Cybercrime statistics are shocking.
In the twelve months to September 2017, there were 4.7 million incidents of fraud and computer misuse (Crime Survey for England and Wales). Norton estimates that in the UK, 17m people were targeted by phishing, online fraud, ransomware and hacking, with hackers netting £4.6bn from British internet users.
Contact centres frequently play a role in instances of fraud, either as the arena in which the crime is perpetrated, or as an additional source of customer data. It’s not surprising that contact centres are appealing to criminal gangs; you can sweet-talk or pressure an agent with techniques that would have no effect on digital security controls.
Scammers have been found to use a wide variety of tricks to bypass contact centre security. If you require customers to verify their identity with answers to questions, you could find that the scammer is armed with a cache of customer information (potentially scraped from their social media profiles). If they don’t have any information to exploit, scammers may attempt a form of coercion, perhaps by feigning stress or distraction in the hope the agent will prompt them or provide clues to the correct answers. Fraudsters may also try a more blunt approach and use aggression and anger to overpower an agent’s objections.
Contact centre agents have an obligation to provide a positive customer experience, which can leave them vulnerable to customers who manipulate them – or threaten to complain.
Those fraudsters who manage to bypass identification and verification (ID&V) procedures may then have access to valuable information – or the opportunity to make changes that facilitate further crimes. Simply changing the victim’s registered phone number could be enough to give the fraudster unfettered access to the victim’s account. And as we’ve seen with the recent spate of SIM-swapping scams, fraudsters can make thousands of pounds by changing the settings or parameters of a victim’s account.
So, what’s the answer? How can contact centres defend against the tidal wave of scams and hacks?
There is no easy answer to this question. Nor is there a complete solution, because any solution that works today is not guaranteed to be safe tomorrow. Cyber criminals are as tireless as we are, so any security solution must be prepared to evolve.
PCI DSS compliance is crucial. Your company will always be faced with malicious actors – both inside and outside your company. PCI DSS compliance helps limit your exposure if breaches occur.
Employee training should be regularly renewed. Your agents really are on the front line. The best security in the world won’t help if your agents are leaving the back door open. Agents need to understand the risks, the methods scammers use, and how to deal with suspicious customers. Anti-fraud training must be updated regularly, both to include new threats and to keep the issue at the forefront of agents’ minds.
Biometric security is stronger than 2FA. Fraudsters can outfox 2FA. Speech recognition and voice biometrics are much harder to defraud.
Clearly, contact centres have a difficult balancing act to perform. On the one hand, we must provide a good experience, and make it easy for customers to contact us. On the other hand, we have a duty to protect our customers’ data, and resist the constant efforts to defraud the public.