Who’s Really On the Line? Protect Your Customers from Voice Phishing Scams

Feb. 1, 2019 | by BioCatch

Voice phishing, also known as vishing, has been around for years. But cybercriminals have taken phone-based scams to a new level of sophistication — and it’s paying off.

By impersonating trusted officials, like customer service representatives at a bank, social engineers con unsuspecting victims out of millions of dollars every year. Vishing is surprisingly easy to fall for, catching even the most careful individuals off-guard. Well-crafted schemes carry all the signs of legitimacy, right down to the correct phone number of a victim’s personal bank.

In a time when customers are already uneasy about their security online, vishing scams are only further eroding their trust. At BioCatch, we’re on a mission to restore confidence in online offerings, which is why we are excited to announce that it’s now possible to stop vishing scams in real-time with behavioral biometrics, a fraud detection technology that’s even smarter than the most convincing social engineer.

Voice Phishing Scams Around the Globe

Voice phishing attacks are increasing in frequency. Just this January, the Australian Taxation Office issued a warning after an elaborate vishing scheme resulted in $1 million stolen from Australian citizens in less than three months. And in the United States, the Federal Trade Commission has reported that 77% of its fraud complaints involve contacts by telephone, of which vishing is a subset.

Nowhere is the problem more acute than in the United Kingdom, where voice phishing is the fastest-growing form of authorized push payment (APP) fraud. In the first half of 2018 alone, vishing scams resulted in £36.6 million in customer losses. In one example, a London woman lost £10,000 of her savings to scammers after taking a call from an unknown number claiming to be her personal bank. In the same time frame, nearly 4,000 UK banking customers suffered the same fate, losing an average of more than £9,000 each to vishing scams.

The problem is only set to worsen, as social engineers continue to refine their tactics.

Anatomy of a Voice Phishing Attack

Most people know not to take calls from unknown phone numbers or to respond to suspicious-sounding automated voice mail messages. But what happens when a phone scam appears to originate from a trusted source, like a bank, government official, or a well-known brand with whom you have an account?

Already this year, a vishing scam targeting Apple users shows just how crafty social engineers have become. In the scheme, iPhone users received an automated call saying Apple has experienced a data breach, and they need to call back immediately. The fraudsters spoofed Apple’s genuine phone number and displayed correct information about the company in the call log, including the Apple logo, address, and website.

In cases like these, it’s all too easy for even alert individuals to fall victim. Voice phishing scams incorporate urgency and accurate information on both individuals and organizations to convince people to ignore warning bells and take actions they normally never would. 

Screen Shot 2019-02-01 at 11.13.11 AM

A vishing attack typically unfolds like this:

  1. Fraudsters purchase information on victims from the dark web and gather accurate information about the companies they will impersonate from around the web.

  2. Fraudsters call their victims pretending to a legitimate representative of an organization, most often a bank or government agency.

  3. The fraudster then convinces the victim that there is an urgent need to transfer funds —  maybe there’s been a data breach or unusual transactions on the victim’s account.

  4. The victim then logs into their bank account.

  5. Under the guidance of the fraudster, the user initiates a transfer, following instructions to enter details like payee, payment amount, and more.

  6. The victim completes a fully authorized transfer.

Detecting Voice Phishing — Protect Customers & Provide a Better User Experience

Vishing is so hard to detect because it involves a person defrauding him or herself while under the influence of a con artist. Typical indicators used to detect fraud don’t apply. In a vishing scam, a transaction or payment takes place within an authenticated session, with the correct location, correct device, and no malware or bot activity to be found.

The one factor that does stand out during a vishing attack is changes to user behavior. Though subtle, behavioral anomalies are the key to detecting voice phishing in progress. Behavioral biometrics, a technology solution based on machine learning, analyzes thousands of behavioral parameters in real-time to sort legitimate transactions from fraudulent ones. Typical signs of a vishing attack include longer hesitations, altered typing patterns, and even a change in the way that a victim holds their mobile phone.

For behavioral biometrics, all these signs are a dead give away that a customer is under the influence of a fraudster. The technology works in the background so no friction is added to the user journey, even while users gain the advantage of the strongest security solution against vishing.

In most cases, once a vishing scam succeeds, there is no way to trace and restore a victim’s funds. The only way to prevent vishing is to catch a scam while it’s underway. By flagging vishing in real-time, behavioral biometrics prevent significant losses and provided much-needed protection for both clients and a company’s assets.

Want to learn more? Download our white paper on using behavioral biometrics to combat voice phishing scams.

Topics: Social Engineering