Fraudsters are targeting call centers at an unprecedented clip, with one in every 937 calls being fraudulent, according to new data published today in the Pindrop 2017 Call Center Fraud Report.
The data, compiled from Pindrop® Labs enterprise customers around the world, shows that the rate of fraudulent calls hitting call centers is continuing to increase as criminals move from in-person fraud to the phone channel in search of new revenue opportunities. In 2015, one in every 2,000 calls was fraudulent, and that number increased 113% in 2016 to one in 937. For financial institutions, insurance companies, and other enterprises that rely on call centers for their main interactions with customers, this is a troubling trend that shows no signs of slowing down.
Pindrop® Labs researchers gather and analyze data from a diverse set of customers across several industries each year to identify fraud trends. This year’s report comprises data from banks, card issuers, insurance companies, government agencies, and other organizations.
The sharp rise in the number of fraudulent calls is the result of the confluence of several developments, most notably the increased difficulty of conducting online fraud and the continued improvement of fraudsters’ tactics. Companies that are the most frequent targets of fraud, such as banks and credit card companies, have put a lot of time and money into defending against online fraud in the last few years. That strategy largely has been successful and it pushed criminals into the riskier world of in-person fraud.
But card issuers have stepped up their game as well, rolling out chip-and-PIN cards that prevent fraudsters from printing their own cards and make using stolen ones much more difficult. The result is that more and more fraud is moving to the phone channel, which has less-developed defenses in most cases and offers criminals the safety of distance and anonymity in their operations.
This move has paid off for fraudsters. In 2016, fraud losses were $0.58 per call. Those losses can add up quite quickly for victim organizations, especially those that receive tens of millions of calls each year. Technology also is helping these fraudsters, who largely use VoIP lines (45% of fraud calls) and mobile phones (43% of fraud calls) to make their calls. Tracing those calls can be more difficult and they also offer tools such as voice modifiers and caller ID spoofing, which complicate the identification process further.
Phone fraud has become a global problem with many different components and challenges. Addressing the problem requires a combination of technology and human intelligence and right now the fraudsters are winning the battle.
You’d think that the signs of ageing are obvious. Grey hairs, wrinkles and fading eyesight. But, as a study by Pindrop points out, it’s also your voice that can change.
With the growing use of voice recognition as a way to identify and authenticate callers, there has been a real need to make sure that businesses using this technology are doing so accurately. False readings not only hinder the customer experience, they can also open the door for fraudsters. Age, it turns out, can be a huge factor here.
A changing voice
Pindrop’s recent two-year study into voice ageing analysed 122 people, including native English, Dutch, German, Spanish and Italian speakers. It found that the expected error rate (EER) of positively identifying a speaker increased as time passed and the survey sample aged. In fact, in the study, the EER almost doubled over the course of the two-year period. It demonstrates that organisations who depend on voice biometric technology may find it very difficult to authenticate a person on voice alone, especially if they are an infrequent caller, as time passes.
The research also revealed that other factors, besides age, can lead to a change in voice. Dr. Elie Khoury, the principal researcher in the study, says that a person’s emotional state, stress levels, health and vocal effort can affect the pitch and speed of their voice, and therefore the accuracy of identification. What’s more, someone calling from a mobile phone in a rural part of Germany will sound different from someone calling from a landline in Berlin – a subtle difference that may not always be picked up by standard voice biometric technology.
Finally, the research suggests that people’s voices age uniquely at different rates, which means that there is no one accepted factor that can be applied to take ageing into account. This finding highlights one of the key flaws of voice biometrics: its trouble with adapting to voice variation. Unlike irises or fingerprints, which stay the same over the course of a person’s life, a changing voice can directly affect the accuracy of acceptances or rejections.
“Voice biometrics aren’t accurate enough on their own,” Khoury says. “You have to add other factors like spoofing detection and Phoneprinting™.”
Hear this out
Compensating for the changing properties of an individual voice will be the main challenge researchers have when they are looking to improve voice recognition in the future. But it should not be a deal breaker for companies considering implementing voice technology.
According to Dr. Khoury, updating a model frequently enough can account for voice ageing – a theory he tested on 400 recordings of Barack Obama’s public speeches, taken from the inauguration in 2009 up until January 2017. By recalibrating the biometric model, he significantly reduced the effects that time had on the score.
Yet, as Khoury points out, the idea is not without risk, unless properly protected. “You can update the model with each new recording,” he says. “But that’s risky if someone is able to attack the system and compromise it.”
His warning is simple. Organisations shouldn’t rely on voice biometrics for authentication alone. Rather, they should embrace a multi-layered approach to security, considering safeguards such as Phoneprinting™. Because while voices may change, the need to balance customer service and fraud prevention will always remain.
The General Data Protection Regulation (GDPR) comes into effect on May 25th 2018. This means you have less than 500 days to get on top of it. Failure to adhere to these new rules will result in regulatory fines of up to €10M, or 2% of your global annual turnover.
The GDPR is a significant new set of laws and compliance measures that will affect the operations of any organisation that holds EU citizen data – including contact centres across EMEA and beyond.
Under the GDPR, individuals will have the right to access, change and remove any of their personal data. This means that contact centres must ensure that the information they house is not only properly stored, but also made available to legitimate customers.
It sounds like a straightforward requirement. However, because contact centres are often the target of data breaches, it’s fraught with risk.
The average contact centre is home to huge volumes of valuable data. Yet it will often lack the same protections that are afforded to physical offices and digital networks. Subsequently, we’ve found that 61 per cent of fraud originates in the telephony channel before spreading to digital channels like email and web. What’s more, contact centres are also vulnerable to social engineering from fraudsters, especially when agents are trained to prioritise high quality customer service above causing conflict.
In a GDPR world, data protection will have to be incorporated into the core of all business procedures, products and services, and all employees will have to be aware of their obligation to protect consumer data. By taking steps to prevent data breaches, customer data is protected and brand reputation remains unaffected.
Obviously for any new EU regulation, there is the question of how Brexit will affect it. In the case of the GDPR, it’s widely accepted that UK law will mirror that of the rest of the EU. Especially while discussions about what a post-Brexit regulatory environment will entail are still ongoing.
For contact centres that solely operate in the UK, or whose customer base is wholly British, that means there’s no free pass on GDPR compliance. And all companies that fail to comply will face written warnings that can escalate to hard and expensive penalties.
Capitalising on the GDPR
Contact centres ultimately have two choices. Either comply with GDPR and retain their customer base, or disregard the new rules and stop serving the EU market. For large organisations, and small businesses who hope to grow, the latter is simply not feasible.
Yet GDPR compliance should not be seen as an inconvenience. Rather, it should be a way for companies to introduce a robust data protection strategy, and to realise the benefits of being a voice-protected company in the digital era.
We’re already seeing technologies such as Amazon’s Alexa, Apple’s Siri and Microsoft’s Cortana working with everything from phones and tablets, to cars and refrigerators. And future-gazing experts expect voice assistants will play an integral role in how we connect with Internet of Things (IoT) devices in years to come. So, for businesses, protecting sensitive voice data today means being able to broaden the amount of solutions it’s possible to take advantage of tomorrow.
Our advice is simple: don’t wait until it’s too late. Look at phone network protection now, and what adaptive, layered security measures can be put in place to protect sensitive data going forward.
Read our whitepaper, GDPR Impact on Contact Centres, to learn more.
By: Vijay Balasubramaniyan, CEO, CTO & Co-Founder
Pindrop is in a period of hyper-growth. In 2016, Pindrop doubled its customer base and saw revenues increase more than 100% year-over-year. For years, enterprise companies have been investing heavily in both physical and cyber security, leaving one place where customer information is not as protected – call centers. With call center fraud up 100% in the last year alone, major banks and enterprises have turned to Pindrop. Currently, our Phoneprinting™ technology is monitoring hundreds of millions of calls and is proven to catch 80% of fraudulent calls.
Pindrop’s growth among enterprise call centers is driven by its success in mitigating its customers’ exposure to rapidly expanding fraud, totaling $10 billion in fraud losses in the US alone last year. The old methods of keeping phone lines safe no longer work. For example, when you call a bank they will most likely ask you basic questions to authenticate you, like your first pet’s name, mother’s maiden name and your social security number. Fraud rings have all this information due to ongoing identity hacks, and even low-level criminals can easily find that information on Facebook or through a simple Google search.
Every month, 100 billion phone calls are made and now voice is becoming the dominant platform to control our devices, TVs, car dashboards and more. To help scale Pindrop’s mission, to provide security and authentication on every voice communication and every voice device, we have added three incredible entrepreneurs to our board that have created billions of dollars in value, creating and defining new technology markets: Martin Casado and John Chambers as board members and Marc Andreessen as a board observer. While growth in the enterprise is a major focus for Pindrop and our board, there is a large and unique opportunity to apply Pindrop’s technology to another sector as well – the Internet of Things. With deep experience in both back-end and consumer-facing platforms, Marc, Martin, and John will be critical advisors to Pindrop’s utilization and growth in IoT.
Nearly every major technology company is investing heavily in natural language processing and the development of voice services to power Smart Home environments, to give consumers a mobile personal assistant, and enable voice experiences in cars, on TVs, and other devices. But a major missing piece in voice services today is identity, the ability for voice services to not just understand you, but know who you are. This enables a world of new and streamlined personal services – unlock a rental car or hotel door with your voice as the key, launch your music or video streaming subscriptions to any device with the unique biometrics of your voice. The possibilities are endless, and it’s a very exciting time.
For IoT, Pindrop technology doesn’t see identity verification as the end point; there are also opportunities with context. In order for AI/voice services to be truly helpful, they will need to understand the context in which requests are made. A request of “call the police” to a voice service is an example. This could be a non-urgent call about a minor car accident outside, an urgent call about someone breaking into a car across the street, or an extreme emergency like an intruder in the house. Voice services today do not measure stress, inflection and other biometrics that provide real context to requests. Once identity and context are baked into voice services at the security layer, a new wave of IoT services will follow.
History has shown that security lags every time a new platform shift occurs – the shift to the Internet, the shift of IT to the cloud, the shift to mobile. Two-factor authentication was a great step forward for security on the Internet, but with voice there can be 100+ factor authentication in just seconds. With IoT, we have an opportunity to do it right, at a very early phase.
As the implementation of voice biometrics has become increasingly popular as a form of identification and authentication, researchers are challenged with determining how users’ voices change over time. New research shows that voices age significantly, even in the short term, making positive authentication more difficult with just voice biometrics alone.
One obstacle making the measurement of voice aging difficult is that every speaker’s voice ages uniquely and at a different rate. There is no universally accepted factor that can be applied to a known authentic recording to compensate for aging.
“Voice biometrics aren’t accurate enough on their own. You have to add other factors like spoofing detection and phoneprinting,” said Dr. Elie Khoury, a principal research scientist at Pindrop, who has conducted a long-term study on voice aging. Khoury delivered an eye-opening presentation on his results at the RSA Conference on February 17.
Biometrics have gained popularity in both consumer and enterprise applications for a number of reasons, specifically their trusted persistence. Most fingerprints and irises don’t change much over time, so these traits can serve as accurate long-term identifiers. But voice is different. Small changes in a user’s voice can have a direct impact on scoring models and result in false acceptances or rejections.
In a two-year study of 122 people — native speakers of English, Dutch, French, German, Spanish, and Italian — Khoury found that the expected error rate (EER) of positively identifying a given speaker increased significantly over time. In fact, the EER nearly doubled over the two-year study. And it’s not just one trait that changes in a speaker’s voice, either.
“There’s a change in the pitch and the speed of the speech. When you compute the score, it will decrease slowly over time,” Khoury said. “That’s what’s risky for voice biometrics. The score should remain as high as possible for a match. Aging can make false detection or rejection go up over time. And the pitch will change multiple times during a lifetime.”
There are also a number of additional factors, besides age, that can contribute to variances over time, including the emotional state, stress levels, health, and vocal effort of the speaker, all of which can have an effect on accurate identification, Khoury said. Compensating for these factors is the challenge for researchers looking to improve the accuracy of voice models.
One way to improve accuracy is to change the threshold for acceptance, based on the amount of time elapsed between tests. Khoury said updating a model frequently can help account for voice aging. He studied more than 400 recordings of Barack Obama’s public speeches from the beginning of Obama’s first term through the end of the second and found that recalibrating the biometric model significantly reduced the effect voice aging had on the score.
“You can update the model with each new recording, but that’s risky if someone is able to attack the system and compromise the model,” Khoury said.
In an age of such aggressive attacks, voice biometrics alone will not offer the multi-layer approach organizations should implement to fully secure their call center. Phoneprinting provides universal protection for all incoming calls to the contact center, allowing contact center agents to identify unknown attackers on their very first call while also creating a robust intelligent blacklist of known attackers. Contact centers are empowered with the technology necessary to stop fraud loss, reduce operations costs, protect brand reputation and compliance, and improve the customer’s overall experience.
Last week, Pindrop joined nearly 35,000 attendees at the NRF Annual Convention and EXPO in New York City. According to speakers from the event, retail brands will need to focus on their customers, their technology, and their leadership in 2017. Customer priorities are constantly adapting as available technology changes. These new innovations and technical capabilities will continue to transform the retail experience for customers, and brands will need to hone in on how to administer an experience that is not only timely, but also secure. According to Vishaal Melwani, CEO of menswear retailer Combatant Gentlemen, “there will be more emphasis placed on the omnichannel experience as companies continue to look for fresh ways to connect with consumers through the intersection of offline and online” in 2017.
While the retail experience is becoming increasingly omnichannel, retailers are still neglecting the phone channel, the weakest link in security, as a common point of access for customers. Despite the intent to administer positive customer experiences, contact center agents often fall victim to the methods that enable fraud attacks. Today, Caller ID is freely spoofed and knowledge-based authentication questions (KBAs) are easily bypassed. Criminals either socially engineer the answers, find them online, or purchase them on the black market. Fraud efforts are becoming increasingly aggressive in their attempts to fool contact center agents into processing fraudulent card-not-present (CNP) transactions.
According to Aite Group, an independent research firm, 72% of executives expect call center fraud loss to continue to grow, with $4 billion in counterfeit card fraud moving into the phone channel. These fraud attacks increase operational costs, decrease customer satisfaction, and jeopardize brand reputation as customer data is repeatedly lost to fraud. Retailers’ existing security systems are not robust or secure enough to handle the increasing volume of data filtering across web-enabled devices and processes. A digitally-influenced retail experience may enable brands to conduct business from a variety of access points, but it is also putting their enterprises under siege. By adopting next-generation security measures, including data loss prevention methods, cloud-based solutions, and contact center protection initiatives, retailers are sheltering sensitive digital content and lessening their exposure to fraud.
Businesses of all sizes need to assess which data is most at risk from a cyberattack and ensure their security solution protects against potential threats.
Analysts at Aite Group have identified five key security and service steps that legacy solutions are failing to perform. These are the features that are keeping Caller ID, KBA, and voice biometrics from being viable anti-fraud and authentication solutions for the contact center. With 61% of account takeovers traced back to the contact center, this $400 million problem needs immediate resolution.
Protecting personal data in the contact center relies on a best-in-class security solution that benefits both the organization and the customer through:
- Universal Coverage. Customers must be authenticated and fraudsters must be identified on their first call. This prevents fraudsters from being able to enroll as illegitimate customers and alleviates customer privacy concerns.
- Accuracy. The right solution accurately differentiates between legitimate and illegitimate customers. Legacy solutions, such as Caller ID verification and KBA, fail to provide the accuracy needed.
- Speed. Contact center agents must be informed about the legitimacy of callers before they provide access to personal data. KBA takes a long time, which frustrates legitimate customers and offers fraudsters many chances to collect data.
- Low Friction. Customers want service that requires little effort on their part. Most voice biometrics solutions require an enrollment process, which leads to longer call times and lower customer satisfaction.
- Foolproof Technology. Fraudsters are currently using voice distortion, spoofing, social engineering, gateway hacking, and more to circumvent traditional security measures. The right solution needs to withstand these attempts to break through protection.
How do the largest global contact centers stop fraud and protect their customers?
According to a recent survey of 25 executives at 18 of the 40 largest US financial institutions, Phoneprinting™ is the highest ranked contact center anti-fraud solution. Pindrop’s patented technology analyzes 147 different factors in the audio of a phone call in order to create a unique signature that allows contact centers to accurately detect fraud. Avivah Litan, VP Distinguished Analyst at Gartner, describes phoneprinting technology and voice biometrics as “complementary technologies” that mutually benefit both contact center agents and security teams. This phoneprint allows a fraud analyst to create a unique signature for an illegitimate caller, while also determining the caller’s true geographic location, device type, and more. Unlike a phone number or a voice, this information is impossible for fraudsters to manipulate. Phoneprinting allows Pindrop’s customers to catch over 80% of fraud calls with less than a 1% false positive rate.
The wealth of information housed by contact centers can be leveraged by fraudsters for data mining and cross-channel attacks. In an effort to prevent phone fraud, many businesses implement authentication methods; however, most fail to administer the authentication required to provide a layered defense system. As social engineering and fraud technologies have become more advanced, standard authentication methods have proven to become less sufficient. “You have to assume the criminals can get through one layer [of authentication]; they can get through two, they can even get through three,” says Avivah Litan, Vice President with the consultancy Gartner. “But if you have multiple layers, up to five, and you’re continuously authenticating that user and continuously looking at their activities against their profile, you should be in pretty good shape.”
Multiple layers of security allow organizations to meet regulatory requirements and effectively safeguard customer data. Knowledge-based authentication (KBA) has served as a standard authentication method for years; however, 10-15% of KBA fails entirely, proving that authentication requires another layer of security in order to ensure data protection. A layered approach to authentication starts with “protecting the endpoint, trying to secure the browser, going all the way up to looking at the navigation, building profiles of users and accounts and looking for anomalies, doing that across channels,” says Litan. This kind of identity assessment analyzes endpoint and user data, metadata, and behavior as it identifies linkages across and between entities.
No single authentication method used on its own is sufficient to keep determined fraudsters out. Creating a layered defense system makes it more difficult for an illegitimate caller to access desired information, such as a physical location, computing device, network, or database. If one barrier is broken or compromised, the fraudster still has at least one more barrier to breach before successfully accessing the desired information. This system ensures that each layer defends the previous layer, making it more difficult for a fraudster to circumvent the security of the entire system.
Aite Group, an independent research and advisory firm focused on business, technology, and regulatory issues, interviewed 25 executives at 18 of the top 40 largest U.S. financial institutions based on asset size in order to provide an accurate evaluation of the most effective technology solutions to protect against fraud. On Tuesday, Aite’s Senior Analyst, Shirley Inscoe, joined Pindrop’s Director of Research, Dr. David Dewey, for an online discussion of the growing threat of fraud in the contact center.
Top 10 Takeaways
- As EMV continues to gain momentum in the US, organized fraud rings will move to the phone channel, replacing traditional counterfeit card fraud.
- The contact center is the cross-channel fraud enabler. Current authentication factors in the contact center often fail due to various data fraudsters can acquire through social engineering tactics.
- The majority of financial institutions (72%) expect contact center fraud loss to continue in an upward trajectory.
- The root source of fraud, the contact center, is often misdiagnosed due to fraud enablement in other channels, such as debit card, credit card, and check order takeover – online fraud that results from credentials being reset by the contact center agent.
- Fraud will move downstream toward smaller institutions and credit unions as phone fraud solutions are integrated into larger firms.
- Organized fraud rings are using automated attacks, specifically robotic fraudsters, targeting interactive voice recordings (IVRs), to keep their cost down while still managing to dramatically increase market coverage.
- In the U.S., contact center fraud is expected to double to a $775 million problem by 2020.
- 61% of account takeover losses trace back to the contact center.
- For every 1 second by which authentication is reduced, an organization can save $1 million annually.
- Of the 23 different technology solutions reviewed by leading executives, Pindrop’s phoneprinting and voiceprinting technologies hold the highest combined ranking on industry awareness of the product, overall product ranking, and likelihood of recommending to colleagues.
75% of Tuesday’s webinar attendees confirmed having seen a recent rise in fraud. Contact centers will continue to enable cross-channel fraud until technology solutions are implemented to thwart it. Ensuring optimal protection against fraud in the contact center requires multiple layers of security that provide high coverage, high accuracy, high speed, and low friction without being easily fooled by fraud techniques, such as spoofing, voice distortion, and social engineering. Pindrop’s technology provides multi-factor authentication through layered intelligence scores, reason codes, and risk factors.
Thank you for listening!
This week, Financial Times met with Pindrop CEO, Vijay Balasubramaniyan, to discuss the future of voice authentication. Voice is an “extremely rich” and quick way of authenticating someone’s identity.
GB Times reported that after over 70 Chinese wire fraud suspects were deported from Kenya to China in April, a gang of Chinese and Taiwanese fraudsters was arrested in Turkey on suspicion of phone fraud. The gang reportedly stole information from over 3,000 Chinese tourists.
Forbes: Scam Alert: Why the IRS won’t call you – Fraudsters frequently use psychological attempts to scare people into giving up personal information used for identity theft. Once the fraudsters have possession of that sensitive information, they can open credit accounts and start stealing away. Generally anyone who asks for money immediately over the phone is a fraudster.
Tech Dirt: AT&T Falsely Blames the FCC for Company’s Failure to Block Annoying Robocalls – AT&T is pointing fingers at the FCC as the cause of the company’s lack of robocall-blocking technology. Recently, the FCC gave permission to the carriers who wanted to offer consumers robocall-blocking services. AT&T is one of the only companies that did not implement such technology.
South China Morning Post: Phone scam targets Hongkongers, exploits rocky relations between China and Philippines – Crime bosses behind an Asia-wide phone scam operation that has fleeced hundreds of Hongkongers out of HK$350 million in less than a year have shifted their sights to the Philippines as law enforcement tightens.
The Morning Call: Arrests Made in IRS Phone Scam – Five more people were arrested in Miami due to their involvement in an IRS phone scamming ring. Accused of stealing over $2 million from 1,500 people, the perpetrators targeted people all over the US. Progress is being made in combatting IRS scams, and the number of successful calls is dropping drastically.
The Journal News: Harrison cops go to Maine to bust phone scammer – Harrison Police traveled to Maine to arrest known fraudster Donovan Wallace after he cheated a woman out of over $23,000. Wallace is also linked to similar scams along the East Coast and a ringleader in Jamaica, where authorities are helping with the investigation.
KRON4- Bay City News: Elderly man falls victim to IRS phone scam in Santa Clara – An elderly Santa Clara man made 3 deposits totaling over $5000 when a fraudster posing as an IRS agent informed him that he was being audited for $5,900. The victim made 3 deposits while on the phone with the fraudster, and 2 were claimed before the police got involved. No arrests have yet been made.