Fraudulent activity in the IVR has become a tool for more sophisticated fraudsters and scammers to gain sensitive data that puts contact centers and financial institutions at risk.
Fraudsters often use Interactive Voice Response (IVR) systems to mine information, which they subsequently leverage to commit fraud at various other touchpoints downstream. Forward-thinking contact centers need strategic defenses in place to prevent fraudsters from exploiting the IVR.
As fraud tactics evolve to adapt to the changing landscape in which businesses are operating, virtually and in the cloud, sophisticated technology solutions can help contact centers sustainably address fraud. Securing the IVR is an integral step in this process.
Why Does Fraud Happen in the IVR?
The IVR call experience has become feature-rich and simpler to use, allowing fraudsters to gain access to data quickly. It is not about the transaction at this level, but rather the mining of sensitive information. Because there is little visibility into the traditional IVR for many companies, fraud is on the rise, and contact centers are starting to learn how to fight it.
Fraudsters exploit the IVR to surveil accounts and to operationalize their fraud and planning tactics. These scam artists can operate covertly within the IVR once they have an account number, guessing at pin codes and answers to security questions with relative impunity. When they automate this process and generate a new pin code every ten minutes, they crack a four-digit code in an average of 21 days.
How Do Fraudsters Exploit the IVR?
One typical example of IVR fraud is referred to as “Man in the Call.”
In this scenario, a scammer buys data such as a telephone number from the dark web, and “spoofs” it to begin making calls to banks at random. Depending upon the nature of the interaction within the IVR, the fraudster learns where the owner of the phone number banks, and then uses this information to initiate fraud.
If the fraudster is greeted with a first-time “welcome” message, they can assume it is not their target’s bank. However, if they are immediately taken through a series of questions to authenticate, the fraudster can assume they’ve reached the person’s financial institution.
The fraudster will then contact the account owner, representing themselves as an agent from their FI, and attempt to have the individual authenticate their account by providing sensitive, personal information which leads to fraud at other touch points downstream.
They may also commit SMS fraud by messaging the legitimate person to notify them of fraud on their account. When the victim clicks on the link within the message, or calls the number provided by the scammer, they are routed to an illegitimate operator who puts them through authentication. If the caller provides answers, the compromise is complete.
If the caller balks at the fraudster’s request for authentication, savvy scammers will route them to an actual customer service representative at their FI, and then listen in on the conversation to complete the fraudulent act. The “man in the call” is still present on the line. This level of sophistication demonstrates how fraud can take place on a call even when a customer is working with a legitimate agent on a verified bank phone line.
How to Detect and Combat Fraud in the IVR
Detecting fraud in the IVR helps ward off fraudsters pretending to be legitimate agents. Millions of calls flow through the IVR, and far fewer of these calls ever reach an agent. Contact centers can employ strategies and best practices to operationalize intelligence from their own IVR systems.
A reimagined contact center for the modern era is one in which the IVR is protected through systematic risk scoring and call intelligence driven by AI and machine learning.
Pindrop Protect rates the level of risk for a call based on factors that include behavior spotted in the IVR. An intuitive case management tool flags calls based on a customizable risk threshold and facilitates intelligent filtering of flagged activity. AI and ML work in tandem to offer root cause analysis that enables fraud analysts to detect and protect against fraudsters operating across multiple channels and accounts.
Contact centers should not settle on a solution that can IVR fraud detection and agent leg protection. Look for an integrated strategy that deploys AI and ML to deliver on-premise and cloud-based fraud detection for both the IVR and agent legs.
Learn more about the rise of fraud in the IVR on Pindrop Pulse, and find out why IVRs and contact centers are the new vector of choice for fraudsters.