Fraudsters with their eyes on the prize of customers’ bank, credit card and other financial or monetary accounts are increasingly taking advantage of poor or inconsistent protection in contact center systems because it’s easier than penetrating tight security on networks, apps and mobile devices. By using the interactive voice response (IVR) system for data gathering, or by sweet-talking an agent into a lapse, the criminal may snag details needed to access and drain the account. That’s why contact centers need a holistic, multi-layered approach for authentication, fraud prevention, detection and remediation. Benjamin Franklin would agree – here's why...
In a previous blog post, “In the Contact Center, Old Fraud Channels Have Become New Again,” we talked about the growing preference of fraudsters for leveraging contact center phone systems, particularly IVR solutions, instead of other channels. New security advancements, such as chip technology in credit cards, have prompted fraudsters to get back to basics with the old-fashioned phone channel. One phone fraud tactic gathering steam is spoofing, a practice in which a fraudster’s phone line presents a victim’s phone number, generally to commit crimes through automated customer service systems.
These criminals use various strategies to obtain critical missing pieces of data – such as PINs – needed to verify and access accounts in the IVR.
- They may use IVRs for surveillance in preparation for phishing attacks on live agents or to gather data to sell on the black market.
- They may call an IVR using stolen credentials in the hope of finding a breach.
- Or, they may conduct thousands or millions of robo-calls in an attempt to correctly guess the four-digit PIN, or the right combination of credentials, to unlock an account.
Why Contact Center IVR Systems are so Vulnerable
One reason why IVR systems in contact centers present greater risk is higher call volumes. As organizations try to control costs by encouraging automated self-service through the IVR vs. using expensive live agents, IVR usage has increased. Customers also like the convenience and control of self-service.
Another reason is that the IVR can be a great test bed for trying out stolen credentials without alerting a human. Some IVRs may not be equipped to flag multiple sessions, excessively long calls and other unusual behaviors.
To that point, complacency is still another reason why IVRs are fertile ground for fraud. Organizations may take them for granted, unaware of all the illicit activity going on behind the scenes. They may fail to update or replace older IVR technology to match new threats.
Multi-Layered Approach is the Key
As Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure.” Now, that quote referred to being prepared to combat fires, but, as we see it, fraud prevention requires similar advance preparedness and readiness to stifle big and small disasters before someone gets burned.
That’s why pre-fraud monitoring and detection capabilities for an IVR system, to protect financial and monetary accounts and the customer identities tied to them, are so critical.
High-risk and suspicious call activity needs to be identified and stopped as early in the cycle as possible in an efficient, cost-effective manner that the criminal can’t detect and that legitimate customers can depend on without impact on their interactions.
The following Adaptive Fraud Prevention technologies contribute to a holistic system for IVRs:
- Multi-factor authentication to validate legitimate callers
- Automatic Number Identification (ANI) analysis
- Risk analysis and scoring of caller information, behaviors and actions
- Detection and tailoring of appropriate responses to suspicious activity or high-risk calls using real-time analytics in the IVR platform
- Automated, dynamic knowledge-based authentication (KBA) in which responses are verified in real time in the IVR to instantly authenticate the caller
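As an added illustration (not code from this post or from any vendor's product), the sketch below scores IVR sessions using the behaviors named above: one ANI probing many accounts, PIN failures accumulated on one account across sessions and callers, and excessively long calls. The record layout, thresholds, weights and sample sessions are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample IVR session records (not real data):
# (session_id, ani, account_id, failed_pin_attempts, duration_seconds)
SESSIONS = [
    ("s1", "555-0100", "acct-A", 0, 95),
    ("s2", "555-0100", "acct-A", 1, 120),
    ("s3", "555-0199", "acct-B", 3, 60),    # one ANI walking through accounts
    ("s4", "555-0199", "acct-C", 3, 58),
    ("s5", "555-0199", "acct-D", 3, 61),
    ("s6", "555-0199", "acct-E", 2, 1900),  # and one very long call
    ("s7", "555-0142", "acct-F", 3, 70),    # one account guessed from several ANIs
    ("s8", "555-0143", "acct-F", 3, 72),
    ("s9", "555-0144", "acct-F", 3, 69),
]

# Assumed thresholds and weights; tune against your own call data.
MAX_ACCOUNTS_PER_ANI = 2
MAX_FAILS_PER_ACCOUNT = 5
MAX_DURATION_S = 900
WEIGHTS = {"ani_many_accounts": 50, "account_pin_guessing": 50, "long_call": 20}
ESCALATE_AT = 50

def score_sessions(sessions):
    """Return {session_id: (score, reasons)} using cross-session aggregates."""
    accounts_by_ani = defaultdict(set)
    fails_by_account = defaultdict(int)
    for _, ani, acct, fails, _ in sessions:
        accounts_by_ani[ani].add(acct)
        fails_by_account[acct] += fails
    results = {}
    for sid, ani, acct, _, duration in sessions:
        reasons = []
        if len(accounts_by_ani[ani]) > MAX_ACCOUNTS_PER_ANI:
            reasons.append("ani_many_accounts")
        # A per-call retry limit never trips when guesses are spread over calls,
        # so failures are summed per account across all sessions and ANIs.
        if fails_by_account[acct] > MAX_FAILS_PER_ACCOUNT:
            reasons.append("account_pin_guessing")
        if duration > MAX_DURATION_S:
            reasons.append("long_call")
        results[sid] = (sum(WEIGHTS[r] for r in reasons), reasons)
    return results

def high_risk(sessions):
    """Session ids whose score meets the escalation threshold."""
    scored = score_sessions(sessions)
    return sorted(sid for sid, (score, _) in scored.items() if score >= ESCALATE_AT)

if __name__ == "__main__":
    print(high_risk(SESSIONS))
```

Sessions s7 to s9 each stay within a three-try limit, yet the account-level total flags them; that is the case a per-call check alone would miss.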
5 Fraud Prevention Steps You Should Take Now
- Elevate the discussion of contact center authentication to include fraud prevention measures.
- Bring together stakeholders from fraud, risk and compliance, contact center, and CX teams to validate the value of improving fraud measures in the IVR.
- Determine how much you know about what happens in the IVR, and what happens that your agents control. What’s missing?
- Identify where you see the biggest losses from customer accounts. Are any areas trending toward the call center?
- Set a meeting with Contact Solutions to review how automated authentication and fraud prevention combined can improve your risk management KPIs.