Are Your Fraud Alert Replies Being Spoofed?

As banks try to improve customer experience, reduce fraud and cut operational costs through interactive SMS, criminals have moved in to take advantage of the channel. The latest fraud scam involves ‘spoofing’ CLI (calling line identity) numbers to respond to SMS fraud alerts intended for customers.
“Spoofing” SMS or texts might seem like something teenagers would do, perhaps sending fake texts on Valentine’s Day appearing to be from someone else. Instead, what’s happening is more sinister.
If a credit/debit card transaction is deemed suspicious, banks can alert customers through SMS, as well as through automated voice, mobile application push notifications and emails. If the transaction is genuine, the customer simply needs to respond to the SMS to confirm this, without having to speak to an operator in a call centre.
What the fraudsters are doing is making a fraudulent transaction using a compromised card and then successfully ‘spoofing’ a customer’s SMS response, confirming the transaction to be genuine when it isn’t. The fraudsters don’t know for certain that the customer got an SMS alert in the first place – but they might know the bank’s alert and customer notification strategy. They would have to have obtained the customer’s telephone number on the black market, possibly at the same time as the credit/debit card details. The fraudster then guesses the correct timescale in which to ‘spoof’ the response, before the genuine customer can reply.
FICO are fully aware of this emerging fraud threat and have a range of solutions available as part of our FICO Fraud Resolution Manager:
- Our SIM Swap solution detects whether the SIM card may have been ‘hijacked’ by a fraudster
- SMS carousels consist of a range of rotating numbers, which prevents the fraudster from ‘spoofing’ a reply to one known number
- A PIN/OTP (one-time password) request provides reassurance that the alert has reached the right person
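
To show why the last two measures defeat a blind spoofed reply, the sketch below accepts a confirmation only if it arrives on the rotating number the alert was sent from and carries the OTP from that alert. It is an added example, not FICO's code or product behaviour; the class name, phone numbers, reply window and attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values (assumptions, not from the article or any FICO product).
CAROUSEL = ["+15550100", "+15550101", "+15550102", "+15550103"]
REPLY_WINDOW_S = 600   # how long a reply is accepted
MAX_ATTEMPTS = 3       # failed replies before the alert goes to an agent


class FraudAlerts:
    def __init__(self):
        self._pending = {}  # customer number -> [sender, otp_hash, expiry, fails]

    def send_alert(self, customer, now=None):
        """Pick a rotating sender number and an OTP; return both for the SMS."""
        now = time.time() if now is None else now
        sender = secrets.choice(CAROUSEL)
        otp = f"{secrets.randbelow(10**6):06d}"
        otp_hash = hashlib.sha256(otp.encode()).digest()
        self._pending[customer] = [sender, otp_hash, now + REPLY_WINDOW_S, 0]
        return sender, otp

    def check_reply(self, claimed_from, received_on, body, now=None):
        """Decide on an inbound SMS. claimed_from is the CLI, which may be spoofed."""
        now = time.time() if now is None else now
        entry = self._pending.get(claimed_from)
        if entry is None:
            return "no_pending_alert"
        sender, otp_hash, expiry, _ = entry
        if now > expiry:
            del self._pending[claimed_from]
            return "expired"
        got = hashlib.sha256(body.strip().encode()).digest()
        # A blind spoofer knows neither the sender number used nor the OTP.
        if received_on == sender and hmac.compare_digest(got, otp_hash):
            del self._pending[claimed_from]
            return "confirmed"
        entry[3] += 1
        if entry[3] >= MAX_ATTEMPTS:
            del self._pending[claimed_from]
            return "locked"  # stop guessing; route to a human
        return "rejected"
```

The attempt limit matters because a six-digit OTP can otherwise be guessed across repeated spoofed replies; once locked, the alert should fall back to an agent call rather than being treated as confirmed.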