Preventing contact centre IVR fraud

While customers are increasingly choosing digital channels to consume banking services, the phone remains a prominent method to resolve critical or complex queries. The contact centre interactive voice response (IVR) system is the front door for customers using the phone and enables them to complete self-service transactions at their convenience, but fraudsters can target the IVR to harvest information to scam customers.

As part of an organised attack, the fraudster will probe the IVR to acquire or validate data that will enable them to cash out the victim's account or gather additional information to enable authorised push payment (APP) fraud.

The scale of IVR fraud is often hidden, so we examined the calls passing through the smartnumbers platform. By analysing more than a billion calls that passed through the platform, we identified the make-up of organised fraud attacks:

  • On average, a fraudster makes 26 calls in the weeks before executing the final attack.
  • Two thirds of fraudulent calls are from withheld numbers. In almost all cases, the fraudster simply withholds their number and continues the attack to get around a bank's phone number blacklists.
  • A fraudster executing an IVR attack can be detected by a high volume of calls with short duration and a short time-to-next call. A typical fraudster probing the IVR makes on average 20 calls in an hour from withheld numbers. In extreme cases, a single fraudster makes more than 300 calls in a short period of time.
  • Ten per cent of IVR attacks are from fraudsters that have already been blacklisted by another bank.

There has always been a balance between protecting the contact centre while maintaining customer experience. While there is a plethora of anti-fraud technology that strengthens contact centre security and streamlines authentication, there are vulnerabilities in the IVR that fraudsters are exploiting.

Fraudsters use IVR as a tool to validate or gather data

Fraudsters prepare their attack by gathering data about victims using several means, such as social media research or acquiring data harvested through data breaches and the dark web. They then probe the IVR to validate the acquired data, complete missing information, or check the account balance to identify the best time to attack.

Understanding the scale of IVR attacks

While IVR systems provide capabilities to measure the volume and flow of calls through the IVR, it is not possible to distinguish whether the caller checking their balance is a genuine customer or not. Fraudsters mask their identity by spoofing their phone number to appear to be a genuine customer, or simply withhold their number, which makes detection difficult using existing technology.

Flaws in current fraud defences

Typical contact centre fraud defences rely on analysing the audio of the call to identify the person either as a fraudster or a genuine caller. Therefore, to prevent an attack, the call needs to be answered by an agent or have voice prompts in the IVR. Banks have to make a difficult balancing judgement - on the one hand, stopping fraudsters from completing risky transactions in the IVR; on the other hand, minimising the frustration of genuine customers caused by false flags.

From our work helping banks deal with this issue we have seen an increase in the use of new technological solutions to help strike this balance. By using technology to flag repeat calls from a withheld or spoofed number, banks can then identify high-risk callers for special treatment without the majority of lower-risk callers being impacted by the additional scrutiny and delay.
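The call pattern described in the findings above (a high volume of short calls with a short time-to-next call, mostly from withheld numbers) can be checked over call records with a sliding one-hour window. The Python below is an added example, not code from smartnumbers or any bank; the record fields, the stable caller_key that is assumed to survive a withheld number, and the thresholds are all assumptions, and the call records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed thresholds, loosely based on the "20 calls in an hour" figure; tune on real traffic.
WINDOW = timedelta(hours=1)
MIN_CALLS = 20
MAX_MEDIAN_DURATION_S = 60   # "short duration"
MAX_MEDIAN_GAP_S = 180       # "short time-to-next call": end of one call to start of the next

def flag_ivr_probing(records):
    """Return {caller_key: summary} for callers whose busiest sliding hour fits the pattern.
    Record fields (assumed): caller_key (hypothetical stable ID that survives a withheld
    number), start (datetime), duration_s (int), withheld (bool)."""
    by_caller = defaultdict(list)
    for rec in records:
        by_caller[rec["caller_key"]].append(rec)
    flagged = {}
    for key, calls in by_caller.items():
        calls.sort(key=lambda c: c["start"])
        lo = 0
        for hi in range(len(calls)):
            while calls[hi]["start"] - calls[lo]["start"] > WINDOW:
                lo += 1  # slide the left edge so the window never spans more than an hour
            window = calls[lo:hi + 1]
            best = flagged.get(key, {}).get("calls", 0)
            if len(window) < MIN_CALLS or len(window) <= best:
                continue
            durations = [c["duration_s"] for c in window]
            gaps = [(b["start"] - a["start"]).total_seconds() - a["duration_s"]
                    for a, b in zip(window, window[1:])]
            if median(durations) <= MAX_MEDIAN_DURATION_S and median(gaps) <= MAX_MEDIAN_GAP_S:
                flagged[key] = {"calls": len(window), "median_duration_s": median(durations),
                                "median_gap_s": median(gaps),
                                "withheld_share": sum(c["withheld"] for c in window) / len(window)}
    return flagged

def sample_records():
    """Constructed call records: one probing caller and one ordinary customer."""
    t0 = datetime(2024, 1, 8, 9, 0)
    probe = [{"caller_key": "anon-01", "start": t0 + timedelta(seconds=150 * i),
              "duration_s": 30, "withheld": True} for i in range(22)]
    normal = [{"caller_key": "cust-01", "start": t0 + timedelta(hours=3 * i),
               "duration_s": 240, "withheld": False} for i in range(3)]
    return probe + normal

if __name__ == "__main__":
    for key, summary in flag_ivr_probing(sample_records()).items():
        print(key, summary)
```

Medians are used rather than means so that one long call or one long pause inside the hour does not hide an otherwise clear burst.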

