After Capital One breach, fraudsters ready to prey on consumer fears

Register now

The ongoing availability of stolen account information used to perpetrate vishing and phishing was exacerbated by the Capital One data breach disclosed this week, affecting 100 million accounts, and is likely to increase fraud threats.

"The organized crime rings behind so much of our fraud are very good at building off of current events and using the resulting consumer confusion and uncertainty to their advantage," said Julie Conroy, research director with Aite Group’s fraud practice.

Phishing and vishing (using voice calls to take over accounts) have been on the rise for the last several years, hitting businesses particularly hard, and Conroy said there is a high likelihood the Capital One breach will increase the likelihood of scammers luring consumers into giving up their personal information.

But the complexity of phishing and vishing crimes makes them difficult to detect and prevent.

The U.S. this month sentenced three individuals for perpetuating a vishing scheme that resulted in $20 million in losses between 2011 and 2014 tallied last year. The fraudsters posed as bank representatives persuading consumers to provide their Social Security numbers and bank account information.

Operating from Romania, the fraudsters installed interactive voice response and bulk email software on U.S. servers and sent out thousands of voice and text messages to consumers purporting to be from bank representatives. Victims were prompted to enter their personal information and account details, and it took years for the FBI to isolate the perpetrators, who were extradited from Romania last year and will serve jail time, according to the U.S. Attorney’s Office of the Northern District of Georgia.

Banks have little recourse to vishing beyond educating customers about sticking to existing security protocols, Conroy said, but consumer groups are pushing for better safeguards.

In the U.K., where consumer vishing scams have been rampant for some time, the Payment Systems Regulator is enforcing a new “confirmation of payee” requirement beginning next year as an antidote to unauthorized push payments.

“In the U.S. market, consortium databases such as Early Warning could be used in the same way,” Conroy suggested, though she noted that Early Warning lacks full market coverage, so there would be holes fraudsters would be likely to exploit.

Transactional analytics also could help, Conroy said.

Behavioral analysis tools may provide some coverage by flagging unusual activity signaling vishing scams in progress, according to BioCatch.

BioCatch’s tools were developed to combat diverse types of fraud in online and mobile apps, but recently banks and card issuers joined the organizations tapping its technology to stop vishing, said Frances Zelazny, chief strategy and marketing officer at BioCatch, which is based in Israel with a U.S. office in Boston.

BioCatch’s software automatically flags unusual consumer online activity that often suggests a consumer is following a fraudster’s commands, Zelazny said.

“Consumers caught in vishing scams often act different when accessing their account, including hesitating or fiddling or making mistakes, and our software catches that,” Zelazny said.

The most painful vishing scams harness consumers’ own security concerns, she said.

“One of the newest scams we’ve heard about is where a consumer receives a bogus call to collect payment for a smaller amount, like a cell phone bill. Shortly afterward the victim gets a second call purporting to be from their bank notifying them the previous call was fraudulent. To rectify the situation, the second caller asks for the victim’s account details, and subsequently drains their account,” Zelazny explained.

For reprint and licensing requests for this article, click here.
Data breaches Cyber security Personally identifiable information