Criminals are increasingly spoofing caller ID using VoIP apps including Skype or Google Voice to hide their identity and location, according to a report released today by Pindrop Labs.
Call center fraud is rising at an astronomical rate, as technical weakness becomes one of the three key contributors to its rapid rise, according to the 2017 Call Center Fraud Report released today by Pindrop Labs.
Based on a review of more than 500 million calls last year, Pindrop found fraud rates soared 113% over the previous year. That has resulted in a fraud rate of 1 in 937 calls in 2016, compared to 1 in 2,000 calls in the previous year. And this problem has morphed from being a responsibility of the call center operations to one of IT security.
“When we first started the company [Pindrop]…, it was a call center operations headache. As the attacks have increased, losses continue to increase, and the phone is being used as part of a multichannel attack, the CISO is becoming more and more involved,” says David Dewey, director of Pindrop Labs.
One of the catalysts for this growth comes from attackers’ enhanced skill in social engineering to coax information, or inadvertent nefarious action, out of call center employees, as well as the discovery of new spoofing and voice distortion technologies to give criminals more options when using the phone, according to the report.
Additionally, as digital methods for pilfering information becomes harder to crack, fraudsters are moving onto the path of least resistance rather than get smarter in figuring out workarounds for these digital challenges, Dewey says.
“Reaching a call center and speaking with an agent provides the fraudster with an upper hand. A call center agent’s job is to provide quality customer service and not stop fraud,” he added.
The report identifies three key areas where call centers are particularly weak, one of which is technical.
“Caller ID Spoofing coincided with the advent and popularity of VoIP in the mid-2000s. We are seeing more and more fraudsters discover how easy this is to do and we expect this to continue to grow. Heck, there’s even an Android app out there that will spoof calls for you,” Dewey says.
With the advent of VoIP, users have access to the caller ID field and can set it to whatever they want, Dewey noted. This allows fraudsters, some with minimal technical skills, to be able to spoof their calls. In the case of Skype or Google Voice, the same Caller ID is applied to tens or hundreds of thousands of subscribers with the recipient having no idea who they are speaking too, Dewey explained.
When it comes to fraudsters who are developing software to reset pins, access accounts, etc., most interactive voice recognition (IVR) systems are available to the public and most go unprotected and unmonitored.
Going forward, Dewey noted new techniques and technologies are being tested by attackers.
“We are starting to see attacks where fraudsters are calling victims to record their voices and then using those recorded voices to pass as the real person,” he said. “On top of that, we are seeing technology that allows fraudsters to generate speech based on a minimal recording and use that to make statements that the person never originally said. Getting the audio of the victims is no longer a problem because so much exists on all of us in our social channels like Facebook Live, on Youtube, etc.”
Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s … View Full Bio