You know how you hate to dial into a bank contact center and navigate all those artificial intelligence prompts before talking to a human?
Well, the bad guys know how much you hate it. Which is why they love it.
Using customer aversion to their advantage, cyber crooks pilfer billions from the often lightly defended contact centers, according to a security expert who specializes in contact center defense systems.
“While it’s impossible to understand how much money flows through these call centers, it’s estimated that fraud losses in 2017 will approach $14 billion,” says Shawn Hall, director of fraud prevention and strategy at Pindrop Labs, an Atlanta-based phone security firm combating the problem.
It’s a big problem on the rise—and exacerbated by the very nature of contact center design, says Hall.
Contact centers handle 36 billion interactions yearly and agents are measured on how quickly they can resolve each call, according to Pindrop’s recent study on call center fraud. Last year, the global rate in banking call centers jumped by more than 60 percent, says Hall, with one in every 867 calls being fraudulent. Overall, nearly two-thirds of all financial institution fraud, he notes, is traceable to the call centers.
“This means call centers even play a role in assisting fraud taking place on line,” says Hall. The reasons for contact center vulnerabilities, he and others say, are as simple as they are vexing.
“Contact centers are often forgotten in the fight against fraud,” said Tricia Phillips, a cybersecurity analyst with Gartner, a Connecticut-based cybersecurity firm.
“Research shows that by 2020, 75 percent of organizations will sustain a targeted, cross-channel fraud attack with the contact center as the primary point of compromise,” she said.
In March, Garnter released a study on call center fraud risk that found contact centers vulnerable because they are organizationally and architecturally separate from other financial institution acceptance channels, such as web self-service or mobile applications. As a result, they fall outside the fraud and loss prevention halo that shields digital channels.
What’s more, contact center systems are costly to upgrade because they're often stand-alone, with limited fraud prevention capabilities and hard-coded integrations to supporting systems. That limits the flow of new data elements or integrations to third-party fraud tools.
Doug Johnson, senior vice president for payments and cybersecurity policy at the American Bankers Association, acknowledges that financial institutions need to keep an eye on contact center fraud, even if he's less alarmed by the current state of affairs than others in the industry.
Says Johnson: “I would not classify it as a huge concern, but an ongoing concern. Anything that impacts the vulnerability of customers’ data is a concern to banks. If you don’t have the trust of the customer, you don’t have much.”
And to that end, consumers and bank leaders depend on the folks behind the phones.
“I do think employee education at call center needs to be area where banks are eternally vigilant,” Johnson contends. “We have a tendency to spend more time focusing on customer protections: making sure they have anti-viral software and aren’t tempted by phishing scams.
Meanwhile, the bad guys are also taking advantage of the pace of operations.
Call centers present “a unique challenge because of the human element,” said Chris Luttrell, Senior Vice President of Product, Client Solutions and Marketing at IDology, an Atlanta-based identity authentication service. “Agents are expected to deliver excellent customer service while also running defense on fraud. This means banks are only as strong as their weakest contact center agent.”
Luttrell points out that since call centers represent the weak link due to how banks set up and staff them, fraudsters exploit them, compelled by several factors.
One is the move banks made when they placed EVM chips into debit cards. While that boosted security at point-of-sale locations, more $4 billion in counterfeit card fraud now needs to find a new home, she says. Aite Group reports that U.S. account takeover losses enabled by contact centers will increase 97 percent between 2015 and 2020.
The availability of personal information also sets up contact centers as a prime target, Luttrell adds.
Data breaches have created a large pool of information for criminals to use, taking data such as drivers’ license and account numbers, Luttrell says. Crooks then fill in the gaps with information from social media and other sources. With this data in hand, fraudsters wield use social engineering to deceive contact center agents with limited identity verification tools at their disposal.
In addition, fraudsters persist. And persist. And persist.
They often call several times, changing their answers and gathering bits of information from unsuspecting agents along the way, each time adding another layer of complexity to their ruse, says Luttrell.
Call spoofing is also used frequently by fraudsters. With Voice over IP (VoIP) technology, criminals from anywhere in the world can easily hide their identity, falsify the number they’re calling from and pretend to be someone else. This is common among some scammers, for example, who impersonate angry IRS auditors collecting “tax penalties.”
Such tactics make it much harder to verify the identity of a caller, who may be a criminal armed with answers to routine security questions.
For banks, protecting contact centers poses a balancing act between protecting legitimate customer accounts and ensuring that customers have a positive experience. (Overzealous red flagging of an account, for example, can aggravate and humiliate customers trying to check out at a grocery store while a long line waits behind them—and present still another security-related challenge for call centers to handle.)
Experts recommend taking several steps to ensure the balance holds.
Technologies and techniques to detect and prevent contact center fraud have matured. And that justifies investment and integration for most organizations that have the need to mitigate call center fraud, according to the Gartner study.
These strategies and tools can also support faster and more-seamless authentication and servicing of low-risk callers—driving loyalty and reducing support costs while cutting through sophisticated fraud attacks in a multifaceted way:
- Implement “phoneprinting” technology. This Pindrop-patented process analyzes phone calls to identify malicious behavior and verify legitimate callers.
- Use biometric voice recognition to identify known fraudulent voices and repeat callers who display high-risk behaviors.
- Send all account activity to a central fraud analytics tool to enable cross-channel consumer behavior analytics and anomaly detection.
- Let your customer service agents wait on your customers without asking them to detect fraud. Leave that to fraud analysts, who can take calls that fraud technologies and analytics tag as high risk.
With such measures in place, you can guess how much the bad guys will hate it. Which is why your secure customers will love it.
Want more Banking Strategies? Sign up for our free newsletter!
Howard Altman covers the military and national security for the Tampa Bay Times.