But how exactly did Pindrop achieve this? By attacking these challenges on multiple fronts leveraging our authentication, anti-fraud and data intelligence platform.
Vector 1: More effective fraud detection
Pindrop improved fraud detection rates by 15% over and above existing tools and systems used by customers. Pindrop’s multifactor approach and analytic capabilities led to over $5 Million in fraud loss prevention and an increased ability to see when a fraudster is coming into multiple lines of business at the same time.
Vector 2: Streamlined authentication
Customers leveraged our automatic number identification (ANI) validation, voice biometrics, and caller analytics to remove two knowledge-based authentication (KBA) questions and lower average handle time (AHT) by as much as 90 seconds for customer interactions. They saved $6.8 Million and were able to personalize the call experience for their callers.
Vector 3: Increased self-service
Pindrop’s risk scores and ANI validation allowed customers to trust verified callers and opened the door to more secure self-service within the interactive voice response (IVR) system. Contact centers were able to contain an additional 1.5% of calls within the IVR system in the first year itself, leading to $6 Million in cost savings.
Vector 4: Improved security operations effectiveness
Pindrop’s case management tool helped fraud investigators fine-tune their fraud alerts, work cases faster, and reduce fraud investigation time by up to 25%. These gains contributed to savings of more than $200,000.
In the words of one of our customers,
“It’s better for our customers, better for our agents. It is certainly saving us money on fraud, and it does allow us to adjust faster to new trends and be able to capture them.”
– VP of Authentication and Identity Technology, Banking.
If you are thinking of ways to keep your contact center secure, to delight your customers, and make your call center agents more productive, the Forrester TEI study is a must read.
Download the study to discover how advanced authentication and fraud detection leads to a stronger bottom line.
There was a point in time when knowledge-based authentication (KBA) questions were an effective form of identification. But that time is gone. It’s likely that more personal information about each and every one of us is available on the web than at any time before in history, and the growing number of cybersecurity incidents each year isn’t helping. Pindrop’s data shows that fraudsters pass such questions more than half of the time, whereas the true person forgets the correct answers one third of the time.
KBA on the outs
Even though the security questions in KBA appear to be personalized, there are only so many questions a system can use, and for fraudsters it often only takes a Google search to crack the KBA code. Information from hacked databases is available for hackers to purchase, making it easier to undermine dynamic KBA strategies. Phishing attacks allow third parties to gain access to individual accounts and detailed user information, making security questions practically useless.
How can KBA still be useful for authentication?
However, customers are still very familiar with KBA. Deploying a KBA solution therefore shows your customers that you are serious about protecting their identity and raises their confidence in your business, so it’s a great first step to build a better, long-term relationship with them.
While establishing KBA, the reliability of the source of the data is directly related to the level of security the authentication provides. Sources like existing account information or trusted third-party sources should be utilized to get to dynamic, non-traditional data and to generate unique questions.
KBA questions should aim at a balance between convenience and security. Asking a question that is too complex can create painful obstacles for customers trying to access their data and hence negatively affect the customer journey. But a question that is too simple can be an invitation to fraudsters. Therefore, it is important to explain the security features to the customer and include reasonable and unique questions.
The difficulty of KBA challenges should match the value of the credentials they protect. Individuals and organizations providing higher-value targets, who will be subject to reconnaissance prior to the attack, must boost their KBA challenges.
Multi-factor authentication (MFA) protocols require two or more identifiers from users before granting access. Businesses of all sizes are beginning to adopt complex rules for authenticating specific devices and are implementing single sign-on to streamline access without compromising data security.
In such an authentication protocol, KBA may still be used safely — not as a primary verification tool but as a secondary one. Companies with robust user data protected by strong encryption can draw from their own information to create dynamic KBA queries. Fraudsters may still be able to gain access to this data, but it requires more work than looking up public records or obtaining aggregated information.
In systems designed to operate on a contextual basis, KBA is useful to fall back on when users can’t meet the requirements for other forms of authentication. Using KBA along with patterns of the user’s behavioral actions in the authentication process would allow for termination of sessions or denial of access should unusual behaviors be detected.
KBA can satisfy the “something you know” requirement and doesn’t have to be limited to security questions. The combination of graphical passwords with something you are (fingerprint), or something you have (smart card) strengthens usability and authentication security.
In summary, it may be premature to fully cancel KBA but necessary to recognize that KBA’s role has been relegated from the featured authentication tool to a complementary method. Do not solely count on KBA but do not totally forget about it, either.
On a quiet Friday afternoon a family member of mine, who will remain anonymous for my own protection, received an email from a man from Australia claiming to be a long lost brother. Since her father had recently passed away, a new familial connection can seem like a very pleasant prospect. The moment I heard this, my disbelief began immediately. In my line of work, unexpected good news from the internet usually means fraud is about to happen. I wanted to believe, but my background in fraudster tactics and fraud prevention wouldn’t let me. I have seen too many examples of fraudsters taking advantage of psychological manipulation as part of their arsenal. Since the pandemic, news reports are telling of increased romance scams and others that use love as part of the deception. The act of saying that you love someone can even become addicting.
That is where the psychology of fraud comes into play. As human beings, we can be manipulated to trust an individual whom we have no business trusting. Dr. Robert B. Cialdini wrote a book called Influence: The Psychology of Persuasion, in which he speaks about factors involved in creating trust, where social proof and consistency can build trust with almost anyone. The fraudsters’ simple but effective technique is based on showing credibility by knowing things about you most wouldn’t. Just knowing a name and two random facts about a person might be enough to create a false sense of trust with someone new. In short, with most people, their hearts simply overrule their heads.
Even people who know how scams work still fall for them. Why? Because we are human. We are tempted by people saying nice things about us, tempted when people can provide a lot of money for no effort, and sometimes you can convince yourself just long enough to give in to the temptation. That is when they have you in their grips. One estimate suggests our older adults lose as much as $36.5 billion a year to financial abuse. But assessments like that are “grossly underestimated,” according to a 2016 study by New York’s Office of Children and Family Services. We are only seeing the tip of the iceberg when it comes to the actual devastation this criminal industry is causing; the body of it is being buried under the silence of unreported incidents. The cause of the underreporting? Embarrassment. Nobody likes to admit they’ve been duped, let alone duped out of a large sum of money. Victim shame can silence many who have been defrauded.
So, does my family have a long lost brother? Or is this a wild coincidence that no one knew about this person until recently, and anyone who could corroborate the story is no longer alive? Do I believe? I want to believe, but my job won’t let me.
Is my mystery guest who he claims to be? Or will I get a call where he either is in trouble and needs our help with bail, or a family member of “ours” died and left everything to us, and all that is due is the processing fee? Check back for a follow-up post as more unfolds.
Fraudulent activity in the IVR has become a tool for more sophisticated fraudsters and scammers to gain sensitive data that puts contact centers and financial institutions at risk.
Fraudsters often use Interactive Voice Response (IVR) systems to mine information, which they subsequently leverage to commit fraud at various other touchpoints downstream. Forward-thinking contact centers need strategic defenses in place to prevent fraudsters from exploiting the IVR.
As fraud tactics evolve to adapt to the changing landscape in which businesses are operating, virtually and in the cloud, sophisticated technology solutions can help contact centers sustainably address fraud. Securing the IVR is an integral step in this process.
Why Does Fraud Happen in the IVR?
The IVR call experience has become feature-rich and simpler to use, allowing fraudsters to gain access to data quickly. It is not about the transaction at this level, but rather the mining of sensitive information. Because there is little visibility into the traditional IVR for many companies, fraud is on the rise, and contact centers are starting to learn how to fight it.
Fraudsters exploit the IVR to surveil accounts and to operationalize their fraud and planning tactics. These scam artists can operate covertly within the IVR once they have an account number, guessing at PIN codes and answers to security questions with relative impunity. When they automate this process and generate a new PIN code every ten minutes, they crack a four-digit code in an average of 21 days.
How Do Fraudsters Exploit the IVR?
One typical example of IVR fraud is referred to as “Man in the Call.”
In this scenario, a scammer buys data such as a telephone number from the dark web, and “spoofs” it to begin making calls to banks at random. Depending upon the nature of the interaction within the IVR, the fraudster learns where the owner of the phone number banks, and then uses this information to initiate fraud.
If the fraudster is greeted with a first-time “welcome” message, they can assume it is not their target’s bank. However, if they are immediately taken through a series of questions to authenticate, the fraudster can assume they’ve reached the person’s financial institution.
The fraudster will then contact the account owner, representing themselves as an agent from their FI, and attempt to have the individual authenticate their account by providing sensitive, personal information which leads to fraud at other touch points downstream.
They may also commit SMS fraud by messaging the legitimate person to notify them of fraud on their account. When the victim clicks on the link within the message, or calls the number provided by the scammer, they are routed to an illegitimate operator who puts them through authentication. If the caller provides answers, the compromise is complete.
If the caller balks at the fraudster’s request for authentication, savvy scammers will route them to an actual customer service representative at their FI, and then listen in on the conversation to complete the fraudulent act. The “man in the call” is still present on the line. This level of sophistication demonstrates how fraud can take place on a call even when a customer is working with a legitimate agent on a verified bank phone line.
How to Detect and Combat Fraud in the IVR
Detecting fraud in the IVR helps ward off fraudsters pretending to be legitimate agents. Millions of calls flow through the IVR, and far fewer of these calls ever reach an agent. Contact centers can employ strategies and best practices to operationalize intelligence from their own IVR systems.
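As an added illustration (not Pindrop's code or product logic), the sketch below shows why the slow PIN guessing described earlier slips past a per-call lockout but stands out once failed PIN entries are counted per account across calls. The log format, the 24-hour window, the failure budget and all sample events are assumptions constructed for this example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed look-back, far longer than a single call
MAX_FAILS = 10                # assumed per-account failure budget inside WINDOW
LINE = re.compile(r"(?P<ts>\S+) call=(?P<call>\S+) ani=(?P<ani>\S+) "
                  r"acct=(?P<acct>\S+) event=(?P<event>pin_fail|pin_ok)$")

def build_sample_log():
    """Constructed events: a slow guesser on acct 1001, a forgetful customer on 2002."""
    start = datetime(2024, 3, 1, 9, 0)
    lines = []
    for i in range(12):  # one wrong PIN every ten minutes, new call and ANI each time
        ts = (start + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} call=a{i:02d} ani=+12025550{100 + i} acct=1001 event=pin_fail")
    for minute, event in ((5, "pin_fail"), (6, "pin_fail"), (7, "pin_ok")):
        ts = (start + timedelta(minutes=minute)).isoformat()
        lines.append(f"{ts} call=b01 ani=+12025550199 acct=2002 event={event}")
    return lines

def parse(lines):
    """Return regex matches in time order, skipping malformed lines."""
    return sorted(filter(None, map(LINE.match, lines)), key=lambda m: m["ts"])

def per_call_lockouts(lines, limit=3):
    """Classic control: calls with `limit` or more wrong PINs inside one call."""
    fails = Counter(m["call"] for m in parse(lines) if m["event"] == "pin_fail")
    return sorted(call for call, n in fails.items() if n >= limit)

def find_slow_guessing(lines):
    """Flag accounts whose wrong-PIN count across all calls reaches the budget."""
    recent = defaultdict(deque)  # account -> (time, call, ANI) of recent failures
    flagged = {}
    for m in parse(lines):
        if m["event"] != "pin_fail":
            continue
        ts, q = datetime.fromisoformat(m["ts"]), recent[m["acct"]]
        q.append((ts, m["call"], m["ani"]))
        while ts - q[0][0] > WINDOW:  # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILS and m["acct"] not in flagged:
            flagged[m["acct"]] = {"flagged_at": ts, "failures": len(q),
                                  "distinct_calls": len({c for _, c, _ in q}),
                                  "distinct_anis": len({a for _, _, a in q})}
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("per-call lockouts:", per_call_lockouts(log))
    print("slow guessing:", find_slow_guessing(log))
```

Keying the counter on the account rather than on the call or the ANI is what makes the pattern visible, since each call in the constructed log carries a single failure from a different caller ID.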
A reimagined contact center for the modern era is one in which the IVR is protected through systematic risk scoring and call intelligence driven by AI and machine learning.
Pindrop Protect rates the level of risk for a call based on factors that include behavior spotted in the IVR. An intuitive case management tool flags calls based on a customizable risk threshold and facilitates intelligent filtering of flagged activity. AI and ML work in tandem to offer root cause analysis that enables fraud analysts to detect and protect against fraudsters operating across multiple channels and accounts.
Contact centers should not settle for a solution that separates IVR fraud detection from agent leg protection. Look for an integrated strategy that deploys AI and ML to deliver on-premise and cloud-based fraud detection for both the IVR and agent legs.
Learn more about the rise of fraud in the IVR on Pindrop Pulse, and find out why IVRs and contact centers are the new vector of choice for fraudsters.