AMERICAS BUSINESS
Financial Institutions Face a New Contact Center Threat
Contact centers are an essential channel for banks and customers to communicate, but every channel has security risks to accompany its benefits. Traditional contact center fraud security emphasized two major threats. First, there was the worry that rare unscrupulous contact center agents would abuse the knowledge they gained in the course of work for nefarious ends. Second, there was the danger that scammers could “socially engineer 1” and trick agents into disclosing information they should not. The first problem could be handled by appropriate interview screening and good on-site and remote protocols; the second problem was handled through training and education. Today, there’s a third vector for contact center fraud loss: IVR exploitation. New Tech for a New Era While the general public may imagine the typical contact center to be a vast cubicle farm, with customer service agents answering each and every query they receive, this vision is somewhat outdated. First, COVID has forced the vast majority of contact center agents into work-from-home setups; cubicles have been temporarily abandoned all over the country, and some firms may choose to retain remote working even after the pandemic subsides. Second, most institutions try to ensure that
32 | Issue 22
relatively few calls ever reach human operators. If you’ve placed a call to your bank, your health insurance provider, or even your pharmacy in the last decade, chances are you’ve encountered an Interactive Voice Response, or IVR, setup. An IVR can complete many basic functions without agent intervention; if a call must go to an agent, the IVR has usually gathered information, like customer name or customer account number, that will be provided to the agent to accelerate their work assisting the caller. Now, it’s the rare and foolish financial institution that would leave sensitive transactions to an IVR — such highvalue interactions would usually happen through a website, through a personto-person call, over a mobile app, or even face-to-face at a teller’s window. It doesn’t follow, however, that an IVR is safe because it can’t be directly exploited. Bad actors will perform account reconnaissance (the most common type of IVR fraud) to slowly gather enough data that can be used to take over customer accounts, using phishing techniques, spoofed calls, and other methods. Furthermore, fraudsters scrape together information from social media, from already compromised accounts, from socially engineered and tricked agents, and from IVRs. In fact, recent research 2 from Aite Group found that fraud often begins in the IVR and ends elsewhere.
Real Firms, Real Losses The IVR threat to financial institutions and their clients isn’t theoretical. Aite Group discovered that 41% of financial institutions were aware of IVR fraud loss at their institutions. A further 33% didn’t know if they’d experienced IVR loss; it’s likely that some suffered losses that they were unable to identify. Just as disturbing, half of the institutions that identified IVR-originating fraud admitted that they were not, at present, monitoring their IVR installation. Because IVRs are automated and because the opportunities they offer criminals are poorly understood by some security professionals, there’s an unfortunate tendency to set up an IVR and assume that it can operate unsupervised. That’s an understandable mistake, but for businesses and customers alike, it’s a costly one. If there’s insufficient IVR tracking and monitoring, recognizing the most sophisticated fraud becomes less likely. Thankfully, it appears that change is coming to financial institutions, with 62% reporting that they’ve either increased their security in the last few years or that they have plans to do so in the next 24 months. The experts are clear: Omnichannel fraud demands omnichannel security.
