Financial institutions have done much to combat the scourge of voice scams in recent years. Educational campaigns have been mostly successful in convincing consumers to never share their bank-provided one-time passwords (OTPs).
But scammers are nothing if not innovative and resourceful. As retail-banking customers have wised up to scammers impersonating banks, businesses, and government agencies requesting their OTPs, these criminals have done more than shift strategies. In India, they’ve invented a brand-new scam type.
The call-merging scam:
According to National Payments Corporation India (NPCI), Indian scammers have started manipulating their victims into merging their original call with a call from the victim’s bank’s Interactive Voice Response (IVR) to steal the victim’s one-time passwords (OTP), allowing these bad actors to log in and make unauthorized transactions.
Here’s how one of these so-called call-merging scams might go down:
1. The scammer calls the victim, claiming to have obtained their number from a mutual friend.
2. The fraudster asks the victim to merge the call with another number, supposedly belonging to the caller’s friend.
3. If the victim agrees and the calls merge, the second call is actually a legitimate bank OTP verification call.
4. Scammers time the merge perfectly, so the victim unknowingly reveals their OTP.
5. With the OTP, scammers can then complete financial transactions and drain the victim's account.
This scam is particularly dangerous because it bypasses traditional security measures: rather than defeating the OTP, it manipulates the victim into disclosing a valid one, resulting in unauthorized transactions. Unfortunately for victims, banks often recognize these transactions as authorized because someone entered a legitimate OTP, giving the impression the victim either did the entering themselves or gave it away intentionally.
NPCI has warned users to be vigilant and never merge calls with unknown numbers.
India for now, the region – and the world – to follow
While the call-merging scam has gained significant attention in India, evidence of its occurrence in other countries remains limited. Cases have been reported in Indian cities like Ludhiana and Noida, with victims losing amounts ranging from $10,000 to $114,000.
Although similar tactics involving voice phishing and OTP theft have been observed globally, the specific call-merging method as defined by NPCI has not been conclusively documented outside India based on available sources. The underlying principles, however, align with global cybercrime patterns, suggesting potential adaptability to other regions.
Fighting back
To protect against call-merging and similar call-based scams (investment scams, impersonation scams, etc.), financial institutions must look to behavior- and device-based solutions that detect whether a customer banking session is inconsistent with the account holder's historical behavioral patterns: Is the specific device in question previously unknown to both the user and the financial institution, and inconsistent with the account holder's previous tech usage? Is the user interacting with their touchscreen as they normally do? Are their mouse movements and keystroke patterns consistent with their history? Are any of their registered mobile devices currently on an active call?
This intelligence allows banks to decide in real time whether any anomalies detected in a banking session warrant the holding or declining of a transaction.
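One way a bank's risk engine could combine the signals listed above into a real-time hold-or-decline decision, as an added example that is not code from the original article or from any vendor; the signal names, weights and thresholds are assumptions chosen for illustration:

```python
from dataclasses import dataclass

# Constructed session signals a risk engine could evaluate in real time.
# Field names are assumptions for this example, not any vendor's schema.
@dataclass(frozen=True)
class SessionSignals:
    device_known_to_bank: bool        # device previously seen on this account
    device_fits_user_history: bool    # consistent with the holder's usual tech
    touch_pattern_consistent: bool    # touchscreen interaction looks like the holder
    input_rhythm_consistent: bool     # mouse movement / keystroke cadence as usual
    registered_phone_on_call: bool    # a registered mobile is on an active call
    otp_accepted: bool                # a valid OTP was entered this session

def score_session(s: SessionSignals) -> tuple[int, list[str]]:
    """Sum weighted anomalies; weights are illustrative, not calibrated."""
    score, reasons = 0, []
    if not s.device_known_to_bank:
        score += 25
        reasons.append("unknown_device")
    if not s.device_fits_user_history:
        score += 15
        reasons.append("device_inconsistent_with_history")
    if not s.touch_pattern_consistent:
        score += 20
        reasons.append("touch_anomaly")
    if not s.input_rhythm_consistent:
        score += 20
        reasons.append("input_rhythm_anomaly")
    # A valid OTP arriving while the registered phone is mid-call matches the
    # call-merging pattern: the code was read out over the merged call.
    if s.registered_phone_on_call and s.otp_accepted:
        score += 40
        reasons.append("otp_during_active_call")
    return score, reasons

def decide(score: int) -> str:
    """Map the anomaly score to the actions the text describes."""
    if score >= 60:
        return "decline"
    if score >= 30:
        return "hold"
    return "allow"

if __name__ == "__main__":
    legit = SessionSignals(True, True, True, True, False, True)
    merged = SessionSignals(False, False, True, True, True, True)
    for name, sess in (("legitimate", legit), ("call-merge", merged)):
        score, reasons = score_session(sess)
        print(f"{name}: score={score} action={decide(score)} reasons={reasons}")
```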
Google recently announced it will move to a QR-based authentication method later this year. Banks should also be looking into replacing the use of SMS-based OTPs. It’s been more than a year now since the Reserve Bank of India (RBI) recommended all Indian financial institutions move away from SMS-based OTPs in favor of principle-based frameworks for authentication of transactions. As of this writing, we have yet to hear what this framework might look like (or how it might serve the visually impaired) – only that these new methods could potentially replace the need for both SMS and voice-based OTPs, rendering this new call-merging scam obsolete everywhere voice-based OTPs cease to exist.