Voice Phishing Increases Risk of Account Takeover Fraud
Disruption caused by the COVID-19 pandemic fueled a substantial increase in account takeover fraud. One-third of financial institutions saw the frequency of account takeover attacks rise by more than 10 percent in 2020 compared with the pre-pandemic period.[1] Identity fraud losses increased by 42 percent[2] between 2019 and 2020.
Fraudsters had more opportunity to commit account takeover fraud because a greater number of consumers conducted business online. Sixty percent[3] of people report accessing more services online since the start of the pandemic.
To validate consumers’ identities for remote interactions, organizations frequently rely on one-time passcodes (OTPs) delivered by SMS (“text”) message or by automated callback. Multi-factor authentication based on OTPs stops automated bots and most bulk phishing, but it is markedly less effective against targeted attacks in which the attacker engages the victim directly.[4] Nearly 70 percent[5] of consumers used an SMS OTP to validate their identities when opening a new account in 2020.
Unfortunately, this increased reliance on OTPs may have helped fuel the rise in identity fraud over the same period. Fraudsters are succeeding at socially engineering consumers into reading out their OTPs during scam phone calls, a growing identity fraud vector known as voice phishing[i] (“vishing”). An SMS OTP proves only that whoever enters it was able to obtain the code; once a consumer has been talked into disclosing it, the code offers no more assurance than a stolen password. Because vishing exploits consumer trust rather than attacking technical controls, it slips past conventional fraud prevention measures, and organizations face millions in losses from fraud and customer attrition.
Traditional account takeover fraud defenses do not stop vishing
One of the more complex vishing schemes is the man-in-the-middle attack, in which a fraudster runs two parallel conversations, one with the business and one with its customer. The business believes it is dealing with the customer, and the customer believes they are talking to the business, but in reality the fraudster is interacting with both. The fraudster might start by triggering an OTP from a session on the business’s website, for example by beginning a login or a high-risk transaction against the customer’s account. The business then sends a genuine OTP to the customer’s phone. In parallel, posing as the business, the fraudster calls the unwitting customer and, using social engineering, persuades the individual to read back the code that has just arrived. Because the code really did come from the business, the call appears legitimate. The fraudster then enters the code into their own session, logs in to the customer’s account, and performs unauthorized transactions.
Organizations struggle to stop vishing for several reasons. Vishing looks “clean” within the telephone network: because the OTP genuinely reaches the consumer’s handset, the consumer’s phone shows no sign of the common phone takeover vectors, such as a SIM swap, unauthorized number reassignment, or call forwarding. Without those signals, organizations fall back on legacy step-up authentication and treat possession of the OTP as sufficient proof. When the fraudster enters the OTP obtained from the customer, conventional fraud-prevention solutions may not check for discrepancies between the device and behavior of the party entering the code and the consumer’s known offline, online, and device-based signals. Vishing attacks have resulted in over $450 million[6] in losses since 2014.
Account takeover fraud preys on consumer credulity
Several trends increase the likelihood of a vishing attack succeeding against a consumer. Due to years of data breaches and over-sharing on social media, fraudsters can easily collect consumers’ personally identifiable information (PII) before calling the customer, which makes vishing calls more credible. Three-quarters[7] of identity fraud scam victims report that scam callers used the victim’s personal information to build trust and extract additional data. The disruption and isolation caused by the COVID-19 pandemic appear to have aided fraudsters: victims were almost three times[8] as likely to give up their personal information in 2020 as in 2019. Phone calls figured in 31 percent[9] of consumer fraud reports to the Federal Trade Commission (FTC) in 2020, but the number of consumers who fall for phone fraud may be much higher, since only one in six[10] victims of phone fraud report their experiences to the FTC.
In addition to immediate financial loss, vishing inflicts long-term damage on organizations. Over two-thirds[11] of consumers hold organizations responsible for securing consumer information and accounts. Over 60 percent[12] of identity theft victims spend at least 11 hours dealing with the aftermath—30 percent of consumers spend over 100 hours—an experience that is bound to reflect poorly on the organization associated with the compromised account. Nearly 15 percent[13] of financial consumers close their accounts after an identity fraud incident, even if they are satisfied with the assistance provided by the related organization. If they are dissatisfied, as much as one half of consumers may take their business elsewhere.
The acceleration of digital adoption by consumers gives organizations a rare opportunity to acquire new customers and to realize the benefits of digital interactions with a larger share of current customers. Vishing turns this opportunity into a liability: an account takeover incident, whether via vishing or another vector, can drive consumers to competitors and amplify brand damage on social media. Organizations that do not mitigate vishing risk fraud losses, customer attrition, and reputational damage.
Enhance account takeover fraud defenses to combat vishing
For vishing to succeed, fraudsters need to reach consumers through a hard-to-trace means of placing calls. Those means, for example calls from unallocated numbers or from virtual call services, produce recognizable signals within the telephone network. If a number carrying those signals reaches a consumer’s phone, and an OTP for that consumer’s account is requested or submitted within the same short window, then additional precautions are warranted before granting access to the account, all the more so when the OTP is entered from a device the consumer has never used. This capability requires insight into the telephony network and into the interplay between consumers’ offline, online, and device-based signals.
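The correlation described in the preceding two sections, that a step-up or a hold is warranted when a risky caller reaches the consumer’s phone around the time an OTP is used, and that the device entering the OTP should be compared against the consumer’s known devices, as an added example. This is illustrative code written for this page, not a product’s implementation. It assumes a telephony-intelligence lookup that tags calling numbers as unallocated or as belonging to a virtual call service (modeled here as a constructed table, `NUMBER_SIGNALS`), a set of device fingerprints already associated with the consumer, and a 15-minute correlation window; the account names, phone numbers, device identifiers, events and thresholds are all constructed for the example.

```python
"""Correlate telephony signals with OTP submissions to flag a likely vishing relay.

Added example with constructed data. The number attributes are assumed to come
from a carrier-side / telephony-intelligence lookup; here they are a table.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed telephony-intelligence table. "unallocated": number not assigned
# to any subscriber; "virtual": VoIP / virtual call service. An empty set means
# an ordinary mobile subscriber.
NUMBER_SIGNALS: dict[str, set[str]] = {
    "+15550000101": {"unallocated"},
    "+15550000202": {"virtual"},
    "+15550000303": set(),
}
RISKY_SIGNALS = {"unallocated", "virtual"}


@dataclass(frozen=True)
class Call:
    at: datetime
    caller: str
    callee: str  # the consumer's phone number


@dataclass(frozen=True)
class OtpSubmission:
    at: datetime
    account: str
    device_id: str  # fingerprint of the web session that entered the code


@dataclass(frozen=True)
class Consumer:
    account: str
    phone: str
    known_devices: frozenset[str]


def risky_calls(consumer: Consumer, calls: list[Call], when: datetime, window: timedelta) -> list[Call]:
    """Calls to the consumer's phone from a risky number within `window` before `when`."""
    return [
        c for c in calls
        if c.callee == consumer.phone
        and when - window <= c.at <= when
        and NUMBER_SIGNALS.get(c.caller, set()) & RISKY_SIGNALS
    ]


def assess_otp_submission(consumer: Consumer, sub: OtpSubmission, calls: list[Call],
                          window: timedelta = timedelta(minutes=15)) -> tuple[str, list[str]]:
    """Return (decision, reasons) for an OTP entered against the consumer's account.

    Hypothetical policy: one risk signal -> step_up (extra verification before
    access); both signals together -> hold (hold the session and verify the
    consumer out of band, e.g. a callback to the number on file).
    """
    reasons: list[str] = []
    if sub.device_id not in consumer.known_devices:
        reasons.append("unknown_device")
    for c in risky_calls(consumer, calls, sub.at, window):
        tags = ",".join(sorted(NUMBER_SIGNALS[c.caller] & RISKY_SIGNALS))
        reasons.append(f"risky_call_during_otp:{c.caller}:{tags}")
    if len(reasons) >= 2:
        decision = "hold"
    elif reasons:
        decision = "step_up"
    else:
        decision = "allow"
    return decision, reasons


# ---- Constructed sample data -------------------------------------------------
T = datetime(2021, 3, 1, 10, 0)
ALICE = Consumer("acct-alice", "+15550001000", frozenset({"dev-alice-laptop", "dev-alice-phone"}))

CALLS = [
    Call(T + timedelta(minutes=2), "+15550000202", ALICE.phone),            # virtual-carrier number
    Call(T + timedelta(minutes=58), "+15550000303", ALICE.phone),           # ordinary subscriber
    Call(T + timedelta(hours=2, minutes=50), "+15550000101", ALICE.phone),  # unallocated number
]

SCENARIOS = {
    # Relay: a never-seen device enters the code two minutes after a virtual number called Alice.
    "relay": OtpSubmission(T + timedelta(minutes=4), ALICE.account, "dev-unknown-77"),
    # Benign: Alice's own laptop enters the code; the only nearby call is from an ordinary number.
    "benign": OtpSubmission(T + timedelta(hours=1, minutes=1), ALICE.account, "dev-alice-laptop"),
    # Known device, but an unallocated number called Alice ten minutes earlier.
    "risky_call_only": OtpSubmission(T + timedelta(hours=3), ALICE.account, "dev-alice-phone"),
}


def run_scenarios() -> dict[str, tuple[str, list[str]]]:
    return {name: assess_otp_submission(ALICE, sub, CALLS) for name, sub in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in run_scenarios().items():
        print(f"{name:16} -> {decision:8} {reasons}")
```

The window is anchored on the submission rather than on the OTP request because, in the relay described above, the fraudster controls the request and the call can land either before or after it; in a real deployment the window, the signal taxonomy and the hold/step-up policy would be tuned against the organization’s own call and login data.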
Insights into consumer identity require constant investment and maintenance. Understanding the strength, tenure, and frequency of connections between consumers’ offline, online, and device-based signals falls outside the scope of most organizations’ operating models. The lack of investment creates a blind spot, which enables the most common types of account opening and account takeover fraud, including vishing. In order to reduce fraud exposure, and to provide consumers with the highest possible level of service, forward-thinking organizations are investing in identity resolution solutions that deliver a complete, accurate, and persistent understanding of consumer identity.
[i] Voice phishing may take different forms and does not always involve an OTP. In other instances, a consumer may receive an alarming text message falsely claiming that a valuable account has been compromised and urging the consumer to call a phone number to resolve the matter. Generally, voice phishing involves a fraudster’s direct deception of a consumer, with the fraud taking place over a phone call.
[1] Aite, Key Trends Driving Fraud Transformation in 2021 and Beyond
[2] Aite, U.S. Identity Theft: The Stark Reality
[3] OnFido, How Has COVID-19 Changed our Relationship with Digital Identity
[4] Google Security Blog, How Effective Is Basic Account Hygiene at Preventing Hijacking
[5] Javelin Strategy & Research, 2021 Identity Fraud Study
[6] FTC, Government Imposter Scams top the List of Reported Frauds
[7] First Orion, Scam Callers Now Leveraging Data Breaches In New “Enterprise Spoofing” Strategy
[8] First Orion, Infographic: 2020 Scam Call Report
[9] FTC, Consumer Sentinel Network Data Book 2020
[10] Aite, U.S. Identity Theft: The Stark Reality
[11] Javelin Strategy & Research, 2020 Identity Fraud Study
[12] Aite, U.S. Identity Theft: The Stark Reality
[13] Ibid.