Three security lessons from a year of crisis

Crime thrives in a crisis, and the coronavirus was the largest collective emergency that the world has faced for decades. While there are more heroes than villains in the coronavirus story — think of all the sacrifices doctors, nurses, and other essential workers have made and continue to make — there were also a few bad actors.

When Pindrop surveyed security and fraud professionals across vital sectors including banking and healthcare, we discovered hundreds of teams that had made heroic efforts to continue operating in the face of huge obstacles. We were also reminded of the many ways that fraud threatens businesses and individuals facing turmoil.

Spikes in call volume left contact center agents overextended while lockdown protocols forced reorganizations and remote work; well-intentioned and generally beneficial programs like PPP loans provided new avenues for fraud; and fraud attempts shifted to new venues, like banks’ prepaid card divisions.

More time on the line

In the early days of the pandemic, when lockdowns and restrictions across the United States were at their height, contact centers and customer service teams saw huge spikes in call volume. Banks’ phones rang off the hook with questions about account numbers and Paycheck Protection Plan loans, about unemployment payments and mortgage suspensions.

Business dealings that could once be conducted face-to-face with a teller in a branch office now moved onto the phone. Contact agents not deemed “essential” pivoted to working from home; new systems had to be devised, implemented, and tested almost overnight. The result? More calls, longer hold times, and longer agent conversations. Of course, not every fraudulent use of a contact center requires speaking with another human being: unscrupulous users can “mine” interactive voice response systems for personal data.

In some industries, the second quarter of 2020 saw an 800% increase in year-over-year call volume. Such elevated numbers weren’t sustainable, and there’s been some drop-off in call length and volume, but in the last quarter of 2020, call durations were still up 14% compared to pre-COVID levels, and typical waits were 11 minutes longer than they were before the pandemic. That’s bad enough for customer satisfaction, but the more ominous news is that 57% of surveyed fraud detection and fraud prevention decision makers determined that fraud attempts on contact centers were increasing through at least October of 2020.

Means and opportunity

It’s said that a crime requires means, motive, and opportunity. While a few fraudsters may have turned to deceit because of economic pressures, the coronavirus generally had little to do with fraudster’s motives. By contrast, the pandemic provided ample means and innumerable opportunities for illicit transactions.

Means: With contact agents overwhelmed and honest customers distressed, fraudsters developed new ploys (e.g., saying that they were attempting to access the bank account of a dear relative who’s now in the hospital and suffering from a severe infection).

Opportunity: In a bid to stave off economic catastrophe, the U.S. government rapidly deployed aid programs like the Paycheck Protection Program Loans. While these tools were and are a lifeline for thousands of businesses and millions of livelihoods, fraudsters took advantage of CARES Act and PPP provisions. Some fraudsters have faced charges already; more will certainly be caught.

When you’re evaluating your systems and procedures, think like a fraudster. Have you provided a means and opportunity gap that a motivated bad actor can exploit?

New venues for old crimes

Some of our findings were heartening. For example, contact center agents had proportionally fewer calls with social-engineering fraudsters than they did in 2019. Apparently long periods on hold will deter some ill-intentioned callers!

The fraudsters hadn’t changed their motive, but they realized their opportunity might be elsewhere. The billions of PPP dollars there for the taking were too tempting to pass up, and the government approved lean and innovative new fintech firms to administer loans. Some of these firms may have been too lean, as they proved lax in verifying applications’ truthfulness.

Three out of every four loan applications that the Department of Justice deemed fraudulent originated from a fintech company. While fintech firms are innovative, their proprietors must remember that today’s fraudsters are also dynamic and innovative. Proactive due diligence now may save money, embarrassment, and pain down the line.

Relief scams aren’t limited to the United States either; fraud has long been an international game. In the United Kingdom, criminals almost got away with a billion pounds’ worth of benefits. Elsewhere, honest people never received the help they’d been promised because fraudsters had already exploited their data and absconded with their funds. In Massachusetts, for example, thousands who were eligible for supplemental unemployment benefits found that scammers used earlier data breaches to file false claims.

Back across the pond, fraudsters have devised a way to make the U.S. government pay them twice: first file a request for someone else’s unemployment, to be delivered via a prepaid card. Then, once it’s arrived, claim it was lost and get another!

The experience of one bank handling these prepaid card scams shows how wary institutions have to be about changes in criminal behavior. Over three months in 2020, calls into the institution’s prepaid card division were more likely (by an astounding factor of 1,000!) to be fraudulent than calls into other divisions. Roughly 1 in 75 calls was marked as “high risk.” Two out of every three high risk calls proved to be a fraud attempt. Clearly, corona-era changes had sent fraudsters flocking to prepaid cards.

Looking ahead

A Washington state official spoke of the need to make “continuous improvements” to data security and reliability in light of the uncovered attacks. Hopefully, your organization won’t require a nine-figure wake-up call to rouse you from complacency. While shocks like the coronavirus may occur once in a hundred years, incremental changes to the world’s financial and economic systems are happening every day, and seemingly innocuous developments may prompt those ever-inventive fraudsters to design a new scheme.

The tools to reduce and mitigate fraud, for you and for your customers, are out there. Do your contact agents have up-to-date training? Have you updated security on your interactive voice response systems? And have you considered ways that new developments in the world or in your industry could compromise data integrity?

Good security is an ongoing process, not a one-and-done event, but the pandemic experience has already proven how agile enterprises can be. Stay vigilant, invest in experts and in the best tools, and make sure that everyone, from your customer service agents and your customers to your IT team and back office, knows what to look for. Fraudsters may have means and motive, but you can halt them in their tracks.