The call centre is on the front line of customer service. The techniques used by fraudsters to exploit it are getting more and more complex – as are the means that can be used to defend against them.
Phoneprinting™ is a patented technology that analyses phone calls to identify malicious behavior and verify legitimate callers. Here are five reasons why it’s become so essential for businesses and their call centre operations:
1. Caller ID is no longer reliable
With readily-available technology, it’s very simple for attackers to ‘spoof’ their caller ID and impersonate the number of a legitimate customer. In short, it’s no longer a reliable way to authenticate identity.
Why you need Phoneprinting™: It cross-references caller ID with a multitude of other call characteristics to determine whether the call is genuine.
2. Social engineering is sophisticated
Call centre agents are trained to resolve calls quickly and to the satisfaction of the customer. Fraudsters realise this. They have become masters of manipulating conversations, putting pressure on the agent in order to gain account access.
Why you need Phoneprinting™: It takes the burden of fraud detection off the shoulders of call centre agents.
3. It’s not just about the caller’s voice
Many of the call characteristics that are most useful to catch attackers are unnoticeable to call centre agents. Geographical data, carrier, device, call routing – these are not things that are immediately apparent when they pick up the phone.
Why you need Phoneprinting™: The technology can analyse these characteristics and present them to agents so that they can make more informed decisions.
4. Customer experience is essential
Having call centre agents manually authenticate whether a caller is who they say they are increases the handle time for every call. This obviously isn’t good for the customer, and their viewpoint of your business will be affected.
Why you need Phoneprinting™: It automates the process, quickly marking callers as high or low risk. This allows for high-risk callers to be handed off to the fraud department, and agents can focus on providing a great service to everyone else.
5. The call centre is the biggest target for fraudsters
According to research by Aite Group, 61% of fraud losses from account takeovers involve the call centre. Fraudsters target the phone lines more than any other channel.
Why you need Phoneprinting™: Early detection and defense of fraudulent behaviour can stop losses from occurring through other channels.
Learn more about how Phoneprinting™ technology can efficiently identify phone fraudsters when they reach your call centre and schedule a demo.
Call centres have come a long way from purely recording calls for training and monitoring purposes. With the growing popularity of voice biometric technology, call centres can now collect new, crucial data points that businesses use to identify their customers. Because of that, it is imperative that the call centre is more aligned with other departments – so any data that is collected can be stored easily and securely.
With the EU General Data Protection Regulations (GDPR) incoming, this issue is more relevant and urgent than ever. Under the new rules, data breaches will be met with severe fines – up to €20 million, or four per cent of total annual global turnover, whichever is greater. Not just that, the floodgates could open to a greater number of disputes over data security.
Cases such as the 2015 Court of Appeal ruling against Google that meant that Safari users have the right to sue the tech giant en masse for tracking their browsing data, and the matter involving Morrison’s employees having the ability to bring group action against the retailer after a data breach in 2014, are just a couple of instances that could be a regular occurrence when GDPR comes into force in 2018.
In light of this, companies storing sensitive data about their customers must treat it with absolute rigor. Here are five considerations prior to GDPR launching:
1. Review how (and where) you store customer data
The GDPR governs how organisations must handle the personal data of individuals based in the EU. This means that there will be tighter regulations on recording and archiving customer calls, amongst other data. How is this information stored? Is it even stored within your organisation? If you outsource any touch point of the call journey – i.e. tech support, customer service, sales – how do they access this information? A thorough audit of the data trail, to and from the call centre, will need to be done to identify where there are gaps.
2. Update your customer-facing processes
The GDPR guarantees customers a vast array of rights when it comes to their personal data. Individuals have the right to know why an organisation is processing their data, the right to object to automated decision making based on their data, and the right to change inaccurate data. How will your call centre operation communicate this information or process these kinds of requests? This could be a particular issue with passive enrolment processes, for voice biometric data, which by their very nature capture customer data automatically. Businesses will need to invest in technology that facilitates these new processes and training to ensure call centre employees are up to speed.
3. Check that your providers are GDPR ready
Data controllers are liable for all other controllers and processors included in the ‘value chain’. That means if you use a server provider to store your customer data, it’s up to you to make sure their processes are GDPR ready. Be sure to conduct a thorough review of every provider you use to make sure their procedures are up-to-date.
4. Co-ordinate with your wider GDPR transformation team
The GDPR is a regime that touches on every area of the business. So not only are you going to have to make sure your call centre managers and agents are trained, you’re going to have to co-ordinate with the Fraud team, IT, Operations, Legal, and so on. Each department will have their own GDPR plans that will impact how the call centre operates. Co-ordination and co-operation is key.
5. Practice regularly
Just like the occasional fire drill is necessary to refine procedures, you need to regularly put your GDPR measures through their paces. Stress test any new processes or technology. Train your staff on what they should be communicating to customers regarding their data. Then review customer calls to ensure the new processes are efficient. This regular practice means that you can successfully embed compliance into your organisation.
With less than a year before the GDPR comes into effect, the call centre operation must act now to ensure its processes and tools are ready. As the primary touch point for the majority of customer interactions, the call centre will bear the brunt of the increased rights individuals have over their data. That’s why organisations should be looking for technology solutions that put them on the front foot in terms of responsiveness.
Learn more about GDPR’s impact on your business in our new whitepaper, where Martin Hill-Wilson offers his take on how contact centre leaders should tackle GDPR.
Organized and hosted by Social-Engineer.Org, the Social Engineering Capture the Flag (SECTF) takes place each year at DEF CON, a hacking conference in Las Vegas. The SECTF competition was devised to validate the serious risks social engineering creates for companies and individuals, as well as to demonstrate how information can be easily obtained. Participants go through a period of collecting information prior to DEF CON, where they gather potentially damaging data from online sources and telephone elicitation. Participants put the pieces of information (or “flags”) they obtained during the first segment to use during the live call phase of the competition during DEF CON. Reflecting on this year’s SECTF competition, we decided to take a deeper look at the effects of social engineering:
Social engineering attacks, whether targeted toward large enterprises or individuals, are both based off of the same tactics. Fraudsters change their approach, altering the pretext of their scheme to make the victim comfortable and typically unaware of the attack. Pindrop’s Director of Fraud Prevention and Strategy, Shawn Hall, shares that pretexting is a critical technique and allows fraudsters to create a “believable story” in advance of targeting the victim. The pretext as well as building rapport during the call increases the chance the victim will share confidential information or change account information with the fraudster.
In addition to pretexting, fraudsters will combine other tactics to improve their chances of obtaining information. For example, they may impersonate an authority figure, like an executive at a company or a government agent, placing the victim in a position where they feel like they are forced to answer questions. Alternatively, fraudsters may take an opposite approach where they play someone in need of assistance, creating a sense of obligation for the victim to help.
It is estimated that 61 percent of all fraud activity can be traced back to the call center, which can be attributed largely to the use of social engineering, making it clear that fraudsters do not discriminate against companies or individuals. On one hand, companies can be targeted for high impact breaches causing monetary losses as well as a loss of consumer confidence. On an individual level, fraudsters can use DOB, SSN, or an account numbers to gain access to accounts or steal an identity.
Social engineering can take various forms, but all with one goal – obtaining information to assist in other fraudulent activity. According to Shawn Hall, there are five best practices to protect against social engineering:
- Awareness – Education of social engineering and the ramifications of falling victim is key.
- Training – Training programs should be regularly scheduled with employees to keep awareness high and in focus.
- Internal Policies – Strong policies should be in place that only allow employees to discuss very scripted scenarios with callers.
- Authentication – Strong authentication procedures to verify callers and customers are who they say they are.
- Technology – Invest in technology that can help protect against social engineering. Pindrop is able to detect a fraudster who is attempting to hide in a VoIP gateway, spoof an ANI, or alter their voice.
Learn more.
by Martin Hill-Wilson – Consultant, Brainfood
Protection seems an obvious thing to talk about in relation to GDPR – it’s in the name, after all.
But it’s worth a closer look, for a few reasons. First, who is doing the protecting? On the face of it, it’s the enforcer of the legislation itself, which will be the relevant (and pre-existing) national data protection authority. But GDPR also confers significant responsibilities for protection onto the processors and controllers of data.
Contact centres can be defined as either processors or controllers – it depends on how they operate – but GDPR will increase the legal exposure of processors to the extent that it’s unadvisable to lean on the lesser categorisation as a defence.
Second, before a contact centre can protect customers’ personal data, it needs to know everything about it. Where is it all? How is it being used? Who has access to it? These are not simple questions to answer. Digital data flows have never been more complex, opaque and widely distributed. But if you don’t know where your data is, you can’t even begin to guarantee its protection.
Knowing Data, Knowing EU
Here are some examples of why GDPR means you need to get to know your data in order to protect it.
Get to know:
- The definition of personal information
Starting at the beginning, GDPR broadens “personal information” to mean any data that can be used to identify a person. This includes data garnered from online behaviour; derived by combining datasets; or inferred by using algorithms to analyse metadata in order to profile a person for, say, job suitability.
- How widely the protective net is cast
GDPR doesn’t just protect data pertaining to EU citizens. It extends to anyone physically present in the EU – nationality is irrelevant. What’s more, it still applies to their data even if it’s stored outside the EU.
- Where the data is and how it’s being used…
Organisations will be required to provide evidence of how customer data is being used, where it is being stored and processed at any given point in time. Think about the sum total of the data held on mobile devices; how frequently they go missing; how frequently they’re used by friends and family. Think too about the cloud. It’s accessible anywhere by design. From home or the office; inside or outside the EU.
- …so you can comply with the right to erasure.
GDPR allows individuals to request the deletion of their personal data. The circumstances under which they’re entitled are broad enough to include the basic withdrawal of consent. Consequently, a contact centre will have to ‘know how and where call recordings are stored, ensuring they can identify, access and, if necessary, delete any recording or record that includes a customer’s personal information.’[1]
Going beyond compliance
By tying the penalty for non-compliance to company earnings, GDPR is effectively creating means-tested penalties. It will no longer be feasible to consider them as a cost of doing business.
As an example, TalkTalk’s £400,000 fine for their 2015 data breach would, under GDPR, have been roughly £72 million. And that’s without placing a figure on the reputational damage.
Any business hoping this issue will go away is kicking a hugely expensive can down the road with ‘PR disaster’ spray-painted on the side.
But this needn’t be a festival of feet dragging and begrudging compliance. GDPR can be reframed as a huge opportunity, because it fundamentally reshapes the relationship between companies and consumers. You no longer own their data – it’s yours to look after, on loan and on trust. Any company that meets or exceeds those expectations – that gets to know its data and ensures its protection – will, in the process, gain greater customer trust and loyalty.
For more information, download the whitepaper: GDPR – How it changes your contact centre.
[1] http://www.continuitycentral.com/index.php/news/erm-news/1996-the-impact-of-the-gdpr-on-contact-centre-operations
Mike Haley – Deputy Chief Executive, Cifas
The amount of identity fraud has doubled over the last decade, and by 20% over the last two years. Almost 173,000 cases of identity fraud were reported by UK organisations last year, the highest levels ever recorded.
At Cifas, we work with businesses, charities, public bodies and individuals to detect, deter and prevent fraudulent activity. We know identity fraud is on the rise and we don’t expect the number of instances to decrease any time soon.
Whenever a fraudster contacts an organisation pretending to be a genuine customer, data is their intended target. And attackers are now so sophisticated in their methods that the traditional methods of security – such as knowledge-based authentication – aren’t enough to protect sensitive customer data.
In recent years, we’ve seen the rise of social engineering, where fraudsters contact call centres and manipulate the conversation to get information about customers. They might pretend to be the wife of a customer, or claim to be calling on behalf of someone who can’t speak English. Whatever the conceit, attackers have become masters of extracting key information from their targets.
Armed with just a handful of details about a customer, fraudsters can then target financial institutions and use this information to gain access to bank accounts or other financial products.
Fraudsters are innovating – you should too
Your business needs to tackle the ever-evolving threat by investing in modern technologies that provide a multi-layered approach to fraud prevention. This means robust, omnichannel defence measures. Every channel your customers can contact you through needs protection, whether online, face-to-face, or over the phone.
Voice – and the call centre by extension – is a particularly vulnerable channel. It’s seen some of the biggest increases in fraudulent activity in recent years. Nearly 50% of bank account takeovers, for example, were committed over the phone.
However, there are various technologies available for countering fraud specifically on this channel. Voice biometrics (analysing a customer’s voice to identify its unique characteristics) and similar technologies allow call centre operatives to distinguish between genuine customers and fraudsters. Crucially, they act as an immediate barrier to fraudsters while allowing businesses to quickly onboard honest callers. This way, they strike the right balance between security and customer experience.
For full protection, these types of solution need to form part of a wider and more robust omnichannel fraud strategy that covers every customer touchpoint. But with identity theft becoming an increasingly complex threat, these technologies have a vital role to play.
Read this Gartner report on how to stop your contact centre from being the weakest link in fraud prevention.
Last week, Pindrop’s CEO, Vijay Balasubramaniyan, was featured on Quora, a question-and-answer forum where questions are asked and answered by its’ multitude of users. Available in Spanish and French, Quora has plans to expand to other languages with its $1.8 billion in Series D funding. With over 200 million monthly viewers, Quora is a popular site focused on sharing information and insights on endless topics.
Vijay’s Quora session was focused on voice security, machine learning, social engineering, as well as the Atlanta tech scene. Here are the top five questions and answers from Friday’s session:
1. How will applications of machine learning change in the next 10 years?
With machine learning, we are heading towards a future where technology becomes more human. We are already seeing this trend with machine learning getting close to human parity in tasks like image recognition and classification, speech recognition, self driving cars…(cont.)
2. How is social engineering being used as a hacking tactic?
Social engineering is about building trust through careful exchange of information, such that the person on the other end of the informational transaction is eventually convinced to perform some task.Hackers know that it is much easier to hack a human than a machine…(cont.)
3. How can consumers ensure that their voice-controlled products are secure?
I would recommend that the consumers look at the following to ensure that their voice-controlled products are secure: Is it equipped with trustworthy voice biometrics? While some products have voice biometric technology already integrated, the technology by itself is often vulnerable to malicious voice attacks such as pitch morphing or replay attacks. If your device includes voice biometric technology, make sure that it also includes voice spoofing countermeasures…(cont.)
4. What are the most recent developments in the field of voice security as of 2017?
There have been many interesting developments in the field of voice security this year. One is the availability of secured voice-activated IoT devices. At the beginning of this year, there were several news stories about accidents involving Amazon Echo and Google Home that raised security concerns. While the current solutions are still not optimal, good progress has been made towards making voice interactions more secure…(cont.)
5. What are the shortcomings of machine learning?
Machine Learning has several shortcomings. First ML is only as good as the quality of data used in the models. The old adage, “Garbage in, garbage out” holds true here. In addition, with ever increasing amounts of data and model complexity, it is easier than ever to reach false conclusions or “see what you want to see” when developing ML models…(cont.)
Visit Vijay’s Quora session here to read the full answers and insights on machine learning and the future of voice.
Earlier this year, Gartner released a report which shed new light on how organisations can continue their pursuit against contact centre fraud.
Analysts Tricia Phillips and Jonathan Care recommend to “partner with contact centre leadership or third-party providers to implement fraud-prevention-based phoneprinting technology. This, they suggest, will help improve customer authentication and reduce call times for legitimate customers, while identifying high-risk calls for appropriate scrutiny.”
The report uncovers three important facts that are driving this urgency:
- Contact centres are often neglected in the fight against fraud and as such become the weak link in omnichannel organisations
- By 2020, 75 percent of omnichannel customer-facing organisations will sustain a targeted, cross-channel fraud attack with the contact centre as the primary point of compromise
- The technologies and techniques available to detect and prevent contact centre fraud and omnichannel fraud have reached a maturity point that justifies investment and integration for most organisations that have the need to mitigate contact centre fraud
At Pindrop, we have been tracking the increase in fraud call rates and have seen fraud exposure costs within call centres skyrocket during this time. Last year we analysed more than 500M calls and witnessed more than a 100 per cent increase in fraudulent activity.
Pindrop delivers solutions to cover nearly all components that Gartner highlights in the report to help solve the contact centre fraud problem, including:
- Implementing a solution: Pindrop’s Phoneprinting™ technology uses 147 unique call features to create a distinctive identifier for each caller so that calls are identified quickly and fraud is eliminated
- Using of biometric voice recognition: voice biometrics are imbedded in fraud detection technology and passively voiceprints every call to identify known fraudster
- Sending fraud activity to central fraud analytics tool: Use a centralised case management system that allows you to hear the full call exchange, review each calls risk assessment, and provide feedback leveraged by our consortium to help spot known fraudsters in your organisation and even other companies in our network
- Allowing CSRs to service customers without asking them to detect fraud: With advanced fraud detection technology, you should be able to catch over 80 percent fraudulent calls with less than 1 percent false positive rate. This assurance allows more focus on providing a positive customer experience
The contact centre is under attack and companies urgently need to reduce fraud exposure and provided a better authentication experience for their valued customers.
Still need to be convinced? Read the full Gartner Report to find out why phoneprinting is necessary.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
For many businesses, the cost of phone fraud is stacking up. Data collected by Pindrop® Labs found that, in the UK, £0.86 per call was lost to phone fraud in 2016 – a 68% increase from £0.51 in 2015.
It doesn’t help that phone fraud is getting harder to detect. Fraudsters have found many ways to exploit the vulnerabilities in call centre defences, and they attack in ways you might not expect…
- You don’t really know who’s calling you
Technology to spoof caller ID and manipulate voice is easily available, which means caller ID is no longer truly reliable for authentication. Voice distortion apps also help fraudsters bypass voice biometric solutions, making both solutions poor stand alone options. - Your call centre staff are only human
Call centre staff aren’t trained adequately on how to spot fraudsters. They may not necessarily be on the lookout for attackers, and wouldn’t know the telltale signs even if they were. - Your efficiency is actually a weakness
Call centres are designed to be efficient. Agents are measured on how quickly they resolve each call. Fraudsters know this and often pretend to be in a rush or angry to gain sympathy and move the call along quickly.
Understand the scale of your vulnerability, and the ways in which fraudsters might exploit it, in our free 2017 UK Call Centre Fraud Report.
We use voice controls to adjust the temperatures of our homes, order movies on-demand, schedule appointments using virtual assistants, and even accommodate in driving. With each advancement in voice-to-machine communication, the interaction becomes more human, expanding the types of opportunities for voice as an interface. However, with these leaps in consumer voice interfaces like Amazon Echo, criminals have kept up.
As we transition away from the technology we know best – from clicking a mouse to using a stylus on a touch screen, we’re moving towards voice. This rise of voice based technology is not only removing the physical elements of the technology, but is also taking away the one-to-one aspect. For example, when the command is given to a shared Amazon Echo “Alexa, read me my emails;” how does Alexa determine the who’s emails to read?
When a smartphone is prompted with the same command, the individual has already been identified through a pin or other form of biometric, like a fingerprint, and therefore does not face the same barrier as devices such as Amazon Echo or Google Home. The transition to voice adds new complications to authentication that have not existed before due to the removal of the physical interface – voice is in the air.
Even though voice is utilized today mostly by simple requests and demands, it is moving in a conversational direction. Not only has voice been expanding through consumer interfaces, but has been utilized by enterprises in terms of taking payments, and more widely used in authentication processes.
Voice biometrics can be used in authenticating an individual, most commonly over the telephone. Instead of relying on traditional authentication methods such as the employment of knowledge-based-authentication questions (KBAs), voice biometrics provides an extra layer of security. However, voice biometric technology is not inherently multi-factored and is limited by the aging qualities of voice.
There is a greater need for authenticating and securing voice as an interface because of its ubiquitous nature.
Contact Pindrop to start securing the future of voice now.
How Phone Fraud by Actresses Damages Customer Trust in Businesses
Breaches and fraud cost businesses their reputations. If you can’t protect your customers’ data – or their money – then how can you expect to earn their trust?
But sometimes keeping customers safe and maintaining operational efficiency can tug the business in opposite directions. In a call centre, the time and resources needed to detect phone fraud can conflict with the goal of reducing call times and overheads.
Fraudsters are an operational drain on the call centre. Attackers often make multiple calls to gather intelligence about potential targets, reset passwords, change mailing addresses or make other account modifications. Not only does this reduce the number of customer service agents able to take legitimate calls – it increases the risk of money going missing and the reputational damage that inevitably follows.
To better understand the different methods used by fraudsters and how those methods sap call centre resources, Pindrop® Labs reviewed more than half a billion calls for fraudulent activity. We discovered that attackers assume a variety of personas, each with unique ways of siphoning off both your time and money.
Your awareness of these methods could be the key to protecting both your customers and your brand.
Introducing the Actress
This female fraudster calls from a service centre on behalf of other people who “do not speak English very well”.
The Actress is so-called because of her use of impressions to con call centre agents. She often switches between being herself and being the ‘actual customer’ on the same call. She’s also able to make herself sound like a man, or even a young boy.
Despite her unusual approach, the Actress has an extremely high hit rate.
Beating fraud without sacrificing efficiency
Trustworthiness as a brand is rapidly becoming predicated on how well organisations can protect their customers’ money and data. A 2016 study found that 75% of UK consumers would stop doing business with an organisation that had suffered a breach.
The Actress is just one of many different types of fraudsters that pose a threat. Any business that loses customer money to fraud faces both reputational damage and the cost of compensating affected customers.
The challenge is to find a means for tackling phone fraud in a way that doesn’t add exorbitant operational costs to the business. The right solution will accelerate the verification process and free up agents to deal with a greater volume of calls, ensuring long-term opex reductions and an increase in call centre efficiency.
What’s more, if businesses are seen to be investing in solutions that protect customers without compromising their experience, there are huge reputational gains to be made.
But first, you need to understand the full scale of the threat fraudsters pose.
Find out about other types of fraudsters targeting businesses, and how to deal with them, in our free 2017 UK Call Centre Fraud Report.
