Pindrop® Pulse: Stay Connected, Stay Informed, and Stay Ahead VIEW NOW →

PINDROP BLOG

Contact Center IVR Fraud Mitigation: A Comprehensive Tool Kit for Fighting Fraud in 2020 and Beyond

Contact center IVR anti-fraud solutions are employed to reduce costs surrounding fraud targeted at your contact center. On this page, you will find a comprehensive toolkit complete with IVR anti-fraud resources you can use to protect your consumer’s data inside and outside of the contact center.

Fraud in the IVR hides in-between genuine transactions

Fraud in the IVR doesn’t look like account takeover or other fraudulent activities. Instead, IVR fraud often looks like innocuous low-risk transactions or nothing at all. This is because IVR Fraud is about information mining. Fraudsters use the IVR to gather and validate information, they query your IVR like you would a search engine- turning your CRM into their personal fraudster playland. Unmonitored IVRs provide the perfect cover fraudsters to test passwords, account status and optimize their strategies for social engineering scams later. 

Fraudsters use IVR to do surveillance on accounts to optimize their operations. Because these actions are reconnaissance in nature and most IVRs do not permit “high risk” transactions, IVR fraud monitoring is low. Professional fraudsters know this and use automated scripts to gather, test, and augment data for future use.

The fraudster’s greatest liability is the certainty that the fraud is too clever to be detected.”  – Louis J. Freeh Former U.S. F.B.I Director 

Pindrop has organized a collection of tools, assets, and other resources to aid contact center leaders in their race to optimize operational costs, improve customer experience,  and improve security measures, as organizations restructure and prepare for the road ahead. You can explore the tool kit on this page linearly or choose the section you need: 

  • What Is IVR Fraud?
  • The Mechanics of IVR Fraud
  • The Benefits of IVR Monitoring
  • IVR Fraud Best Practices 
  • Operationalizing 

What is IVR Fraud?

IVR Fraud is defined as fraudulent activity or activities leading to fraudulent activity that occurs within an interactive voice response system, or IVR. Fraudsters exploit IVRs to surveil accounts and to operationalize their fraud and planning tactics.

Low monitoring rates in the IVR has allowed fraudsters to build up formidable attacks by first mining and validating customer information and then using the verified data to execute social engineering attacks against customer service agents or fraudulent activity across other channels like chat and email. Highly trained and organized, professional fraudsters can manipulate even seasoned agents into taking over accounts.

Protecting the IVR means employing software capable of leveraging all data in the call lifecycle as even the non-audio data from within an IVR, can help identify: 

  • Suspicious behavior that could be mining or validation
  • At-risk accounts across communication channels
  • High-risk callers before they are ever connected to an agent.

The Mechanics of IVR Fraud

Fraudsters use your IVR as a search engine for your CRM. For years call centers have been developing processes focused on creating an enjoyable customer experience. As a result, IVRs have become information and feature-rich playlands that fraudsters use to target accounts and optimize their operations. The data-validation step is essential for fraudsters as good data is necessary for fraudulent transactions and activities. 

 With organizations focusing on better self-service for customers, contact centers will gradually evolve to allow for higher risk transactions in the IVR. As this happens, the same attacks fraudsters launch today on call center agents will become more prevalent in the IVR, and at an even greater scale due to increases in call volume.  

IVR Fraud manifests in 4 ways:

Information Mining & Leakage:  

When fraudsters gather, test, and augment data in your IVR, they are information mining. They need little to no information to start and using your IVR they can collect the tools and information they need to commit fraudulent transactions. 

Account Surveillance: 

Fraudsters understand contact center technology, they come into contact with it every single day. They know IVRs are developed to be easy to use to ensure positive customer experiences and leverage this vulnerability along with the assumption that the IVR is unmonitored to verify account availability and balances. Account surveillance helps criminals determine which accounts they will attack next.

PINs & Passwords:  

Low-risk transactions like pin changes are allowed in some IVRs. Fraudsters often use this capability to crack PINs, change them, and then use the new PIN to take over the targeted account.  

Cross Channel Fraud: 

IVR fraud also enables fraudsters to leverage information mined from or leaked in the IVR for use across channels. Fraudsters use the ill-gotten customer information to pass through authentication procedures in other channels – online, in the call center, and in-person.

IVR fraud protection actively monitors accounts, analyzes calls, and recalculates risk to prevent these manifestations

3 Benefits of Fighting Fraud in The IVR- Beyond Cost Savings

  1. An extra layer of protection before connecting to an agent

Customer service agents are easily socially engineered by experienced fraudsters. Leveraging fraud monitoring and identification practices within the IVR gives agents a powerful tool that empowers agents to protect customer data. By assessing calls before they are connected to agents for suspicious activity, past behavior, or account

  1. IVR insights predict fraud outside of the phone channel

Protect clients can provide real-time risk updates for customer accounts, letting them know which accounts are seeing fraudulent or fraud supporting activities in real-time. Our proprietary technology combined with our AI predicts which account are most likely be attacked next – while simultaneously calculating a risk per call and caller. Machine learning ingests caller behavior- like address changes, keypresses, and metadata from the call – even if performed in the IVR to assess the likelihood of fraud. 

  1. A simplified way to identify at-risk accounts 

Anti-fraud clients like Protect provide real-time risk updates for customer accounts, alerting teams to at-risk accounts. Protect calculates call and account risk at the beginning and at the conclusion of each call, leveraging the entire call lifecycle from connection to an IVR to the conclusion of the call.

Best Practices For Employing IVR Monitoring 

Find A Solution Specifically For IVR

The IVR is traditionally under the monitored component of the contact center ecosystem. As more efforts have gone into strengthening customer contact and security from online, chat, and mobile perspective, IVR’s have not been protected to the same extent. To ensure your IVRs protection, you should find is a solution that focuses squarely on this IVR vulnerability and shores up the defenses to increase security throughout the contact center. Specified anti-fraud solutions and procedures can analyze behavioral abnormalities in the IVR and use specialized non-audio analytics developed for the IVR environment

Correlate Account Risk to Risky Callers

Crime rings and professional fraudsters are crafty and practiced at staying under the radar. The longer they go unnoticed the more they can steal from you. For full protection, chose a solution with the ability to feed account-based risk information into your cross channel risk orchestration platform to identify cross channel risk at the account level. 

Mitigate Loss Real-Time

To identify and stop fraud in real-time, even from first-time callers, you need the ability to calculate risk real-time. Real-time calculations of risk scores eliminate time lag between account compromise and fraud attempt.

Employ Predictive Analytics

The majority of detected IVR fraud is reported 30 days or more after the first call into the IVR. This implies that detecting fraud while it happens is too late in the process. In addition to correlating risky callers to accounts, you should employ predictive analytics to ascertain which accounts are likely to be compromised before it happens.