Financial Institutions Face a New Contact Center Threat

By Mark Horne, Chief Marketing Officer, Pindrop

Contact centers are an essential channel for banks and customers to communicate, but every channel has security risks to accompany its benefits. Traditional contact center fraud security emphasized two major threats. First, there was the worry that rare unscrupulous contact center agents would abuse the knowledge they gained in the course of work for nefarious ends. Second, there was the danger that scammers could “socially engineer” and trick agents into disclosing information they should not. The first problem could be handled by appropriate interview screening and good on-site and remote protocols; the second problem was handled through training and education. Today, there’s a third vector for contact center fraud loss: IVR exploitation.

New Tech for a New Era

While the general public may imagine the typical contact center to be a vast cubicle farm, with customer service agents answering each and every query they receive, this vision is somewhat outdated. First, COVID has forced the vast majority of contact center agents into work-from-home setups; cubicles have been temporarily abandoned all over the country, and some firms may choose to retain remote working even after the pandemic subsides. Second, most institutions try to ensure that relatively few calls ever reach human operators. If you’ve placed a call to your bank, your health insurance provider, or even your pharmacy in the last decade, chances are you’ve encountered an Interactive Voice Response, or IVR, setup. An IVR can complete many basic functions without agent intervention; if a call must go to an agent, the IVR has usually gathered information, like customer name or customer account number, that will be provided to the agent to accelerate their work assisting the caller.

Now, it’s the rare and foolish financial institution that would leave sensitive transactions to an IVR — such high-value interactions would usually happen through a website, through a person-to-person call, over a mobile app, or even face-to-face at a teller’s window. It doesn’t follow, however, that an IVR is safe because it can’t be directly exploited. Bad actors will perform account reconnaissance (the most common type of IVR fraud) to slowly gather enough data that can be used to take over customer accounts, using phishing techniques, spoofed calls, and other methods. Furthermore, fraudsters scrape together information from social media, from already compromised accounts, from socially engineered and tricked agents, and from IVRs. In fact, recent research from Aite Group found that fraud often begins in the IVR and ends elsewhere.

Real Firms, Real Losses

The IVR threat to financial institutions and their clients isn’t theoretical. Aite Group discovered that 41% of financial institutions were aware of IVR fraud loss at their institutions. A further 33% didn’t know if they’d experienced IVR loss; it’s likely that some suffered losses that they were unable to identify. Just as disturbing, half of the institutions that identified IVR-originating fraud admitted that they were not, at present, monitoring their IVR installation. Because IVRs are automated and because the opportunities they offer criminals are poorly understood by some security professionals, there’s an unfortunate tendency to set up an IVR and assume that it can operate unsupervised. That’s an understandable mistake, but for businesses and customers alike, it’s a costly one.

If there’s insufficient IVR tracking and monitoring, recognizing the most sophisticated fraud becomes less likely. Thankfully, it appears that change is coming to financial institutions, with 62% reporting that they’ve either increased their security in the last few years or that they have plans to do so in the next 24 months. The experts are clear: Omnichannel fraud demands omnichannel security.

How the Technology Works

Incompetent scammers are relatively easy for trained contact center agents to unmask in a conversation. But how does an automated IVR monitoring system fare? It analyzes phone carrier metadata, recognizes unlikely call patterns (like multiple calls from the same number at odd hours), and confirms that caller IDs have not been spoofed. Because IVR and contact center attacks aren’t scammers’ endgame — these attacks are primarily focused on data mining and data gathering — new machine learning tools can warn institutions that a fraud attempt may be in progress. IVR monitoring can identify the accounts that fraudsters are slowly and methodically attempting to crack. All of this happens in the background, so there’s no deterioration of the caller experience, and would-be fraudsters won’t realize that the system has flagged and identified them.

Looking to the Future

Criminals are good at adjusting to changing circumstances: consumers have already reported nine figures’ worth of COVID fraud losses. Institutions must be just as attentive and equally adaptable. When the coronavirus recedes and offices fill back up, scammers will change their strategies again, but they won’t give up and they won’t disappear. As IVR and other automated systems grow ever more essential to financial institutions’ functioning, there will be fewer and fewer justifications for leaving these tools unattended. Fraud hurts your customers, hurts your reputation, and hurts your bottom line. Your institution should invest in today’s tools to stop tomorrow’s fraud.