Our solutions meet the voice security needs of contact centers in various industries, taking a comprehensive approach to fraud detection, deepfake detection, and authentication.
Five9 + Pindrop: Fraud Detection with Better Customer Experience
Five9 + Pindrop are partners in balancing caller experience with security and fraud detection. Discover what that looks like during our collaborative webinar, which includes a success story from our shared customer: the contact center at Michigan State University Federal Credit Union (MSUFCU).
Caller authentication is necessary, but often time-consuming and detrimental to the customer experience. That’s why Five9 and Pindrop have partnered to bring advanced authentication and fraud detection software to Five9 customers.
Learn how Five9 + Pindrop technologies united to provide secure and efficient experiences for MSUFCU’s member base
Discover how to help protect your business, reduce average call handle time, increase IVR containment, and improve contact center customer experience
Explore the fraud problem in credit unions and how Five9 + Pindrop technologies work together to defend against it
We are dedicated to helping our customers quickly and easily authenticate inbound calls, drive automation in the IVR (Interactive Voice Response system), and detect fraud.
With voice-based authentication methods, contact centers can reduce caller frustration, shorten resolution times, and improve security and compliance.
Using the Pindrop® API Connector within the Webex Contact Center, we seamlessly integrate into contact center call flows, enabling quick setup and easy deployment.
How it works
In any partner integration, Pindrop® Technologies captures a copy of an inbound call and runs a thorough analysis. The analysis of an inbound call is predicated upon a deep, carrier-style integration where the Pindrop® Solution ingests the call audio, metadata, keystroke presses, and other signaling.
This approach allows our technology to perform an accurate, multifactor analysis of the inbound caller’s voice, device, behavior, network, risk, and liveness. This will help you determine if the caller is a genuine consumer or a fraudster.
For more insight into how fraudsters operate, check out our article on the fraudster playbook.
Webex Contact Center: Customer SIPREC integration
The diagram below showcases the robust architecture of the Webex Contact Center + Pindrop integration. It illustrates a scenario where a customer using a premise-based Session Border Controller (SBC) routes calls to Pindrop. Pindrop also supports a flexible Bring Your Own Carrier (BYOC) model, allowing you to route calls directly from your carrier. Contact Pindrop to determine if your carrier is supported.
This is a high-level architectural diagram illustrating the call flow from an SBC to the Webex Contact Center and then to the Pindrop network for voice authentication and fraud detection.
Key elements of the Webex CC + Pindrop integration
1. Pindrop® API connector
The Pindrop® API Connector enables your organization to establish a secure trust relationship between your Pindrop account and the Webex Contact Center, allowing you to access Pindrop’s voice authentication and fraud detection services seamlessly.
Once the trust relationship is established, integrating Pindrop’s capabilities is as straightforward as making HTTP requests within your Webex CC call flows. These requests allow you to initiate voice authentication, detect fraud, capture key data points for analysis, and make intelligent routing decisions.
2. Easy-to-use agent UI
Pindrop has constructed a pre-built agent user interface, delivered through the Webex Contact Center agent desktop.
This helps implement Pindrop intelligence and policy-driven instructions to Webex Contact Center agents as clearly and intuitively as possible. This user-friendly interface helps agents easily understand and apply Pindrop’s capabilities in their daily operations.
A view of Pindrop’s pre-built agent user interface. It showcases call risk status, phone number, call duration, and more.
3. Supportive resources for self-guided implementation
To simplify the process, we have authored a detailed user guide that provides clear, step-by-step instructions to help contact center administrators implement Pindrop® Solutions in their Webex Contact Center environment.
Additionally, Pindrop resources are readily available for support and guidance, ensuring a smooth and successful integration.
Real-world success
Some of the largest banks, credit unions, insurance companies, and healthcare providers in the world trust Pindrop to combat fraud and deliver secure, efficient customer service. To read more about how Pindrop integrates with other leading contact center platforms, check out our posts on Five9 + Pindrop authentication and fraud detection or how to integrate Pindrop® Solutions and Genesys Cloud CX.
Ongoing collaboration and future development
At Pindrop, we’re committed to continuous innovation and close collaboration with the Webex Contact Center. We adapt our solutions to address evolving customer needs. Our teams actively monitor and enhance the current integration, exploring new capabilities to support future use cases.
Do you have a call center challenge you’d like Pindrop and Webex Contact Center to address? We’d love to hear from you.
Detect incoming calls from spoofed telephone numbers
Personalize customer service (both in the IVR and when calls are transferred to agents)
Authenticate customers in the IVR reliably
Use a cost-effective solution
Telco B:
Detect ANI spoofing to prevent fraud
Increase IVR containment
Improve the customer experience while improving security
The solution
Telco A
75% “Green” Rate
3X Return on Investment
2 Months Full Implementation
Telco B:
2% Increase in IVR Containment
70% Verification “Green” Rate
Increase CSAT Scores
Methodology
This case study is based on interviews with executives responsible for contact center customer service and fraud prevention in two Fortune 250 telecommunications firms concerning the contact center challenges they faced and the needs that led them to look for a new technology solution. These interactions were for the purpose of discovering insights into the benefits and challenges associated with deploying and using Next Caller’s VeriCall® Technology.
Key Takeaways from the study include:
Reliable spoofing detection enables the reduction of account takeover fraud in contact centers.
Ensuring the incoming telephone number is accurate supports authentication in the interactive voice response (IVR) system and eliminates time-consuming knowledge-based authentication (KBA) questions and one-time passwords (OTPs).
The customer experience is improved when passive methods are used to authenticate customers, greet customers by name, and respond quickly to their requests.
Reducing the length of calls reduces costs and improves operational efficiency.
Simple and fast implementation enables fraud to be reduced and the customer experience to be improved quickly.
Point solutions that target and resolve a specific problem (e.g., spoofing) may be more cost-efficient and faster to deploy, resulting in a strong return on investment.
Telco A
Background/History
Telco A, participating in this research, is a telecommunications Fortune 50 firm. Almost 100% of incoming calls to contact centers go through the IVR initially; roughly 50% are eventually transferred to an agent.
Telco A strongly desired to improve the customer experience in its contact centers. Management’s vision was to personalize service, streamline authentication, and transfer information from the IVR to an agent when calls had to be transferred so customers could be greeted by name and meet their needs faster. To accomplish this, the firm realized it had to know definitively who agents were dealing with on each call as quickly as possible. The tipping point came when ANI spoofing escalated significantly, and executives realized it was time to take action. There was a strong desire to address the spoofing issues as fast as possible, so a solution that could be implemented swiftly was a strong consideration in the vendor selection process.
Outcomes
Implementing VeriCall® Technology was a resounding success. Using VeriCall® Technology, three potential results are possible for every incoming call—green, gray, or red. In the IVR, all calls VeriCall® Technology denotes as green are considered authenticated by Telco A. As a result, they are fast-tracked; customers are greeted by name, and no further authentication is performed. If the customer’s needs cannot be met in the IVR, the caller is transferred to an agent who also greets him or her by name and acts to address the customer’s request. Telco A estimates that all green calls transferred to an agent have a reduction of two to four minutes average handle time; this is time that was previously required for authentication, primarily using KBA questions and OTPs. The reduction in authentication time resulted in an operational expense reduction in the millions of dollars annually. About 75% of incoming calls are green. Calls coded gray by VeriCall® Technology follow the process that was in place at Telco A prior to implementing VeriCall® Technology. Since the customer has not yet been successfully authenticated, calls that are labeled red by VeriCall® Technology (less than 2% of incoming calls) are treated as highly suspicious by Telco A; most honest customers do not spoof a telephone number, so the majority of these calls are normally determined to be fraudulent.
During the implementation phase, a few minor issues arose but were addressed and resolved quickly. This executive stated Next Caller is a small, extremely responsive company that works to maintain a strong partnership with this client. Telco A has achieved three times the return on investment after implementing the VeriCall® Technology.
Lessons Learned
Choosing VeriCall® Technology from Next Caller had buy-in from all internal stakeholders. They have found the company to be responsive and a good strategic business partner, and the solution to be cost-effective. Compared to other solutions they considered, VeriCall® Technology is significantly less expensive to Telco A.
Telco B
Background/History
Telco B is a telecommunications Fortune 250 business. Over 98% of incoming calls to contact centers initially go through the IVR in this company.
Telco B began experiencing an uptick in fraud in its contact centers and wanted to take action to mitigate fraud and better protect its customers’ accounts. Its biggest challenge was ANI spoofing, so it wanted to harden the IVR to prevent account takeover fraud. Telco B was using a web tool that was supposed to help identify incoming telephone numbers that were likely fraudulent, but fraud rates were rising. It examined various technology solutions available in the market that could help detect incoming calls from spoofed numbers.
Approach
In looking at competing solutions in the market, the firm’s executives saw many strong capabilities but were given pause by the price tags. Management decided that at that point in time, they didn’t really need a lot of the functionality offered by more expensive competitors; they just required reliable spoofing detection. Because the rate of fraud incidents was increasing, they also needed a solution they could implement quickly to better protect customer accounts.
As Telco B’s executives looked at Next Caller, they felt it had a very competitive solution and that the company would be a good business partner. While improving the customer experience wasn’t the primary reason they were looking for a solution, management was excited about the prospect as a side benefit of addressing their fraud challenge.
Outcomes
Prior to implementing VeriCall® Technology, Telco B was matching the incoming telephone number to an existing customer account, looking to see if there were any fraud alerts on the account, and requiring the customer to input an account PIN (personal identification number). After implementing VeriCall® Technology, for all calls determined to be green (about 70%), no PIN is required by Telco B. This frictionless verification was embraced by customers and company management alike. In addition, the use of the web tool that provided information about numbers that were likely to be fraudulent was discontinued without detriment after implementing VeriCall® Technology.
Perhaps the biggest challenge during the implementation was that there were unanticipated system integration requirements with the system Telco B uses in front of and behind the IVR.
Next Caller partnered with Telco B to address all of the issues quickly, but it delayed the overall implementation of VeriCall® Technology from two months to three months.
Voice over Internet Protocol (VoIP) calls can be very difficult to authenticate. While such calls are sometimes riskier, the mere use of a VoIP line does not mean the call is fraudulent. The executive with Telco B states that VeriCall® Technology does a very good job with incoming calls from mobile devices and landlines, and that Next Caller is working to improve results on VoIP calls.
Similar to Telco A, Telco B has achieved a decrease in the time a caller takes to be authenticated when speaking with an agent. If authenticated in the IVR (green call), there is a reduction of over a minute of handling time, which results in significant cost reduction in the contact center. In addition, Telco B has achieved an additional 2% IVR containment rate, and management is excited that as the solution’s machine learning models continue to learn, this percentage may rise further.
Last, Telco B’s customer satisfaction ratings (measured by an independent firm) have improved over the past two years—something management takes very seriously and is proud of. A portion of that improvement is attributed to the customer experience improvement in contact centers.
Lessons Learned
VeriCall® Technology requires minimal upkeep according to Telco B, and it requires two fewer data inputs than the system used previously. Telco B management is hopeful that Next Caller’s machine learning models will continue to improve the product’s percentage of green calls over time. Like Telco A, Telco B is very complimentary about Next Caller’s support.
What’s next
The uptick in fraud in contact centers crosses over many industries; the challenges described in this case study and the benefits achieved by Telco A and B are likely relevant for any contact center in which fraudsters can derive value by taking over a customer account.
Here are some key takeaways for consideration:
While it sometimes makes sense to invest in technology solutions with capabilities not yet needed, in many cases, less is more. A product that meets your pressing needs quickly and more economically may be the best investment choice.
Improving the customer experience is essential.
Consumers’ expectations are constantly rising as they receive strong service from companies such as Amazon. Meeting the expectation of quick, painless customer service doesn’t have to be a dream; by making it a reality, companies can achieve a competitive advantage.
Speed in implementation is vital; the faster benefits are realized, the quicker the technology provides a return on investment. This is also important because IT resources are often in scarce supply and in heavy demand in FIs.
Customers expect their accounts to be protected. Companies that provide a great customer experience and strong security without adding friction can develop a competitive advantage.
Reducing the AHT of calls in contact centers can save millions of dollars annually in large companies. Reducing the use of authentication tools, such as KBA and OTPs, reduces friction to improve the customer experience but also cuts back the time spent authenticating callers, thus improving operational efficiency.
Related research + insights
Access expert research, detailed guides, and practical resources on voice security to strengthen your contact center’s defenses.
Proves that happy employees are the key to happy customers
The Challenge
Before Pindrop, UCBI used traditional customer verification methods, including knowledge-based authentication, asking seven to ten questions. Pindrop’s data shows that fraudsters tend to pass such questions with success more than half of the time, whereas the actual person forgets the correct answers 20-40% of the time.
The Solution
After reviewing the market of the phone channel authentication products, UCBI chose to further discussions with Pindrop based on two factors:
The peer-to-peer existing customer referrals from the executive team’s network in the Financial Services space
Pindrop’s emphasis on voice security, which helped UCBI overcome existing phone infrastructure challenges due to size, complexity, and acquisitions over time
Within the first month of the Pindrop relationship, UCBI experienced significant results:
The overall average handle time (AHT) decreased by 29 seconds. Among previously low-to-average performing agents, this improvement averaged a whole minute. Considering their annual volume of 406,640 calls handled, that meant a reduction of roughly 197,000 minutes in total handle time. The average speed of answering customer questions improved by 1 minute and 11 seconds. Abandoned calls went down by more than 7%.
Higher Call Efficiency
The increase in agent efficiency led to a 14% increase in calls handled.
Customer Satisfaction
The post-call customer satisfaction score improved by more than 5%.
Improved Call Handling
UCBI improved its efficiency with the average number of calls handled per agent increasing by almost 50% for the time period observed.
Positive Team Feedback
UCBI started receiving great feedback from its call center team members, with almost three quarters of those expressing high satisfaction.
“I don’t know what you’ve changed, but I love it! Not only is your team answering the phone much faster now, but not having to answer all those questions is a relief. Thank you!”
Happy, distinct voices in harmony
It was clear that happy call center agents were a big factor in the customer experience improvement — as reflected in two distinct voice categories:
1. Voice of the Agent
It was clear that call center agents were a significant factor in improving the customer experience. One agent voiced the ease of the product not adding more security measures, while also noting the time it saved them in not having to do a 7-step verification process. Another said it allowed them to efficiently serve more customers and improve upon hold times, leading to happier customers. Customers are more comfortable answering questions, and the number of fraudsters getting past the verification process has decreased.
2. Voice of the Customer
By facilitating agents’ productivity and ease in their work, customers, in turn, expressed gratitude for the change in the process. Not only was the team able to answer phone calls faster, but not having to put customers through too many hoops of questions to answer was also a relief.
What’s next for UCBI?
UCBI plans to stay alert and active within the Pindrop Quarterly Client Forum calls—sharing up-to-date, real-time information on the arms race of innovation of phone fraud and social engineering techniques threatening the security and positive customer experience that all banking customers should expect. UCBI will also continue treating its customers with the utmost respect and the precise attention they deserve.
Trailblazing the customer experience and protection in insurance
The Challenge – Insurance
Prior to 2015, account takeover (ATO) fraud prevention was not something the Company was directly focused on. Fraud investigations were focused on more “traditional” insurance fraud, such as application misrepresentation and false claims.
However, in 2015, the Company and several others in the insurance industry experienced a significant contact center based ATO “whaling” attack by fraudsters. “Whaling”, which is “phishing” with a higher profile of targets, entailed impersonating multiple, high profile clients of the Company, including members of the Company’s Board of Directors.
This event was an eye-opener and made the Company realize that fraud prevention needed to become a central focus. At that point, authentication methods were unsophisticated, often just consisting of asking callers for basic personal information such as date of birth and social security number; customer service representatives were not trained on how to detect fraud red flags; and there were virtually no fraud controls or technologies implemented. This environment, coupled with the continuously evolving tactics of fraudsters, was making the Company more and more prone to breaches.
The Solution – Positive Impact with Pindrop
As a response to this increasing risk, a small fraud team was established in 2015, initially focusing on call center activity as the Company didn’t have a strong online capability yet at that time. One of the first actions that the Company’s newly formed Fraud Team took was to scan the market for potential technology solutions. Pindrop was introduced to the Company through a partner and following a successful trial period, the formal relationship began in late 2016 with Pindrop’s anti-fraud solution. Rolling out Pindrop’s anti-fraud solution was the first move to protect customers that was not manual.
The initial goal of the effort was to stop as much fraud as possible. The immediate results were great; the return on investment was significant and some serious fraud attempts were stopped. In 2017 alone, Pindrop’s anti-fraud solution detected over 250 fraudulent calls, an increase of almost 400% from prior year, and more than $40 million in customer account value was protected from fraudsters.
Improving the customer experience while gathering new data
Since December 2019, the Company has realized significant benefits from Enhanced Authentication, including:
Operational cost savings of $1.2 million, more than double our initial goal of $500 thousand
$38 million in customer assets protected from fraudulent attempts
$1.6 million in fraudulent disbursement attempts stopped
With Pindrop as a key partner, the Company set out to implement a brand new authentication technology ecosystem, dubbed “Enhanced Authentication” or “EA”. The main goals were improving security to stop fraudsters while simultaneously enhancing the experience for legitimate customers by reducing friction and reducing or eliminating the time CSRs had to spend manually authenticating callers.
The three key features of the effort were identity proofing utilizing a phone ownership verification service and both threat detection and multi-factor authentication utilizing Pindrop’s authentication solution. The Company’s longer-term strategy also included enhancing digital capabilities and enabling more self-service opportunities in the interactive voice response (IVR).
Even in just the pilot stage of this Enhanced Authentication effort, the Company was able to achieve an average authentication rate of over 80% for enrolled callers. It also helped the Company gather intelligence about the activity occurring in the IVR that they previously had no visibility into.
Targeting the optimal customer experience
In 2015, the Company relied solely on traditional knowledge-based authentication based on questions generated from a wider base of personal information. Pindrop’s data shows that fraudsters tend to pass such questions with success more than half of the time, whereas the true person forgets the correct answers 20-40% of the time. Furthermore, situations in which not knowing your policy number meant no service were leading to a terrible customer experience.
Starting in 2016, the Company developed and began implementing a more holistic fraud prevention, identity proofing and authentication strategy. When it came time to select vendors to support that strategy, the success of the anti-fraud solution already in place and the mutual trust between the Company and Pindrop led to the relationship extending into the authentication space – formally live in 2019.
Future outlook
The Company’s next goals with Enhanced Authentication include improving efficacy by increasing the percentage of their customers who claim an ID to the same level as its peers in the banking industry, and deploying Enhanced Authentication to both additional call centers and additional personas. The Pindrop relationship has been a key contributor to the great benefits the Company has realized thus far and those benefits are only expected to increase as the Company deploys and enhances EA further.
The Company’s long-term vision entails creating full profiles for every customer and building relationships based on that profile, allowing the Company to target the optimal customer experience based on customer preferences with an omni-channel focus, including the digital channels while providing best-in-class security.
How did Pindrop help the company?
Pindrop has been an integral part of the Company’s pioneering efforts in the insurance industry at a point in time when technology was not widely used to assess risk or identity proof and authenticate customers. More importantly, Pindrop has enabled the Company to prevent millions of dollars in fraud, provide industry-leading security, and optimize the customer experience.
1. IVR Adapted Technologies Identify Fraudsters Real-Time
Pindrop Protect provides multiple layers of security and protection for the call center. Protect combines 5 technology engines into one platform which analyze risk across time and accounts to determine if an incoming caller exhibits anomalies that indicate high-risk or suspicious behavior, activities, fraud or fraudulent reconnaissance.
2. Passive, Multi-factor Authentication
Pindrop Passport eliminates or significantly reduces traditional authentication methods and the unwanted customer friction they bring, replacing them with a multi-factor authentication solution. Passport improves overall customer experience and hardens the call center to attacks. Authentication, utilizing the Deep Voice(TM) Biometrics, happens in the background, reducing call handle times, saving operational costs, and increasing agent efficiency.
Saving 8.5 Million minutes in handle time and cutting ATO losses by account in half
The Challenge
Before Pindrop, FNBO had nothing in place to detect phone fraud through the IVR (interactive voice response) or even into the call. Their approach was reactive rather than proactive. They used traditional authentication, including “out-of-wallet” questions. Pindrop’s data shows that fraudsters tend to pass such questions with success more than half of the time, whereas the actual person forgets the correct answers 20-40% of the time.
FNBO relied heavily on one-time passwords (OTPs), even with genuine customers. The OTPs were hurting the customer experience and adding two minutes to the average handle time (AHT) while still getting beaten by fraudsters.
The Solution
Within the first year of the Pindrop relationship, FNBO experienced significant results: 4,000-5,000 fraudulent calls a month bypass the call center agents and go directly to the fraud team. That relieved significant pressure on the agents as they no longer needed to be fraud experts.
The OTP usage decreased by 75%, and overall, AHT decreased by 30 seconds. Considering their annual volume of 17 million calls, that meant a reduction of 8.5 million minutes in total handle time.
Even though FNBO did not consider itself to have an ATO problem before working with Pindrop, their ATO recognition rate increased by 59%. Their total ATO losses decreased by 16%, and the average ATO loss by account decreased by 47%.
Creating a personalized + secure customer experience
FNBO plans to create a more personalized experience for their customers who call the contact center utilizing Pindrop’s passive authentication solution for maximum identity assurance with minimal customer effort.
Another priority is expanding customer options by adding “voice” in their IVR to expand self-service options for their customers with the help of Pindrop to provide security and identity for another improved customer experience.
IVR Adapted Technologies
Identify fraudsters in real-time
Passive multi-factor authentication
Flawless IVR Call Risk Model
IVR adapted technologies identify fraudsters in real-time
For the IVR, Pindrop Protect uses multifactor analytics developed specifically for the IVR environment and runs in the background of every call. Protect combines 5 technology engines into one platform, which analyzes risk across time and accounts to determine if an incoming caller exhibits anomalies that indicate high-risk or suspicious behavior, activities, fraud or fraudulent reconnaissance.
“Pindrop performed 34% better for us than what we projected in fraud loss cuts.”
STEVE FURLONG, DIRECTOR OF FRAUD MANAGEMENT
Passive, multi-factor authentication
Pindrop Passport eliminates or significantly reduces traditional authentication methods and the unwanted customer friction they bring, replacing them with a multi-factor authentication solution. Passport improves overall customer experience and hardens the call center to attacks.
Authentication happens in the background, reducing call handle times, saving operational costs, and increasing agent efficiency.
What’s next
FNBO plans to improve account monitoring by leveraging Pindrop as a central investigation tool verifying suspected ATO and fraudulent applications through any other systems leveraging account risk.
As FNBO expands its business lines, it intends to use Pindrop for call risk and account risk intelligence on phone lines in addition to their toll-free numbers.
About FNBO
First National Bank Omaha (FNBO) is a subsidiary of First National of Nebraska. It is the largest privately held bank subsidiary in the United States. First National of Nebraska has grown to nearly 5,000 employees with locations in seven states and $24 billion in assets. First National Bank of Omaha has been ranked “Highest in Customer Satisfaction with Retail Banking in the Midwest” by J.D. Power, named a MONEY Best Bank in the Midwest, and rated one of Forbes Best Banks in America.
In today’s digital era, where automation reigns supreme, there remains a significant segment of customers who prefer personal interactions over automated services. Gartner reports that 46% of individuals prefer speaking to a real person in the service center, while only 14% opt for email communication.
Discover the delicate balancing act that businesses face as they navigate the fine line between meeting their customers’ desire for human connection and mitigating the risks associated with fraud in contact centers. In our final session of the VIRS webinar series, our experts will dive into the intricate dynamics of this challenge.
Resurgence of Fraud in Contact Centers: Latest Tactics and Vulnerabilities
Fraud is surging back in contact centers. In 2022, as pandemic-era government payouts dried up and economic uncertainty took hold, fraudsters started to return to their familiar hunting grounds: socially engineering contact center agents. Only this time they are armed with people’s personal data acquired from dark web data breaches and smishing attempts. As a result, the fraud call rate is up by 40% in 2022 and the trend is expected to continue in 2023.
The 2024 Security Landscape: Your Guide to Modern Fraud Prevention
From data breaches to deepfakes, the current state of cybersecurity and the impact of generative AI on fraud activities has had massive implications on businesses and consumers. Join Pindrop leaders for an exclusive webinar as we dive into Pindrop’s latest findings detailed in our annual Voice Intelligence and Security report, covering the evolving fraud and security trends and solutions in contact centers.
From Detection to Prevention: Advanced Strategies to Prevent Contact Center Fraud in 2024
In 2023, data breaches reached an all-time high of 3,205, 78% higher than the previous year. Leveraging generative AI technology, fraudsters are employing advanced tactics, including bots and deepfakes, and exploiting vulnerabilities in outdated systems. In the face of rising contact center fraud, it’s crucial to implement robust and modern fraud prevention strategies.
Watch Pindrop fraud and authentication experts in a comprehensive webinar where we dug into essential fraud-fighting techniques that can protect your contact center from becoming a fraudster’s playground.
Join ethical hacker Samy Kamkar and Pindrop VP Amit Gupta in an exclusive live Q&A session to discuss the rise of cyber fraud, the impact of deepfakes and evolving security trends, followed by a discussion with Yves Boudreau on how cyber fraud affects businesses.
Learn about cyber fraud and security trends with Samy Kamkar and Amit Gupta in a live Q&A.
Find out how fraud impacts businesses through a fireside chat with Amit Gupta and Yves Boudreau.
Discover how to strengthen your company’s fraud security measures from this webinar.
Meet the Experts:
Amit Gupta
VP Product Management, Research, and Engineering
Yves Boudreau
Head of Customer Engineering, Google Cloud
Samy Kamkar
Security Researcher and Co-Founder, Openpath Security
As daunting as these numbers are, we expect them to keep growing as we enter the digital age of banking. Financial institutions need to be prepared to handle the ever-changing fraud attacks while maintaining a seamless customer experience. The question is: How can you provide excellent customer service and improve security?
Learn how banking fraud investigation, detection, and prevention work below.
What exactly is banking fraud detection?
Banking fraud detection refers to a comprehensive set of techniques and technologies designed to help protect a bank’s most critical assets: customer information, financial resources, and secure systems. At its core, fraud detection aims to identify suspicious activities and potential fraud attempts in real-time, ensuring that any threat is promptly flagged for investigation.
This process involves analyzing vast amounts of transaction data, monitoring for unusual patterns, and leveraging advanced tools like artificial intelligence and machine learning to outsmart increasingly sophisticated bad actors. Fraud detection works with prevention strategies, forming a robust defense to help protect financial institutions from devastating breaches that would impact their customers.
Types of banking fraud
Banking fraud can be categorized into two main areas: account takeover methods and general banking fraud. Understanding both is essential for effectively detecting and helping prevent fraudulent activities in financial institutions.
Account takeover methods
Account takeover (ATO) refers to a fraudster gaining unauthorized access to a customer’s account, often by exploiting weak points in security systems. These methods include:
Phishing attacks: Fraudsters send deceptive emails, texts, or calls pretending to be from legitimate sources, tricking customers into revealing sensitive information like passwords or account numbers.
Credential stuffing: Cybercriminals use stolen login credentials from data breaches to gain access to multiple accounts where users have reused passwords.
Session hijacking: Attackers intercept active banking sessions by stealing session tokens, allowing them to take over the user’s account while bypassing login processes.
Social engineering: Fraudsters manipulate victims into providing sensitive information or performing actions that compromise account security, such as clicking on malicious links or transferring funds.
Password spraying: Fraudsters attempt to access multiple accounts by trying commonly used passwords across a broad set of usernames, attempting to avoid detection by keeping the number of attempts per account low.
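A detection sketch for the password-spraying pattern in the list above, added here as an example and not taken from the original page: because attempts per account stay low, a per-account failure threshold never fires, so the check pivots on how many distinct usernames one source fails against inside a time window. The log layout, thresholds, IP addresses and sample events are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, outcome).
SAMPLE_EVENTS = [
    # One source, one failure per account, many accounts: the spray shape.
    ("2024-03-01T09:00:05", "203.0.113.7", "alice", "FAIL"),
    ("2024-03-01T09:01:10", "203.0.113.7", "bob", "FAIL"),
    ("2024-03-01T09:02:20", "203.0.113.7", "carol", "FAIL"),
    ("2024-03-01T09:03:30", "203.0.113.7", "dave", "FAIL"),
    ("2024-03-01T09:04:40", "203.0.113.7", "erin", "FAIL"),
    ("2024-03-01T09:05:50", "203.0.113.7", "frank", "FAIL"),
    ("2024-03-01T09:06:55", "203.0.113.7", "grace", "OK"),
    # One customer fumbling their own password six times, then succeeding.
    *[("2024-03-01T09:1%d:00" % m, "198.51.100.4", "heidi", "FAIL") for m in range(6)],
    ("2024-03-01T09:16:00", "198.51.100.4", "heidi", "OK"),
    # Ordinary single typo.
    ("2024-03-01T09:20:00", "192.0.2.50", "ivan", "FAIL"),
    ("2024-03-01T09:20:30", "192.0.2.50", "ivan", "OK"),
]

PER_ACCOUNT_LOCKOUT = 5          # assumed classic lockout threshold
SPRAY_DISTINCT_USERS = 5         # assumed: distinct usernames failed by one source
SPRAY_MAX_PER_USER = 2           # assumed: spray keeps per-account attempts this low
WINDOW = timedelta(minutes=30)   # assumed correlation window


def parse(events):
    """Return events sorted by time with parsed timestamps."""
    return sorted((datetime.fromisoformat(ts), src, user, outcome)
                  for ts, src, user, outcome in events)


def per_account_lockouts(events, threshold=PER_ACCOUNT_LOCKOUT):
    """Per-account view: accounts whose failure count reaches the threshold."""
    fails = Counter(user for _, _, user, outcome in parse(events) if outcome == "FAIL")
    return {user: n for user, n in fails.items() if n >= threshold}


def spray_sources(events, min_users=SPRAY_DISTINCT_USERS,
                  max_per_user=SPRAY_MAX_PER_USER, window=WINDOW):
    """Per-source view: many distinct usernames failed, few attempts on each.

    For every flagged source, also list accounts that source logged in to
    successfully inside the same window, since those need triage first.
    """
    by_src = defaultdict(list)
    for row in parse(events):
        by_src[row[1]].append(row)

    findings = {}
    for src, rows in by_src.items():
        fails = [(t, u) for t, _, u, o in rows if o == "FAIL"]
        for i, (start, _) in enumerate(fails):
            in_win = Counter(u for t, u in fails[i:] if t - start <= window)
            if len(in_win) >= min_users and max(in_win.values()) <= max_per_user:
                hits = sorted({u for t, _, u, o in rows
                               if o == "OK" and start <= t <= start + window})
                findings[src] = {"targeted": sorted(in_win), "succeeded": hits}
                break
    return findings


if __name__ == "__main__":
    print("per-account lockouts:", per_account_lockouts(SAMPLE_EVENTS))
    for src, info in spray_sources(SAMPLE_EVENTS).items():
        print("possible spray from", src, info)
```

On the constructed data, the per-account view flags only the customer who mistyped their own password, while the per-source view flags the spraying address and the one account it then logged in to.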
General banking fraud
While account takeover methods focus on compromising user accounts, general banking fraud involves broader tactics to exploit weaknesses in banking processes or systems. Some of the most prevalent types include:
Fraudulent documents: Criminals use falsified documents, such as fake IDs or altered financial records, to open bank accounts, apply for loans, or execute unauthorized transactions.
Check fraud: This type of fraud includes altering, forging, or counterfeiting checks to withdraw money from a victim’s account illicitly.
Money laundering: Fraudsters attempt to “clean” illegally obtained funds by passing them through legitimate financial systems to disguise their origin, often using unwitting banks to facilitate the process.
Authorized push payments: In this type of scam, fraudsters trick victims into willingly authorizing payments to fraudulent accounts, often through fake business requests or impersonating trusted contacts.
Real-time payment fraud: Fraudsters exploit instant payment systems, making it difficult for banks to detect or reverse transactions before the funds are transferred and withdrawn.
Wire fraud: Criminals use fraudulent information to convince individuals or businesses to wire money to fraudulent accounts, often by impersonating trusted contacts or institutions.
Bill discounting fraud: Companies submit fake or inflated invoices to banks to receive financing, deceiving financial institutions into providing credit based on fraudulent claims.
By understanding both account takeover methods and general banking fraud, financial institutions can implement comprehensive strategies to combat these evolving threats.
What typically happens when a bank receives a fraudulent claim?
Banks often take several steps to resolve the issue when a customer reports fraudulent activity. First, they attempt to verify whether the transaction is legitimate by checking details like location, time, and spending patterns. The bank then investigates, typically resolving the claim within 10 business days, and may notify federal authorities if large-scale fraud is detected. Suspicious Activity Reports (SARs) are typically filed for more complex money laundering or organized crime cases.
How do banks detect fraud?
Banks typically use a range of tools and technologies to detect fraud. These methods include:
Rule-based systems: Earlier fraud detection systems relied on fixed rules, such as transaction limits or location mismatches, but these can be easily bypassed by sophisticated fraudsters.
Machine learning: Modern banks use machine learning to analyze vast amounts of data and recognize unusual patterns. This system can learn and adapt over time, often improving its ability to detect financial crimes.
Telecommunications monitoring: Tools like multifactor authentication (MFA) and secure messaging help alert both banks and customers to suspicious activity.
Predictive analytics: Banks can preemptively flag transactions that don’t fit typical customer behavior by predicting behavior patterns.
Together, these tools help equip banks with the ability to stay one step ahead of fraudsters, helping identify threats in real-time and minimize the impact of fraudulent activity on their customers.
What are the biggest challenges of banking fraud detection and prevention?
Though these challenges vary, they can be broken down into four main categories:
Money laundering
Stolen money needs to be “cleaned” through money laundering. This process occurs when bad actors pass the currency through legitimate channels to have it verified by trusted sources.
Laundered funds are often broken into smaller amounts or routed through multiple accounts to avoid detection, making it difficult for banks to track. Criminals might also exploit offshore accounts or digital currencies to further obscure the money’s origin. This makes money laundering a tough problem for financial institutions, as they must continually adapt their detection methods to stay ahead of increasingly sophisticated tactics.
Account protection
Bad actors can steal login information, card information, or the card itself of a customer, resulting in an account takeover (ATO). The fraudster then uses the account as their own, which can include card-not-present (CNP) fraud, lost/stolen fraud, counterfeit fraud, and digital funds transfers.
The Identity Theft Resource Center tracked 2,116 data compromises in the first three quarters of 2023, which broke the all-time high of 1,862 total compromises in 2021. Customer information is usually stolen by phishing or hacking. Multifactor authentication can help financial institutions defend against this.
Customer onboarding
Information can be lost, misunderstood, or (even worse) stolen during customer onboarding at banks. There are regulations in place to try to help with security, like KYC (Know Your Customer) or AML (Anti-Money Laundering), that are designed to ensure customer identity is properly confirmed.
Financial institutions have found millions of fake accounts in the past. This can be especially prevalent for institutions that offer potential customers a cash incentive to sign up.
Credential theft
It’s important for banks to identify suspicious activity when it occurs on customer accounts. Banks will review currency, amounts spent, categories, or merchant names to try and prevent fraudulent credit card activity.
Tips to detect banking fraud
Follow the tips below to help prevent bad actors from accessing digital banking information:
Brush up on your AI
Considering the volume of transactions flowing through banks today, it’s important to leverage artificial intelligence to monitor and flag concerning activities.
Invest in the best AI solutions you can afford to help catch fraud before it spirals out of control. This is particularly important in combating identity theft and bank fraud detection.
Cultivating a culture of integrity and honesty within your organization is essential.
Review transactions regularly
Stay on top of your customers’ online account activities. For high-risk customers, conduct reviews at least weekly; for lower-risk customers, a monthly check may do the trick. This practice can help you catch suspicious transactions early.
Remember, AI can play a pivotal role in identifying patterns that might otherwise go unnoticed, helping to reduce financial losses and criminal activity.
Educate your customers
One of the best ways to prevent account takeovers is customer education. Tell customers what risks they’re facing, what they should be looking out for, and how to interact safely with their online banking system.
Make them aware of what kinds of phishing emails they may encounter. Alert them to what information a bank should or should not ask for over text message, and from whom the message should be sent. Another great tip is to instruct customers to call your bank directly to clarify when in doubt.
Invest in comprehensive security tools
How are you supposed to fight fraud rings who make this their full-time job if you don’t have the best toolset? Are you contacting your customers with secure financial messaging services?
Consider using third-party tools to strengthen security. Technology has evolved beyond 2FA: device fingerprinting, voice authentication, multifactor analysis, and biometric security are becoming increasingly commonplace. Just ask NIST, the leading voice in security best practices.
Arm your customers with a fraud prevention checklist
Equipping your customers with the knowledge and tools to detect fraud is a proactive way to reduce risks. Use this checklist to help guide them:
Step 1: Update customer contact information often
Remind your customers of the importance of keeping their contact information up-to-date. Encourage them to review and update their phone numbers, email addresses, and mailing addresses at least once a year or whenever they change their information. Let them know that accurate contact details help ensure they receive important alerts regarding their accounts, especially in case of suspicious activity. Offer easy online forms or in-app features so they can make updates quickly.
Step 2: Make sure your customers always use strong passwords
Customers should make unique versions of their passwords that they haven’t used in the past. Advise them against replacing “O”s with “0”s or “I”s with “1”s or other common substitutions. Tell them to make the password longer when possible, too, as this makes it more difficult for hackers to bypass. Finally, consider recommending a password manager to keep security locked down.
Make sure customers know that hackers can access their accounts faster if they use the same password or similar variations.
Step 3: Encourage mobile alerts
Advise your customers to opt into mobile alerts for transactions. Explain that these alerts can notify them immediately of any account activity, allowing them to quickly recognize unauthorized transactions. Suggest that they set up alerts for large transactions, changes to account settings, and new device logins. Encourage them to respond promptly to any alerts they receive to mitigate potential fraud.
Step 4: Remind customers to update their devices
Stress the importance of keeping devices secure. Remind customers to use strong passwords or biometric security features to lock their devices. Encourage them to regularly update their operating systems and applications, as these updates often include important security patches. Additionally, suggest they install reputable antivirus software to help protect against malware and viruses that can compromise their banking information.
Step 5: Familiarize customers with red flags
Customers should never click on suspicious links from unknown email addresses. Confirm the email address isn’t a slight variation of someone they know or an institution they trust.
Help your customers become more vigilant by educating them about common signs of fraud. Encourage them to be cautious of unsolicited emails, texts, or phone calls requesting personal information.
Advise them to double-check the sender’s email address and look for any discrepancies. Emphasize the importance of never clicking on suspicious links or downloading attachments from unknown sources. Remind them that they should never share personal information, such as passwords or account numbers.
Step 6: Advise customers on knowing what third-party accounts have their login information
Instruct your customers to regularly review which third-party apps and services have access to their banking information. They should be aware of what data these apps can access and understand the potential risks involved. Advise them to revoke access to any applications they no longer use or that seem untrustworthy. Remind them that sharing banking login information can increase their risk of falling victim to fraud, so they should be discerning about what information they share and with whom.
Banking fraud in the future
How will bad actors update their tactics in the coming years? The future of banking fraud is evolving rapidly. Here are a few bank fraud trends to watch out for:
AI-driven fraud: Fraudsters use AI to automate attacks and bypass security measures. Banks will need to counter this with even more advanced machine-learning algorithms.
Synthetic IDs + deepfakes: Fraudsters are getting better at creating realistic synthetic identities. Deepfake technology adds another layer of risk for identity verification.
Fraud-as-a-service: Bad actors are now available for hire on the dark web. Criminals offer fraud techniques for sale there, including step-by-step tutorials on executing complex fraud schemes.
Improved social engineering: CEO fraud and other advanced social engineering attacks are becoming more frequent. Fraudsters impersonate executives or trusted entities to extract sensitive information.
To stay ahead, banks must constantly upgrade their defenses with cutting-edge fraud detection tools and strong partnerships with security-focused companies, including trusted telecommunications partners who prioritize security and offer advanced solutions like voice authentication.
Better protect your bank with fraud detection and multifactor authentication
In today’s fast-moving digital landscape, fraud detection tools are essential for any financial institution. Pindrop offers an industry-leading fraud detection solution for banks and financial institutions, using multifactor analysis and voice authentication to better protect your contact center and customer interactions. By leveraging Pindrop’s advanced technology, your bank can better reduce fraud losses, improve customer trust, and outsmart fraudsters.
Advanced voice authentication and fraud detection in your Five9 contact center
In close partnership with Five9, we’re committed to helping our customers quickly and easily authenticate inbound calls, drive automation in the IVA, and detect fraud. Today, Pindrop and Five9 enable our customers to achieve those goals by providing multiple, pre-built integration points. Keep reading for more on our voice authentication solution, fraud detection software, and our customers’ success stories.
How it works: The Five9 + Pindrop® integration details
In any partner integration, Pindrop® Technologies capture a copy of an inbound call and run a thorough analysis. The Pindrop solution’s analysis of an inbound call is predicated upon a deep, carrier-style integration where the solution ingests the call audio, metadata, keystroke presses, and other signaling. This allows our technology to perform a true, multifactor analysis of the inbound caller’s voice, device, behavior, network, risk, and liveness—all of which helps you determine if the caller is a genuine consumer or a fraudster.
Call capture architecture: Five9 + Pindrop
The diagram below showcases the powerful architecture behind the Five9 + Pindrop technology integration.
With this integration, Five9 administrators can route calls to the Pindrop solution in real-time. Instead of creating a ticket with a carrier and waiting for that request to be processed, Five9 admins can set up real-time call routing in their Numbers Inventory—a change that takes immediate effect.
2. Pre-built tasks for simple implementation
Pindrop and Five9’s IVA team also collaborated closely to produce multiple, pre-built tasks for the Studio7 library. This enables no-code, drag-and-drop API invocation for Pindrop and Five9 customers to make the process of implementing or changing functionality in the Five9 IVA faster and easier.
3. Easy-to-use agent UI
A first of its kind for Pindrop, we constructed a pre-built agent user interface, delivered through the Five9 agent desktop as a connector, as a means of easily implementing Pindrop intelligence and policy-driven instructions to Five9 agents in a clear, intuitive way.
The result of this is a thorough, end-to-end integration which allows Five9 and Pindrop customers to quickly and easily implement our mutually beneficial solutions with limited resource requirements from their own teams.
4. Supportive resources for self-guided implementation
To make the process even easier, we also co-authored a detailed user guide which provides clear, step-by-step instructions to guide a contact center administrator through the process of implementing Pindrop solutions in their Five9 environment.
Real-world success
As of late 2024, Pindrop and Five9 mutually support 15 customers across the Financial Services and Healthcare industries, with many more coming soon. Some of the largest banks, credit unions, insurance companies, and healthcare providers in North America rely on our integration points to service their customers and stop fraud. On January 15th, come hear directly from the Vice President of Michigan State University Federal Credit Union’s Call Center, Colleen Pitmon, about how much success they’ve had with their combined Five9 and Pindrop deployment. Registration details here.
Ongoing collaboration and future development
Not content to rest upon what’s already been built, the Five9 and Pindrop product teams maintain a close, working relationship to monitor our existing integration points as well as build new ones that will service future use cases. Our Five9 agent UI has already undergone improvements, including an agent feedback button, SSO login support, and more. The online task library in Studio 7 will continue to grow as demand increases for additional, pre-built resources. And recently, our teams have begun to collaborate to solve for outbound voice authentication, a feature request from many of our customers.
Have a call center challenge that you’d like to see Pindrop technologies and Five9 solve together? We’d like to hear about it. Request a demo today.
On October 22nd, the nonpartisan group RepresentUs released a public service announcement (PSA) on YouTube, addressing the potential misuse of AI deepfakes in the 2024 election. The PSA warns that malicious actors could use deepfake technology to spread election misinformation on when, where, and how to vote, posing a significant threat to the democratic process.
The PSA features Chris Rock, Amy Schumer, Laura Dern, Orlando Bloom, Jonathan Scott, Michael Douglas, and Rosario Dawson. With the exception of Rosario Dawson and Jonathan Scott, the appearances of these public figures were deepfakes, created to emphasize the deceptive power of AI technology. The PSA encourages Americans to stay vigilant, recognize signs of manipulated media, and ensure they are accurately informed ahead of Election Day.
Given the mix of genuine and synthetic speech, this PSA presented an ideal opportunity to demonstrate the capabilities of Pindrop® Pulse™ Inspect in distinguishing between human and synthetic voices. Our technology can play a crucial role in helping protect election integrity by supporting audiences and organizations in distinguishing between authentic and manipulated media.
Analyzing the Public Service Announcement with Pindrop® Pulse™ Inspect
To start, we ran the PSA through Pindrop® Pulse™ Inspect software to analyze potential deepfake artifacts. Pulse Inspect works by breaking down audio content into segments, analyzing every four seconds of speech, and scoring each segment based on its authenticity:
Score > 60: AI-generated or other synthetic speech detected
Score < 40: No AI-generated or other synthetic speech detected
Scores between 40 and 60: Inconclusive segments, often due to limited spoken content or background noise interference
This initial pass provided a strong overview of synthetic versus human speech throughout the PSA. The four-second segments allowed us to identify precise points in the video where synthetic or human speech was present, making it clear how well our technology highlights the boundaries between authentic and manipulated media.
Breaking Down the Video for Multi-Speaker Analysis
Since many segments featured multiple speakers with mixed human and synthetic voices, we diarized the video to log the start and end times for each speaker. The table below shows the segmented timestamps.
| Start Time | End Time | Speaker Label |
| --- | --- | --- |
| 0:00 | 0:03.50 | Michael Douglas |
| 0:03.51 | 0:05.29 | Jonathan Scott |
| 0:05.80 | 0:07.25 | Rosario Dawson |
| 0:07.29 | 0:08.96 | Chris Rock |
| 0:08.97 | 0:10.19 | Michael Douglas |
| 0:10.25 | 0:14.04 | Jonathan Scott |
| 0:14.14 | 0:15.41 | Laura Dern |
| 0:15.58 | 0:16.48 | Amy Schumer |
| 0:16.52 | 0:19.25 | Jonathan Scott |
| 0:19.35 | 0:20.90 | Amy Schumer |
| 0:21.15 | 0:26.51 | Chris Rock |
| 0:27 | 0:30.93 | Rosario Dawson |
| 0:31.21 | 0:35.70 | Orlando Bloom |
| 0:35.79 | 0:38.80 | Laura Dern |
| 0:39 | 0:44.55 | Rosario Dawson |
| 0:44.66 | 0:46.06 | Laura Dern |
| 0:46.13 | 0:48.30 | Jonathan Scott |
| 0:48.42 | 0:50.49 | Amy Schumer |
| 0:50.54 | 0:54.06 | Rosario Dawson |
| 0:54.12 | 0:56.99 | Orlando Bloom |
| 0:57.06 | 1:00.15 | Jonathan Scott |
| 1:00.22 | 1:01.79 | Amy Schumer |
| 1:01.83 | 1:03.40 | Laura Dern |
| 1:03.50 | 1:05.74 | Rosario Dawson |
| 1:05.85 | 1:09.69 | Michael Douglas |
| 1:15.56 | 1:19.28 | Amy Schumer (Actor) |
| 1:21.52 | 1:23.13 | Laura Dern (Actor) |
| 1:24.16 | 1:26.29 | Jonathan Scott |
| 1:26.49 | 1:31.70 | Rosario Dawson |
This speaker diarization enabled us to isolate and analyze each segment individually. For example, here are six clips of Rosario Dawson, all accurately identified as not synthetic—even the first clip, which contains only one second of audio with just 0.68 seconds of speech! By segmenting the PSA at this level, we achieved higher precision in detecting synthetic content while reliably confirming human voices.
Tracing the Source of Deepfake Speech
Lastly, an additional benefit of diarizing and segmenting speakers was that we could stitch together all speech from a single speaker. This provided longer, continuous audio samples for our models to analyze, increasing our technology’s ability to detect markers of synthetic content. With this approach, our deepfake detection models had significantly more speech data to work with.
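Why diarization matters here, worked through on the first 31 seconds of the diarized turns listed above, as an added example (not Pindrop's code): it shows how many fixed four-second windows blend a genuine and a deepfaked voice, and how much audio each speaker yields once their turns are stitched together. The window alignment at 0:00, the function names and the per-window scores are assumptions; the timestamps, the score bands and the genuine/deepfake split come from the page.

```python
import math
from collections import defaultdict

# Diarized turns from the page's table (first 31 s), converted to seconds.
TURNS = [
    (0.00, 3.50, "Michael Douglas"),
    (3.51, 5.29, "Jonathan Scott"),
    (5.80, 7.25, "Rosario Dawson"),
    (7.29, 8.96, "Chris Rock"),
    (8.97, 10.19, "Michael Douglas"),
    (10.25, 14.04, "Jonathan Scott"),
    (14.14, 15.41, "Laura Dern"),
    (15.58, 16.48, "Amy Schumer"),
    (16.52, 19.25, "Jonathan Scott"),
    (19.35, 20.90, "Amy Schumer"),
    (21.15, 26.51, "Chris Rock"),
    (27.00, 30.93, "Rosario Dawson"),
]
# Per the page, only these two appearances were not deepfakes.
GENUINE = {"Rosario Dawson", "Jonathan Scott"}
WINDOW = 4.0  # seconds; assumed to be wall-clock slices starting at 0:00

# Constructed per-window scores, one per 4-second window (not real tool output).
CONSTRUCTED_SCORES = [72, 55, 64, 48, 35, 91, 58, 12]


def band(score):
    """Score bands as stated on the page; 40 and 60 themselves are inconclusive."""
    if score > 60:
        return "synthetic"
    if score < 40:
        return "not synthetic"
    return "inconclusive"


def fixed_windows(turns, width=WINDOW):
    """Seconds of speech per speaker inside each fixed-width window."""
    count = math.ceil(max(end for _, end, _ in turns) / width)
    windows = []
    for k in range(count):
        lo, hi = k * width, (k + 1) * width
        speech = defaultdict(float)
        for start, end, who in turns:
            overlap = min(end, hi) - max(start, lo)
            if overlap > 0:
                speech[who] += overlap
        windows.append((lo, hi, {w: round(s, 2) for w, s in speech.items()}))
    return windows


def is_mixed(speech):
    """True when a window holds both a genuine and a deepfaked voice."""
    return any(w in GENUINE for w in speech) and any(w not in GENUINE for w in speech)


def triage(turns, window_scores):
    """(window start, band, needs per-speaker re-analysis) for each window.

    A mixed window's single score cannot be attributed to one voice, and an
    inconclusive band says nothing either way, so both are marked.
    """
    rows = []
    for (lo, _, speech), score in zip(fixed_windows(turns), window_scores):
        verdict = band(score)
        rows.append((lo, verdict, is_mixed(speech) or verdict == "inconclusive"))
    return rows


def per_speaker_audio(turns):
    """Longest single turn versus total stitched speech, per speaker."""
    longest, total = defaultdict(float), defaultdict(float)
    for start, end, who in turns:
        longest[who] = max(longest[who], end - start)
        total[who] += end - start
    return {w: {"longest": round(longest[w], 2), "stitched": round(total[w], 2)}
            for w in total}


if __name__ == "__main__":
    for row in triage(TURNS, CONSTRUCTED_SCORES):
        print(row)
    for who, secs in per_speaker_audio(TURNS).items():
        print(who, secs)
```

Six of the eight windows in this stretch mix a genuine and a deepfaked voice, and only one speaker has a single turn longer than four seconds, which is why per-speaker segments and stitched audio give the models cleaner input.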
With the speaker-separated audio files prepared, we leveraged our Source Tracing feature to identify the probable origin of the deepfakes. Source Tracing is our advanced tool designed to pinpoint the AI engine used to generate synthetic audio, helping us understand the technology behind a given deepfake. After analysis, we identified ElevenLabs as the most likely generator for these deepfakes, with PlayHT as a close alternative. This level of insight is essential for media and cybersecurity teams working to trace and counteract the spread of malicious AI-generated content.
Election Integrity: Key Takeaways
This PSA not only serves as a reminder of how convincing deepfakes have become, but also highlights the role of tools like Pindrop® Pulse™ Inspect in identifying and mitigating the spread of manipulated media to prevent election manipulation. Our technology is already in use by organizations committed to protecting public trust and preventing the spread of misinformation. As deepfake technology advances, so must our efforts to safeguard truth and transparency in the information we consume.
The power of Pindrop® Solutions in Genesys Cloud CX
It’s time to protect your business with technological solutions designed to help detect fraud, authenticate callers, and spot deepfakes.
Genesys Cloud CX™ empowers over 8,000 organizations with over 1.5 million agents across more than 100 countries to enhance loyalty and business outcomes by delivering exceptional experiences for both customers and employees. Genesys customers can leverage Pindrop® Technologies to combine audio, voice, metadata analysis and deep learning AI with a proprietary fraud risk database—enabling friction-free authentication and fraud detection across the phone channel.
As a Premium App Partner in the Genesys AppFoundry®, we’ve dedicated extensive development resources to ensure that Genesys Cloud™ customers can seamlessly and easily integrate our advanced voice security solutions. With our new AudioHook integration for Genesys Cloud Voice™, alongside the option to use Pindrop® Solutions with Bring Your Own Carrier (BYOC), we provide flexible, cutting-edge security solutions tailored to diverse business needs. This integration opens a vast global market, enabling Genesys customers to leverage Pindrop® Solutions to help secure and streamline their contact center operations.
Deepfakes are a rising fraud threat for contact centers. That’s why it’s imperative to deploy a comprehensive solution that can detect fraud at various points in the contact center experience, authenticate callers, and analyze audio for synthetic voice. Pindrop Solutions offer this–all within your existing Genesys Cloud environment.
Our offerings
If you already use Genesys Cloud to manage your contact center experience, you can add Pindrop Solutions with ease. Here’s an overview of our solutions:
Legacy authentication systems are time-consuming for your agents and customers. With cutting-edge multi-factor authentication that can passively authenticate in the IVR or at the agent, you can fortify your contact center with more effective, seamless safety measures.
Why Pindrop?
Pindrop Solutions are industry-leading voice security tools with proven results. From fraud detection to spotting deepfakes to authenticating callers, our technology is helping stop fraudsters in their tracks. With our partnership with Genesys, you can implement these tools seamlessly–bringing important, thorough call analysis to your agents’ screens.
To learn more about our product integration and solutions, request a demo with a member of our team.
White Paper
$23B in losses.¹ That’s the impact of retail fraud.
How protected are you? Read the white paper and learn about fraud trends and how Pindrop® can help secure your business.
¹ NRF survey on Cost of Retail Returns 2022
Fraud rates are high in retail, with fraudsters stealing 3.6% of all e-commerce revenue in 2022²
The Concession Abuse as a Service (CAaaS) ecosystem includes 2K+ “service providers”³ who are adept at abusing returns
Fraudsters have specific targets, with detailed returns and abuse profiles for the top 250 merchants³
² Developing a Framework for Understanding and Measuring E-commerce Losses in Retailing, 2023
³ Research from Arizona State University
Here’s what to expect
Learn more about the organized world of retail fraud and discover ways to prevent losses at your call centers.
Discover the financial impact of retail fraud, its prevalence in contact centers, and the results of better fraud detection at a large retailer.
Better understand Concession Abuse as a Service (CAaaS) and the tactics of the 2,251 “service providers” who are adept at abusing returns.⁴ Read about their social engineering tactics—and why call centers are particularly vulnerable.
⁴ Research from Arizona State University
With voice, device, and behavior analysis, and real-time risk assessments for each call, our solution resulted in 22% more fraud detected and a 58% lower false positive rate.
Advanced Strategies to Prevent Contact Center Fraud in 2024
In 2023, data breaches reached an all-time high of 3,205,[1] 78% higher than the previous year. Leveraging generative AI technology, fraudsters are employing advanced tactics, including bots and deepfakes, and exploiting vulnerabilities in outdated systems. In the face of rising contact center fraud, it’s crucial to implement robust and modern fraud prevention strategies.
Liveness Detection: Ensure that your interactions are with genuine humans, not sophisticated bots or recorded messages.
Multi-Factor Fraud Prevention and Authentication: Pair liveness detection with device recognition, behavior analysis, and more to increase your fraud detection capabilities.
Early Risk Detection: Address potential fraud threats before they escalate.
Negative Voice Matching: Identify fraudsters when tactics are used to change or mask the calling phone number.
Continuous Fraud Detection: Automate your comprehensive fraud risk profiles and increase the accuracy of fraud prediction.
Don’t miss this opportunity to enhance your fraud protection strategies and safeguard your organization!
Pindrop’s recent webinar was hosted by Shawn Hall, VP of Product, Research, and Engineering at Pindrop and Ketuman Sardesai, Head of Market Strategy and Intelligence at Pindrop. With a focus on Pindrop’s 2024 Voice Intelligence and Security Report, the webinar covered important questions affecting the industry—and aimed to help you create a strategy to better detect fraud in the future.
How many data breaches occurred in 2023? Data breaches in 2023, as analyzed in Pindrop’s recent Voice Intelligence and Security report, were 78% higher than the previous year, and over 353 million victims were targeted in 2023. Outdated and old-school technologies are also depleting consumers’ trust. The report explains that passwords are the most used but are the least trusted in security measures. With consumer uncertainty, 93% expect strong security measures in the future.
What can you do to combat fraud and improve customer trust? You need multi-factor authentication to build trust. You also need technology to fight new generative AI, such as deepfakes. Five to six years ago, it took a fraudster three to six months to switch tactics. “Now, they switch things up weekly. It’s nearly impossible to catch fraud without robust technology to see and identify it before it happens,” says Shawn Hall on the webinar.
Does fraud vary by industry? Pindrop’s new Voice and Security Intelligence report projects that, by the end of 2024, more than 1 in every 730 calls into call centers will be fraudulent. The current rates vary by vertical, with retailers experiencing the highest fraud rate at 1 in every 264 calls. According to an analysis by Pindrop® Labs, 1 in 99 calls at a large U.S. retailer are fraudulent. Shawn says, “In recent years, 2020-2021, the fraud call rate dropped significantly as fraudsters targeted PPP loans and government stimulus money. This took some focus off call centers, but the volume quickly returned to contact centers once those funds dried up and has significantly increased in the past 2 years.”
What are fraudsters’ top strategies for gaining access through the IVR? Some top fraud strategies, according to Shawn, include:
Password resets
Account/information reconnaissance
Changing account information
Account takeover
Quick access for wiring funds
The contact center accounts for 62% of all fraud instances, and Shawn thinks this will increase to 70% in 2024. Shawn says, “Fraudsters are leveraging IVRs as a person would utilize a Google search engine to learn more information about account details and also understand an organization’s security framework, which puts them at a great risk without the proper security measures.”
What can companies do to protect themselves in the IVR? Companies have been trying to put more proactive measures in the IVR, hoping it will drive more customers away and lead them to other self-service technologies and mobile apps. “The problem is these new technologies are equally accessible to fraudsters,” says Shawn. He explains that the key is only to allow sensitive information to be available to low-risk customers and to leverage technology to help determine that through a risk score. This element will enable customers to get routed to self-service only when low risk. The higher the risk score, the more likely the caller would be routed to a specialized contact center agent to handle the call and request.
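One way to express the risk-gated routing described above, as an added example rather than Pindrop's or any vendor's logic. The 0-100 score scale, the thresholds, and the intent names (modelled on the fraud strategies listed earlier) are assumptions; the point shown is that a missing or malformed score, or an unrecognised intent, must never fall through to self-service.

```python
import math
from enum import Enum
from typing import Optional


class Route(Enum):
    SELF_SERVICE = "self_service"
    STEP_UP_AUTH = "step_up_auth"
    SPECIALIST_AGENT = "specialist_agent"


# Assumed policy: highest risk score (0-100) at which each intent may still
# be completed in IVR self-service. More sensitive intents get lower ceilings.
SELF_SERVICE_CEILING = {
    "account_lookup": 40,
    "password_reset": 20,
    "change_account_info": 20,
    "wire_funds": 10,
}
# Assumed score at or above which the call goes to a specialized agent.
SPECIALIST_THRESHOLD = 70
# Intents the policy does not know are treated as the most sensitive one.
STRICTEST_CEILING = min(SELF_SERVICE_CEILING.values())


def _valid_score(score: Optional[float]) -> bool:
    """A usable score is a real number in [0, 100]; bool and NaN are rejected."""
    if score is None or isinstance(score, bool):
        return False
    if not isinstance(score, (int, float)):
        return False
    return not math.isnan(score) and 0 <= score <= 100


def route_call(intent: str, risk_score: Optional[float]) -> Route:
    """Decide where the IVR sends a caller for a requested intent."""
    ceiling = SELF_SERVICE_CEILING.get(intent, STRICTEST_CEILING)
    if not _valid_score(risk_score):
        # Fail closed: without a trustworthy score, never self-serve.
        return Route.STEP_UP_AUTH
    if risk_score >= SPECIALIST_THRESHOLD:
        return Route.SPECIALIST_AGENT
    if risk_score <= ceiling:
        return Route.SELF_SERVICE
    return Route.STEP_UP_AUTH


if __name__ == "__main__":
    # Constructed sample calls: (intent, risk score from the scoring engine).
    for intent, score in [("account_lookup", 12), ("wire_funds", 12),
                          ("wire_funds", 85), ("password_reset", None)]:
        print(f"{intent:20} score={score!s:5} -> {route_call(intent, score).value}")
```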
How do you know if you’re interacting with a real person or a deepfake? Quiet reconnaissance is happening in the call center to learn security patterns through synthetic voice. “Account takeover is the big thing they are utilizing here,” says Shawn. Many fraudsters contact customers directly, dupe them, get them to give up information, and capture their voice in the process. Once they have the voice, they can use text-to-speech to access accounts. One example is how tough it was to spot the difference in the Joe Biden deepfake in the primary, which told voters not to vote in New Hampshire. Fraudsters are capitalizing on various channels to take over accounts and gain information as well.
What trends do you expect to see in 2024? “We’ll have the 3,000 range and maybe get above 4,000 breaches this year. Large financial organizations see more like 1 in 500 calls, and retailers see 1 in every 50,” Shawn predicts for 2024. Some customers are already seeing this today. Companies want to expand self-service and into other areas, but how can fraud occurrences not increase with the emergence of deep AI and deepfakes? Shawn foresees that intercepting one-time passwords will continue. Also, “we’ll likely see an increase in 2024 and 2025, and customers need the right tools before implementing self-service,” warns Shawn. “They also need tech that can flag high-risk calls,” he continues. The growth is due to fraudsters’ ability to adapt very quickly. Shawn says, “We’re also too reactive to something happening before controls are implemented. You need to take proactive measures.” It takes good technology moving at the same speed to detect fraud.
How can we trust voice authentication in today’s market? “Voice can be a trusted authentication solution with today’s technology, but the technology has to be able to identify liveness so that the voice can be trusted,” says Shawn. Pindrop’s new product Pulse was tested with 12 current Pindrop customers, and all returned saying it worked in identifying deepfake attacks in call centers, including zero-day attacks. Technology has to be multifactor to tell you if it’s a live or not-live voice.
How does Pindrop detect familial fraud situations? Familial fraud generally refers to deceptive practices carried out by family members against one another, often for financial gain. One example could be inheritance fraud, where a family member forges a will, manipulates an elderly relative to change their will, or hides assets to receive a larger share. It could also be investment fraud, where a family member might convince relatives to invest in fraudulent schemes or take money intended for legitimate investments. “This one can take a lot of work to catch,” says Shawn. However, the power of utilizing the Passport and Protect products together is very helpful. Shawn explains that if the organization has an enrolled Passport profile for the caller and the Protect risk score, this information can be used to determine if a voice is a mismatch to the profile. Additionally, as organizations provide negative feedback into the Protect risk engines, a negative voice profile will be created and compared to all subsequent calls. Familial fraud happens frequently in the insurance sector, but also happens within many other verticals, so it’s essential to have these technologies in place to prevent it from happening in the future, according to Shawn.
What should financial institutions be concerned with in the future? Shawn says fraud detection and multi-factor authentication are mission-critical in financial sectors. There’s a lot of cross-pollination, especially in this sector. People don’t bank with just one bank. When you’re exposed, you’re exposed across many institutions, no matter the size of the organization.
Final thoughts on rising trends in fraud and implementing security in 2024
As technology grows, fraudsters may strive to make their schemes as believable as possible. Innovative companies are now implementing proactive technologies to better catch these fraudsters. Early adopters are getting ahead of the curve. Being proactive reduces the likelihood that you have to take the losses in the future. For most customers, fraud can go from a nuisance to a malicious problem.
Request a demo to see how Pindrop technology can help you protect your brand from fraud and build better customer relationships in the future.
Robocalls, as defined by Tech Target, are “automated telephone calls that deliver a recorded message,” often using caller ID spoofing to deceive recipients. Caller ID spoofing allows fraudsters to manipulate the caller ID information, making it appear as though the call is coming from a familiar or trusted number. This increases the likelihood that the recipient will answer the call, as they might believe it is from a legitimate source, such as a known contact or a reputable organization. Despite the U.S. Federal Communications Commission (FCC) taking measures to prevent unsolicited robocalls, they have become more prevalent—showing up as the FCC’s top consumer complaint and a top consumer protection priority.
According to National Consumer Law Center data, Americans receive over 33 million scam robocalls daily and more than 50 billion annually. Additionally, the volume of robotexts has surged, with over 160 billion spam texts received in 2023. And it’s more than just an annoyance. In 2022, Time Magazine reported that around 68 million Americans lost over $29 billion to scam callers.
How does robocalling work?
Robocalls are typically initiated using an autodialer, a software application that automatically dials large numbers of phone numbers from a database. The numbers can be generated sequentially or obtained from lists purchased or scraped from various sources.
Answering just one spam call is a signal to scammers that you are willing to pick up the phone. So they’ll keep calling you, sometimes from different phone numbers, to get you to answer again–often utilizing different schemes, too.
8 common types of robocalls
Robocalls come in many forms, each with a specific goal or target audience. Here are eight common types:
1. Debt collection robocalls
These calls typically attempt to collect payment for unpaid debts. They might be legitimate calls from debt collection agencies or fraudulent attempts to extract money by pretending to be a debt collector.
2. Phishing scams
Phishing robocalls aim to steal personal information such as Social Security numbers, bank account details, or credit card information. These calls often claim to be from reputable organizations like banks or government agencies to trick recipients into divulging sensitive information. Phone scams can be worse in call centers. Be sure to read Pindrop’s article on how phone scams work and how call centers can better protect themselves in the future.
3. Healthcare robocalls
These robocalls offer health insurance plans, medical devices, or prescription medications. While some may be legitimate, many scams attempt to steal personal information or sell fraudulent products.
4. Political robocalls
Common during election seasons, these calls are used by political campaigns to inform voters about candidates, solicit donations, or encourage voter turnout. These calls are generally legal. But they are illegal and considered scams when the voice on the call is not really the person’s own. With the advancement in generative AI, replicating voices has become significantly easier and more realistic. Technologies like deep learning and neural networks have made it possible to create highly accurate voice clones that can mimic the tone, pitch, and cadence of a person’s voice. One example is the Joe Biden deepfake in the primary, which told voters in New Hampshire not to vote and was tough for voters to tell apart from the real thing.
5. Charity robocalls
Charity robocalls solicit donations for various causes. While many are from legitimate charities, scammers also use these calls to steal money by pretending to be from well-known organizations.
6. Loan scams
These robocalls offer loans with attractive terms to entice recipients. The goal is often to collect personal and financial information or upfront fees and never provide loan services.
7. Foreign robocalls
These calls come from international numbers and can involve a variety of scams, including fake lottery winnings or threats from foreign governments. These calls often aim to extract money or personal information from recipients.
8. Tech support scams
These robocalls claim to be from tech support teams of major companies, alleging that the recipient’s computer is infected with a virus or has some other problem. The scam involves persuading the victim to pay for unnecessary services or to give remote access to their computer.
How to identify robocalls
Stonebridge Business Partners lists how to recognize robocalls and discusses Pindrop’s Top 40 scam campaigns from 2016, which included Google/business listing scams, loan-related scams, free vacation calls, political campaign calls, local map verification calls, and “lowering your electricity bill” calls. The article also cites the following list of red flags, released by the Federal Trade Commission (“FTC”) to help consumers recognize a phone scam:
The caller says you’ve been specially selected for the offer.
They tell you you’ll get a free bonus if you buy their product.
The caller informs you that you’ve won one of five valuable prizes.
How to stop robocalls
Authorities like the FCC and FTC have implemented the STIR/SHAKEN protocol to verify caller IDs and reduce spoofing. It’s a key authentication measure, mandated on June 30, 2021, to ensure that all US service providers (CSPs) are authenticated for branded calling. They also enforce regulations to curb illegal robocalling activities, such as imposing fines on violators and working with service providers to block suspicious calls.
Set up call spam filters
For individuals, using call-blocking apps and reporting robocalls to the FTC can help mitigate the impact of these unwanted calls.
Put your name on the Do Not Call Registry
The national Do Not Call list protects landline and wireless phone numbers. You can register your numbers on the national Do Not Call list at no cost by calling 1-888-382-1222 (voice) or 1-866-290-4236 (TTY) from the phone number you wish to register. You can also register at donotcall.gov.
Report the number to the FTC and block it
Reporting unwanted calls to authorities and being cautious about sharing personal information can also help avoid robocalls.
How to stop robocalls on Android
The FCC’s website provides consumer tips for stopping unwanted robocalls, as well as a printable version for stopping unwanted texts. It’s also important to know device-specific measures. If you have an Android phone, you can use the built-in call-blocking features under settings and enable the spam calls feature. There are also call-blocking apps, such as Hiya, TrueCaller, and Nomorobo. Carrier-specific services include AT&T Call Protect, Verizon’s Call Filter, and the T-Mobile Scam Shield.
How to stop robocalls on iPhone
If you are on an iPhone, you can also go to settings and enable “Silence Unknown Callers.” Use “Do Not Disturb” to only allow calls from your contacts. Apps that help with call blocking on iPhones include RoboKiller, Hiya, and TrueCaller, which can identify and block spam calls. The same carrier-specific settings also apply.
What to do if you get a robocall
The first measure is to avoid answering or engaging and report the call. By reporting the call to the FTC at donotcall.gov or to the FCC, you are doing your part to identify potentially fraudulent callers. You can also block the call directly on an Android or iPhone by clicking the number and blocking that caller in the future.
Potential risks of answering robocalls
Your voice may be stolen
Scammers may record your voice for unauthorized transactions or identity verification purposes.
Malware attacks
Some robocalls may contain links or prompts that, if followed, can lead to malware being installed on your phone.
Identity theft
Providing any personal information can lead to identity theft. Scammers often try to trick you into revealing sensitive information.
Risk of fiscal loss
Engaging with scam calls can result in financial loss through fraudulent transactions or by providing credit card information.
Spam calls vs. Robocalls – What’s the difference?
Spam calls include any unwanted calls, typically unsolicited marketing or sales calls. Robocalls are automated calls that deliver a pre-recorded message, which can be for marketing, information dissemination, or scams.
According to Robokiller, scammers typically defraud older Americans out of more significant amounts of money. The median loss for people 70-79 was $800 and jumped to $1,500 for those 80 and over. The scams that take these considerable amounts of money from seniors over 80 are calls regarding prizes, sweepstakes, and lottery scams.
Conclusion
Robocalls are persistent, but you can significantly reduce their impact using the right tools and strategies. Use call-blocking features and apps, report suspicious calls, and be cautious about sharing personal information over the phone.
Fraudsters have a new tool for gaining entry into contact centers and extracting private data: voice deepfake technology. Discover data-driven solutions to protect your business and customers from advanced fraud techniques.
Contact center fraud has grown 60% in the last two years with rising data breaches, ID thefts, account reconnaissance, and now Generative AI.
Financial institutions continue to see the highest number of fraud attempts, but fraud in the e-commerce sector is growing rapidly.
Deepfakes are already in contact centers. Fraudsters are testing the waters and learning to scale their attacks.
The average contact center authentication process has increased from 30 to 46 seconds (+53%) from 2020 to 2023, resulting in higher costs and lower customer satisfaction ratings.
What’s in the Report
Learn how to navigate the emerging threats in voice security’s evolving landscape and equip your business with robust tools to combat fraudsters and authenticate your customers effectively.
Fraud continues to rise as data breaches and ID thefts show no sign of abating. Dive into Pindrop’s annual contact center fraud research to get to the root of the problem and figure out the best way to protect your brand, consumers and business.
Deepfakes are not new, but they have become particularly treacherous due to advancements in Generative AI. Fraudsters are becoming more equipped to create deepfakes. If not stopped, this could balloon into a $5 billion problem. Read this report to find out how.
Fraud rates in e-commerce are 3x more than in financial services and are forecasted to grow by 166% in 2024. Contact centers are at the epicenter of this fraud spike. Find out what you can do to protect yourself and your customers.
Fraud and authentication are two sides of the same coin. While fraud has spiked in the last two years, authentication has become costlier and more time-consuming. Read this report to discover how you can balance both these challenges effectively.
Paul Carpenter, a New Orleans street magician, wanted to be famous for fork bending. Instead, he made national headlines on CNN when he got wrapped up in a political scandal involving a fake President Joe Biden robocall sent to more than 20,000 New Hampshire residents urging Democrats not to vote in last month’s primary.
The video, and the ease with which the magician made the recording, raise concern about the threat of deepfakes and the volume at which anyone could create them in the future. Here are the highlights from the interview and what you should know to protect your company from deepfakes.
Deepfakes can now be made quickly and easily
Carpenter didn’t know how the deepfake he was making would be used. “I’m a magician and a hypnotist. I’m not in the political realm, so I just got thrown into this thing,” says Carpenter. He says he was playing around with AI apps, getting paid a few hundred bucks here and there to make fake recordings. According to text messages shared with CNN, one of those paying was a political operative named Steve Kramer, employed by the Democratic presidential candidate Dean Phillips. Kramer admitted to CNN that he was behind the robocall, and the Phillips campaign cut ties with him, saying they had nothing to do with it.
But this deepfake raised immediate concern from the White House over the power of AI. The call was fake and not recorded by the president or intended for election watchers. For Carpenter, it took 5-10 minutes tops to create it. “I was like, no problem. Send me a script. I will send you a recording, and send me some money,” says Carpenter.
The fake Joe Biden deepfake was distributed within 24-48 hours
The call was also distributed just 24-48 hours before the New Hampshire primary, with little time to stop the intent of the call. Therefore, it could have swayed some people from voting, and it is worrisome to think about when an election is upcoming. When everyone is connected to their devices, it’s hard to intercept fraud in real time. The ability to inject generative AI into that ecosystem leads some to project that we could be in for something dramatic.
How Pindrop® Pulse works to detect deepfakes
Deepfake expert and Co-Founder and CEO of Pindrop Vijay Balasubramaniyan says there’s no shortage of often free apps that can do it. He’s held various engineering and research roles within Google, Siemens, IBM Research, and Intel before co-creating Pindrop.
“It only requires three seconds of your audio, and you can clone someone’s voice,” says Vijay Balasubramaniyan. At Pindrop, we are testing how quickly you can create an AI voice while leveraging AI to stop it in real time. Pindrop is one of the only companies in today’s market with a product, Pindrop® Pulse, to detect deepfakes, including zero-day attacks and unseen models, at over 90% accuracy, and at 99% for previously seen deepfake models. The video of fake Joe Biden featured on CNN took only five minutes of President Biden speaking at any particular event to create a clone of his voice.
Pindrop® Pulse is different from the competition
Pulse sets itself apart through real-time liveness detection, continuous assessment, resilience, zero-day attack coverage, and explainability. The explainability part is key as it provides analysis along with results so you can learn from the data in the future to protect your business further. It also provides a liveness score and a reason code with every assessment without dependency on enrolling the speaker’s voice.
Every call is atomically analyzed using fakeprinting™ technology. Last but not least, it’s all fully integrated within the cloud-native capability, eliminating the need for new APIs or system changes.
What your company can do to protect against deepfakes
Pindrop could detect that the voice in the fake President Biden robocall was faked and track down the exact AI company that made it. In today’s environment, AI software detects whether a voice is AI-generated.
It’s only with technology that you could know that it was a deepfake. “You cannot expect a human to do this. You need technology to fight technology, so you need good AI to fight bad AI,” says Vijay Balasubramaniyan. Like magic tricks, AI recordings may not always appear to be what they seem.
Watch the whole segment on CNN to see how easy it is to create a deepfake audio file and how Pindrop® Pulse can help in the future. You’ll see that by adding a voice, these platforms allow you to type whatever you’d like it to say and be able to produce that within minutes. For businesses, it could be as simple as: “I would like to buy a new pair of shoes, but they should be pink,” says Vijay Balasubramaniyan, making it problematic for many businesses to catch fraud going forward. Be sure you plan to detect fraud and protect teams and your company from these mistakes that can happen quickly.
Biometric authentication was once the most robust security measure. It used hard-to-impersonate biological traits like fingerprints to verify identity. However, nowadays, biometric authentication is not entirely secure. Fraudsters can bypass the authentication with 3D-printed masks, fake fingerprints, and eye replicas.
Biometric liveness detection helps seal the vulnerability of traditional biometric authentication. This security algorithm uses biometric data coupled with physiological responses like blinking to catch fraudsters.
What is Biometric Liveness Detection?
Biometric liveness detection verifies whether a biometric sample is from a live human. This security system has one principal purpose — it prevents the use of fake biometrics to impersonate or commit fraud.
Biometric liveness detection uses several cues to establish liveness; these include physiological responses like blinking and smiling. Moreover, this security system can use other cues like voice and skin texture to catch fraudsters.
Like any security system, biometric liveness detection can be used across various sectors. Airports, financial institutions, and insurance providers can use it to enhance security. Moreover, border control and e-commerce facilities can use biometric liveness.
How Liveness Detection Works and Prevents Fraud
Biometric liveness detection uses a combination of technologies to unequivocally verify that the biometric data being presented originates from a live human being. Some of these technologies include:
1. Motion Analysis
Motion analysis is one of the technologies used in biometric liveness detection. This security algorithm analyzes various natural movements to establish liveness. For instance, in facial recognition, biometric liveness technology checks for various facial movements.
These include blinking, smiling, or nodding the head. The advanced security measure can also use eye trackers to observe gaze direction. Images or videos used in impersonation cannot replicate these facial movements.
2. 3D Depth Sensing
3D depth sensing is another technology used in biometric liveness detection. 3D depth sensing uses technologies like time-of-flight cameras and laser scanners to determine whether a face is alive.
In particular, the 3D depth sensing technology uses facial shape to determine liveness. Moreover, 3D depth sensing can use the distance between the eyes and nose or lip curvature to establish if an individual is alive.
3. Texture Analysis
Texture analysis is another method used to verify the liveness of individuals. In this technique, a biometric system scrutinizes the unique patterns of an iris, face scan, or fingerprint. The patterns include fingerprint ridges, valleys, and iris crypts.
The characteristics mentioned above are inherent to a living person and absent in impersonation replicas. The biometric liveness detection system compares the results with expected properties to establish liveness.
4. Challenge-Response Tests
Some biometric liveness detection systems incorporate challenge responses to check for liveness. In this approach, the system prompts the user to perform specific requests that require real-time human reactions.
For instance, during facial verification, the biometric security systems might ask the subject to blink. Moreover, these advanced security algorithms can request an individual to nod or smile. Non-human entities cannot outmaneuver random requests.
Besides the actions, a biometric liveness detection system can request an answer to a question. The biometric detection systems use voice authentication to ascertain if the voice is from a live person.
5. Machine Learning
Machine learning is another technology that plays a pivotal role in biometric liveness. Security experts train ML models to spot signs of liveness in biometric samples. Some cues machine learning uses to authenticate a live sample include:
Blinking
Eyebrow movements
Pulse rate
Skin elasticity
Skin temperature
Voice
For instance, in facial detection, ML algorithms use color, texture, or blinking to determine liveness. Likewise, in the case of fingerprints, ML systems can analyze things like ridge quality and sweat pores to assess if a sample is live.
Machine learning algorithms can combine various authentication modalities to thwart spoofing. Advanced models can use voice, fingerprint, iris, and facial detection to cut the chances of impersonations.
Types of Liveness Detection
Typically, biometric systems use two types of liveness detection — passive and active. Each type of liveness detection uses a different approach to catch fraudsters. The following is an overview of how each liveness detection method operates:
Passive Liveness Detection
Passive liveness detection determines liveness without prompting any action from the subject. These biometric systems use AI to look for common signs of biometric spoofing, including photos, videos, or masks.
Besides, passive liveness detection systems can check for signs of liveness to authenticate biometrics. For instance, the biometric system can use skin texture to verify if a sample is live. In addition to texture, passive liveness detection checks for liveness using the following aspects:
Color. Passive liveness detection compares the subject’s color to a reference to spot inconsistencies.
Depth. Besides color, passive liveness detection can assess the contours of the eyes, mouth, and nose to establish liveness.
Motion. Passive liveness detection systems can monitor natural facial motion patterns. These motion patterns occur when breathing, blinking, or talking.
Active Liveness Detection
Unlike passive detection, active liveness detection prompts users to perform specific actions during identity verification. In particular, the system issues random instructions to make it harder for fraudsters to bypass.
Some of the most common requests used in active liveness detection include:
Blinking. An active liveness detection system instructs users to blink when prompted. Afterward, the biometric system monitors for real-time eye movement to confirm liveness.
Facial gestures. Besides blinking, an active biometric system can prompt users to smile or nod during verification. Again, the biometric system monitors real-time facial expressions to verify liveness.
Voice commands. Sometimes, the active liveness biometric systems can ask the user to say specific phrases. Afterward, the system analyzes the voice inflections to ascertain if the voice is natural.
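The challenge-response tests and active liveness prompts described above rely on the request being random, short-lived, and usable once, so that pre-recorded media cannot satisfy it. The sketch below is an added example, not Pindrop's or any product's implementation; it covers only that protocol layer and assumes a separate, hypothetical detector has already turned the camera and microphone input into the `observed_actions` list and `spoken_phrase` string.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Sequence, Tuple

# Prompts named in the article. Recognising them in video is out of scope here.
ACTIONS = ("blink", "smile", "nod")


class LivenessChallenger:
    """Issues random, time-limited, single-use liveness challenges."""

    def __init__(self, ttl_seconds: float = 10.0, steps: int = 3,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl_seconds = ttl_seconds   # assumed response window
        self.steps = steps               # number of prompted actions
        self.clock = clock               # injectable so expiry can be tested
        self._pending: Dict[str, dict] = {}

    def issue(self) -> dict:
        """Create an unpredictable challenge and remember it server-side."""
        challenge_id = secrets.token_urlsafe(16)
        actions = [secrets.choice(ACTIONS) for _ in range(self.steps)]
        phrase = "".join(secrets.choice("0123456789") for _ in range(6))
        self._pending[challenge_id] = {
            "actions": list(actions),
            "phrase": phrase,
            "issued_at": self.clock(),
        }
        return {"id": challenge_id, "actions": actions, "phrase": phrase}

    def verify(self, challenge_id: str, observed_actions: Sequence[str],
               spoken_phrase: str) -> Tuple[bool, str]:
        """Check a response; the challenge is consumed whatever the outcome."""
        expected = self._pending.pop(challenge_id, None)
        if expected is None:
            # Never issued, or already answered once: treat as a replay.
            return False, "unknown_or_replayed"
        if self.clock() - expected["issued_at"] > self.ttl_seconds:
            # Too slow to be a real-time reaction to the prompt.
            return False, "expired"
        if list(observed_actions) != expected["actions"]:
            # Order matters: a stock clip of someone blinking is not enough.
            return False, "wrong_actions"
        if not hmac.compare_digest(spoken_phrase.encode(),
                                   expected["phrase"].encode()):
            return False, "wrong_phrase"
        return True, "ok"


if __name__ == "__main__":
    challenger = LivenessChallenger()
    challenge = challenger.issue()
    print("prompt:", challenge["actions"], "say", challenge["phrase"])
    # Constructed responses: a live answer, then the same answer replayed.
    print(challenger.verify(challenge["id"], challenge["actions"], challenge["phrase"]))
    print(challenger.verify(challenge["id"], challenge["actions"], challenge["phrase"]))
```

Passing this check shows only that the response matched a fresh prompt; whether the face or voice itself is synthetic is a separate question for the passive and ML-based analysis the article describes.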
The Benefits of Liveness Detection for Contact Centers
Biometric liveness detection can be used across multiple industries. However, this security advancement has proven more valuable in contact center security. It ensures that only live and authorized individuals have access to sensitive customer information.
Apart from preventing unauthorized access, biometric liveness detection can offer the following benefits:
1. Reduced Risk of Data Breaches
Data breaches are rampant in contact centers using less sophisticated security measures. The breaches occur when fraudsters impersonate legitimate customers. In that event, agents disclose sensitive information unknowingly.
Biometric liveness detection can help eliminate these data breaches. The security algorithms use advanced authentication modalities like voice commands to stop impersonation. With this security system, contact centers can keep violations to a minimum.
2. Secured Self-Service
Self-service is a growing trend in customer support. This model allows customers to resolve issues independently, leading to shorter wait times and improved satisfaction. Furthermore, self-service frees up the hands of support staff.
Biometric liveness helps make self-service more secure. The algorithms verify the liveness of users, ensuring that only authorized people get access to a customer account. This advanced security protects customers from fraudulent activities.
3. Lower Operational Costs
Investing in biometric liveness detection can help reduce a contact center’s running costs in many ways. For one, biometric liveness, especially voice authentication, reduces the need for manual identity validation. The automatic verification minimizes the need for live agents to verify identity.
Furthermore, biometric liveness reduces operational costs by blocking fraudulent activities. With the reduced exposure to fraud, entities won’t spend on reputation repair, compensation, and legal expenses.
4. Improved Customer Trust
Biometric liveness doesn’t just keep fraudsters off a contact center. This security measure can also help foster customer trust. The standard assures customers that a service provider treats their data with the utmost care.
As a result, the customers will trust the organization with their sensitive information. Moreover, biometric liveness reduces data breaches, an issue that could erode trust. Beyond trust, biometric liveness enhances loyalty, reduces churn, and boosts reputation.
5. Improved Compliance
Biometric liveness detection is a valuable tool in compliance. It enables contact centers to adhere to strict industry regulations set by various authorities like the Data Protection Act.
This advanced security measure helps verify the identity of clients before disclosing sensitive information. As a result, it protects support agents from revealing private information to impersonators.
The enhanced compliance doesn’t just save organizations from costly fines and legal expenses. It also helps the entities maintain a positive public image, which is crucial in the competitive business sphere.
6. Expedited Customer Verification
Biometric liveness does not only provide a higher level of security, but it also expedites the verification process. The algorithms used in this security technology can verify liveness in just a few seconds.
The expedited customer verification comes along with many benefits. It eliminates cumbersome and time-consuming knowledge-based questions, helping save time. Support agents can use the saved time on other profit-making business processes.
Use Pindrop to Improve Contact Center Security
Enhancing call center security doesn’t end once you are acquainted with these security measures. You also need the support of a service provider with a deep understanding of the intricate security requirements in this domain.
Our company, Pindrop, is one such partner in matters of contact center security. We use voice to fortify the authentication process so you keep fraudulent access at bay.
Request a demo to learn how we can help improve your contact center security.
Every year since 2003, October has been recognized as Cyber Security Awareness Month (CSAM). In honor of this year’s CSAM, we wanted to cover the three top fraud types and what you can do when they happen. Fraud can occur when you least expect it and is changing so quickly that it’s essential to stay current and continue to evolve your protection and prevention strategy. This trend is anticipated to continue, especially when fraud was up 40% this past year.
So what are the top fraud types, and how can you safeguard your business and customers if and when they happen? New data shows that the Federal Trade Commission received 2.8 million fraud reports from consumers in 2021, a 70% increase over the previous year, leading to more than $5.8 million in losses. The most commonly reported category once again was the imposter scam, where a fraudster represents themself as someone else to extract money or personal information from a victim. But fraud attacks can also be carried out by someone affiliated with the victim. Here are the top three instances of fraud defined:
When these common types of fraud occur, there are a few steps you can take to quickly mitigate damaging results to your brand, security posture, and operations. For instance, Pindrop’s anti-fraud voice detection stopped $146 million in fraudulent transactions for PSCU, a credit union company. Here are the steps you can apply to your business to detect and protect against fraud.
Step 1 – Bet on the cloud
Having APIs built for flexible access allows security systems to work in your favor. The cloud can then work to authenticate callers and obtain fraud behavior feedback for faster detection.
Step 2 – Have Multiple Authentication and Risk Signals
Implementing multifactor authentication within your contact center allows you to offer faster, more secure, and personalized customer service. Build it into your system or process so that it draws on device, behavior, voice, risk, and network signals in one seamless flow. This allows for secure and simple self-service options for agents and customers to handle real-time authentication.
Step 3 – Empower your Fraud Detection Process with Custom Attributes
Custom attributes utilize data tags to enhance data integration between call center systems and solutions with customizable details. Analysts can conduct more impactful and thorough fraud investigations by enabling custom tags.
Step 4 – Leverage the Collaboration of Authentication and Detection Processes
Ensure you leverage a platform for effective identity management for users, roles, and permissions to support transparent and accessible collaboration, especially for customer-facing applications. Consulting services should also be available to catch real-time fraud and maintain organizational efficiency. Lastly, it’s important to include developer resources such as API specifications.
In today’s digital age, the ever-present threat of cybersecurity breaches looms over businesses, reminding us of the need for robust security measures. One recent incident that has grabbed headlines and drawn attention to these vulnerabilities is the September 2023 data breach at MGM Resorts International. In this blog post, we will delve into the details of this breach and explore how Pindrop’s innovative technology solutions could have played a pivotal role in preventing this significant security incident.
The September 2023 MGM Resorts Data Breach
The September 2023 breach at MGM Resorts International sent shockwaves throughout the industry as it exposed sensitive information about countless guests. This breach resulted in the unauthorized disclosure of personal data, including names, addresses, phone numbers, passport information, and more. The incident serves as a stark reminder of the cybersecurity challenges faced by businesses today, particularly in industries like hospitality, where safeguarding customer data is paramount.
But how did a simple phone call cause all this harm?
The group of attackers known as Scattered Spider specializes in social engineering. Particularly, they use Vishing (voice phishing), a technique that involves gaining unauthorized access through convincing phone calls, much like phishing for emails. In this specific scenario, the cybercriminals employed Vishing to manipulate MGM Resorts International’s IT team into resetting Okta passwords. This seemingly innocuous action granted the attackers parallel access to the victim employee’s computer, paving the way for data exfiltration.
While the MGM breach primarily involved data stored on a server, Pindrop’s technology could have added an additional layer of security through voice recognition, caller ID intelligence and behavioral pattern analysis.
Could Pindrop have helped prevent this attack?
Indeed, Pindrop is a multi-factor platform that helps protect against a wide spectrum of attacks, including Vishing. Specifically for Vishing, Pindrop offers solutions like spoofing detection based on the phone number, voice authentication, and liveness detection. These features could have been instrumental in rejecting the impostor’s voice, detecting repeat fraudsters, or identifying indicators of manipulations in the victim’s voice, such as deepfake or replay attacks.
This type of attack, as seen in the MGM breach, is remarkably similar to the threats Pindrop has successfully thwarted for over a decade. While Pindrop’s historical focus has been on financial institutions, the technology’s adaptability makes it relevant and effective across various sectors, including hospitality.
Voice Biometrics and Liveness Detection: Pindrop’s voice biometric solutions allow businesses to verify the identity of callers by analyzing their unique vocal characteristics. Had MGM Resorts International implemented voice biometrics in addition to audio liveness detection, unauthorized access to guest accounts could have been significantly more challenging for cybercriminals.
Fraud Detection: Pindrop’s technology also includes fraud detection capabilities that analyze voice, caller behavior and call metadata to identify suspicious patterns. This could have helped detect unusual activity on the compromised server, potentially alerting MGM’s security team to the breach sooner.
Multi-Factor Authentication: Implementing multi-factor authentication (MFA) with voice recognition could have made it substantially more difficult for cybercriminals to gain access to the cloud server where guest data was stored.
Preventing future breaches
The MGM Resorts International breach serves as a stark reminder of the importance of proactive cybersecurity measures. In today’s interconnected world, businesses must constantly evolve their security strategies to stay one step ahead of cyber threats.
Pindrop’s technology solutions offer a promising avenue for businesses to bolster their cybersecurity defenses, particularly in industries that handle vast amounts of customer data, such as hospitality. By incorporating voice biometrics, fraud detection, and MFA, organizations can significantly reduce their vulnerability to data breaches and enhance customer trust.
What you can do next
In addition to fraudsters’ use of more creative and organized tactics, recent advancements in AI technology have allowed fraudsters to gain access to confidential information using AI-generated voice deepfakes at an unprecedented rate. As we’ve seen, the MGM Resorts International breach is just one example of the evolving threat landscape.
The question is, how prepared is your organization to defend against these ever-more sophisticated attacks? Are you ready to fortify your business against deepfake threats?
On Demand Webinar: Pindrop leaders Amit Gupta and Elie Khoury dive into the threat of deepfakes and how to protect your business and customers from future attacks.
WEBINAR
The Delicate Balance of CX and Fraud Detection
In today’s digital era, where automation reigns supreme, there remains a significant segment of customers who prefer personal interactions over automated services. Gartner reports that 46% of individuals prefer speaking to a real person in the service center, while only 14% opt for email communication.
Discover the delicate balancing act that businesses face as they navigate the fine line between meeting their customers’ desire for human connection and mitigating the risks associated with fraud in contact centers. In our final session of the VIRS webinar series, our experts will dive into the intricate dynamics of this challenge.
Your expert panel
Bryce McWhorter
Senior Director of Contact Center Authentication, Pindrop
Tara Garnett
Senior Product Manager, Pindrop
ON-DEMAND WEBINAR
Pindrop® Solutions and Amazon Connect: Better Together
Secure your Amazon Connect contact center with Pindrop® Solutions
Pindrop, a leader in contact center fraud detection, partners with Amazon Connect to enhance security and customer experience in cloud-based contact centers. Watch this session to learn how this collaboration helps enterprises adopt flexible, cost-effective cloud solutions, reduce authentication friction, detect fraud more effectively, and prepare for potential account takeovers.
Challenges faced as the industry moves to the cloud
Benefits of using Pindrop® Solutions with Amazon Connect
How Pindrop® Solutions integrate with Amazon Connect
Your expert panel
Amy L. Reyes R.
Solutions Engineer, Pindrop
Bennett Borofka
Partner Solutions Architect, Amazon Web Services
October 2021 Data Report: Measuring S/S Attestations against VeriCall® Technology’s ANI Validation
Summary of Key Findings
Next Caller, a Pindrop® Company, reviewed the analyses conducted of SIP Header information by its VeriCall® Technology of approximately 109.5 million telephone calls from April 2021 through September 2021, finding that:
A significant majority (64%-76% each month) of calls had no attestation by a carrier;
Approximately 48.4 million calls without an attestation were scored “Green” and indicated for step-down authentication by VeriCall Technology;
Nearly 300,000 calls with an Attestation C were scored “Green” and indicated for step-down authentication by VeriCall Technology;
Over 117,000 calls with an Attestation A still posed a spoofing risk and were scored “Red” by VeriCall Technology.
VeriCall Technology and STIR/SHAKEN Attestations
Next Caller’s team of data scientists and telephony experts regularly tests the accuracy of VeriCall Technology scores. The validation performed uses machine learning, lab testing, and client feedback.
Each carrier has the ability to define which calls receive Attestation A, B, or C. Next Caller studies carrier-specific attestations to develop insights that can factor into our risk analysis. VeriCall Technology can leverage this proprietary analysis in its scoring model.
Implementing STIR/SHAKEN does not have to be a complex and dynamic challenge. At Next Caller, we have experience working with carriers to increase full attestation header availability in order to deliver insights to our customers. We can help your organization leverage the information delivered within each carrier attestation.
Next Caller has analyzed the metadata of over 2.2 billion calls for our enterprise customers.
Beginning on June 30, 2021, the FCC mandated that voice service providers implement STIR/SHAKEN requirements, including the issuance of Attestations to telephone calls that originate on their network. In April 2020, several months prior to that implementation deadline, Next Caller, a Pindrop® Company, started tracking the attestation data that was being delivered by certain carriers to our customers. Next Caller analyzed attestation data to assess whether STIR/SHAKEN attestations provided useful insights beyond the enterprise-grade call risk scoring engine provided by VeriCall® Technology (“VeriCall”), an API-based ANI Validation and Spoof Detection service.
Using approximately six (6) months of attestation data from approximately 35 million calls that had also been processed by VeriCall Technology, Next Caller created a preliminary case study to share some of our observations, including:
From April 2021 through September 2021, Next Caller reviewed the analyses conducted of SIP Header information by its VeriCall Technology of approximately 109.5 million telephone calls from over 500 originating carriers, including major voice service providers. Interestingly, one of Next Caller’s first observations was that, despite FCC mandates, a significant majority (64%-76%) of these calls had no attestation by a carrier at all.
Figure 1 below shows that the rate of availability grew from approximately 24% in April (pre-mandated implementation) to about 36% as of the June 30th implementation deadline; however, through September 30th, the rate of Attestations delivered remained only at approximately 36%. This plateau is concerning, and could be a signal that wide-scale and meaningful implementation of STIR/SHAKEN Attestations is still a long way off. Meanwhile, approximately 48.4 million calls that were missing an Attestation were scored “Green” and indicated for step-down authentication by VeriCall Technology.
Attestation (In)Efficacy
One of the goals of implementing STIR/SHAKEN standards is to help voice service providers identify calls with spoofed caller ID information.¹ It is not necessarily intended to stabilize or secure authentication in the contact center. The Attestation framework is limited in its ability to assess call risk or provide meaningful guidance needed for the multitude of call types that reach a contact center. Are all Attestation A calls safe to ANI Match? Are all Attestation C calls too risky to authenticate without an agent? These questions are important when considering how to create a passive, secure, and customer-friendly authentication process for your customers. Unfortunately, the STIR/SHAKEN data that we reviewed did not provide clear answers.
¹ FCC (June 30, 2021). “STIR/SHAKEN Broadly Implemented Starting Today” [Press Release]. https://docs.fcc.gov/public/attachments/DOC-373714A1.pdf.
STIR/SHAKEN Attestations and VeriCall Risk Scores
In order to help our customers augment and underpin the value of STIR/SHAKEN attestations, Next Caller has explored the relationship between Attestation ratings and VeriCall risk scoring. By identifying correlations, our team can design a cooperative system that leverages the two differing methodologies and help strengthen the ANI Validation process overall for our customers.
Let’s consider what we’d expect to find when we compare attestations to VeriCall risk scores. Because both scoring systems aim to assess whether a call came from the device that owned the phone number, it could be expected that Attestation A calls would also be VeriCall Green scored calls. Likewise, Attestation C calls would be expected to correlate to VeriCall Red scored calls.
However, our analysis uncovered some surprising results:
Attestation A
During the 6-month period, over 117,000 calls with a SIP Header that contained an Attestation A (which indicates that the caller ID was verified by the originating provider) still posed a spoofing risk. In other words, calls that the carriers “signed” with Attestation A were indicated “Red” by VeriCall Technology because the call originated from a device that may not own the number showing on the caller ID. Calls can be scored Red for a variety of reasons, but commonly the designation is given to spoofed calls, or when a number has been recently ported.²
Our finding that some spoofed calls were delivered with an Attestation A raises concern about the efficacy of using STIR/SHAKEN attestations alone to authenticate in an ANI match process. Despite the presence of calls scored Red in the Attestation A group, the statistical variance between the two was relatively low when compared to the relationship between Attestation C calls and VeriCall scoring.
Attestation C
Similarly, the prediction that Attestation C calls would closely align with VeriCall Red scored calls did not hold true. We observed that Attestation C calls received a disproportionately wider range of VeriCall scores compared to the variation observed between VeriCall scores and Attestation A calls.
Our comparison of Attestation C calls to VeriCall scores in Figure 2 below revealed more volatile month to month discrepancies. Nearly 300,000 calls with a SIP Header that contained an Attestation C were authenticated “Green” by VeriCall Technology. Without VeriCall Technology, those calls may not have presented an opportunity for passive step-down authentication.
² Spoofing allows the caller to change the number shown on a caller ID. Criminals use spoofing to trick a business into assuming the call is coming from an existing customer. Number porting can allow a criminal to transfer an existing phone number to a different provider as part of an attempt to impersonate their victim or gain access to their information.
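The comparison described above can be reproduced on your own call records. The following is an added example, not Next Caller's or VeriCall's code: it reads the SHAKEN `attest` claim from the PASSporT token carried in the SIP `Identity` header and cross-tabulates it against an independent risk colour. The sample calls, the `risk` field and the `auth_path` policy are constructed assumptions.

```python
import base64
import json
from collections import Counter

ATTEST_LEVELS = {"A", "B", "C"}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_identity(attest):
    """Build a constructed Identity header value (dummy signature, test data only)."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sti.pem"}
    claims = {"attest": attest, "dest": {"tn": ["15555550100"]},
              "iat": 1633046400, "orig": {"tn": "15555550123"},
              "origid": "00000000-0000-4000-8000-000000000001"}
    token = ".".join(b64url_encode(json.dumps(part).encode("utf-8"))
                     for part in (header, claims))
    token += "." + b64url_encode(b"constructed-not-a-real-signature")
    return token + ";info=<https://cert.example.invalid/sti.pem>;alg=ES256;ppt=shaken"


def attestation_from_identity(header_value):
    """Return 'A', 'B' or 'C' from a SIP Identity header value, else None.

    This only reads the claim. It does not verify the ES256 signature or the
    certificate referenced by x5u, so the result is an unverified statement.
    """
    if not header_value:
        return None
    token = header_value.split(";", 1)[0].strip()
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("ppt") != "shaken":
        return None
    attest = claims.get("attest")
    return attest if attest in ATTEST_LEVELS else None


def crosstab(calls):
    """Count calls per (attestation, risk colour); missing attestation is 'none'."""
    table = Counter()
    for call in calls:
        attest = attestation_from_identity(call.get("identity")) or "none"
        table[(attest, call["risk"])] += 1
    return table


def disagreements(table):
    """Cells where the attestation alone would point the wrong way."""
    return {
        "attested_A_but_red": table[("A", "red")],
        "attested_C_but_green": table[("C", "green")],
        "unattested_but_green": table[("none", "green")],
    }


def auth_path(attest, risk):
    """Hypothetical policy (an assumption): the risk colour decides, and the
    attestation is only consulted when no risk score is available."""
    if risk == "red":
        return "step-up"
    if risk == "green":
        return "step-down"
    return "standard" if attest == "A" else "step-up"


# Constructed sample calls; "risk" stands in for any independent risk score.
SAMPLE_CALLS = [
    {"identity": make_identity("A"), "risk": "green"},
    {"identity": make_identity("A"), "risk": "red"},
    {"identity": make_identity("C"), "risk": "green"},
    {"identity": make_identity("C"), "risk": "red"},
    {"identity": None, "risk": "green"},
    {"identity": None, "risk": "green"},
    {"identity": "not-a-passport", "risk": "red"},
]

if __name__ == "__main__":
    table = crosstab(SAMPLE_CALLS)
    for cell, count in sorted(table.items()):
        print(cell, count)
    print(disagreements(table))
```
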
Conclusion
At this early stage of implementation, only a fraction of SIP Headers contain Attestations. Of those that are available, the information is likely not yet informative enough for a contact center’s call authentication process. These shortfalls may be attributable to the early phase of STIR/SHAKEN implementation and/or to the fact that the framework was not necessarily created as an authentication solution for contact centers. VeriCall Technology, on the other hand, uses a methodology that recognizes the nuances in call metadata to help determine risk and address the variety and complexity of factors associated with enterprise call traffic authentication.
Next Caller will continue to monitor Attestation data and communicate our observations in order to help address STIR/SHAKEN issues, answer questions, and assess implications of contact centers looking to meaningfully leverage STIR/SHAKEN Attestations in their call authentication process.
[Webinar] STIR/SHAKEN and the Contact Center
Listen to Our Experts Talk About Call Spoofing, RoboCalling, and How to Optimize CX & Security.
Watch the Webinar
There was a point in time where knowledge-based authentication (KBA) questions were an effective form of identification. But that time is gone. It’s likely that more personal information about each and every one of us is available on the web than any time before in history, and the growing amount of cybersecurity incidents each year isn’t helping. Pindrop’s data shows that fraudsters tend to pass such questions with success more than half of the time whereas the true person forgets the correct answers one third of the time.
KBA on the outs
Even though the security questions in KBA appear to be personalized, there are only so many questions a system can use, and for fraudsters it often only takes a Google search to crack the KBA code. Information from hacked databases is available for hackers to purchase, making it easier to undermine dynamic KBA strategies. Phishing attacks allow third parties to gain access to individual accounts and detailed user information, making security questions practically useless.
How can KBA still be useful for authentication?
However, there is still a significant familiarity between customers and KBA. Therefore, deploying a KBA solution shows your customers that you are serious about protecting their identity and raises their confidence in your business, so it’s a great first step toward building a better, long-term relationship with them.
While establishing KBA, the reliability of the source of the data is directly related to the level of security the authentication provides. Sources like existing account information or trusted third-party sources should be utilized to get to dynamic, non-traditional data and to generate unique questions.
KBA questions should aim at a balance between convenience and security. Asking a question that is too complex can create painful obstacles for customers trying to access their data and hence negatively affect the customer journey. But a question that is too simple can be an invitation to fraudsters. Therefore, it is important to explain the security features to the customer and include reasonable and unique questions.
The difficulty of KBA-challenges should match the value of the credentials they protect. Individuals and organizations providing higher-value targets, who will be subject to reconnaissance prior to the attack, must boost their KBA challenges.
Multi-factor authentication (MFA) protocols require two or more identifiers from users before granting access. Businesses of all sizes are beginning to adopt complex rules for authenticating specific devices and are implementing single sign-on to streamline access without compromising data security. In such an authentication protocol, KBA may still be used safely — not as a primary verification tool but as a secondary one. Companies with robust user data protected by strong encryption can draw from their own information to create dynamic KBA queries. Fraudsters may still be able to gain access to this data, but it requires more work than looking up public records or obtaining aggregated information.
In systems designed to operate on a contextual basis, KBA is useful to fall back on when users can’t meet the requirements for other forms of authentication. Using KBA along with patterns of the user’s behavioral actions in the authentication process would allow for termination of sessions or denial of access should unusual behaviors be detected.
KBA can satisfy the “something you know” requirement and doesn’t have to be limited to security questions. The combination of graphical passwords with something you are (fingerprint), or something you have (smart card) strengthens usability and authentication security.
In summary, it may be premature to fully cancel KBA but necessary to recognize that KBA’s role has been relegated from the featured authentication tool to a complementary method. Do not solely count on KBA but do not totally forget about it, either.
Fans of the board game turned cult classic film Clue, or Cluedo as it is known in other parts of the world, know it is a crime-solving game where participants use clues to determine the suspect, location, and weapon to solve the case, and it brings back fond memories of tracking down bad guys. In the game, knowing only what room the crime took place in isn’t enough to net a victory; only having the location, weapon, and suspect allows you to win the game. It’s a simple game with a powerful message: get the facts straight.
Account Risk is Pindrop’s latest intelligence offering from its fraud detection solution Pindrop® Protect. Pindrop now adds another dimension to fraud detection intelligence: in addition to a real-time risk score on inbound calls (call risk), it can provide a score on accounts that show signs of risk. That account score is not limited to the contact center; it can incorporate intelligence from around the organization to provide another vector of fraud detection intelligence.
Today, Protect customers can use call risk scores in real-time to make determinations about the risk the caller might present. With account scores that get updated over time, artificial intelligence assesses possible connections to previous fraudulent attempts, as well as cross-channel account activity patterns, so fraud practitioners will be able to use intelligence from their own systems to help determine if a fraudster is preparing for an attack.
Using both call and account risk helps monitor the channel fraudsters use and whom they are targeting as well. This allows Pindrop to clue in its customers on accounts that show signs of fraud surveillance, in addition to what calls may be risky.
One-Time Passwords (OTPs) were created to help enhance security, as they can protect you from an identity theft attack. OTPs can take the form of automatically generated numbers that are sent to your cell phone or specific text/word strings that the user needs to recite in order to capture their voice sample. OTPs are often used for the purpose of account login, identity verification, device verification, or password recovery. However, the protection OTPs once offered has diminished and users today can be easily deceived. Through deception, a fraudster can steal your personal data to gain access to your bank accounts and other valuable data.
Fraudsters can use various platforms including social media, phone calls, and online chat applications to target their victims to mistakenly reveal personal information. Fraudsters can use various schemes to induce the victims to share their OTPs, such as encouraging the victim to join a contest or telling the victim that s/he has won a prize¹. They can impersonate government or bank officials, technical support staff, or the victim’s friends to access personal details and accounts. For example, a fraudster can call the victim, pretending to be a telecom technician, and tell the victim that their account was compromised by a hacker. After that, the fraudster can instruct the victim to download an application for the telecom company to conduct investigations. This way the fraudster can remotely access the victim’s computer, and ask the victim for bank login details and an OTP, claiming to check if the victim’s account had been compromised. If the victim provides these details, the fraudster can transfer the money in the victim’s account to another account.
Here are some key reasons why OTPs might not provide the best security to use for authentication:
Increase in Average Handle Time (AHT): Customers may have long waits to receive OTPs depending on their phone signal strength or may not have instant access to their cell phone. This will increase the AHT and create a bad customer experience, especially for genuine callers. This is definitely a problem with significant financial consequences any company would want to avoid. A couple of years ago, Forbes reported that businesses lost $75 Billion due to poor customer service.²
Increase in Cost: To provide a customer with an OTP, companies have to pay a certain amount per SMS-based OTP. Depending on the customers’ cell phone carrier, they may encounter bad signals and delay the delivery of the OTP. If customers have to request an OTP multiple times, the companies’ costs will only grow. Additionally, the increase in costs might also include headcount. If OTPs are adding handle time to every call, will that require more employees?
SimJacking: Based on the most recent Facebook breach³, we know that almost half a billion phone numbers and their corresponding Facebook accounts were exposed. The leak of phone numbers could potentially make a huge number of users prone to SIM swap-type fraud. In addition to a list of these numbers, fraudsters can also buy digital files packed with personal data and account details sourced from mass online data breaches and cyberattacks, to open an account in their victim’s name⁴. If fraudsters could combine these with other details, potentially obtained separately through either social engineering or online searches, and gather enough information to pass security questions at the respective mobile network operator, they could theoretically register a new SIM. The victim’s SIM could also get deregistered, and the answers to security questions changed to new information no longer matching the victim’s, allowing the fraudsters to take over the victim’s account and eliminate the victim’s attempts at correcting the situation.
Diminished Impact on Security: Over time, fraudsters adapted and found ways to beat OTPs. Simple, quick turnarounds such as calling the bank pretending to be the victim and getting the bank to send the OTP followed by a call to the victim, pretending to be the bank and asking the victim to read back the code on the text message, are low tech.
Added Friction: OTPs add an additional layer of identity verification and authentication burden on the consumers. The extra time required to process the OTP and the additional work the consumer needs to do diverts the focus of the conversation and delays the resolution of the consumer’s issue. This friction could result in lower Net Promoter Scores and reduced customer satisfaction.
Today, many companies are still using OTPs for authentication purposes and those who use them could face higher costs and unhappy customers. Therefore, the importance of having an authentication technology based on credentials and risk criteria extracted from a call clearly stands out – especially if such decisions are automated and governed through a flexible policy engine aimed to build trust for genuine callers. There are other ways to establish trust in a customer interaction without creating the additional cost and friction of OTPs. For example, you can use spoof detection techniques to determine whether an incoming call is spoofed or not and whether you can trust the call. For further security and identity verification, you could deploy multi-factor, risk-based authentication processes that allow you to leverage other factors like certain behaviors, voice, and device.
This webinar examines the ways in which Verizon and Pindrop are working together to create solutions that provide tremendous benefits to their customers.
Scale and address issues in capacity during call spikes
Adapt to changes in operating structures and fraudster modus operandi
Minimize fraud costs while ensuring a frictionless customer experience
Thoroughly protect customer data without negatively impacting call metrics
Join us for a look at the integration of Pindrop into the Verizon IPCC platform and how this allows for the rapid deployment of Pindrop’s technologies for Verizon’s contact center customers. In this webinar, we discuss how Pindrop and Verizon are committed to supporting customers as they adapt and change to account for current events.
Meet the Experts
Tony Lutz
Customer Experience Advisor, Verizon
Dave Albers
Solutions Engineer, Pindrop
What is Graph Analysis For Fraud Detection?
Graph analysis is the process of analyzing data stored in graph format. Graphs are mathematical structures that represent relationships between various objects and, when modeled, are visualized with nodes and edges.
For the purpose of fraud detection, nodes would be the accounts, calls, transactions, and other data points, while edges would be the links, relationships, or connections between the nodes.
Even without the popularized visualizations, graph analysis is extremely useful for fraud detection. Legacy methods of data storage are not designed to analyze complex relationships between data points. Relationships cannot be searched in a table, and the “fixed schema” of tabular relational models and databases is not as flexible as graphs. Graph databases place the same value on relationships (edges) as they do on data points (nodes), making relationships discoverable. Thus graph analysis is not only the next evolutionary step in data storage and analysis but the next logical step in fraud detection, mitigation, and prevention.
What is Link Analysis?
When graph analytics is applied to fraud detection in call centers, the “edges” (the relationships, links, and connections associated with each node) are analyzed to identify valuable patterns that can predict when and where fraud may occur. Link analysis is used to evaluate the connections between “nodes” or data points. These data points, such as accounts, calls, behaviors, devices, time, transactions, and phone numbers, as noted above, traditionally live in formats that make discovering, modeling, and otherwise analyzing relationships both more complex and less useful.
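An added illustration of the link analysis described above, not Pindrop’s code or algorithm: it builds a phone-number-to-account graph from constructed call records, finds connected clusters, and scores each account with a noisy-OR of the risk of the calls that touched it. The record layout, risk values, thresholds and function names are all assumptions made for this example.

```python
from collections import defaultdict, deque

# Constructed sample records (not real data):
# (call_id, caller_number, account_id, call_risk between 0 and 1)
CALLS = [
    ("c1", "+1-202-555-0100", "acct-A", 0.90),
    ("c2", "+1-202-555-0100", "acct-B", 0.80),
    ("c3", "+1-202-555-0101", "acct-B", 0.70),
    ("c4", "+1-202-555-0101", "acct-C", 0.85),
    ("c5", "+1-202-555-0199", "acct-D", 0.10),
    ("c6", "+1-202-555-0198", "acct-E", 0.05),
    ("c7", "+1-202-555-0198", "acct-E", 0.10),
]


def build_graph(calls):
    """Undirected graph: phone nodes and account nodes, one edge per call."""
    adj = defaultdict(set)
    for _call_id, phone, account, _risk in calls:
        p, a = ("phone", phone), ("account", account)
        adj[p].add(a)
        adj[a].add(p)
    return adj


def connected_components(adj):
    """Breadth-first search; each component is a set of linked nodes."""
    seen, components = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        seen.add(start)
        queue, comp = deque([start]), set()
        while queue:
            node = queue.popleft()
            comp.add(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        components.append(comp)
    return components


def account_risk(calls):
    """Noisy-OR per account: 1 - product(1 - call_risk) over its calls."""
    clean = defaultdict(lambda: 1.0)
    for _call_id, _phone, account, risk in calls:
        clean[account] *= 1.0 - risk
    return {acct: 1.0 - p for acct, p in clean.items()}


def suspicious_clusters(calls, min_accounts=2, min_phones=2, min_risk=0.5):
    """Clusters where several numbers reach several accounts and at least
    one account is high risk. Thresholds are illustrative assumptions."""
    risk = account_risk(calls)
    flagged = []
    for comp in connected_components(build_graph(calls)):
        accounts = sorted(n for kind, n in comp if kind == "account")
        phones = sorted(n for kind, n in comp if kind == "phone")
        worst = max(risk[a] for a in accounts)
        if (len(accounts) >= min_accounts and len(phones) >= min_phones
                and worst >= min_risk):
            flagged.append({
                "accounts": accounts,
                "phones": phones,
                "max_account_risk": round(worst, 3),
            })
    return flagged


if __name__ == "__main__":
    for cluster in suspicious_clusters(CALLS):
        print(cluster)
```

In a flat call table, acct-A and acct-C share no phone number; the graph links them through acct-B, which is the kind of relationship a per-row lookup does not surface.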
What is Graph Analysis for Fraud Detection in Contact Centers?
Fraud detection for contact centers consists of the tools, software, and processes related to the detection of fraud entering or “touching” the contact center.
Why is the Application of Graph Analysis For Fraud Detection in The Contact Center Important?
As the world adjusts to a contactless society, contact centers have been experiencing soaring call volumes as consumers replace face-to-face interactions with voice-to-voice. With this surge have come rising fraud activities across channels and new and unprecedented challenges in ensuring customer satisfaction and security.
Though extremely valuable for uncovering patterns that indicate fraud across vast and seemingly unrelated datasets, graph analysis has been slow to reach the contact center until Pindrop Protect® with Trace Technology.
What is Pindrop® Protect With Trace Technology?
Pindrop Trace technology is our patent-pending analytics engine that powers Protect’s account risk scoring. Measuring call risk over time and identifying which accounts are being accessed by those high-risk calls is the first step in creating an account risk score. Other factors like online activity or failed login attempts can be added to increase the accuracy and predictive capability of account risk. Account risk scoring enables identification of the most complicated fraud scams, and predicting cross-channel fraud up to 60 days before it takes place.
Pindrop Trace technology uses graph analysis to process large sets of data across calls and accounts to identify complex patterns of call risk and account risk, enabling you to prevent more fraud, sooner, and reduce fraud losses.
Siloed data leaves unfound clues that could have been used to stop fraud before it happens. Connect all of your data with Pindrop Trace. This patent-pending analytics engine powers Protect’s account risk scoring, identifying the most complicated fraud scams, and predicting cross-channel fraud up to 60 days before it takes place.
Benefits of Pindrop® Trace
Get a complete picture of fraud across the company by connecting all of your data and stitching together sparse/disparate data that may indicate fraud is happening.
Identify and prevent even the most complicated fraud scams up to 60 days in advance of fraud with account risk scores powered by Pindrop Trace.
Improve analysis by adding your own additional data from other systems (weblogs etc.) into Pindrop Trace.
Remove analyst noise, reduce false positives and improve false-negative detection
Reduce overall fraud costs.
How Does Pindrop Protect With Trace Technology Work?
Pindrop Protect is the only anti-fraud solution that extends anti-fraud protection into the IVR using specially adapted non-audio technologies and graph analytics for contact center fraud detection.
Pindrop Trace® technology correlates account activities across calls and analyzes relationships between seemingly unrelated data points to identify patterns that indicate fraudulent activity and predict fraud loss. Pindrop Trace® technology processes a comprehensive set of data inputs including detailed call and historical information, existing patented Pindrop risk engines, the extensive Pindrop Intelligence Network (PIN), and other enterprise data.
Why Pindrop Trace, Graph Analytics for Fraud Detection in the Contact Center
Pindrop Protect With Trace Technology connects all of your data, so you have the most comprehensive view of potentially fraudulent activity across all touchpoints, enabling you to prevent more fraud and reduce fraud losses.
“No single layer of fraud prevention or authentication is enough to keep determined fraudsters out of enterprise systems.” – Gartner, The Five Layers of Fraud Prevention and Using Them to Beat Malware, April 2011
Gartner Outlined 5 Layers of Fraud Prevention
Gartner recommends a five-layered approach to fraud detection. The basic layer focuses on the user (caller, customer) while a more sophisticated approach focuses on the correlation between account and user in a cross-channel environment. Like Protect® with Trace, according to Gartner, the most sophisticated approach uses a link analysis of relationships between “entities” or database elements to identify organized crime.
Though extremely valuable for uncovering patterns that indicate fraud across vast and seemingly unrelated datasets, graph analysis has been slow to reach the contact center. Now with soaring call volumes, rising fraud activities across channels, and unprecedented challenges in ensuring customer satisfaction while emphasizing their security, both physical and data related.
Pindrop’s closest competitor provides an IVR behavior and metadata tracking solution that correlates caller and account to alert for future monitoring. However, the competitor’s solution cannot extend across channels and does not include graph analytics.
TL;DR: Pindrop has just released Pindrop Protect with Trace technology, the only anti-fraud solution that extends anti-fraud protection into the IVR using specially adapted non-audio technologies and graph analysis for contact center fraud prediction.
To learn more about Trace technology and graph analysis for fraud detection in contact centers visit our solutions page.
Fraud costs don’t start in your finance department. They start in your IVR: 60% of fraud begins in or touches it. While you are aware of the media-reported mega-breaches that have plagued companies and consumers alike, have you considered your contact center’s place in the journey from data capture to fraudulent transaction and account takeover? Fraudsters stalk contact center IVRs, using them as search engines for your CRM to validate customer data. They then use that validated customer data to social engineer your agents or commit fraud across other channels. Pindrop is turning the tables on fraudsters by creating a playbook to stop them.
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle. ― Sun Tzu, The Art of War
To help support contact center leaders in the arms race for customer data, Pindrop has assembled a curated collection of assets, research, and tools to help you bolster your defenses.
Fraudulent activities like fake transactions and false information updates, or activities supporting the eventual takeover of an account like data reconnaissance or social engineering, are all types of contact center fraud. Contact center fraud, therefore, is any fraud-related activity occurring in or originating from the contact center, or more simply, your company’s phone channel.
The victims of contact center fraud are often considered to be the customers themselves and, of course, the business, with common costs including chargebacks and other remediation efforts like card re-issuance fees, in addition to the actual monetary loss. But these are only a fraction of the victims and impacts of contact center fraud.
We discuss the real victims of contact center fraud below:
Who Are The Victims of Contact Center Fraud: Your Customers
Your customers come to mind as the first and most obvious victims of contact center fraud. Fraudsters are scraping your IVR to validate their information for nefarious use, after all, but what about their dependents, friends and family, and your most at-risk customers?
How Contact Center Fraud Impacts Elders and The Disabled
Elder fraud is heinous and unfortunately, it is increasing. The seniors that patronize your business are being targeted through information harvesting schemes online and via the phone channel. These phishing scams result in fraud reconnaissance activities in your IVR to validate the data and hone processes for account takeover. Contact center fraud specifically impacts elders due to their incapability of remediation.
How Contact Center Fraud Impacts Children and Families
Not often viewed as a casualty in the fraud fight, the identity of children, both those of account owners and those who are actual clients, is specifically at risk. Like the elderly, the credit histories of children are rarely monitored and as such are easy targets for cybercriminals and professional fraudsters. Uniquely, the threat to children often includes the usage of leaked or stolen lifetime data like social security numbers, the compromise of which can cause ongoing identity complications.
Who Are The Victims of Contact Center Fraud: Employees
How Contact Center Fraud Impacts: The Fraud Team
A fraud team’s capacity is often regarded as an obvious casualty of increased contact center fraud activity, but operational costs like time lost on false positives, complex fraud ring investigations, and increased fraud activity cause backlogs that put stress on what may be an already understaffed fraud team.
How Contact Center Fraud Impacts: The CX Team
Costs associated with churn like recruiting and training spends can be the result of anti-fraud systems that provide no support for your frontline, requiring investigations and inferences on the part of the agent.
Who Are The Victims of Contact Center Fraud: Your Business
Operations Costs
Operations costs associated with finding and fighting fraud are often overlooked. Costs associated with decreased analyst capacity but increased fraud can devour an entire week’s worth of man-hours for an entire team, wasted on the remediation of one account takeover.
If your business is targeted by an organized crime ring, there could be as many as 10 professional fraudsters working simultaneously to defraud one organization. In this scenario, as many as 100 accounts would be controlled by fraudsters, resulting in 1600 hours of remediation.
16 Hours Per Compromised Account x 100 Compromised Accounts = 1600 Work Hours To Remediate
1600 hours of remediation is 40 analysts worth of work for an entire week. A week’s worth of wasted costs and productivity causes backlog and can result in more fraud losses and related remediation costs, ranging from several thousand per account, higher if the fraudster had been targeting the institution with reconnaissance activities.
Brand and Reputation Costs
1 in 3 consumers will abandon a brand after a negative experience like ATO, and over 90% will abandon their chosen retailer after 3 bad experiences. As we have necessarily shifted to a contactless economy, the phone channel is replacing face-to-face customer service, and consumers overwhelmingly want to keep human interaction as an element when resolving an issue or otherwise interacting with corporations and organizations.
Your IT Security
A spike in fraud attacks may mean a network intrusion, exposed servers, or a third-party breach. Additionally, leaky IVRs may allow for the validation of employee data that can be used for network intrusion and unauthorized access. The threat of contact center fraud effectively expands your attack surface as IVRs and the voice channel as a whole increasingly become a vector of choice in the contactless era. Additionally, as dark web data finds its way into the contact center, should your employees use the same passwords across their personal accounts and your network, data validation in the IVR could potentially open new challenges that don’t target the consumer and instead focus on your company’s internal data.
What Kinds of Fraud Targets Contact Centers?
Fraudsters don’t rely on luck; they do their homework. They use multiple sources, like purchased data harvested from corporate breaches and sold on the dark web, and leaked data scraped from servers and unsecured pages, to develop profiles on the organizations they target. They study how contact centers operate and the relevant policies for their endeavors, and have access to petabytes of personal data on their customers like names, DOBs, SSNs, driver’s license numbers, and more. They come prepared to answer security questions and have practiced strategies to bypass your security, authenticate into an account, and get out before anyone notices.
Account Takeover Is The Goal
The goal of contact center fraud is account takeover. Account takeover allows for additional low-risk reconnaissance and the creation of additional synthetic identities. To accomplish this, fraudsters leave the dark web armed with “fresh data” and use it to target your contact center in a variety of ways.
Social Engineering in Contact Centers
Professional fraudsters understand human psychology; it is a part of their jobs. In the contact center, when they interact with your agents, they use this knowledge of psychology along with distraction, empathy, trust-building, vishing, and basically harassment to get the agent to allow access to the account.
Call Spoofing in Contact Centers
ANI spoofing allows bad actors to imitate a customer number to bypass IVR controls. Automatic Number Identification spoofing is a deliberate action that allows access to your frontline agents and enables social engineering.
Account Reconnaissance in Contact Center IVRs
Before ever attempting interaction with an agent, bad actors validate consumer information in the IVR. 60% of fraud originates in or at some point touches the IVR.
Man in the Middle, The Customer Assisted-Attack
Assisted by ANI spoofing directed initially at the customer instead of your call center, consumers are duped into believing that they are interacting with a genuine agent as the fraudster literally plays the middle man live, calling into the bank with the customer’s spoofed number and giving your agent the correct answers directly from your customer.
Dark Web Data & Contact Center Fraud
Cross-channel fraud can be assisted by unidentified breaches or leaks which provide data for sellers and buyers on the dark web. Fresh and often guaranteed to be verified – bad actors simply bypass controls using a mix of spoofing technology and perfectly genuine data.
Fraud Tactics – Evolving in a contactless society
In early March, governments across the world began warning consumers of a sudden uptick in scams, most likely driven by current and assumed-future conditions: phishing scams that would evolve into fraudulent activity across banking, financial services, insurance, and other verticals. The fraudsters would adapt their social engineering appeals to reflect current events and play on anxieties too, taking many standard techniques and simply adding a dose of the newsfeed.
Social Engineering Tactics – Changes Since The Contactless Shift
The Urgent Request: The Fraudster calls and says all my other banks are closing and I won’t have access to any money so we need to transfer money asap. They will make it sound like an urgent request, “we can’t wait”, in hopes your agents will skip some steps to make the transfer happen.
The Philanthrope: The Fraudster calls pretending to be a client and says they need to access money quickly so they can donate to various COVID-19 related cures, treatments, clinical drugs, etc., and need to make a transfer to another account. Always rushing agents on the phone to act quickly.
International Traveler: The Fraudster calls telling the agent that they are stuck outside of the U.S. and need money ASAP so they can get back in. Again, playing on all the hysteria of being stranded overseas, away from family, to make it sound hectic and dire.
Elder Abuse: The Fraudster calls organizations pretending to be the caregiver of an elderly person who has become ill and needs help. These con artists then phish for information on the actual client while on the phone with your agents. Then, they empty the elderly person’s account, or they call in again to see if they can phish for more information.
Traditional Phishing: Fraudsters use social engineering to garner information from your call center agents for future fraudulent activity. Strong authentication and anti-fraud protections will be crucial here.
The Racketeer. Favorite Tactic: Man in the Middle
The Wolf. Favorite Tactic: IVR Reconnaissance
Mr. Roboto. Favorite Tactic: ANI Spoofing
Crash Override. Favorite Tactic: Dark Web Data
The Good Samaritan. Favorite Tactic: Social Engineering
The journey of a fraudster begins with stolen or otherwise ill-gotten customer data and ends with significant costs to your organization. As fraudsters move from theft to validation and ultimately use that stolen data for fraudulent purchases, they may touch your phone channel hundreds of times. Fraudsters use IVRs for reconnaissance activities, validating transactions, balances, and performing other tasks deemed as “low-risk”. But these low-risk activities translate to future fraudulent activity: activity that takes place across channels like your online chat, email, and again through your phone channel, in the form of socially engineered agents. Watch our webinar, understand the journey, and build a comprehensive defense.
The Fraudster Toolkit: Fraudsters use tools just like you do to help them optimize their performance. So we developed resources to help you build solid defenses. Below are the most popular tools fraudsters are using to cost you money, time, and customers – with links to show you how to stop it.
The Wire Cutters: Social Engineering. One of the core components of contact center fraud, but almost impossible to detect consistently without technology.
The Circular Saw: Voice Distortion. Many fraudsters alter their voice to bypass voice biometric technology, whether by creating noise or simply by using a higher- or lower-pitched voice to more closely imitate their victim when talking to a contact center.
The Framing Hammer: Fraud Bible. A possible legend or myth, the fraudster playbook is known as the fraud bible. Read Pindrop’s position on the dark web trophy.
The Tape Measure: Data on Target Victim. Data reconnaissance and data dealing can mean big business for fraudsters. Learn more about their techniques here, and how they supplement their own data with your IVR.
The Shovel: Account Mining. Fraudsters use a company’s own tools against them. Learn firsthand how fraudsters use the IVR to verify stolen data and use automated dialers to dial account numbers and PINs.
The Handyman: Artificial Intelligence. AI is changing the world rapidly, including fraud. AI now provides the ability to look and sound like anyone else. If someone has a long YouTube video of themselves, that would be enough to replicate their voice and allow the fraudster to communicate as the victim to employees and contact centers.
How to Detect Contact Center Fraud: Current Solutions for Contact Center Security
IVR Authentication As Fraud Prevention
It’s a bad idea. IVR authentication has its benefits, verifying supposedly genuine customers prior to the call’s connection to an agent. Pre-ring authentication lowers AHT, increases agent capacity, and improves CX, but simple voiceprint-to-blacklist matching is not sufficient for fraud defense.
Real-Time Fraud Detection For Contact Centers
Real-time fraud detection used to be the gold standard of technological limits concerning anti-fraud solutions. However, fraudsters spend weeks attacking your IVR, validating data, honing processes, and even testing your fraud controls. The actual transaction and loss do not occur typically for another 30-60 days.
Graph Analysis for Fraud Detection in Contact Centers
Graph analysis has many applications. It is capable of visualizing and analyzing extremely large data sets across any number of data points to reveal relationships between what seem to be unrelated activities. These relationships translate to patterns that may be indicative of fraudulent activity.
You can harness the power of your IVR in the form of predictive analytics. Learn more about preventing fraud in the IVR and learn how you can harness data from your phone channel to harden your entire contact center to attack.
On a quiet Friday afternoon a family member of mine, who will remain anonymous for my own protection, received an email from a man from Australia claiming to be a long lost brother. Since her father had recently passed away, a new familial connection can seem like a very pleasant prospect. The moment I heard this, my disbelief began immediately. In my line of work, unexpected good news from the internet usually means fraud is about to happen. I wanted to believe, but my background in fraudster tactics and previous experience in fraud prevention wouldn’t let me. I have seen too many examples of fraudsters taking advantage of psychological manipulation as part of their arsenal. Since the pandemic, news reports are telling of increased romance scams and others that use love as part of the deception. The act of saying that you love someone can even become addicting.
That is where the psychology of fraud comes into play. As human beings, we can be manipulated to trust an individual, whom we have no business trusting. Dr. Robert B. Cialdini wrote a book called Influence: The Psychology of Persuasion, in which he speaks about factors involved in creating trust where social proof and consistency can build trust with almost anyone. Their simple but effective technique is based on showing credibility by knowing things about you most wouldn’t. Just knowing a name, two random facts about a person might be enough to create a false sense of trust with someone new. In short, with most people, their heart simply overrules their heads.
Even people who know how scams work still fall for it. Why? Because we are human. We are tempted by people saying nice things about us, tempted when people can provide a lot of money for no effort, and sometimes you can convince yourself just long enough to give in to the temptation. That is when they have you in their grips. One estimate suggests our older adults lose as much as $36.5 billion a year to financial abuse. But assessments like that are “grossly underestimated,” according to a 2016 study by New York’s Office of Children and Family Services. We are only seeing the tip of the iceberg when it comes to the actual devastation this criminal industry is causing; the body of it is being buried under the silence of unreported incidents. The underreporting cause? Embarrassment. Nobody likes to admit they’ve been duped, let alone duped out of a large sum of money. Victim shame can silence many that have been defrauded.
So, does my family have a long lost brother? Or is this a wild coincidence that no one knew about this person until recently, and anyone who could corroborate the story is no longer alive? Do I believe? I want to believe, but my job won’t let me.
Is my mystery guest who he claims? Or will I get a call where he either is in trouble and needs our help with bail, or a family member of “ours” died and left everything to us, all that is due is the processing fee? Check back for a follow-up post as more unfolds.
Fraud was never fun – its costs for corporations can climb high when you consider the personnel, re-issuance, and other remediation costs incurred on the operational side in addition to customer attrition and brand damage. As the world adjusts to an incurable disease and devises ways to stay connected, voice interaction with customers has spiked and fallen, and so have fraud rates. As more consumers are staying home and dealing with economic uncertainty and heightened stress levels, fraudsters and fraud rings are stepping up their targeting of consumer information via the phone channel.
Though the targeting of consumers may not be of particular interest to you, if you are concerned with the verification of consumers; the prevention of their information being harvested from your phone channel; the threat of malevolent access to their accounts, you may find this post of particular interest. Today, we will look at how consumer-focused vishing attacks impact your contact center and are costing you money.
What is Vishing, and How Does It Impact Corporations?
Vishing is a form of phishing that occurs in the phone channel. Instead of hackers sending bogus emails with malicious links to your employees to access systems, vishers leverage the phone channel inside and outside of the contact center, posing as genuine callers or entities to trick the consumer or customer service agents to provide them with bits of information they can later use to defraud.
Compromised customer records and vished information threaten your corporation’s security posture inside and outside of the phone channel. The information that fraudsters gather helps to strengthen profiles that, once complete, allow fraudsters and fraud rings to bypass legacy security measures like KBAs. Contact centers are impacted by vishers operationally and financially. The time lost handling these calls, account takeovers they result in, and brand damage you incur as your customers are compromised, violated, and inconvenienced is what costs you money.
How Vishing Costs You Money
Since about 75% of fraud complaints to the FTC involve contact with consumers by phone, when you think of vishing – you think of consumers receiving calls. But phishing activities are also occurring via the phone channel, inside your contact center.
IVR Vishing
Professional fraudsters leverage IVRs to perform data reconnaissance, testing your IVR using guessed passwords and advancing strategies by validating details like account balances using information they gathered on the phone with consumers, inside the IVR itself, or from your contact center agents. The IVR is also a home for fraud rings. With low or no monitoring present, teams of fraudsters call simultaneously, slowly building consumer profiles until they finally gain access and cause monetary loss. Fraud reconnaissance is a necessary step in, but is completely separate from, an actual fraudulent withdrawal, which may happen months after reconnaissance, often 30 or more days later.
Agent Vishing
Contact center agents are also susceptible to vishing, though we commonly refer to this as social engineering. Fraudsters bypass KBAs 20% of the time, and even if they don’t, they are still often able to mine information from even the most seasoned agents. Using psychological tricks and leveraging any uncertainty or anxiety from the news headlines, these fraudsters too often act in organized crime rings and leverage the IVR.
These crime rings have multiple parties strike your contact center at once. Without visibility at the account level or some way of monitoring data reconnaissance, contact center fraud leaders cannot adequately address vishing’s impact.
In short, vishing impacts your contact center via consumer-focused attacks designed to socially engineer and mine data from those contact center resources. You can address vishing, data reconnaissance, and fraud ring activity with risk-based authentication and anti-fraud strategies.
Pindrop has curated comprehensive tools and resources on verifying customers quickly, safely, and seamlessly; preventing malevolent access to accounts leveraging risk-based anti-fraud solutions.
The cloud offers a lot of great functionality for contact centers, from slashing operational costs to reducing the burden on staff. However, despite its many benefits, many contact center companies are still wary of the cloud. Digital transformation can feel like a huge undertaking with all of the technology and operational changes companies must go through, and many companies are satisfied with their current infrastructure.
The good news is that no matter where you are in your digital transformation journey — whether you’ve sworn off the cloud forever or you’re the cloud’s biggest evangelist — you can still use Pindrop’s technology to ensure protection against fraudsters. While Pindrop’s technology is based in the cloud, you don’t have to move your entire infrastructure over to the cloud to use it, or have even made the move to the cloud yet at all.
With Pindrop’s Tap to Cloud solution, a contact center can be completely on-prem and still leverage the benefits of Pindrop’s technology. Tap to Cloud is an on-prem appliance that securely connects the client’s on-prem application into the cloud for Pindrop’s systems to analyze, with very minimal effort to the contact center team. It can offer increased flexibility for contact centers no matter where they are in their digital transformation journey. Additionally, the appliance is not connected to LAN or other boxes, so you don’t have to sacrifice any amount of security just because it is on-prem.
Historically, any type of on-prem call center deployment or project is long, typically taking 6-9 months to complete. However, Tap to Cloud has a light footprint that allows us to implement it much more quickly. In fact, we recently had a customer deploy the solution who was able to have it up and running in just 60 days. With very little time and effort, any contact center can now utilize the power of Pindrop’s anti-fraud and authentication solutions.
If you are looking for a solution for your contact center to detect and prevent fraud but aren’t ready to make the move to the cloud, Pindrop’s Tap to Cloud solution can help. Our team will make things easy, working with you to determine your needs and goals, and implement our solution quickly and seamlessly. Contact us today to learn more.
Wouldn’t it be great if, when you called your bank with one simple question, you didn’t have to jump through hoops answering questions about your favorite teacher, first pet or the name of your best friend? Not only is it time-consuming, but the answers to these questions can change or be forgotten. It’s quite possible that others could answer these questions about you and gain access to your account. With Pindrop, your voice replaces your security questions, powering a frictionless, seamless experience. Pindrop exists to help contact centers accurately, easily and securely identify their customers.
The idea for Pindrop came to CEO and Co-Founder Vijay Balasubramaniyan after he tried to purchase a custom made suit in India. That night, he received a call from someone claiming to be a representative from his bank needing to verify a transaction. Vijay and the caller went back and forth with Vijay asking the caller to provide details on the transaction they were calling about and the supposed bank representative requiring Vijay to verify his identity by sharing his social security number so they could share more details. After growing increasingly frustrated and confused by the call, Vijay hung up.
Fast forward two days: when Vijay went to pick up his suit, the tailor had stopped work on it because the transaction did not go through. On his flight back to the United States, he became increasingly frustrated – how could something so simple as identity and security for voice not exist? That concept became the crux of his PhD thesis and eventually Pindrop.
Today, Pindrop consists of more than 200 researchers, marketers, engineers and designers working toward the same goal of providing security, identity and trust for voice interactions. When financial institutions, credit card providers, insurance companies, and retailers receive calls in their call centers, they need absolute certainty that the call is coming from their customer, and not a fraudster who could, in theory, know all of the answers to a customer’s security questions like “who is your favorite teacher?”. Fraudulent calls occur at a rate of 1 in every 1,000 calls, and detecting fraudsters can feel like searching for a needle in a needlestack. However, fraudulent calls are a serious problem, costing businesses more than $10B every year.
Pindrop works with eight of the 10 largest banks and five of the seven largest insurance companies in the United States. And when one of their call centers receives an incoming call, Pindrop uses a wide variety of systems to evaluate whether a call is risky. This includes detecting if one voice is attempting to access multiple accounts, the speed at which a caller dials or enters information on their keypad, a caller’s location, device type and more. If the call is flagged as risky, Pindrop’s systems alert the call system agent, who is then able to take additional measures to evaluate and authenticate the caller’s identity. The company’s innovative technology can not only be used to detect fraudsters, but also to help consumers have a better experience on the phone with seamless authentication.
Call centers are just the start for Pindrop, whose mission is to protect voice interactions. The new wave of voice interaction is happening at more and more touchpoints in our personal lives. With voice-activated personal and home assistants like Alexa and Siri, doorbells or security systems, and connected cars, voice can power a more personalized, frictionless and secure future. It has the power to determine security, identity and trust, and Pindrop wants to be at the center of all voice interactions. We are just getting started.
Some attackers have taken to using a new phone bot for the Discord chat and voice app to send large numbers of harassing and nuisance calls to individual victims, retailers, and even law enforcement agencies.
Known as Phonecord, the bot is being used in a number of different ways. But unlike most other phone-based campaigns, the attackers behind these aren’t out to make money off their calls. Instead, they’re using the calls as a way to harass and annoy their targets. Analysts at Flashpoint have been tracking these campaigns recently, and say that the actors behind them are taking advantage of Discord’s ease of use and Phonecord’s features to go after a variety of targets.
“Although telephone bots in and of themselves are nothing new, Phonecord is relatively unique because it utilizes the social and communication application Discord, which enables users to make international calls directly and easily from the app’s voice chat functionality. And because those seeking to use the Phonecord bot have the option to pay for the service in Bitcoin, most users remain relatively anonymous,” David Shear of Flashpoint said in a post analyzing the campaigns.
“While Discord has long been popular among the gaming community, the app’s ease of use and ability to withstand distributed denial-of-service (DDoS) attacks has given rise to its heavy usage among cyber threat actor communities.”
Shear said the actors using Phonecord have targeted both the FBI and the UK’s National Crime Agency and also have used the bot to pull pranks, such as having dozens of pizzas delivered to a victim’s house. Phone bots have been around for many years, and have been used for any number of different things. Some are used for robocalls and others are used for phone fraud schemes. There’s even an anti-bot bot called Jolly Roger that is designed to combat other phone bots by putting them into a black hole of nonsensical conversations.
The campaigns that Flashpoint has been following probably will keep going, Shear said.
“Flashpoint analysts assess with high confidence that threat actors will likely continue to use the Phonecord bot to carry out harassment campaigns against various individuals and organizations unless the administrators of the service institute additional controls and countermeasures,” he said.
Image: Dan Wiedbruck, CC By-nd license.
The FCC is warning consumers, as well as marketers, that robotexts sent by autodialers to mobile phones are illegal and the commission says it will be cracking down on the practice.
Robotexts are the younger cousin of the robocalls that have been plaguing consumers and businesses for a long time. Whereas robocalls typically are made by autodialers and may have a real person or a recording on the other end, robotexts are sent out en masse by autodialers and usually are delivering ad messages or sometimes phishing links. The texting issue is a much newer problem than robocalls, but the FCC is telling consumers and marketers both that the law and the commission treat robotexts the same way as calls.
“The FCC has stated that the restrictions on making autodialed calls to cell phones encompass both voice calls and texts. Accordingly, text messages sent to cell phones using any automatic telephone dialing system are subject to the Telephone Consumer Protection Act of 1991,” the commission said in an advisory.
“The FCC’s corresponding rules restrict the use of prerecorded-voice calls and automatic telephone dialing systems, including those that deliver robotexts. The FCC’s Enforcement Bureau will rigorously enforce the important consumer protections in the TCPA and our corresponding rules.”
Aside from the annoyance factor, the main problem with robotexts is that they often cost recipients money. Depending upon their cell plan, many consumers are charged for texts they receive. The FCC said that unless consumers have given prior written consent, almost all commercial robotexts are illegal. The exceptions are texts from nonprofits and some health-care related messages. The sender is responsible for being able to prove that it has prior consent for sending the texts.
“Those contending that they have prior express consent to make robotexts to mobile devices have the burden of proving that they obtained such consent. This includes text messages from text messaging apps and Internet-to-phone text messaging where the technology meets the statutory definition of an autodialer. The fact that a consumer’s wireless number is in the contact list of another person’s wireless phone does not, by itself, demonstrate consent to receive robotexts,” the FCC advisory says.
LAS VEGAS–One of the difficulties in protecting against phone fraud scams is actually detecting them. Technology certainly helps, but in a lot of cases, it’s up to the potential victim on the other end of the line to figure it out for himself.
That has turned out to be a fairly high hurdle for a variety of reasons, one of which is that many people aren’t all that good at recognizing the subtle differences in speech, discourse patterns, and syntax that can signal a problem. Phone scammers count on this and work hard to exploit it by using conversational tricks and tactics to push victims to the place they want them to go. A key part of this plan is to make the story they’re telling–whether it’s about unpaid taxes or money transfers or a Nigerian prince–sound like it requires urgent action on the part of the victim.
Judith Tabron of Hofstra University has studied various phone scams and the ways that the scammers use language tricks to dupe victims, and found that the urgency is a vital part of their game.
“The scammers are trying to pull you into a current emergency. That’s part of the goal. They’re not telling you a story, it’s a malformed story,” Tabron said during a talk at the Black Hat conference here Thursday.
“It’s probably the toughest thing to recognize in the moment, though. It’s a violation of the narrative structure that we’re expecting.”
Constructing that malformed story takes work, though, and one of the building blocks is the use of polar tag questions. Those are questions along the lines of: Turn off the TV, ok? It’s the kind of question that people essentially never say no to, and phone scammers rely on that, Tabron said. Noticing the use of repeated polar tag questions can help victims identify scam calls, she said.
“If you can notice those, it’s helpful. If they’re ending every conversational turn with a polar tag question, there’s a reason for that,” she said. “It’s a test.”
The scammer wants to get the victim to start agreeing with the questions so he can establish a rapport and move on to the next step of the scam, which is extracting whatever money he’s after. Getting that money is the ultimate goal, and the use of coercive language to intimidate the victim is often a part of the play, too.
“Not all phone scams have coercive language in them, but a lot of them do,” Tabron said. “There’s a lot of bullying that goes on in the wire transfer scams. A lot of, Do this or you’re fired.”
But Tabron said just telling potential victims to be wary about these calls doesn’t necessarily help very much. Detecting fraudulent behavior is a more viable solution.
“Telling people to be hyper-vigilant doesn’t work. You have to tell people what to look for,” she said.
A security researcher has discovered a method that would have enabled fraudsters to steal thousands of dollars from Facebook, Microsoft, and Google by linking premium-rate numbers to various accounts as part of the two-step verification process.
Arne Swinnen discovered the issue several months ago after looking at the way that several of these companies’ services set up their two-step verification procedures. Facebook uses two-step verification for some of its services, including Instagram, and Google and Microsoft also employ it for some of their user accounts. Swinnen realized that the companies made a mistake in not checking to see whether the numbers that users supply as contact points are legitimate.
“They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP,” Swinnen said in a post explaining the bug. “Microsoft was exceptionally vulnerable to mass exploitation by supporting virtually unlimited concurrent calls to one premium number.”
For services such as Instagram and Gmail, users can associate a phone number with their accounts. In the case of Instagram, users can find other people by their phone number, and when a user adds a number, Instagram will send a text to verify the number. If the user never enters the code included in the text, Instagram will eventually call the number. Swinnen noticed that Instagram’s robocallers would call any number supplied, including premium-rate numbers.
“As a PoC, 60 additional calls were made in an automated fashion with Burp Intruder, each with 30 seconds throttle in between. This concluded the theft of one symbolic pound over the course of 17 minutes,” Swinnen said.
“One attacker could thus steal 1 GBP per 30 minutes, or 48 GBP/day, 1.440 GBP/month or 17.280/year with one [instagram account, premium number] pair. However, a dedicated attacker could easily setup and manage 100 of these pairs, increasing these numbers by a factor 100: 4.800 GBP/day, 144.000 GBP/month or 1.728.000 GBP/year.”
Swinnen said that the same number could be linked to any number of different Instagram accounts, upping the amount of money that an attacker could steal. Facebook, which owns Instagram, patched the issue and paid Swinnen a $2,000 bug bounty for the submission.
Google and Microsoft had similar issues, although with different systems. Google will use a mobile phone as a part of its two-step verification system, and will sometimes place a phone call to a number to give the user a six-digit token for authentication.
“Entering a premium number here would result in a phone call from Google, but the number would be blocked after a few attempts when no valid token is entered. However luckily, eurocall24.com supported forwarding the call to a SIP server (“Callcentre”) and consuming them with a SIP client (Blink in this case) so I could actually hear the message out loud,” Swinnen said.
Once he got past the registration process, Swinnen was able to set up a system that would execute logins and generate the phone calls.
“First, the call destination for the premium number on eurocall24.com was modified to a standard ‘conference service’, so I wouldn’t be bothered by it anymore. Then, a selenium script to login with username & password to the 2FA-protected account was recorded with the Firefox IDE plugin & exported to alogin.py python script. Last but not least, a second quick & dirty python script loop.py was designed to execute the former one every 6 minutes and executed. Two hours and 17+1 (enrollment) calls later, the symbolic Euro was mine again.”
Microsoft’s problem was with its Office 365 service, specifically with free trials. By prepending or appending zeroes or random digits to premium-rate numbers entered as part of the trial registration process, Swinnen could cause Microsoft’s system to call the numbers many times over.
“On top of this, Microsoft allowed concurrent calls to the same premium number. Eurocall24.com limits the number of concurrent calls from one source address to one of its premium numbers to 10, so a PoC was performed where 2*10 concurrent calls were made within less than one minute, yielding a little more than 1 EUR profit,” Swinnen said.
Both Google and Microsoft put mitigations in place to address the problems, and Microsoft paid Swinnen a $500 bounty. Google didn’t award a bounty.
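One way a service could check a destination before placing a verification voice call, covering the three gaps described above (premium-rate destinations, padded variants of one number, and repeated or concurrent calls to the same number). This is an added example, not code from Swinnen's post or from any of the vendors named; `SAMPLE_PLAN`, `canonicalize` and `VoiceCallGate` are hypothetical names, and the numbering-plan table is a small constructed sample.

```python
import re
from collections import defaultdict, deque

# Constructed sample numbering plan: country code -> (national lengths, premium prefixes).
# Illustrative only; production needs a complete, maintained numbering-plan database.
SAMPLE_PLAN = {
    "1": ({10}, ("900",)),      # NANP: 1-900 numbers are premium rate
    "44": ({9, 10}, ("9",)),    # UK: 09xx numbers are premium rate
}

def canonicalize(raw):
    """Return (country_code, national_number) or raise ValueError."""
    s = re.sub(r"[\s().-]", "", raw)
    if s.startswith("+"):
        s = s[1:]
    elif s.startswith("00"):
        s = s[2:]
    else:
        raise ValueError("number must be in international format")
    if not (s.isascii() and s.isdigit()):
        raise ValueError("non-digit characters")
    for cc, (lengths, _) in SAMPLE_PLAN.items():
        if s.startswith(cc):
            national = s[len(cc):]
            # Strict length check: variants padded with extra zeros or digits
            # must not be accepted as "new" numbers.
            if len(national) not in lengths:
                raise ValueError("invalid length for country code " + cc)
            return cc, national
    raise ValueError("unsupported country code")

def is_premium(cc, national):
    return national.startswith(SAMPLE_PLAN[cc][1])

class VoiceCallGate:
    """Decides whether a verification voice call may be placed."""

    def __init__(self, max_calls=3, window_s=3600):
        self.max_calls, self.window_s = max_calls, window_s
        self.history = defaultdict(deque)   # canonical number -> call timestamps
        self.in_flight = set()              # numbers with a call in progress

    def request_call(self, raw, now):
        try:
            cc, national = canonicalize(raw)
        except ValueError as exc:
            return False, "rejected: %s" % exc
        if is_premium(cc, national):
            return False, "rejected: premium-rate number"
        # Limits are keyed on the destination number, not the account,
        # so linking one number to many accounts does not multiply calls.
        key = "+" + cc + national
        if key in self.in_flight:
            return False, "rejected: call already in progress"
        calls = self.history[key]
        while calls and now - calls[0] >= self.window_s:
            calls.popleft()
        if len(calls) >= self.max_calls:
            return False, "rejected: rate limit"
        calls.append(now)
        self.in_flight.add(key)
        return True, key

    def call_finished(self, key):
        self.in_flight.discard(key)
```

The caller passes the current time as `now` (seconds) and calls `call_finished` with the returned key when the call ends.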
The first step in protecting against phone scams is understanding how they work. In this series of blog posts, we’re breaking down some of the newest and most popular phone scams circulating among businesses and consumers.
The Scam
Imagine that you’re a customer service agent at a banking call center. You receive a call from someone who sounds a bit like a chipmunk. You talk to so many people every day that it’s nothing too out of the ordinary. Before you can start helping the customer, you must verify her identity. You ask for the customer’s mother’s maiden name.
“My father was married three times, so can I have three guesses?” replies the customer.
“Of course,” you reply with a smile. She gets it on the third guess – It was Smith.
After that, the customer, who tells you she is recently married, just needs help with a few quick account changes: mailing address and email address. She checks on the account balance and ends the call. You wish all of your calls were this easy.
Here’s What Really Happened
A month later, the newlywed’s account is cleared of money. It turns out, she wasn’t a newlywed after all. She hadn’t changed her address or her email. Instead, the person you spoke to on the phone was an attacker, performing the first steps in an account takeover. After changing the contact information on the account, the attacker got into the customer’s online banking and changed her passwords and PIN numbers. It wasn’t long before the attacker began to steal funds from the account.
It’s called Account Takeover Fraud, but it actually combines several popular scam techniques:
Voice Distortion – Attackers have many tools for changing the way their voice sounds over the phone. They may be trying to impersonate someone of the opposite gender, or simply attempting to avoid voice biometric security measures. Less sophisticated attackers sometimes go overboard on this technique and end up sounding like Darth Vader or a chipmunk.
Social Engineering – Think of social engineering as old-fashioned trickery. Attackers use psychological manipulation to con people into divulging sensitive information. In this scam, the attacker acted friendly and jokingly asked for extra guesses on the Knowledge Based Authentication (KBA) questions.
Reconnaissance – Checking an account balance for a customer may seem like a low-risk activity. But this is exactly the type of information that an attacker can use in later interactions to prove their fake identity. Pindrop research shows that only 1 in 5 phone fraud attempts is a request to transfer money. Banks that recognize these early reconnaissance steps in an account takeover can often stop the attack months ahead of time.
Account Takeover Fraud in the News
In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud – Home Depot was quick to assure customers and banks that no debit card PIN data was compromised in the break-in. Nevertheless, multiple financial institutions contacted by this publication are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts.
Account Takeovers Can Be Predicted – Apart from collecting publicly available information about the victim, generally posted on social networking websites, cybercriminals resort to contacting call centers in order to find something that would help in their nefarious activities.
Time to Hang Up: Phone Fraud Soars 30% – Phone scammers typically like to work across sectors in multi-stage attacks. This could involve calling a consumer to phish them for bank account details and/or card numbers; then using those details to call their financial institution to pass identity checks and thus effect a complete account takeover.
Written by Hassan A. Kingravi
In this blog post, I will show an example of how utilizing the mathematical structure of an algorithm can highlight interesting visual features in data.
Kernel Support Vector Machines
One of the most common machine learning tasks is the classification problem. Informally, the problem can be stated as follows: given a set of data, and a preselected collection of categories, can we decide which category each data point belongs to while minimizing assignment errors? There are a myriad of methods to achieve this, on every kind of domain imaginable: classification algorithms exist that operate on audio data, images, graphs representing social networks, time series such as stock market data, and so on [1]. Typically, in each case, the original data is mapped to a vector space, resulting in an array of numbers of a fixed dimension: these numbers are typically known as features, and this step is usually called feature extraction.
The picture below shows a simple example of classification on feature data: given data in two dimensions, if the red points and blue points represent different categories, the classification problem effectively boils down to drawing a boundary separating the two sets of points.