Virtualized Calls a Top Threat for ATO Attacks
Companies may be investing more in their cybersecurity defenses, but fraudsters are evolving in their tactics. As such, they’ve discovered that by targeting call centers, they can easily obtain personally identifying information (PII), which is likely one reason the report found that call center professionals are increasingly the target of fraudsters employing social engineering in an attempt to takeover (ATO) customer accounts.
In fact, 51% of respondents that work in the financial services industry identified the phone channel as the top threat for ATOs. At 32%, spoofed calls lagged behind criminal activity reportedly coming through virtualized calls, which 40% of respondents said they saw more of this year.
“Virtualization (e.g., web-based calling services (Skype), Google Project Fi (routed through T-Mobile or U.S. Cellular), or a business PBX) is the biggest threat vector to call centers today. The calls are authentic, unique and legitimate. Their signaling data and call certificates are correct and will pass by technology designed to detect spoofing attempts,” the report said.
“Virtualization frees criminals from the need to imitate specific callers’ numbers. They just have to reach an agent from a number that is legitimate but unrelated to a customer’s record.”
An overwhelming majority (72%) of call center representatives believe that if calls were authenticated before answered, the number of ATO attacks could be diminished without impacting the customer’s experience.
“Our data also suggest that they are eager for change. 46% of call center leaders were ‘very’ or ‘somewhat’ dissatisfied with their current caller authentication method(s), a 50% increase since 2018.”
When comparing survey results year-over-year, the number of companies planning to implement multifactor authentication has doubled. “As more breached personal information enables more account takeover through the phone channel in the year ahead, we expect more call center leaders to advocate for a completely new multi-factor authentication strategy.”
Source: Information Security Magazine