Telephony fraud and risk mitigation: Understanding this ever-changing threat

January 18, 2023  |  Kazi Arif

Telephony fraud is a significant challenge. Companies of all sizes and industries are subjected to the malicious usage of voice and SMS with the intent of committing financial fraud, identity theft, denial-of-service, and a variety of other attacks. Businesses that fall victim to fraud can incur significant financial losses, irreparable damage to their reputation, and legal implications. Detecting and preventing fraud can be a complex and time-consuming process, requiring businesses to devote significant resources to protect themselves. Some common challenges that companies face when it comes to fraud include the following:

  • Swiftly adapting to constantly evolving fraud tactics: Fraudsters are always searching for innovative ways to carry out their schemes. Therefore, businesses must be hyper-aware in identifying and addressing potential threats.
  • Balancing the need for security with customer convenience: Businesses must balance protecting themselves against fraud and providing a seamless customer experience. This can be particularly challenging in the digital age, as customers expect fast, convenient service.
  • Investing in fraud prevention solutions and skilling up human resources: To stay ahead of fraudsters, organizations may need to invest in technology solutions, such as fraud detection software or security protocols, to help identify and prevent fraudulent activity. Such solutions are often expensive and may require hiring dedicated employees to manage and maintain these toolsets.
  • Mitigating the aftermath of a fraud incident: If a business or its customers fall victim to a fraud campaign, the organization must be prepared not only to address the immediate financial losses but also to repair any damage to its reputation and restore customer trust. Such an endeavor is often a time-consuming and costly process.

Vishing

As mentioned above, telephony fraud can consist of voice fraud and SMS fraud sub-categories. Voice fraud, also known as vishing or voice phishing, involves criminals leveraging voice calls or voice messaging to social engineer potential victims into divulging sensitive information or making payments. In this type of attack, the malicious actor often attempts to mask their identity through spoofing, which involves altering caller-ID information to make the communication appear legitimate.

The attacker may also use voice manipulation software or voice impersonation to mask their identity and persuade a target to take a specific action, such as revealing sensitive data or transferring bank funds to the attacker. In such scenarios, vishers may pretend to be a trusted individual or a representative of a legitimate organization, such as a company or a government agency, and request personal information or login credentials.

[Figure: vishing flow]

Some of the voice fraud challenges that companies may face include the following:

  • Spoofed caller IDs: Criminals can use spoofed caller IDs to make it appear as if the call is coming from a legitimate source, such as a bank or government agency. This can make it difficult for companies to identify fraudulent calls and protect their customers from these scams.
  • Automated voice messages: Criminals can also use automated voice messages to deliver phishing scams. These messages may ask the recipient to call a specific number to update their account information or resolve an issue, but the call leads to a scammer trying to steal sensitive information.
  • Social engineering tactics: Criminals may use social engineering tactics, such as creating a sense of urgency or playing on the recipient's emotions, to convince them to divulge sensitive information or make a payment.

Smishing

Smishing is a phishing scam that uses text messages to carry out social engineering attempts, convincing victims to reveal sensitive information or persuading them to make fraudulent transactions. Smishing scams often involve fake websites or phone numbers, and they may be disguised as legitimate texts from banks, government agencies, or other trusted organizations.

Smishing attacks can be challenging to detect because they often use familiar logos, language, and tone to make the message appear legitimate. Some common tactics used in smishing attacks include:

  • Asking for personal information: Smishers may ask for personal information, such as passwords or credit card numbers, under the pretense of verifying account information or completing a transaction.
  • Offering fake deals or prizes: Smishers may send texts offering fake deals or prizes to lure people into revealing sensitive information or making fraudulent transactions.
  • Scare tactics: Smishers may send texts threatening to cancel accounts or take legal action unless sensitive information is provided.

Overall, fraud attacks can have serious consequences. If your organization falls victim to a fraud campaign, there may be severe financial loss, damage to brand reputation, data breaches, and disruption to your everyday operations. A data breach can lead to identity theft affecting your employees and customers and to the leak of proprietary information owned by your company, which can cause long-term financial and legal implications. Therefore, we recommend that organizations take the following steps to protect themselves against telephony fraud:

  • Educate employees: Train employees to recognize the signs of voice and SMS fraud and to be cautious when giving out sensitive information or making financial transactions over the phone.
  • Implement two-factor authentication: Leverage two-factor authentication to verify the identity of employees and customers when they access sensitive information or make financial transactions.
  • Use anti-phishing software: Use anti-phishing software to protect against phishing scams, including smishing attacks.
  • Monitor your phone bills: Regularly review phone bills for unusual charges or suspicious activity, which may result from a malicious actor spoofing your telephone number.
  • Secure communication platforms: Use secure communication platforms, such as encrypted messaging apps, to protect against voice and SMS fraud.
  • Invest in fraud detection solutions to identify and act upon fraudulent calls.
  • Monitor for suspicious activity: Organizations can use tools to monitor suspicious activity, such as unexpected changes in calling patterns or unusual requests for information.

By following these best practices, businesses can reduce the likelihood of a telephony fraud disaster.

If you are an individual who is looking to safeguard yourself from such attacks:

  • Be vigilant of the types of commonly used scams and how to recognize them.
  • Never give out personal information or make financial transactions over the phone unless you are sure you are dealing with a legitimate entity.
  • Use strong passwords and enable two-factor authentication whenever possible to protect against unauthorized access to your accounts.
  • If you receive a suspicious phone call, hang up and verify the call's legitimacy before providing any information. You can do this by looking up the phone number online or contacting the organization directly using a phone number you know is legitimate.
  • Be cautious of unsolicited phone calls, especially if the caller requests personal information or tries to rush you into making a decision.
  • Report any voice fraud to the authorities and relevant organizations, such as your bank or credit card company. This can help to prevent others from falling victim to similar scams.

Overall, it is imperative to have a multi-layered approach to combat telephony fraud. This should include an effective monitoring solution to identify anomalies in voice and SMS traffic patterns and the ability to detect and act upon suspicious activity quickly.
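
One way to implement the baseline-and-deviation monitoring described above, as an added example (not code from this article or from any AT&T service). The record layout, the fictional 555-01xx numbers, the daily counts, and the thresholds are all assumptions constructed for illustration; the score is a robust z-score built from the median and the median absolute deviation (MAD).

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (day, caller ID presented, calls seen that day).
# Both numbers are fictional; the last day of the first series is a spike.
CDRS = [
    ("2023-01-%02d" % d, "+12025550100", n)
    for d, n in enumerate([210, 198, 225, 205, 190, 215, 202, 1480], start=1)
] + [
    ("2023-01-%02d" % d, "+12025550101", n)
    for d, n in enumerate([40, 42, 38, 45, 41, 39, 44, 43], start=1)
]

def robust_z(value, history):
    """Deviation of value from the history's median, in scaled-MAD units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # 1.4826 scales MAD to a standard deviation for normally distributed
    # data; the floor of 1.0 avoids dividing by zero on a flat history.
    return (value - med) / max(1.4826 * mad, 1.0)

def find_anomalies(cdrs, min_history=5, threshold=6.0):
    """Return (day, number, count, score) for days that break the baseline."""
    per_number = defaultdict(list)
    for day, number, count in sorted(cdrs):
        per_number[number].append((day, count))
    alerts = []
    for number, series in per_number.items():
        for i, (day, count) in enumerate(series):
            # Baseline uses only earlier days, so a spike cannot mask itself.
            history = [c for _, c in series[:i]]
            if len(history) < min_history:
                continue  # too little data to call anything "normal" yet
            score = robust_z(count, history)
            if abs(score) >= threshold:
                alerts.append((day, number, count, round(score, 1)))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(CDRS):
        print(alert)
```

Median and MAD are used instead of mean and standard deviation so that a single earlier spike does not inflate the baseline and hide the next one.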

AT&T Cybersecurity Consulting offers a telephony fraud management program that will equip your organization with unique visibility into your voice and SMS traffic, allowing you to observe daily traffic flow across your network. As a result, your organization will be able to understand established baselines of "normal" traffic originating from your network.

AT&T Cybersecurity Consulting will actively monitor your network traffic to pinpoint deviations from your baseline traffic patterns to quickly identify malicious activity or robocall campaigns spoofing your organization's telephone numbers. If such an anomaly is detected, the AT&T Cybersecurity Consulting team will notify your team with a report containing the observed activity and then present your team with options for responding to the anomaly. Options for response will include but are not limited to blocking traffic from transiting over the AT&T network, as well as requesting a traceback to determine the originating source of the spoofed traffic.

For more information about our telephony fraud management service, please forward any inquiries to caas-voicefraud@list.att.com.
