Pindrop® Pulse: Stay Connected, Stay Informed, and Stay Ahead VIEW NOW →

PINDROP BLOG

Contact Center Network Vulnerabilities: IVR Security Best Practices for Fighting Fraud in 2020 and Beyond

As the contactless economy evolves from necessity to preferred – the lines between fraud attacks have been blurred. Increasingly criminals have begin stitching together information from social media and professional networks to target consumers and your employees.

Staggering rises in call volumes have helped to hide network vulnerabilities originating from unmonitored customer service tools like the IVR. IVRs that are leaking data are being leveraged to develop new attacks and network threats. Organizations concerned with the reduction of fraud loss and exposure should begin looking outside of traditional network concerns and into their contact centers’ IVRs.

“The fraudster’s greatest liability is the certainty that the fraud is too clever to be detected.”
Louis J. Freeh Former U.S. F.B.I Director 

Pindrop has organized a collection of tools, assets, and other resources to aid contact center leaders in their race to optimize operational costs, improve customer experience,  and improve security measures, as organizations restructure and prepare for the road ahead. You can explore the tool kit on this page linearly or choose the section you need: 

  • The IVR Experience – CX Essential or Network Vulnerability?
  • Network Threats in an IVR: IVR Fraud Defined
  • Network Threats in an IVR – What Does It Look Like?
  • 3 Benefits of Fighting Fraud in The IVR- Beyond Cost Savings
  • Best Practices For Employing Network Security IVR Monitoring For The IVR
  • Going Forward The Future of IVR Security 

The IVR Experience – CX Essential or Network Vulnerability?

Traditional Contact center IVR security solutions are employed to reduce costs surrounding fraud targeted at your contact center.  However, with the evolution of fraud tactics and the expansion of the attack surface due to a focus on the phone channel as a vector, IVR security technologies are being expanded with capabilities to help identify fraud loss across channels, accounts, and time in advance of the actual occurrence. 

On this page you will find a comprehensive toolkit complete with IVR security resources you can use to protect your consumer’s data inside and outside of the contact center. 

The IVR Experience: CX Essential 

Known IVR best practices focus on customer experience and increasing call capacity through the implementation of IVR design, conversion, and self-service tools. The capabilities these technologies add are meant to improve customer effort scores and improve value but in 2020 the IVR is now a testing ground for fraud tactics and an unmonitored channel for data validation. Though customer experience is regarded as the primary focus of IVR implementation, the focus for security and fraud professionals concerning the IVR- should be the vulnerabilities that exist within it and the opportunities it provides for future fraud loss. 

The IVR Experience: Network Vulnerabilities 

Criminals use the IVR to validate data, these data reconnaissance activities don’t look like account takeover or other fraudulent activities. Instead, network threats originating in the IVR and later resulting in fraud, often look like innocuous low-risk transactions or nothing at all. This is because IVR Fraud is about information mining- not your typical network threat, these “fraud anomaly” look like genuine query, this is not an intrusion but reconnaissance. Fraudsters use the IVR to gather and validate information, as you would on a search engine- turning your CRM into a free-entry amusement park for cheats. Unmonitored IVRs are security gaps that provide the perfect cover fraudsters need to test passwords, query account statuses and optimize their strategies for social engineering scams later. 

Network Threats in an IVR: IVR Fraud Defined

IVR Fraud is defined as fraudulent activity or activities leading to fraudulent activity that occurs within an interactive voice response system, or IVR. Fraudsters exploit IVRs to surveil accounts and to operationalize their fraud and planning tactics. 

Low monitoring rates in the IVR has allowed fraudsters to build up formidable attacks by first mining and validating customer information and then using the verified data to execute social engineering attacks against customer service agents or fraudulent activity across other channels like chat and email. Highly trained and organized, professional fraudsters can manipulate even seasoned agents into taking over accounts.

Protecting the IVR means employing software capable of leveraging all data in the call lifecycle as even the non-audio data from within an IVR, can help identify: 

  • Suspicious behavior that could be mining or validation
  • At-risk accounts across communication channels
  • High-risk callers before they are ever connected to an agent. 

Network Threats in an IVR – What Does It Look Like?

Fraudsters use IVR to do surveillance on accounts to optimize their operations. Because these actions are reconnaissance in nature and most  most IVRs do not permit “high risk” transactions, IVR fraud monitoring is low. Professional fraudsters know this and use automated scripts to gather, test, and augment data for future use.

Fraud Hides In-between Genuine Transactions

Fraudsters use your IVR as a search engine for your CRM. For years call centers have been developing processes focused on creating an enjoyable customer experience. As a result, IVRs have become information and feature-rich playlands that fraudsters use to target accounts and optimize their operations. The data-validation step is essential for fraudsters as good data is necessary for fraudulent transactions and activities. 

With organizations focusing on better self-service for customers, contact centers will gradually evolve to allow for higher risk transactions in the IVR. As this happens, the same attacks fraudsters launch today on call center agents will become more prevalent in the IVR, and at an even greater scale due to increases in call volume.  

IVR Fraud manifests in 4 ways:

  1. Information Mining & Leakage
    When fraudsters gather, test, and augment data in your IVR, they are information mining. They need little to no information to start and using your IVR they can collect the tools and information they need to commit fraudulent transactions.
  2. Account Surveillance
    Fraudsters understand contact center technology, they come into contact with it every single day. They know IVRs are developed to be easy to use to ensure positive customer experiences and leverage this vulnerability along with the assumption that the IVR is unmonitored to verify account availability and balances. Account surveillance helps criminals determine which accounts they will attack next.
  3. PINs & Passwords
    Low risk transactions like pin changes are allowed in some IVRs. Fraudsters often use this capability to crack PINs, change them, and the use the new PIN to take over the targeted account.
  4. Cross Channel Fraud
    IVR fraud also enables fraudsters to leverage information mined from or leaked in the IVR for use across channels. Fraudsters use the ill-gotten customer information to pass through authentication procedures in other channels – online, in the call center, and in-person.

IVR fraud protection actively monitors accounts, analyzes calls, and recalculates risk to prevent these manifestations.

3 Benefits of Fighting Fraud in The IVR- Beyond Cost Savings

  1. An Extra Layer of Protection Before Connecting to an Agent

Customer service agents are easily socially engineered by experienced fraudsters. Leveraging fraud monitoring and identification practices within the IVR give agents a powerful tool that empowers agents to protect customer data. By assessing calls before they are connected to agents for suspicious activity, past behavior, or account

  1. IVR Insights Predict Fraud Outside of the Phone Channel

Protect clients can provide real-time risk updates for customer accounts, letting them know which accounts are seeing fraudulent or fraud supporting activities in real-time. Our proprietary technology combined with our AI predicts which account are most likely be attacked next – while simultaneously calculating a risk per call and caller. Machine learning ingests caller behavior- like address changes, keypresses, and metadata from the call – even if performed in the IVR to assess the likelihood of fraud. 

  1. A Simplified Way to Identify At-Risk Accounts 

Anti-fraud clients like Protect provide real-time risk updates for customer accounts, alerting teams to at-risk accounts. Protect calculates call and account risk at the beginning and at the conclusion of each call, leveraging the entire call lifecycle from connection to an IVR to the conclusion of the call.

Best Practices For Employing Network Security  Monitoring For The IVR

The IVR is a traditionally under monitored component of the contact center ecosystem. As more efforts have gone into strengthening customer contact and security from online, chat and mobile perspective, IVR’s have not been protected to the same extent

Find A Solution Specifically Created For the IVR

To ensure your IVRs protection your should find is a solution that focuses squarely on this IVR vulnerability and shores up the defenses to increase security throughout the contact center. Specified anti-fraud solutions and procedures can analyze behavioral abnormalities in the IVR and use specialized non-audio analytics developed for the IVR environment

Correlate Account Risk to Risky Callers

Crime rings and professional fraudsters are crafty and practiced at staying under the radar. The longer they go unnoticed the more they can steal from you. For full protection, chose a solution with the ability to feed account-based risk information into your cross channel risk orchestration platform to identify cross channel risk at the account level. 

Link Seemingly Unrelated Data

Fraud rings are more difficult to identify the larger and more complex than they are. The use of graphic algorithms for fraud anomaly detection simplifies their identification by analyzing commonalities that exist between callers, accounts, and behaviors across time. Graphic algorithms for fraud defense in contact centers make anti-fraud solutions more accurate, supports predictive analytics, and ultimately helps you find more indicators of potential fraud. 

Mitigate Loss Real-Time

To identify and stop fraud in real-time, even from first-time callers, you need the ability to calculate risk in real-time. Real-time calculations of risk scores eliminate time lag between account compromise and fraud attempt. The eradication of these time lags means less fraud loss for your organization as perpetrators are thwarted in real-time. 

Employ Predictive Analytics

The majority of detected IVR fraud is reported 30 days or more after the first call into the IVR. This implies that detecting fraud while it happens is too late in the process. In addition to correlating risky callers to accounts, you should employ predictive analytics to ascertain which accounts are likely to be compromised before it happens. 

Beyond 2020 IVR Security is Network Security

The replacement of face-to-face customer service with alternate means of customer interaction has driven many, both genuine customers and fraudsters to the phone channel. Now, the contactless economy demands accessibility and multi-channel touches. Yet 60% of fraud in the phone channel touches an IVR. 

Pindrop has resources you can use to secure the IVR and protect your organization against attacks across channels. Visit Pulse for curated webinars, discussions, and analyst reviews of emerging threats and solution technology.