Today, we carry devices with us wherever we go, making us highly vulnerable to imposter scams, call spoofing, and data breaches. With the rise of artificial intelligence, threat actors can now commit fraud by mimicking a person’s voice over the phone. This troubling trend is affecting both consumers and businesses, with financial institutions being especially at risk.
In an increasingly common imposter scam known as the “grandparent scam,” the threat actor calls someone, posing as a family member. They claim to be in some kind of trouble, such as a car accident or an arrest, and request money to help get them out of the predicament. The criminal is able to mimic the voice of the person they’re impersonating by closing it with AI. Today’s technology is so advanced that only a short audio clip is needed.
According to 2024 Federal Trade Commission data, consumers reported that imposter scams were the leading method of fraud in 2023, with the highest losses per person coming from phone scams. Scammers have stolen over $10 million from U.S. consumers this year, reaching an all-time high, according to the FTC.
A separate report on cyberattack trends found that financial services is the most impersonated industry by criminals. Case in point, a Hong Kong finance worker was duped out of more than $25 million after falling prey to a deepfake video call scam earlier this year, in which the attendees looked and sounded just like his coworkers.
Call Spoofing: An Essential Tool for Threat Actors
Call spoofing is the deliberate falsification of a caller’s phone number and caller ID information. Criminals commonly use this tactic so that calls to their victims seem real. A common banking phone scam involves calling a bank customer and pretending to be a bank employee—ironically, in the fraud department. The incoming number the customer sees looks like a legitimate number from their bank.
The caller then tells the customer there has been fraudulent activity on their account and asks for their personal banking details. Through social engineering schemes, threat actors convince targets that their accounts have been hacked, which leads to the customer providing sensitive account information or, in some cases, wiring the caller money via apps such as Zelle and Venmo.
Data Breaches Are Fueling Financial Fraud
More than 1,500 data breaches affected over one billion people in the first half of 2024, including those impacted by multiple incidents. This represents a 14% increase in the number of breaches reported in 2023, which was a record-setting year. Financial service-related data breaches increased by 67% year-over-year, making financial services the most compromised industry in H1 2024, according to the Identity Theft Resource Center. This rise in data breaches creates a higher risk of financial fraud and call spoofing—a vicious cycle that leaves consumers and businesses vulnerable.
Armed with the victim’s name, address and other personal details obtained from data breaches, the dark web and phishing attacks, criminals can make an even more convincing case over the phone. Fraudsters use their persuasive stories during these vishing attacks, coupled with the highly personal nature of voice calls, to create a false sense of trust. They often seal the deal by sending the target a fake text link, known as “smishing.” These text and phone scams are so common, that one in three Americans has received one.
Just this month, more than a third (35%) of Americans said they were notified that details about their identities or online accounts had been stolen in a data breach—up from 28% last year according to the TransUnion 2024 Q4 Consumer Pulse Report.
One might assume that the larger the bank, the greater the temptation for fraudsters, but smaller banks and credit unions are seeing the most fraud. According to a recent report, 79% of credit unions and community banks saw more than $500,000 in direct fraud losses in 2023—higher than any other segment surveyed. Smaller banks and credit unions lack the fraud prevention resources, data and technologies used by larger banks, and they provide more personalized, phone-heavy customer service, leaving them more susceptible to fraud.
Technology Can Help Combat Call Spoofing
Though customers are increasingly aware of call spoofing and other phone-related scams, they enjoy the personal touch that only the phone can bring. Nonetheless, they’re demanding that more be done to protect them against phone fraud and unwanted calls. Customers want to feel safe to answer the phone when they receive a wanted call from their financial institution, school or physician’s office.
Industry-developed protocols such STIR/SHAKEN call authentication, which digitally validates a caller’s identity, have helped to combat call spoofing. However, STIR/SHAKEN is not always sufficient to ensure that mobile operators can differentiate between legitimate and spoofed calls. Due to the limitations of legacy networks and inconsistent implementations, they often lack the information they require to distinguish legitimate calls from robocalls calls, causing legitimate calls to be mistagged as spam. That makes it impossible for consumers to know when to answer the phone.
Other measures are available to help financial institutions reduce call spoofing, such as technology that allows them to digitally “sign” their own calls. This option stops spoofed calls from reaching the customer by providing mobile operators with the intelligence they need to block spoofed calls with confidence through complete end-to-end call authentication.
Because this method ensures mobile operators receive the authentication information they need, it greatly reduces the number of legitimate calls that are mistagged as fraudulent. That means fewer customers would block calls from those numbers—including calls from the business.
Empowering enterprises to take the reins on call authentication this way is a sound business strategy; after all, no one has a larger stake in protecting their customers and their business than the financial institutions themselves.
