
Phishing at a new level with a fake bank contact centre

I normally focus the blog on Europe, but this story from Australia shows a very alarming new level of fraud. In this case fraudsters have targeted Commonwealth Bank of Australia customers with a fake IVR and call centre.

The story (fully available here) is very worrying. It shows that fraudsters are graduating from e-mail phishing to a far more advanced form of fraud. While the e-mail is still the basic trigger for the fraud, the sophisticated use of VoIP (Voice over IP) and IVR systems is a new development. While most consumers are now aware enough of the risks of fraud to avoid clicking on e-mail links, phone numbers are much more trusted. This fraud relies on customers trusting local dial codes and on their familiarity with entering information into a touchtone IVR system. APCmag describes the fraud as:

"An email sent out on 26th May included a phone number in Brisbane to call to unsuspend blocked Maestro cards, but as of today, the number is disconnected. However, another email received this morning has an 08 area code number that is still in operation. According to ACMA, the number is a GoTalk VoIP number, which anyone could have registered over the web using stolen credit card details. (We've tried contacting GoTalk to notify them of this problem but were not able to immediately reach our regular media contacts.)

We called it, and were alarmed that the computer on the other end recognised the fact that we were keying in bogus numbers — an indication that at a bare minimum, it is doing algorithmic validation of the numbers being entered, and in a worst case scenario is operating a live payment gateway system to immediately siphon funds from accounts."
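The "algorithmic validation" APCmag inferred is most likely the standard Luhn (mod-10) checksum that every card number satisfies. The check below is an added illustration, not code from the article or from the fraud, and it shows why a fake IVR can reject made-up digits entirely offline: passing this check says nothing about whether a live payment gateway sits behind the phone line. The sample numbers are constructed; `4111 1111 1111 1111` is a widely published test number, not a real account.

```python
"""Luhn (mod-10) checksum, the standard offline format check on card numbers.

An IVR can run this on keyed-in digits before touching any bank system, so
re-prompting on bogus numbers proves nothing about a live payment gateway.
"""


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    compact = pan.replace(" ", "")
    if not compact.isdigit() or len(compact) < 12:
        return False  # non-digit noise or too short to be a card number
    total = 0
    # Walk from the rightmost digit and double every second digit;
    # a doubled value above 9 has 9 subtracted (same as summing its digits).
    for i, ch in enumerate(reversed(compact)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_keyed_input(keyed: str) -> str:
    """Mimic the IVR decision the article describes: accept or re-prompt."""
    return "accepted" if luhn_valid(keyed) else "re-prompt"


if __name__ == "__main__":
    # Constructed inputs: a published test number and two typed-in fakes.
    for sample in ("4111 1111 1111 1111", "1234 5678 9012 3456", "4111 1111 1111 1112"):
        print(sample, "->", classify_keyed_input(sample))
```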

At the moment, most consumers would see a local phone number and trust that to mean that their call was really going there. Few would understand the potential of Voice over IP to route the call anywhere in the world. Fewer consumers still would understand that an IVR system that answered a phone call and asked for identity verification and card details might not be what it seems.

Like most frauds, this is a clever exploitation of some basic technology, but an exploitation in a brand new way. It may be a one-off, but I suspect it may represent a new development as the fight against e-mail based phishing becomes more successful. To date, security in call centres has been focused on internal threats and social engineering attacks (see my posts like "Security, Call Centres and Fraud" and "Call centre worker gaoled for data theft"), but no-one has yet impersonated a contact centre on this scale before.

In my view, it looks as if the ease with which IP protocols allowed websites to be impersonated will become a danger for voice.


Comments: (1)

A Finextra member, 05 June, 2009, 09:44

It shows that banks have failed to put the appropriate infrastructure in place with which to engage with their customers. Poor practices by bank call centres with regard to customer identity have compounded the opportunities for fraudsters. The fault sits squarely with the banks, Commbank in this case, but it is happening to all the Australian financial institutions. Having trained their unsuspecting customers into revealing their personal details to mystery staff at the end of the telephone line with no authentication either way, it comes as no surprise at all to see it coming back to bite them. It isn't 1950 anymore...
