
This channel is often regional banks’ cybersecurity blind spot


In recent years, customers of at least one California financial institution received numerous fraud calls spoofing the bank’s actual phone number, asking for debit card numbers, PINs, and other sensitive data. It’s not a singular event. Banking leaders there and elsewhere emphasize regularly to customers that the bank would never initiate such requests via phone. Still, customers were unprepared for the barrage of unwanted impersonation robocalls.

While larger financial services firms have prioritized securing their communication channels from robocall fraud, regional and smaller banks have historically faced budget challenges that have prevented them from keeping pace. This creates a vulnerability gap bad actors can exploit, enabling scammers to launch impersonation attacks where they pose either as bank employees targeting customers (outbound) or as customers targeting the bank (inbound).

As fraud attempts become more frequent, phishing and spoofing attacks aren’t just an IT issue; they’re a business risk that directly impacts the customer experience and brand reputation. Regional banks’ IT and security leaders must recognize voice fraud as a serious attack vector, one that demands the same level of protection as other core cybersecurity threats.

Evolving fraud tactics exploiting the voice channel

Without proper voice channel authentication measures, smaller and regional banks are unwittingly leaving attack surfaces open to fraud by bad actors. The stakes are high, as recent survey data finds that the voice channel remains core to bank customer engagement: 64% of consumers prefer to engage with their financial services provider via a phone call over any other method (text messaging, apps, website).

As threat actors evolve their strategies, three emerging scam tactics have grown: impersonation scams, multi-modal attacks, and inbound threats to regional banks’ customer service lines.

Call Spoofing and Impersonation Scams: Call spoofing occurs when bad actors hijack financial services firms’ telephone numbers to impersonate the business and target bank customers. By “spoofing” the phone number or name of a trusted bank in the Caller ID display, victims may answer and divulge personal information. These scams are highly successful: consumers lost $2.95 billion to these impersonation scams in 2024 alone, according to the FTC.

Multi-modal attacks: Fraudsters rarely rely on a single point of entry. Recently, bad actors have launched coordinated, multi-modal attacks where scammers first initiate contact via SMS before following up with a phone call. These attacks add an extra layer of realism while also inducing further confusion and panic amongst the bad actors’ targets. For financial firms, multi-modal attacks exploit gaps in communication channels, making it harder to detect fraud in real time.

Inbound communication threats: Scammers aren’t solely targeting bank customers. They are increasingly exploiting vulnerabilities embedded within financial institutions’ customer support lines, posing as legitimate customers to take over accounts, extract customer information and steal funds from the enterprise. With generative AI at their fingertips, bad actors can create more realistic impersonation scams, making it difficult for their targets to discern a legitimate call from a fraudulent synthetic one. Regional banks must be sure to secure outbound and inbound communications from fraudsters.

AI deepfakes pose unique challenges for regional banks 

Seventy-two percent of consumers refuse to answer calls from unknown numbers. The hesitation to answer the phone undermines banks’ ability to meet customers’ preferences and inhibits the financial services firms’ ability to engage customers on time-sensitive issues such as fraud alerts, transaction verification or account support.

Without confidence in a caller’s identity, secure and productive customer engagement becomes nearly impossible. AI is tossing a lit match on this five-alarm fire.

Tech industry leaders recently drew attention to the looming AI fraud crisis, which served as a wake-up call to banks and other financial services businesses that are increasingly using or considering digital voice ID to authenticate customers. It’s an approach that could pave the way for fraudulent bank account transfers and significant losses.

Bank customers are aware of the AI threat: 63% of consumers have received or know someone who has received an AI-generated deepfake robocall. Financial institutions seeking to protect customers – and their own brand – from AI fraudsters must extend beyond popular but vulnerable voice ID authentication to a three-layered call authentication strategy that includes voice firewalls, telephone number reputation scoring and the detection of synthetic and cloned voices using AI voice biometrics.

Securing the voice channel: A strategic investment 

While securing voice communications may not typically be at the top of smaller and regional banks’ security checklists, robocall bad actors have forced their hand.

For banks looking to strengthen the voice channel, there are several key components that smaller and regional financial firms should look for in solutions to secure voice communications.

Don’t overlook the voice channel as an attack surface: While security leaders for smaller and regional financial firms have made investments to secure traditional channels prone to cyber-attacks, the voice channel has often been overlooked. As bank security leaders put together holistic cybersecurity plans, securing the voice channel is imperative.

Provide greater transparency of who’s calling: By including more call information on verified calls from the enterprise – the institution’s name and logo – directly on the recipient’s phone screen, customers are more likely to answer and engage with the call and the legitimate financial institution.

Incorporate real-time fraud detection and call blocking in your defenses: There’s zero room for error when it comes to threat calls reaching customers. Eliminating the risk of brand impersonation and call spoofing through automated call blocking is critical.

Don’t forget to protect against inbound risks: It is crucial to identify solutions with a dual-pronged approach that not only hardens outbound communications but also secures a bank’s customer service line and eliminates inbound threats to it.

As scammers’ attacks grow more sophisticated, they are having greater success in hijacking financial services firms’ voice channels. For smaller and regional banks, the fallout from these fraud attacks is too significant to ignore. By taking proactive steps to address emerging fraud threats, smaller and regional banks can restore trust in the voice channel and foster stronger relationships with their customer base.

Maurie Munro is Vice President of Enterprise Sales at TNS.
