social engineering. In addition, these accounts are exposed to regulatory privacy breaches.

Fraud Exposure in Financial Institutions

Fraud exposure is different than actual fraud claims or fraud losses. An attacker who impersonates a financial institution’s customer over the phone and passes KBA processes may have access to an account worth $10,000 (the fraud exposure), but the attacker will often only try to move only a fraction of the money to avoid a potential auto-alert system or consumer realization. Attackers understand that higher-value transactions trigger enhanced authentication challenges. The amount of money that is reported stolen is known as the fraud claim. After a fraudulent transaction has been initiated, depending on the type, institutions may be able to reverse all or part of the transaction. Only the final net loss is considered the fraud loss.

CONSUMERRETAILER

FINANCIALINSTITUTION

Attacker impersonates bank to phish for account numbers

Retail data breach leads to account takeover attempts

Attackers use stolen consumer credit cards to place fraudulent retail orders


PHONE FRAUD REPORT

Few financial institutions are able to accurately measure losses to phone fraud because they simply do not tie fraud activity back to the phone channel. There are multiple levels of authentication and regulation involved in any transaction, and tracking losses as far back as the phone channel can be difficult. Furthermore, institutions that are already using Pindrop PhoneprintingTM solutions experience very little actual loss. Therefore, in this report, Pindrop measured and reported on fraud exposure.

FIGURE 8: Fraud Exposure

FRAUD EXPOSURE

FRAUD CLAIM

FRAUD LOSS

The total value of the account to which the attacker gains access

The amount of money the attacker moves out of an account

The amount of money a bank or financial institution is unable to recover following an attack

The amount of fraud exposure varies according to the type of financial institution. Attackers are highly attuned to the account values at an institution. Higher account values mean more lucrative targets. Brokerages, which often hold the highest account values, lead with $15 million fraud exposure per institution annually. Credit card issuers see the second largest fraud exposure at $11 million annually, and banks the lowest at $7.6 million.

FIGURE 9: Fraud Exposure By Financial Institution Type

5M

20M

15M

10M

Banks Brokerages Credit Cards


Fraud Exposure, Orders, and Losses in Retail

In the retail industry, it is slightly easier to measure the financial implications of phone fraud. In these scenarios, instead of gaining access to money in an account, attackers target material goods by placing phone orders. Here, the exposure risk is equal to the limit an attacker can place on the stolen credit card, or the amount of credit a store is willing to allow to a caller. On average, retail call centers expose $2.40 to fraud per incoming call. Few attackers attempt to “max out” their credit, as these orders would be extremely suspicious to call center representatives. Therefore, retailers report the equivalent of $0.65 in actual fraudulent orders per call.

One point that separates retailers from financial institutions is that retailers typically have a period of time between taking a fraudulent phone order and actually shipping the product. This gives them time to investigate and sometimes cancel suspicious orders. For this reason, retailers’ actual fraud loss per call is closer to $0.17.

PHONE FRAUD REPORT

FIGURE 10: Fraud Exposure Per Call in Retail Call Centers

$2.40

$0.65

$0.17

Fraud Exposure

Fraud Claim

Fraud Loss

Consumer Fraud Losses

Consumer fraud losses are nearly impossible to identify. This is because comparatively few consumers admit to losing money in a scam and many do not even realize that they have been scammed. When the average consumer takes a call from an attacker, their fraud exposure is only limited by the amount in their own bank accounts or credit. A 2014 survey found 17.6 million Americans lost $8.6 billion to phone fraud2. The average reported loss was $489.

BGR, “Phone scams cost Americans $8.6 billion last year - here’s how to protect yourself,” August 2014

2

PHONE FRAUD REPORT

CONCLUSION

Fraud in the phone channel poses a significant risk to financial institutions, retailers, and consumers globally. Criminals are launching sophisticated, cross-industry attacks and are highly attuned to the account value.

Over the next year, as the U.S. moves to chip-and-signature card protocols, card-present fraud will become more difficult. As such, Pindrop expects attackers to shift more attention to the phone channel, which is traditionally the least protected of the card-not-present (CNP) channels. Call centers should begin preparing now for the increasing rate of attacks.

As a first step in combating phone fraud, financial institutions and retailers should begin measuring fraud losses that can be connected to the phone channel. This helps businesses understand the true extent of their problem. In looking for solutions, Pindrop recommends that financial institutions and retailers implement fraud detection solutions that maximize their return on investment by selecting technology that is versatile and widely effective. The technology should be usable on every call, regardless of call quality, previous enrollment or lack of voice content. It should be highly accurate, regardless of obfuscation such as voice distortion, background noise, packet loss, or other common issues. Fraud detection technology should leverage multiple data sources, both other enterprises as well as third parties and law enforcement. This combination of requirements presents the best solution available.

METHODOLOGY

PhoneprintingTM

Pindrop Security’s patented Phoneprinting technology analyzes the audio content of a phone call. Phoneprinting measures 147 characteristics of the audio signal in order to form a unique fingerprint for the call. This information provides an unprecedented level of insight into the phone channel. For this report, Pindrop analyzed millions of calls globally, using Phoneprinting to dissect the details of attacker techniques and behavior.



PHONE FRAUD REPORT

PhoneypotTM

The Pindrop Phoneypot is a large-scale “telephony honeypot” that allows researchers to collect data from millions of calls to unlisted numbers. Pindrop uses the phoneypot to detect calling patterns for unwanted callers, such as robocallers, debt collectors, and telemarketers. This provides researchers with additional understanding of telephony abuse and attack patterns.

Topic Modeler

Pindrop collects phone scam complaint data using Topic Modeler, a proprietary online complaint collection tool. This tool aggregates data on suspicious numbers from hundreds of complaint sites, online communities, and Web forums in order to determine the types of scams affecting consumers, as well as the volume of those scams. Monitoring online complaints gives researchers access to a wealth of information: fraudulent phone numbers and ANIs, date and time of complaints, and the text content of the complaint itself.


PHONE FRAUD REPORT

ABOUT PINDROP SECURITY

Pindrop Security, headquartered in Atlanta, Ga., is a privately-held company that provides enterprise solutions to secure phone and voice communications. Pindrop solutions reduce fraud losses and authentication expense for some of the largest banks, brokerages and retailers in the world. Pindrop’s patented Phoneprinting technology can identify, locate and authenticate phone devices uniquely just from the call audio thereby detecting fraudulent calls as well as verifying legitimate callers. Named SC Magazine 2013 Rookie Security Company of the Year, a Gartner “Cool Vendor” in Enterprise Unified Communications and Network Services for 2012 and one of the 10 Most Innovative Companies at the 2012 RSA conference, Pindrop Security’s solutions restore enterprises’ confidence in the security of phone-based transactions.

ABOUT PINDROP LABS

Pindrop Labs is focused on threats and vulnerabilities in the audio and telecommunications realms. This area, traditionally neglected from a security perspective, is increasingly favored by attackers for reconnaissance, exploitation, account takeover, and other attacks. Pindrop Labs’ research falls into two main areas: phone fraud prevention and securing the increasingly ubiquitous voice interface. Phone fraud prevention includes security for call centers, telecommunications infrastructure, and phone-reliant systems, organizations, and consumers. Securing voice interfaces includes providing authentication, threat detection, and fraud prevention for voice-enabled infrastructure.

ContributorsMatt Garland, David Dewey, Raj Bandyopadhyay,Cesar Gonzalez-Flores, and Valerie Bradford

THE STATE OF PHONE FRAUD 2014-2015 A GLOBAL, CROSS ...info.pindropsecurity.com/rs/.../Pindrop-Phone-Fraud... · PHONE FRAUD REPORT Attackers’ Favorite Products Though the rate of

Documents