The continued prevalence of identity theft as a major obstacle for fintech companies should come as no surprise. Despite major advances in network security and personal identity protection, fraudsters continue to come up with sophisticated methods to lure unsuspecting victims into sharing their most personal information.
What may come as a surprise to fraud risk professionals is the variety of fraud methods and schemes currently being deployed by cunning fraudsters intent on deceiving even the most vigilant users. In this article, we'll examine several identity fraud strategies that are increasingly being employed virtually, but which you may not have previously encountered, making awareness of these techniques all the more crucial. This particular article will focus on understanding what a vishing scam looks like and how to prevent vishing scammers from collecting personal data from a potential victim. We'll also explain the impact of fraud on the economy and what can be done to protect your customers' sensitive data.
A fraudulent expense
Fraud continues to have a significant impact on the economy. According to a report by the Association of Certified Fraud Examiners (ACFE), organizations lose an estimated 5% of their revenue to fraud every year. This translates to trillions of dollars lost globally over the same period. Furthermore, fraud can have a detrimental impact on a company's reputation and lead to customers losing trust. It can even result in further monetary losses in the form of fines and legal fees.
It goes without saying that identity verification is an essential tool in the fight against fraud and cyber attacks. Financial institutions and fintech companies understand this, investing billions annually to stay in the vanguard of technological advancement. Regulatory requirements such as Know Your Customer (KYC) and Anti-Money Laundering (AML) are now ubiquitous within financial industries, while artificial intelligence is also being employed to add layers of robustness.
Yet, cyber criminals are always on the lookout for vulnerabilities in security measures that can be exploited for their next fraudulent scheme.
Understanding the many shapes of fraud
Understanding the fraud problem requires knowing the many shapes fraud comes in. To that end, we need to categorize the issue and define it so that we can learn how to identify it.
There are two different buckets in which fraud can be grouped: business fraud and personal fraud. Business fraud occurs when customers, employees, or even investors scam a business out of money or services. This could be through the submission of false expense claims or moving unauthorized funds between accounts. Personal fraud occurs when another person, group, or company tricks you into giving up money, services, or sensitive data and confidential information that can be used for identity theft.
Some of the most common methods used to trick users into providing their personal information are phishing, smishing, and vishing. While they sound similar, they differ in the medium used to get to the unsuspecting users.
Phishing and smishing attackers use email and SMS respectively, and both have become easier to defend against over time as users have learned to recognize them. Vishing attacks, on the other hand, are more subtle.
What are vishing attacks?
Vishing is a type of phishing attack that takes place over the phone. Vishing scammers call potential victims, pretending to represent a legitimate company in order to solicit personal information from the victim.
Perhaps an attacker calls you about renewing a subscription or warranty. If you answer this call and are connected to an alleged agent, you may be asked to provide information such as your name, address, driver's license number, social security number, or credit card information. Vishing scammers use sophisticated and targeted conversational techniques to move the call along, gathering personal and financial information and oftentimes creating a sense of urgency.
Vishing scammers may also ask a simple question that you will likely answer with a "yes". They can then use this recording to authorize charges or access your accounts at financial institutions by pretending to be you.
Vishing has proven to be a difficult scam to protect against, especially for older people. Vishers often combine techniques to throw off their victims, such as spoofed phone numbers, voice-altering software, text messages, and social engineering. Because of the personal nature of phone calls, it can be difficult for victims of vishing scams to ascertain legitimacy, and they wind up being tricked into divulging sensitive and confidential information.
Other methods of fraud being used by bad actors
Pharming: This is a type of cyber-attack that redirects website traffic to a fake website. The goal of a pharming cyber-attack is to steal personal and financial information or to install malware on a victim's computer. Pharming can be difficult to detect because the victim is redirected to a website that looks identical to the legitimate website.
Whaling: Whaling is similar to a phishing scam, but is targeted at high-profile individuals such as CEOs, CFOs, or other executives. In a whaling attack, fraudsters impersonate a senior executive and use social engineering techniques to trick employees into transferring money or sensitive data like bank account information.
Ghost student: This enrollment fraud costs colleges and universities millions each year. Ghost students are primarily fraudulent bots created by cyber criminals to scam educational institutions through the application process. If they are successful in being enrolled they can steal government aid and defraud the schools by collecting student loans or through other collegiate services.
CEO fraud: This is a type of whaling attack that specifically targets CEOs. In a CEO fraud attack, fraudsters impersonate the CEO and instruct employees to transfer money to a fraudulent account. CEO fraud attacks are becoming more common and can be very difficult to detect.
SIM swap: SIM swap attacks occur when a fraudster convinces a mobile phone provider to transfer a victim's phone number to a new SIM card. Once the fraudster has control of the victim's phone number, they can access sensitive information such as bank and email accounts.
Data diddling: This type of fraud involves changing data before it is entered into a computer system. This type of fraud is difficult to detect because it is often carried out by insiders who have access to the computer system.
Pig butchering: Pig butchering is a type of fraud that involves breaking down a large transaction into smaller transactions to avoid detection. For example, a fraudster may steal $10,000 from a bank account by making 100 transfers of $100 each.
Salami slicing: This is another type of fraud attack that is commonly used in the financial sector. It involves taking small amounts of money from a large number of accounts and then pooling the money to create a significant sum. The fraudster can then transfer the money to another account or withdraw the entire amount in one go. This attack can be challenging to detect as the amounts are small and spread across many accounts.
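As an added, defender-side example that is not from this article or from Mitek's platform: a small Python rule that applies the idea behind the two entries above, flagging an account that sends, or an account that collects, many sub-threshold transfers whose total crosses a review limit within a time window. The ledger format, account ids and thresholds are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: timestamp, source, destination, amount. Rows 1-5 split
# ~$475 into sub-$100 transfers (structuring); rows 6-10 skim $90 from five accounts
# into ACC-9002 (salami slicing); rows 11-12 are ordinary activity, not to be flagged.
SAMPLE_LEDGER = """\
2024-05-01T09:00:00 ACC-1001 ACC-9001 95.00
2024-05-01T09:05:00 ACC-1001 ACC-9001 95.00
2024-05-01T09:10:00 ACC-1001 ACC-9001 95.00
2024-05-01T09:15:00 ACC-1001 ACC-9001 95.00
2024-05-01T09:20:00 ACC-1001 ACC-9001 95.00
2024-05-01T10:00:00 ACC-2001 ACC-9002 90.00
2024-05-01T10:01:00 ACC-2002 ACC-9002 90.00
2024-05-01T10:02:00 ACC-2003 ACC-9002 90.00
2024-05-01T10:03:00 ACC-2004 ACC-9002 90.00
2024-05-01T10:04:00 ACC-2005 ACC-9002 90.00
2024-05-01T12:00:00 ACC-3003 ACC-4004 2500.00
2024-05-01T12:30:00 ACC-5005 ACC-5006 50.00
"""

def parse_ledger(text):
    """Parse whitespace-separated ledger lines into (time, src, dst, amount) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, amt = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, float(amt)))
    return rows

def find_structuring(rows, max_single=100.0, min_count=5, min_total=400.0,
                     window=timedelta(hours=1)):
    """Flag accounts that send ('src') or receive ('dst') at least min_count transfers
    of max_single or less totalling min_total within one sliding window."""
    hits = {}  # {(role, account): largest flagged total}
    for role, idx in (("src", 1), ("dst", 2)):
        by_acct = defaultdict(list)
        for row in sorted(rows):           # chronological order per account
            if row[3] <= max_single:       # only sub-threshold transfers matter here
                by_acct[row[idx]].append(row)
        for acct, txs in by_acct.items():
            start = 0
            for end in range(len(txs)):
                while txs[end][0] - txs[start][0] > window:
                    start += 1             # slide the window forward in time
                chunk = txs[start:end + 1]
                total = sum(t[3] for t in chunk)
                if len(chunk) >= min_count and total >= min_total:
                    hits[(role, acct)] = max(total, hits.get((role, acct), 0.0))
    return hits
```

Run against the sample ledger, the rule flags ACC-1001 as a sender and ACC-9001 and ACC-9002 as collecting accounts, while the single large transfer and the lone small one pass untouched.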
What measures can be taken to combat these attacks?
Prevention is always better than trying to find a cure. The best way to combat fraud attacks is to prevent them from happening in the first place by implementing a secure and tested identity verification solution, like the Mitek Verified Identity Platform (MiVIP).
An effective identity verification solution should have the following features:
- Real-time verification: Real-time verification ensures that the customer is who they claim to be, reducing the risk of identity theft.
- Multimodal authentication: Multimodal authentication adds several layers of security, oftentimes including biometrics, making it harder for fraudsters to gain access to sensitive information.
- Document verification: Document verification is a critical component of identity verification as it ensures that the documents submitted by the customer are genuine.
- Watchlist screening: Watchlist screening checks the customer's details against global watchlists, including politically exposed persons (PEPs) and known terrorists.
- Ongoing monitoring: Ongoing monitoring helps detect any suspicious cyber-criminal activity on the customer's account and alerts the company to any potential fraud attacks.
Fraudsters are always looking for new ways to scam individuals and businesses. It is essential to stay informed and educated about the various fraud attacks out there. Mitek’s resource library includes a plethora of useful information that will help you increase your identity security knowledge.
Remember, implementing a secure and tested identity verification solution can go a long way in preventing these attacks and protecting your customers and your business. So, stay vigilant, stay informed, and stay secure.