Stop fraudsters from climbing your phone tree

Authenticating callers before they hear “hello” can halt scammers snooping into a bank or credit union’s interactive voice-response system.

Fraudsters’ increasingly sophisticated tactics compel enterprise contact centers to invest in fraud-prevention solutions that assess risk before callers engage with human agents. The resulting risk assessment ideally improves contact centers’ security posture and ability to treat each caller according to that individual’s trustworthiness.

This would be a change from most fraud-prevention solutions, which require some degree of engagement with the caller to assess risk. The delay can result in millions of dollars in fraud and loss of customer lifetime value.

Callers may freely explore contact centers’ automated interactive voice-response (IVR) systems during their trust assessment, which can take up to 45 seconds. Over the course of thousands of calls, that IVR access substantially increases the risk of account takeover fraud.

“Fraudsters don’t mind calling repetitively until they are successful in impersonating a legitimate customer,” writes Aite Group senior analyst Shirley Inscoe. “The purpose of each call is to obtain an additional data element that can lead to success on the next attempt.”

Fraudsters have ready access to the tools and knowledge necessary to program a bot to navigate an IVR, either by touchtone or voice. The iOS and Android smartphone platforms allow users to “program” their phones to navigate the IVR tree behind a phone number. Automated services offer voice bots so convincing that they can deceive humans. The prerequisite mapping of an IVR tree, even manually, is unlikely to raise suspicions.

Enterprise contact centers incur undue risk by granting IVR access to non-authenticated callers. Fraud losses can quickly reach millions of dollars. A report by Aite Group found that at least 40 percent of victims of financial account takeover move one or more accounts to another financial institution.

At the heart of these issues is post-answer authentication, which significantly increases the risk of fraud. “The engagement models of service have changed,” states a report from Javelin Strategy & Research, “yet security in contact centers is, for the most part, stuck in the 1990s.” This raises the question: How well prepared are inbound call centers to distinguish fraudsters from customers over the long term?

Authenticate inbound callers pre-answer

A trust assessment before the caller hears “hello” essentially eliminates the vulnerabilities described above. Unique physical devices—mobile phones and landlines—can help to significantly expedite this process for 70 to 75 percent of inbound call volume.

Confirming the calling phone’s authenticity and matching the calling number to the reference phone number on file allows the contact center to identify and deterministically authenticate callers—similar to the way credit cards facilitate cashless transactions. Deterministically authenticated callers may receive faster service and self-serve options, such as account transfers, contact information updates and password/PIN resets.

Callers should not receive a deterministic authentication token if they use a different type of calling device, such as a call-spoofing or call-virtualization service. Fraudsters rely on these services to evade conventional call-tracing measures.

To distinguish customers from possible fraud threats, other call signals, such as calling history, call routing and line type, inform a probabilistic pre-answer risk assessment. Insights from these assessments help to stratify non-authenticated callers into “trust levels” and refocus valuable fraud-fighting resources. Only risky callers receive stepped-up authentication or the full focus of the fraud department.

False positives approach zero because deterministically authenticated callers never enter a fraud review queue. The fraud department focuses its resources on the fewer remaining, potentially risky callers. The results of each non-authenticated caller’s probabilistic risk assessment may be analyzed in conjunction with other fraud signals to distinguish fraudsters from customers with even greater accuracy and speed.
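
The routing logic described above, sketched as an added example (not code from the article or from any vendor product): a deterministic check first, then a probabilistic score for everyone else. The field names, trust-level names, weights and thresholds are assumptions chosen for illustration; the article names the signals but not their values.

```python
from dataclasses import dataclass

# Constructed sample data: reference phone numbers on file, keyed by number.
NUMBER_ON_FILE = {"+15555550101": "cust-1001", "+15555550102": "cust-1002"}

# Assumed weights and cut-offs; the article names the signals, not their values.
LINE_TYPE_RISK = {"mobile": 0, "landline": 0, "voip": 25}
UNKNOWN_LINE_RISK = 30
STEP_UP_AT, FRAUD_REVIEW_AT = 30, 60


@dataclass
class CallSignals:
    calling_number: str
    device_verified: bool   # calling phone confirmed as a genuine physical device
    virtualized: bool       # spoofing or call-virtualization service detected
    line_type: str          # "mobile", "landline", "voip", ...
    routing_anomaly: bool   # call routing inconsistent with the calling number
    calls_last_24h: int     # calling history for this number


def risk_score(sig):
    """Probabilistic score (0-100) for callers who are not authenticated."""
    score = LINE_TYPE_RISK.get(sig.line_type, UNKNOWN_LINE_RISK)
    score += 40 if sig.virtualized else 0
    score += 20 if sig.routing_anomaly else 0
    # Repeated calls suggest probing for one more data element per attempt.
    score += min(max(sig.calls_last_24h - 2, 0) * 10, 30)
    return min(score, 100)


def assess_pre_answer(sig):
    """Return (trust_level, score) before the call reaches the IVR."""
    customer = NUMBER_ON_FILE.get(sig.calling_number)
    # Deterministic path: genuine device AND number matches the one on file.
    # These callers skip scoring, so they never land in the fraud review queue.
    if customer and sig.device_verified and not sig.virtualized:
        return "authenticated", 0
    score = risk_score(sig)
    if score >= FRAUD_REVIEW_AT:
        return "fraud_review", score
    if score >= STEP_UP_AT:
        return "step_up", score
    return "standard", score
```

A spoofed call presenting a number that is on file fails the device check, so it falls through to scoring instead of receiving the authenticated treatment.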

Unlike a post-answer authentication approach, device-based authentication doesn’t require a past fraud incident before flagging a risky caller. Detecting and preventing “first-time attacks” reduces fraud loss, while also providing an important reference for other fraud tools.

A pre-answer trust assessment enables contact centers to mitigate risks with greater speed and security. Stratifying callers by trust level reduces false positives and shrinks the pool of callers that merit closer scrutiny. Shortening the trust assessment experience for trustworthy callers and offering more valuable self-serve options improves customer satisfaction.

Adam Russell is vice president, identity and risk solutions, at Neustar.
