The BBA is now integrated into UK Finance. Please go to www.ukfinance.org.uk for new content and updates from UK Finance.
Material published by BBA prior to 1st July 2017 is still available on this website.
From 1 July 2017, the finance and banking industry operating in the UK will be represented by a new trade association, UK Finance. It will represent around 300 firms in the UK providing credit, banking, markets and payment-related services. The new organisation will take on most of the activities previously carried out by the Asset Based Finance Association, the British Bankers’ Association, the Council of Mortgage Lenders, Financial Fraud Action UK, Payments UK and the UK Cards Association.x
Written by Matt Peachey, VP & GM EMEA, Pindrop
Recent research by the Financial Fraud Action UK (FFA UK) found that five million frauds occur every year across England and Wales, costing the UK around £24 billion. The extent of phone fraud alone has increased by 92 per cent in just 12 months.
While these figures are high, this is only part of the picture. Fraud, particularly on the phone channel is much higher, and growing fast. The reason for this is that this channel has traditionally been overlooked in terms of protection.
Most businesses have been focusing on improving their cyber defences as attacks on this channel grow more sophisticated. The frequency with which these attacks hit the headlines understandably causes businesses to rethink their defence strategy. What is becoming more commonplace however is that many have overlooked their most vulnerable line of defence – the phone.
Phone security to date has lacked the innovation, education and the sophistication needed to protect customers. As such fraudsters are taking advantage of this as they use cross channel tactics to commit these fraudulent crimes. Without the right authentication and fraud detection in place, organisations will continue to get duped, particularly as the boundaries between phone and online continue to blur.
Phone fraud is a growing problem for financial institutions due to its ease, low risk and low cost. It comes in many forms with attacks in the call centre, in automated account management systems, and outbound verification systems, costing organisations in terms of losses, time and expense and incident response.
For a fraudster, these paths present several advantages. Fraudsters are typically professional social engineers and experts at manipulating people. When speaking to a call centre representative, whose objective is to rightfully prioritise being helpful, a fraudster knows that identifying and handling suspicious calls is not a core competency for that representative.
Once on the phone, the fraudster may attempt a direct attack, stealing funds via a wire transfer. They may request a rush or replacement card and then max out the card with purchases. If they don’t have all the credentials or access they need, they may opt to take more innocuous steps in order to set up a future attack. A change to the address, phone number or email allows them to transfer the point of contact to an asset they “own”. They can claim to be a customer who will be traveling overseas resulting in lower fraud alerting levels at the bank.
Currently, the only clear defence against these fraudsters is the asking of a few personal questions (known as knowledge-based authentication or KBA).
Fraudsters can also steal from customers without talking to a representative. Automated systems or IVR (interactive voice response) systems allow access to a wide range of account activities that a fraudster can use to make substantial inroads to taking over an account.
A variety of technologies have been developed to address this problem. Analysing the caller’s voice, also known as voice biometrics, focuses on authenticating callers to positively identify bank customers. Many UK institutions are moving towards this form of authentication and while it is a useful way to verify customers, it cannot detect fraud.
Fraudsters have many techniques which help them bypass this layer of security. Distortive or synthesised noises can alter the sound of a voice, making it hard to verify and accurately define the user as fraudulent. To better combat fraud, organisations need to be able to identify new attackers before they can do damage. Identifying attackers in all parts of the phone infrastructure, from live calls to recorded calls, automated answering systems and outbound calling systems, is also necessary as is a solution that uses either a phone number or call audio to identify and quantify fraud risk.
Phoneprinting™ technology is becoming a popular way to detect fraud and authenticate customers as it identifies specific components about each call such as the location a call is coming from, the device, whether it’s a mobile or landline and whether the phone has been used to call the company before. Combined this can aid in detecting fraudulent activity before it becomes an issue.