Contact centers are only effective if they deliver a satisfying customer experience, which is why organizations continually invest in technologies that can improve operations. Increasingly, this involves creating an “omnichannel” platform that allows customers to make contact by phone, web, email, text and other communication channels.
When it comes right down to it, however, most customers will judge their experience based on their interaction with an anonymous human. Voice remains the most popular channel for customer interaction, which is why contact center agents are trained to be professional, courteous and helpful.
Unfortunately, these very qualities are increasingly making agents the target of contact center fraud attempts.
There has been a sharp rise in cases of contact center fraud in which attackers use social engineering to steal data and turn profits, according to recent studies. In its 2017 Call Center Fraud Report, Pindrop finds a 113 percent year-over-year increase in call center fraud, and a separate study by Aite Group forecasts that losses from a type of financial identity theft called “account takeover fraud” will double over the next three years.
Many analysts believe the increase is at least partly the result of the conversion of point-of-sale payment systems to EMV chip readers, which are more difficult to compromise. As a result, cybercriminals and fraudsters may have shifted their focus to card-not-present (CNP) transactions, such as those that take place over the phone in call centers.
From a technical perspective, fraudsters use caller ID spoofing in conjunction with applications such as Skype or Google Voice to hide their identity and location. Caller ID spoofing isn’t illegal if there’s no intent to defraud, so there are a number of spoofing providers that allow a user to falsify the number sent to caller ID displays. Naturally, crooks are not shy about using this technique for criminal purposes.
Once they connect with a contact center agent, fraudsters rely on social engineering tricks to get account information — a practice known as “vishing” or “voice phishing.” They prey on the fact that agents are often dealing with high call volumes and are under pressure to resolve issues quickly while maintaining a pleasant and helpful attitude.
For years, contact centers have practiced “knowledge-based authentication” (KBA) to confirm customer identities by asking the customer to answer a security question. This method is becoming increasingly unreliable, however. The bad guys have gotten pretty good at scouring social media platforms to come up with the likely answers to the usual KBA questions such as “your mother’s maiden name,” “your pet’s name,” or “the street where you grew up.”
Organizations should keep an eye out for two protocols designed to limit spoofing. STIR (Secure Telephony Identity Revisited) and SHAKEN (Secure Handling of Asserted information using toKENs) have been designed under the auspices of the FCC, and some carriers are expected to begin using them by midyear. These protocols will allow subscribers to verify incoming calls based on a digital signature that belongs only to the legitimate owner of a number.
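As an added illustration (not from the original article or any vendor), the Python below shows the claim checks a receiving system can run on the signed token that STIR/SHAKEN attaches to a call, the PASSporT of RFC 8225 and RFC 8588, before trusting the displayed caller ID. The function names, the 60-second freshness window, the policy of accepting only attestation "A" and the sample token are assumptions constructed for this example; verifying the ES256 signature against the certificate named in `x5u` is a separate step not covered here.

```python
import base64
import json

# Constructed sample values (fictional 555 numbers, placeholder URL and origid).
SAMPLE_HEADER = {"alg": "ES256", "typ": "passport", "ppt": "shaken",
                 "x5u": "https://cert.example.org/shaken.pem"}
SAMPLE_CLAIMS = {"attest": "A", "dest": {"tn": ["12025550199"]},
                 "iat": 1700000000, "orig": {"tn": "12025550123"},
                 "origid": "00000000-0000-4000-8000-000000000000"}

def _b64url(segment):
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _digits(number):
    """Strip formatting so '+1 (202) 555-0123' compares equal to '12025550123'."""
    return "".join(ch for ch in str(number) if ch.isdigit())

def make_sample(header, claims):
    """Build a constructed token; the third segment is a dummy, not a real signature."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc(claims), "c2ln"])

def check_passport_claims(token, displayed_caller_id, now, max_age=60):
    """Return a list of problems; an empty list means the claims are consistent
    and the token can go on to ES256 signature verification."""
    try:
        head_seg, claim_seg, _sig = token.split(".")
        header, claims = json.loads(_b64url(head_seg)), json.loads(_b64url(claim_seg))
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("segments must be JSON objects")
        orig_tn, issued_at = claims["orig"]["tn"], int(claims["iat"])
    except (ValueError, KeyError, TypeError):
        return ["malformed PASSporT"]
    problems = []
    if header.get("alg") != "ES256" or header.get("ppt") != "shaken":
        problems.append("unexpected alg or ppt")
    if not header.get("x5u"):
        problems.append("missing x5u certificate URL")
    if claims.get("attest") != "A":  # assumed local policy: only full attestation
        problems.append("attestation below A")
    if _digits(orig_tn) != _digits(displayed_caller_id):
        problems.append("orig.tn differs from displayed caller ID")
    if abs(now - issued_at) > max_age:  # assumed 60 s window against replay
        problems.append("iat outside freshness window")
    return problems

if __name__ == "__main__":
    token = make_sample(SAMPLE_HEADER, SAMPLE_CLAIMS)
    print(check_passport_claims(token, "+1 (202) 555-0123", now=1700000005))
    print(check_passport_claims(token, "+1 (202) 555-0100", now=1700003600))
```

A call whose token yields a non-empty list is a candidate for step-up verification rather than for outright rejection, since many legitimate calls still arrive unsigned or with lower attestation.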
Additionally, call authentication solutions are becoming more sophisticated. Some use voice recognition technologies, while others validate the signal data from incoming calls against expected patterns to identify trusted callers.
In the current climate, traditional KBA practices provide limited defense against contact center fraud. What’s more, the customer experience suffers when customers must answer multiple personal questions before they can begin to address the reason they called. Give us a call to discuss ways to mitigate phone fraud without disrupting the customer experience.