While widespread adoption of EMV chips on credit and debit cards has boosted transaction security in retail POS locations, billions of dollars in counterfeit card fraud is being redirected to vulnerable channels, methods and targets. This makes contact centers an ideal target, particularly for account takeover (ATO).
According to IDology’s “Fifth Annual Fraud Report,” the prevalence of account takeover in 2017 increased by 11% over the previous year, with almost half of organizations (49%) reporting it as a pervasive issue. Similarly, two-thirds of respondents reported that fraud attempts at their organizations have increased—a 58% increase over 2016. In fact, account takeover fraud has become so common through the contact center that analyst firm Aite Group suggested it be renamed the “cross-channel-fraud-enablement channel.” The firm also reports that U.S. account takeovers losses enabled by contact centers will increase 97% between 2015 and 2020 (“Contact Centers: The Fraud Enablement Channel,” 2016, Aite Group).
Also evolving are the techniques criminals use to execute fraud through the contact center. At the top of this list is social engineering, which 69% of survey respondents say is the most prevalent, followed by automatic number identification (ANI), such as spoofing with burner phones and voice deception (IDology report).
The human interaction element of contact centers makes them especially enticing for fraudsters who are highly skilled in social engineering by conning agents into sharing information. Fraudsters, by their nature, are professional social engineers. They thrive at manipulating people and processes to do or say things for criminal gain. Customer service representatives (CSRs) are vulnerable targets as their main goal is to help customers solve problems. Once a fraudster obtains this personal information, it can be used to take over or open an account fraudulently. By using social engineering techniques, fraudsters can build on their recon intel, making their arsenal of information bigger and stronger.
In addition, recent high-profile breaches have given fraudsters an immense amount of data to work with. Criminals are taking data such as drivers’ license numbers and account numbers, and filling in the gaps with information from social media and other sources. With this data in hand, it’s become easier for fraudsters to impersonate customers and use social engineering to deceive contact center agents who have limited identity verification tools at their disposal.
Determination: Fraudsters Are Persistent
Fraudsters looking to bypass security measures or trick CSRs into divulging information or granting access to legitimate accounts don’t give up with one call. Often, they place multiple calls, and may do so in an automated fashion using bot technology, gathering bits of information from unsuspecting agents and adjusting their strategy along the way.
Fraudsters also have stepped up their methods by using multiple channels to coordinate and commit fraud. They’ll use one touchpoint, online banking for example, to facilitate fraud in another channel, such as a contact center.
Protecting Against Social Engineering While Reducing Customer Friction
With contact center fraud and the use of social engineering on the rise, a combination of proactive education and technology can protect your contact center and allow agents to do their jobs with ease and focus on providing legitimate customers with the best experience possible.
The following are 5 steps to protect your contact center.
1. Verify numbers before callers get to agents.
Fraudsters can steal from your company before they even speak with an agent. Automated systems or IVR (interactive voice response) systems often offer account activities that allow a fraudster to make substantial inroads to account takeover. Exposure to fraudulent, spoofed calls can be avoided with an identity verification solution that can verify the phone number on an IVR is in session with your contact center. This helps greenlight legitimate calls and creates a more productive customer experience with less friction.
2. Use the most effective authentication methods correctly.
Most contact centers use knowledge-based authentication (KBA) to verify that a caller is legitimate. This authentication should go beyond a simple, “What is your user name and password on the account?” Flexible KBA that isn’t purely credit-driven and pulls from a broad spectrum of data can help you avoid the potential for social engineering. Specifically, KBA questions derived from customer data instead of external data sources will result in faster verification and a better customer experience. The last thing you want to do is punish legitimate customers with endless questions.
3. Utilize a layered identity verification solution.
If a call appears to be spoofed or KBA questions aren’t answered accurately, it’s important that agents have options for escalating to another form of verification when the time is right. A layered identity verification solution can incorporate upfront call verification with varied escalation methods depending on the level of risk.
4. Stay on top of the latest fraud techniques.
Agents on the front lines of service can be vitally important in preventing fraud. All employees should be aware of social engineering and the latest techniques used by fraudsters. Educate employees and encourage them to be on the lookout for suspicious callers.
5. Put the proper protocols in place.
Unclear or weak protocols are difficult to follow, especially under pressure from a fraudulent caller.
Identity verification isn’t only about protecting your business from fraud and preventing loss, it’s about increasing contact center efficiency, building trust and showing customers that you value and care about their personal information. A proactive approach to preventing social engineering attacks will improve customer satisfaction, reduce call times, increase productivity and reduce risk.