Call centres told how to combat the Man-in-the-Phone

 

BANK call centres are being targeted in a new type of fraud, called Man-in-the-Phone.

In a typical attack, the fraudster poses as a call centre agent to tell the victim that their account may be at risk and that they should hold to verify a few account details.

He then calls the real bank and connects the victim to it on a conference line, keeping his own phone muted. He listens as the victim tells the real bank their authentication details, then quickly closes the conference line and tells the victim that the issue has been resolved. Now the fraudster has enough information to transfer money from the victim’s account.

The scam was publicised as a warning by Actimize, part of Nice Systems.  It recommends that banks combine behaviour profiling and anomaly detection with better call centre processes and training. Call centre agents should be trained to listen more closely and ask who originated the call. Attacks may be thwarted or losses minimised if agents ask simple (but random instead of static) security questions at various points in the conversation when confirming personal credentials. Fraudsters are less likely to trick customers into sharing answers to several security questions.

And it advises account holders to only call the number on their card or statement.

James Van Dyke, president and founder of Javelin Strategy and Research, said: “As consumers shift more financial transactions to secure online arenas, fraudsters have become more creative in utilising traditional telephones.”

Man-in-the-Phone is a new slant on Man-in-the-Browser, in which criminals use trojans to infect internet browsers so that they can modify transactions or insert additional ones.