On one hand, call centers operate as the backbone for a business' support. Despite the growing trends in contact centers (shaped by the idea of an omnichannel experience), call centers still handle the bulk of contact requests. Combine a popular channel that focuses on both quantity with quality, a lack of security built in, and the standard of agent training, and call centers by nature almost offer a recipe for abuse.
What Is Call Center Fraud?
Many might think at first that call center fraud encompasses the dreaded robocalls that keep plaguing the U.S. -- but it's quite the opposite, actually. Loosely defined by Pindrop, call center fraud is essentially "any interaction between a criminal and a call center agent." Now, that seems too loosely defined, until we dive a little bit deeper. But, right off the bat, we can see how massive of a problem this really is.
Call center fraud generally does not involve a criminal placing fraudulent orders with a stolen credit card -- that actually only covers a small fraction of fraudulent calls. In reality, the majority of fraudulent calls are much less obvious unless your business knows what to look out for. Generally, fraudulent callers will place an average of five or so calls before they even attempt to complete a fraudulent transaction.
Throughout this period of multiple calls, the "fraudsters" will simply attempt to gain more and more control over their victim's account by changing passwords, mailing addresses, email or phone numbers associated with the account. After enough time and control, the fraudulent caller can then freely place as many transactions or charges to the account as they wish without raising too much suspicion. To unwary eyes, this might just look like a customer moved or changed information over time.
Now, you might be thinking, "My business has a system in place to flag these activities!" Too many actions in a short period of time places a warning on an account. Well, fraudsters know about this and will abuse the system to their advantage; they will simply call in an effort to influence agents to remove this flag, using emotion as their weapon. And, as it turns out, call centers are a lot easier to manipulate than you might think.
It’s a Bigger Problem Than We Think
If there is one major statistic or piece of information uncovered in Pindrop's call center fraud report, it's mainly the fact that the fraud is only getting worse. Now, I think it's worth noting that this report did in fact focus itself on the United Kingdom specifically -- but these results are indicative of a major issue -- one that spreads around the world.
The U.S. is no stranger to its own share of call center fraud. In fact, the report even highlighted that the U.S. receives an influx of fraud calls -- 83% of which don't even originate from inside the nation. This is actually in part because of VoIP services specifically, but we'll touch on that later.
The main focus point here is that call center fraud is going up, not down. That fact is illustrated by these key pieces of information:
- A year-over-year increase of 113% in fraud calls was seen from 2015 to 2016
- In 2015, call centers received 1 fraud call for every 2000 legitimate calls. In 2016, that number shrunk to 1 fraud call for every 937 calls in 2016
- Call center losses actually managed to flatten, yet it is estimated that each fraudulent call still costs a call center $0.58 of revenue lost, per call for both years
- A call center is simply the "softest" target for fraud in almost every business. The nature of call centers can work to the benefit of fraudulent callers
The evidence is there: call center fraud is a growing issue. But what makes call centers so susceptible, and how can your call center take action to prevent so much fraud from slipping through the cracks? Well, first we need to understand why call centers are so susceptible to fraudulent calls. If you've ever heard the term "social engineering" before, then you already have a bit of an idea of what's going on.
What Makes Call Centers So Vulnerable?
Basically, the combination of free and easily accessible tools help trick otherwise ill-prepared agents and call center solutions. Fraudulent callers can use different tools or techniques to simply break through any of the relatively simply barriers that call centers have in place.
The vulnerabilities of a call center come from the nature of how and why call centers operate as well as a number of different outside factors. On top of Pindrop's report, Gartner had also released an updated 2017 report on contact center fraud that confirmed, supported, and expanded on Pindrop's findings.
According to Pindrop, call center's inherit weaknesses can be broken down into four categories:
Fraudulent callers can utilize numerous technologies to spoof their caller ID numbers, and the rising use and availability of free VoIP apps have allowed callers to mask their true location and identity. With solutions like Google Voice, anyone can register a number from anywhere in the country. At this point, that phone number is now no more reliable than an IP address. Beyond outside technology, fraudulent callers will also abuse the call center's technology, most notably IVR systems.
Fraud callers will abuse an IVR to reset a victim's PIN, or even find out more account information without having to speak to an agent. Building up a smart AI-powered IVR is necessary, but too much freedom weakens defenses. To make things even scarier, Gartner noted that software can be used to modify and change a caller's voice just in case voice biometrics are used to help identify callers.
Perhaps the weakest link inside your call center is also your strongest. Agents are trained to handle wild emotions from callers and a massive influx of calls on a daily basis. But overall, agent training focuses specifically on providing quality service. Agents are trained to respond to a caller's emotion to help deescalate the situation and leave everyone happy.
This, unfortunately, creates a large weakness for your call center. Fraudulent callers know this, and will use emotion against agents. But more importantly, agents simply are not trained to handle or detect fraud. And we cannot train all agents to interrogate all calls because that would simply diminish quality and quantity.
Along with the human aspect of call centers, the overall organization of how a center functions and how calls are handled allows for abuse. As mentioned previously, call centers are designed to handle as many calls as possible while still providing complete and total service. Agents are not trained to interrogate or act as a fraud defense -- they simple handle requests as they come in.
Agents are measured with how quickly and completely they solve an issue, which is counter-productive to the security sensitive concept of fraud detection. Overall, call center fraudsters will "socially engineer" agents and abuse the organization of a system to break through its weak defenses. The generic question-based authentication keys are no longer enough as it's incredibly easy for a fraudster to find out their victim's mother's maiden name, address, or phone number.
Different industries have worked hard to strengthen their online and digital channels: websites will require two-factor authentication with an email address or phone number; encryption is built in from the ground up; and a lot of security effort is placed on keeping these channels closed off and safe. This is great, except it has lead to making online fraud extremely difficult, which has pushed fraudsters to focus on a much easier, older channel -- phone support.
On top of this, card issuers in the United States have begun rolling out EMV cards with chip authentication, replacing standard PIN numbers and other authentication methods. Beyond these systemic factors, fraudsters will go out of their way to compile massive amounts of information on victims to have the perfect answer for every question an agent would throw at them.
How to Build Up Your Call Center Defenses
Thankfully, for those concerned about the thread of call center fraud, we have Gartner on our side to help guide us in the right direction. In their very detailed report, "Don't Let The Contact Center Be Your 'Achilles Heel' of Fraud Prevention," analysts Tricia Phillips and Jonathan Care highlighted a number of recommendations to help protect your business and strengthen your call center's fraud defenses.
Generally, the first step of any security measure is to identify the issue itself. But beyond simply knowing the problem exists, a few measures and protocols can go a long way. Add in some new technology to leverage big data and analytics, and your contact center can fight back with the same tools the fraudsters are using.
Overall, Gartner recommends some key points:
- Partner with both contact center leadership as well as third-party providers to help implement a fraud-prevention-based phone printing technology. Essentially, this technology provides an entirely new method for authenticating callers instead of the basic knowledge-based questions. This is actually where blockchain technology might come in, providing a totally new way to authenticate callers immediately without agents asking questions. As a dual-pronged solution, this tech helps weed out fraud and reduce call times for legitimate customers. Recognizing a caller based on their "phone's signature" could allow a center to divert the call to the best agent, whether that be a fraud specialist, or the last agent that caller worked with.
- Implement and leverage biometric voice recognition capabilities. Voice recognition technology will do just that -- recognize the voices of callers. Similar to phone printing technology, software will analyze callers voice and match it up to a known "voice," generally one recorded on previous phone calls or interactions. On the flip side, a business could keep a database of known fraud voiceprints, and identify when software is being used to change a voice.
- Remove and replace the traditional knowledge verification process. Don't just ask callers to identify themselves with their date of birth, mailing address or any other generic piece of information. Instead, replace these questions with those that relate specifically to the individual's business with your call center. Use information only the caller and agent would know. You want to rely on knowledge specific to the account that is unavailable outside the organization.
- Integrate call center systems and CRM solutions with powerful fraud analytics tools to "enable channel-specific and cross-channel consumer behavior analytics." This will allow your call center to detect high risk activity that would fall under a specific "threshold of suspicion." Flagged accounts can then be transferred to fraud experts within the call center.
- Designate specific fraud-trained individuals within your call center. These agents will take responsibility for high-risk calls, and can therefore be appropriately trained to handle these uniquely sensitive calls. As opposed to training all agents to attempt to identify fraud, muddying the experience for legitimate callers and impacting productivity, dedicating a specific task force to the problem is the best way to handle the sensitive nature of these calls.
Build The Proper Defense For The Job
Not to echo the campy G.I. Joe PSA's of the 80's, but knowledge is half the battle. Simply learning about call center fraud can help a business implement a few minor changes to their policies, and inform agents to stay more alert. Understanding and acknowledging the issue then allows your business to handle it properly.
But, combine these simple protocols with some of the more intense technology listed above, like fraud analytics and voice biometrics, and your business can build up a proper defense to fraud. Just as digital and web channels have become more effort than it's worth, the call center needs to follow suit. Now, the human nature of call centers might mean they are impossible to secure 100%, but that doesn't mean we can't stop he majority of fraud in its tracks.
While fraud has been increasing, Pindrop also reported that fraud quality has been declining -- more copycats and amateurs are trying, and failing to social engineer agents. With the proper planning, protocols, and understanding of the issue, call center fraud can easily be defeated.