Skip to main content

Fraudsters Set Their Sights on Financial Firms

Photo of a woman speaking on a telephone in an office setting. She has glasses.

Solutions that help protect your business and customers from fraud

Imposter scams and call spoofing are exploding, and they often involve the phone channel. Advances in AI, deepfake technologies and large language models are making it even more tricky for consumers to tell the difference between real and fake phone calls. But call spoofing, data breaches, and imposter scams don’t just impact consumers, they also affect businesses — especially financial institutions.

Phone scams have grown more complex, convincing and costly, going from $196 million in losses in 2020 to a whopping $660 million (a 237% increase) in just two years.

Because consumers are particularly wary when it comes to discussing their finances, they often prefer to use the phone when communicating with banks, credit unions and other financial service institutions.

The more personal information scammers can get, the easier it is to build a believable scenario to defraud consumers through call spoofing. The number of data compromises reported in the first half (H1) of 2024 totaled 1,571, impacting an estimated 1.07 billion victims, including individuals impacted by multiple breaches. This was close to a 14% increase in compromises compared to the same period in 2023, a year which set the record for data events reported in a single year (3,203).

Consumers have few options to protect themselves, so the burden rests largely on financial institutions to implement technologies and solutions to address this rapidly growing issue.

Download the e:Book: Fraudsters Set Their Sights on Financial Firms for more details.

What’s call spoofing and why is it critical to perpetrating fraud?

Call spoofing occurs when a caller intentionally falsifies the phone number and caller ID information transmitted by phone. It’s often used in imposter scams to make calls to consumers look legitimate — commonly appearing as a financial institution or other trusted business partner — to steal money or personal information.

While bad actors are tapping into many channels to commit fraud, the phone is often seen as the tipping point for consumers who feel reassured enough by a human (or deepfake) voice to click on a text or email link or share a one-time passcode.

In fact, the Federal Trade Commission (FTC) noted consumers lost over $10 billion in fraud in 2023. Imposter scams — which grew 71% from 2021-2023 — were the number one way consumers were defrauded in 2023, and the phone channel accounted for the highest per-person losses.

The phone remains an incredibly popular communication channel

While well aware of the risks, consumers still want a personal experience for high-value, private exchanges of information — and that’s the phone channel. Enterprises agree, ranking the phone as one of their top strategic tools for improving the customer experience.

But today’s consumers are demanding more protection against unwanted calls and fraud, along with a way to trust phone calls again so they can safely answer those they do want — calls from financial institutions, schools, healthcare organizations and more. They want to know for sure when not to pick up.

As for businesses, they’re struggling to protect their brands and revenue from fraudulent activity.

Financial fraud continues to evolve rapidly

According to Security Magazine, financial institutions experienced a 53% year-over-year (YoY) increase in fraudulent activity in Q4 2022. But it’s the smaller banks and credit unions that are being hit the hardest. In fact, the same report showed fraud rates in credit unions increased by over 70% in 2022.

In addition, data breaches against financial services companies jumped by more than two-thirds (67%) year over year to be the most compromised industry in H1 2024, according to the Identity Theft Resource Center. Data breaches increase the likelihood of call spoofing because fraudsters get access to the personal information they need to convince consumers they’re legitimate.

Smaller banks and credit unions are especially at risk because they lack the data, operational resources, solutions and technologies that larger institutions have in place to prevent fraud. In addition, smaller financial institutions depend upon on a more personalized approach with customers and rely heavily on the phone channel for providing customer service.

Plus, bad actors often leverage call spoofing to masquerade as bank employees as part of a multichannel approach to commit fraud. Paired with convincing social engineering schemes designed to fool targets into thinking their bank accounts have been hacked, fraudsters trick their victims into providing sensitive account information or wiring money through bank payment apps like Zelle or Venmo.

Things are getting even more challenging with the introduction of new AI technology like voice deepfakes. These scams and other types of phone fraud not only erode consumer trust, they also harm a business’s reputation.

The rise in data breaches further fuels financial fraud risk

According to the TransUnion 2024 Q2 Consumer Pulse Report, identity theft (59%) was the top cyber threat consumers were most concerned may personally affect them. It’s not surprising given the levels of criminal activity targeting their personal information. Over a quarter (27%) of Americans reported they were notified their identities or online account information had been stolen as a part of a data breach in the past three months.

Our research also shows US data breaches increased 15% year over year in 2023 to a volume never seen before — driven by an increase in third-party breaches. In addition, the average breach risk severity (the ability of a breach to enable identity fraud) increased 11% YoY in 2023 — also the highest ever measured.

Data breaches give fraudsters another opening to target consumers when it comes to call spoofing and impersonating other people to try to get personal information to commit fraud.

How exactly do spoofed calls happen?

We’ve seen that businesses, particularly financial institutions, are reporting fraudsters often jumpstart scams by obtaining a consumer’s name, phone number and address through social engineering schemes like phishing attacks or a data breach. That data often ends up on the dark web.

25% of legitimate outbound calls are mistaken as spam (Source: TransUnion internal statistics)

Then, the bad actor spoofs the phone number of a financial institution and calls the customer pretending to be from that organization.

Due to the highly personal nature of a human voice on the phone, and the fact fraudsters have become very good at creating convincing stories, consumers frequently believe they’re speaking with an individual they can trust. The fraudster often follows up by sending their target a fake SMS link to seal the deal.

The limitations of call analytics

Although industry initiatives like STIR/SHAKEN call authentication have helped curtail call spoofing, it’s insufficient for some key use cases. In these instances, mobile operators can’t easily differentiate between legitimate and spoofed calls, allowing some fraudulent calls to get through. Furthermore, many legitimate calls from businesses are being blocked or mislabeled as spam, so customers don’t pick up.

Solutions that help curtail call spoofing

There are numerous measures financial institutions can take to reduce call spoofing, including the implementation of Transunion® TruContact™ Spoofed Call Protection (SCP). SCP empowers organizations to digitally ‘sign’ their own calls so they can distinguish between legitimate and spoofed calls and apply proper call treatment. This puts call authentication in the hands of the business — which is clearly vested in protecting itself and its customers from spoofed calls and the financial damage they can inflict.

When a financial institution signs its own calls using SCP, it’s ensuring full, end-to-end call authentication — and stopping spoofed calls before they even reach the consumer. 

SCP differs from other solutions in that it doesn’t label legitimate calls as ‘Fraudulent’— which often prompts users to block all future calls from that number (including legitimate calls from the business). Instead, it gives the mobile operator the intelligence it needs to confidently block spoofed calls. As a result, only legitimate calls get through to consumers.

Download the eBook and find out how TruContact Spoofed Call Protection (SCP) can help you protect your customers — and your brand — from call spoofing and fraud. 

Do you have questions? Our team is ready to help.