Clever Lazy Criminal Gangs Steal Millions Using IVR Systems

David Bradley

How IVR fraud works and how Invosys helps prevent it

Most people hate using interactive voice response (IVR) systems. But to fraudsters, they are a boon. If a fraudster can bypass an institution’s initial security, IVR systems can reveal a treasure trove of personal data. Some payment institutions even use IVR systems to take credit card payments.

General Kurt von Hammerstein once remarked that to be marked out for the highest office, an officer had to be both intelligent and lazy.  

That analysis deftly applies to IVR fraudsters. They recognise that the easiest attack vector into a company or an individual is through a company’s or institution’s IVR system. It takes very little human effort to hack.  

For fraudsters, IVR systems are a cheap, efficient and low-risk way to access customer data.

According to Barry Tuffs, Sales Director at Invosys, “Fraudsters are not teenage bedroom hackers. They are technically very smart international criminal gangs, operating from anywhere, using automated dialler software to call 100s of numbers a minute. IVR systems don’t need human intervention, just the ability to automatically provide and interact with DTMF tones. Fraudsters only have 10 numerical digits (0-9) from which to guess a victim’s personal account number or security code. That’s easier than hacking into a computer with letters and symbols.” 

Automated fraud is a growing problem. According to some estimates, the number of automated calls went from 30.5 billion in 2017 to 41 billion in 2020. 95% of those were fraudulent spam calls.

To see how easily an IVR system can be navigated automatically, find a supplier in your smartphone’s contacts app whose IVR options you know. In the telephone number field, after the company number, type # followed by the option number. Repeat for each option. When you dial, you reach your intended extension immediately. Automated diallers can do this on an industrial scale.

An example of the way an IVR fraud works is this: a gang buys mobile numbers and corresponding names cheaply from the Dark Web. For each number, their dialler dials into every clearing bank’s IVR system. When the victim’s bank is reached, its IVR system is duped into accepting the call, because the gang’s dialler, whilst outside the country, spoofs the victim’s mobile number. Thereafter, an onslaught of automated calls by the dialler into the bank’s IVR system repeatedly attempts to guess, piece by piece, the victim’s account details, such as date of birth, account number and so forth. With only the digits 0-9 to create combinations, it’s only a matter of time before the dialler comes up with the correct guess for a piece of account information.

Even with just a few pieces of data, the fraudster initiates a call between the victim and his bank by sending the victim a text which looks like it’s from the bank. That message includes some of the victim’s stolen account information, to create trust. The victim is asked to click the bank’s legitimate customer service number within the message. Cleverly, a three-way call is then established between fraudster, bank and victim. The fraudster’s system secretly captures the DTMF tones of the victim’s login details for future theft, then cuts off the victim’s leg of the call before the IVR disengages. The bank employee then naturally assumes she’s talking to the victim, who has just passed the bank’s security check. She has no qualms reading out balances, resetting PIN numbers and transferring the entire balance to the fraudster’s bank account.

Bank staff are well trained to spot inconsistencies that can reveal fraudsters like these. If in doubt, the customer service representative hangs up and calls the customer to check if he’s trying to reach the bank. However, there’s a cost in staff time and call charges – not to mention fraud if the fraudster succeeds. If just 2% of calls are suspicious, that can be 100,000 call backs a year to check callers for a large bank or insurance company fielding 5m calls a year.  

Communication technology innovators such as Invosys have software that closely analyses call metadata, at network level, to identify the location from which a call originated, regardless of its presentation number.

Barry Tuffs comments: “At Invosys, our Fraud Protection Service monitors calls into our clients and our software detects the true origination point of the call, in real time. For example, when a UK number is presented, if that call was originated elsewhere, we can either block it or divert the call to a bank’s specialist agent to ascertain whether the caller is genuine. Coupled with lots of additional features, the platform helps dramatically reduce costs, frees up staff time and helps the fight against fraudsters.”
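
The two defensive checks described above, sketched as an added example (not Invosys code): divert calls whose presented number does not match the origination country, and lock out a presented number after repeated failed PIN entries spread across calls. The `origin_country` field, the thresholds and the call records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILS = 3      # assumed: failed PIN entries tolerated per presented number
WINDOW_S = 3600    # assumed: sliding window in seconds
PREFIX_COUNTRY = {"+44": "GB", "+1": "US"}  # minimal map for the sample data

# Constructed records: (epoch_s, presented_number, origin_country, pin_ok).
# origin_country is a hypothetical field standing in for the network-level
# origination signal the article describes; numbers are fictional.
CALLS = [
    (0,    "+447700900001", "GB", True),   # genuine customer
    (50,   "+447700900002", "XX", False),  # UK number presented, foreign origin
    (100,  "+447700900003", "GB", False),
    (160,  "+447700900003", "GB", False),
    (220,  "+447700900003", "GB", False),
    (280,  "+447700900003", "GB", False),  # fourth guess inside the window
    (4300, "+447700900003", "GB", True),   # window has expired
]

def presented_country(number):
    for prefix, country in PREFIX_COUNTRY.items():
        if number.startswith(prefix):
            return country
    return "UNKNOWN"

def route_calls(calls):
    """Return (epoch_s, presented_number, decision) for each call, in time order."""
    fails = defaultdict(deque)  # presented number -> timestamps of failed PINs
    decisions = []
    for ts, presented, origin, pin_ok in sorted(calls):
        recent = fails[presented]
        while recent and ts - recent[0] > WINDOW_S:
            recent.popleft()  # forget failures older than the window
        if presented_country(presented) != origin:
            decision = "divert_to_specialist"  # presentation/origin mismatch
        elif len(recent) >= MAX_FAILS:
            decision = "locked_out"  # guessing spread across many calls
        else:
            decision = "ivr"
            if not pin_ok:
                recent.append(ts)  # only calls that reach the PIN prompt count
        decisions.append((ts, presented, decision))
    return decisions

if __name__ == "__main__":
    for row in route_calls(CALLS):
        print(row)
```

Counting failures per presented number rather than per call is what catches a dialler that makes one guess per call.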

Well, at least fraudsters can avoid the interminable “press 1 for sales, 2 for support” and reach a live agent fast.

For more information about Invosys and its Fraud Protection Service, please visit 


