Telephone banking customers are being warned about a new low-tech man-in-the-phone (MitP) fraud technique being employed by criminals.
Vendor Actimize says it has recently spotted the scam through its fraud surveillance at several large retail banks. It originally targeted British banks but is now spreading to the US and Canada.
In a typical MitP attack, a fraudster calls the victim claiming to work for their bank, warning that their account may have been breached or compromised. The criminal then puts the customer on hold and calls their bank, connecting the two while remaining on the line.
The bank then requests authentication information, such as social security number, passwords and other personal information. Once the personal information is provided, the fraudster quickly ends the conference line and informs the customer that the issue has been resolved.
Meanwhile, with the personal information gathered during the call, the fraudster can take over the customer's phone banking relationship and transfer money out of their accounts.
James Van Dyke, president, Javelin Strategy & Research, says: "As consumers shift more financial transactions to secure online arenas, fraudsters have become more creative in utilising traditional telephones. Access through mail and telephone transactions grew from three per cent of ID theft in 2006 to 40% in 2007 and fraudsters are getting creative and leveraging new techniques to commit fraud, so consumers need to be as diligent as ever in protecting their personal information."
At the banking end, Actimize says firms should combine cross-channel behaviour profiling and anomaly detection technologies with better call center processes and training. Call center employees should be trained to listen more closely and ask who originated the call.
Says the vendor: "Attacks may be thwarted or losses minimised if bank employees ask simple (but random instead of static) security questions at various points in the phone conversation when confirming personal credentials."