
Caller Authentication: The Cybersecurity “Seat Belt”


Utilizing caller authentication with voice biometrics can protect customers.

When we train new agents in healthcare about caller authentication, we view it as a key to unlocking secure access to their medical records. Verifying callers and their identities ensures that only authorized individuals can access confidential medical information.

While sometimes I feel we overtrain, caller authentication has reduced the number of our agents’ Health Insurance Portability and Accountability Act (HIPAA) violations. Most critically, we have no doubt protected our customers from being victims of cybercrime.

Yes, call authentication requires customers and agents to take additional steps and time, and it can be annoying and frustrating, like when you forget passwords or answers to verification questions.

But think of it like seatbelts. Seatbelts may be uncomfortable, wrinkling our neatly pressed clothes and rubbing against our skin, but they can be the difference between life and death on the road. We never know when they’ll save us from becoming crash test dummies doing somersaults on the road.

Similarly, caller authentication is crucial in protecting all of us from becoming a statistic on next year’s Federal Trade Commission (FTC) Identity Theft report. Verifying callers can proactively reduce the risk of identity theft and other malicious activities. So don’t be a statistic: buckle up and verify callers!

As companies strengthen their website authentication protocols with security measures such as two-factor authentication, cyberattackers endlessly search for new ways to target their victims. By impersonating them through less secure channels, such as our call centers, attackers can gain access to their accounts, potentially exposing them to severe risks.

Guarding Against ATOs

Call centers are unfortunately vulnerable to account takeovers (ATOs), the most common type of cybercrime they face.

In an ATO scenario, the cybercriminal obtains their victim’s information and calls the call center, pretending to be their victim. They may use emotional manipulation or blackmail to pressure the agent to provide additional sensitive details or make changes to the account. Once the cybercriminal has control, they can cause considerable damage to their victim’s account.

ATO, misrepresentation, and ID fraud are not new. And the best defenses against them, or any fraud or other crimes, are vigilance and common sense. If something doesn’t look, sound, or smell right, it isn’t right.

Case in point: I received a call back in 2008 from someone claiming to be a case worker from the Indiana Department of Child Protective Services (DCS). They mentioned that they needed to get the child in to see a doctor because the parent physically abused the child. They provided the member’s Social Security Number (SSN) when I asked for the member’s Medicaid ID, case number, or SSN.

Then the caller verified the person’s full name, address, and phone number but, crucially, they could not provide me with the date of birth.

The caller seemed very upset when I explained that this is part of caller authentication to keep our member’s account safe. I empathized with the caller and let them know I wanted to help, but I could not provide any account-specific information without the proper verifications.

The caller even started to cry. So, I asked what information she needed, and she wanted the child’s Medicaid ID because the doctor needed the number.

Something was off when the caller asked for the child’s Medicaid ID. My suspicions were confirmed when I looked into the account and discovered that the SSN provided belonged to a 32-year-old adult.

I had to let the caller know I couldn’t give her that information. Still, I apologized and kindly informed her that I could provide general program information, such as names of doctors in the area or member benefit information.

I can’t recall us receiving any training on cybersecurity or reporting the attempt to the fraud department through an email.

We were simply trained on HIPAA, such as what information we had to obtain before speaking to someone about their account. If they couldn’t verify HIPAA, then we couldn’t release any information about their case.

Protecting Against Overzealousness

Our agents, like those in other contact centers, understandably take compliance with regulations to protect customers, like HIPAA, to heart. But sometimes too much so.

Just a few months ago, I was disappointed to hear that a call center agent refused to assist a caller, even though the assistance the caller needed did not require the agent to provide any details about the caller’s account.

The agent had to receive and send the information to the analyst, who would verify it before making the update. Unfortunately, this authentication process became a barrier to assisting the customer. As you can imagine, the caller asked to speak to a supervisor, the team lead, who mentioned the incident to me.

Both my colleague, David Sluss, and I had to go back to the drawing board to figure out how we could better emphasize that authentication is a necessary first step before you can read any information from our system’s screen.

However, no caller authentication is required if the agent takes information from the caller or provides general program information, which can be found on a public-facing website. By making this tweak to our training, agents are now asking callers how they can help and determining whether caller authentication is necessary.

As a customer, I feel that caller authentication can sometimes be overbearing. I recall calling an organization where I had to authenticate twice — once on their IVR system and then again with the agent.

Another time, I had a simple question — Did my order get shipped? — but the authentication process took over five minutes!

It started with basics like my full name, address, email address, date of birth, and phone number. It went overkill when the agent sent me two verification codes to my phone, which I had to provide to him before I could get a simple confirmation that my order had shipped. It was too much — I felt overly scrutinized to get a simple answer.

Enhancing the CX Through Improved Caller Authentication

How can we use technology to help our agents while adding extra protection to customers’ accounts without the intrusiveness that may come with caller authentication?

Let’s get fancy and simplify the authentication process with voice biometrics. When an agent asks the caller to verify their identity, they can use elements such as their full name and date of birth, but while that happens, the customer’s unique voice print is used to authenticate the call quickly and securely.

I understand that I sound like a commercial you would watch and then ignore, but I’m all in for something that strengthens the call authentication process while improving the customer experience (CX).

Voice biometrics, also known as voice authentication, aren’t something new. They live among us, hiding in plain sight – think Amazon’s Alexa and Apple’s Siri.

The technology analyzes and stores a person’s voice to create a voice print. This voice print is then compared to a pre-recorded version of the user’s voice to verify their identity. It is capable of recognizing a person’s voice even if their accent, regional variations, or other factors are different from the original voice print.

But let’s take things further by offering our agents a few tips that I’ve used to help my agents with call authentication:

  • “To ensure the security of your account, could you please provide me with your ID number or case number so I can easily access your account?”
  • “To verify that I have the correct account, please confirm your full name and date of birth (pause for the caller to respond).”
  • “Lastly, may I please have your full Social Security Number (thank the caller for authenticating)?”

If a caller goes too fast, say, “I’m sorry, I didn’t catch your ID number. Could you please provide it to me again?”

Just a friendly reminder: when having conversations over the phone or online, it’s essential to be mindful of your tone of voice since body language is not visible. Your words may not always convey your true meaning, so it’s vital to consider how you say them.

At the end of the day, caller authentication can feel uncomfortable. Yet it’s a necessary step to ensure our customers’ information remains secure and out of the hands of malicious actors. Ultimately, this is a small price for peace of mind with secure customer information.

How Does the Caller Feel?

It is important to understand how the caller feels, particularly when you ask them to verify their identity.

When I took inbound and outbound calls through an automated dialer, I noticed that customers were more hesitant to provide me with their details to authenticate the call when I was making outbound calls. Even though their caller ID showed our phone number, their “Spidey senses” seemed activated.

Take, for example, the case of one caller I asked to authenticate the call. She told me I should already have her account details pulled up since I called her. I explained that her number was placed in the system since she had to select a medical health plan and that I didn’t have her details.

She was still not convinced and decided to hang up with me, call the center back, and ask to speak with me. Once we were connected again, she was more comfortable providing me with her details to authenticate the call and help her with her plan selection.

I remember one of my colleagues who got annoyed with a caller she asked to authenticate the call, as the caller started to push back, asking her questions such as “why do you need the information?” or “can’t you look up my case with my name?”

The agent told the caller, “You called me and not the other way around. If you want me to help, you must help me first.” And yes, the caller wanted to speak to a supervisor instead of continuing the call with the agent.

Mark Pereira

Meet Mark Pereira, a passionate learning and development professional with a wealth of knowledge and experience. He is an experienced Trainer and On-Site Supervisor who has earned several certifications. These include the Certified Professional Trainer (C.P.T.), Certified Customer Service Professional (C.C.S.P.), and Modern Classroom Certified Trainer (M.C.C.T.). Combining his academic background in Commerce and Innovative Education and Teaching with practical experience, Mark is a valuable learning leader who boosts retention and productivity through proven teaching methods. He provides expert coaching to agents with empathy and skill and stays up-to-date with industry developments and advancements from his base in Indianapolis.
