Thank You for Registering!
The webinar details will be sent to your email address shortly, where you can save to your calendar. We look forward to seeing you there.
In the meantime, please check out our resources around fraud prevention and detection:
- Blog: Evaluating your Defense Strategy against Deepfakes
- Report: 2023 Voice Intelligence & Security Report
If you have any questions, please reach out to [email protected].
Launch Recap and Q&A with Pindrop CMO Mark Horne
Pindrop has just announced an evolution for Pindrop® Protect, our industry-leading anti-fraud solution now extending its protection into the IVR and finds more fraud leveraging Trace, graphic analysis technology.
Tomorrow, join Pindrop Chief Marketing Officer, Mark Horne as he talks about the new technology, and the future of graphic analytics to predict fraud. We will also open up time for Q&A.
What is Pindrop Trace?
Trace connects seemingly unrelated activities to reveal patterns that indicate fraudulent activity and provides:
- Increase accuracy, reduce false positives, and improve cross-channel fraud detection.
- A more complete view of your company’s “fraud universe”
- Fraud predictions by analyzing relationships between behaviors, accounts, other parameters
- Connections to seemingly disconnected activities across time, accounts, and activities
Protecting the IVR: Optimizing IVR Systems in The Contact Center – Part 3 of 3
Part three in our three-part series focuses on how fraud is perpetrated in automated contact center systems. In this third and final session, we will examine:
- How IVR fraud can be a predictor and indicator of existing and future fraudulent activity across channels outside of contact centers
- What key technologies some of the largest companies and contact centers on earth are leveraging for fraud
- How you can use data from various and different attack vectors to shut down fraud in your contact center
Protecting the IVR: What is IVR Fraud In The Contact Center? – Part 1 of 3
Part one in our three-part series focuses on how fraud is perpetrated in automated call center systems. In this first session, we will explore:
- Key concepts in IVR technology protecting contact centers
- How IVR systems have become a weak point in contact center security,
- How bad guys leverage automated contact center systems to mine account information
- How social engineering can happen without ever speaking to a contact center agent.
How your Contact Center & IVR are being weaponized
When it comes to fraud prevention, following the smallest breadcrumbs can lead to the biggest discoveries. At Pindrop we’ve learned how the IVR is one of those places where the breadcrumbs start. Over 61% of fraud losses originate in the IVR, as fraudsters weaponize it to commit fraud and successfully takeover accounts, with ease.
Contact centers are under significant pressure to manage calls efficiently, especially as volumes begin to rise. Customer authentication is obviously a big priority and is critical to ensuring the security of the contact center.
As a result, most call centers have to tread a fine line between managing the overall call experience, streamlining authentication processes, and making sure that average handling times remain competitive.
But, customer authentication is handled very differently if you’re using an IVR (interactive voice response) system as compared to working with live or virtual agents. But before we go further, let’s talk about what customer authentication and identification really is.
What is Customer Authentication?
Traditionally, customer authentication in call centers has involved asking the customer to provide personal information, such as their full name, date of birth, address, or answers to security questions based on personal history (like a mother’s maiden name).
However, this method can be time-consuming and is not foolproof, as such information can potentially be accessed or guessed by others. To address these challenges, many call centers are turning to more advanced and secure methods of authentication.
Technological advancements have led to the development of more sophisticated authentication tools. These include biometric verification methods, such as voice biometrics, where a customer’s unique voiceprint is used to verify their identity.
This method is not only more secure but also enhances customer experience by speeding up the authentication process. These are primarily employed in sensitive industries, such as banking, retail, healthcare, or telecommunications.
Other tools like two-factor authentication (2FA), where a customer is required to provide two different types of information for verification, and knowledge-based authentication (KBA) systems, which ask questions that only the genuine customer would know, are also widely used.
What is Customer Verification?
It’s important to understand that customer verification is different from authentication. Customer verification involves confirming specific details or information provided by the customer. For example, verifying a transaction, a change in service, or the accuracy of account information.
Verification serves as a double-check to ensure that the actions being taken or the information being provided is correct and authorized by the customer.
How customers are authenticated in IVR systems vs. authentication by agents
Interactive Voice Response (IVR) systems provide an automated way of authenticating customers before they are connected to a live agent. In IVR-based authentication, customers interact with a computerized system that guides them through a series of steps to verify their identity.
This process is typically initiated by the customer entering a personal identification number (PIN), account number, or other identifying information using the phone keypad or through voice commands.
The IVR system may also integrate more advanced authentication methods. For example, voice biometrics can be used to authenticate customers based on the unique characteristics of their voice. This method is not only secure but also user-friendly, as it requires minimal effort from the customer.
The IVR might also use two-factor authentication (2FA), where after entering a PIN or account number, the customer receives a code via SMS or email, which they must then enter into the IVR. IVR-based authentication is efficient as it reduces call handling times and frees up agents from performing routine authentication tasks.
However, it’s crucial that the IVR system is user-friendly and offers an option to quickly connect with a live agent if the customer has trouble with the automated process.
Modern IVR systems even use passive authentication methods, where they use voice biometrics to automatically authenticate a customer.
Authentication with a live agent
Agents typically begin the call by asking the customer to provide specific information to verify their identity.
This may include the customer’s name, date of birth, address, account number, or answers to predetermined security questions. In scenarios where more stringent security measures are required, agents might use knowledge-based authentication (KBA).
KBA involves asking questions that are supposedly known only to the customer, like previous transaction details or personal history questions. Agents may also use customer interaction history to ask questions related to previous service requests or account changes.
The human element in live agent authentication allows for more flexibility and problem-solving capabilities. If a customer struggles to remember a specific piece of information, the agent can use alternative questions or methods to authenticate them.
However, this method can be more time-consuming and is dependent on the skill and training of the agent to effectively and securely authenticate the customer.
Types of customer authentication
There are two main types of customer authentication methods in use today: Active and passive authentication.
Active Authentication
Active authentication involves the customer’s direct participation in the verification process. This method requires the customer to actively provide information or perform an action to prove their identity. A classic example of active authentication is the use of passwords or PINs.
This is time-consuming and takes longer, as the agent has to carefully verify the information before proceeding with the call.
Passive Authentication
Passive authentication, in contrast, verifies a customer’s identity without their active participation or often even their awareness.
This type of authentication happens in the background during a customer interaction and is designed to be non-intrusive. An example of passive authentication is voice biometrics used in contact centers.
When a customer calls in, the voice biometrics system analyzes their voice patterns (like pitch, tone, and speaking style) and compares them to a stored voiceprint. If the voice patterns match, the customer is authenticated without having to actively provide any specific information.
Pindrop makes it easy for contact centers to deploy passive voice authentication with the help of advanced voice biometrics.
Pindrop’s system passively authenticates customers by analyzing their unique voice characteristics during a phone call. This technology works in the background, seamlessly verifying a customer’s identity as they naturally speak with an agent.
The benefits of using biometric authentication
One of the most significant advantages of biometric authentication is its enhanced security. Biometric data is unique to each individual and extremely difficult to replicate or steal, unlike traditional authentication factors like passwords or security tokens, which can be forgotten, lost, guessed, or stolen.
For instance, voice biometrics in a contact center setting is based on the unique vocal characteristics of the user, making it a robust security measure against impersonation or fraud.
This level of security is particularly beneficial in industries where safeguarding sensitive information is paramount. Another key benefit is the convenience and speed it offers.
Biometric authentication typically requires a single action, like speaking or scanning a fingerprint, making the process much quicker and more user-friendly than traditional MFA methods, which often involve remembering and inputting passwords or codes.
This ease of use not only improves the customer experience but also enhances efficiency in scenarios like customer service calls, where quicker authentication can lead to reduced call times and increased overall throughput of customer queries.
More importantly, voice biometric systems are constantly learning and evolving, making them incredibly smart and reliant, especially in contact centers that receive a higher volume of calls.
How voice biometrics protects against call spoofing
One of the key strengths of voice biometrics in countering call spoofing lies in its immunity to manipulation of external identifiers like phone numbers.
Unlike Automatic Number Identification (ANI) validation, which relies on the phone number being transmitted correctly and can be spoofed, voice biometrics validates the caller based on their voiceprint – a unique identifier that cannot be easily altered or imitated.
This means that even if a fraudster successfully spoofs a phone number, they cannot mimic the voiceprint of the legitimate customer, making voice biometrics a powerful tool against identity theft and fraud.
In many contact centers however, voice biometric identification is used in tandem with ANI validation and matching. Think of it as adding another layer of security to ensure that the call originates from the customer’s account.
Even if a caller passes the ANI validation, they must still pass the voice biometric check. The system analyzes various aspects of the caller’s voice and compares them to a stored voiceprint. If the voiceprint doesn’t match, the call can be flagged for further investigation, even if the ANI was validated.
Customer Authentication: How Pindrop can help
Instead of just relying on standard authentication techniques, using Pindrop helps contact centers not only improve the speed of verification but also makes it more reliable.
Each individual’s voiceprint is as unique as a fingerprint, making it an extremely reliable form of authentication. When a customer calls in, the Pindrop system compares their voice against a stored voiceprint to verify their identity.
This process is highly secure and effectively minimizes the risk of fraudsters impersonating customers, as replicating someone’s voiceprint is exceedingly difficult.
With Pindrop, as soon as the customer speaks, their identity is verified passively and unobtrusively in the background.
This streamlined process leads to quicker call resolutions, enhancing customer satisfaction and enabling agents to focus more on addressing the customer’s needs rather than spending time on lengthy authentication procedures.
Pindrop is particularly effective in protecting against call spoofing and telephony fraud. By relying on voice biometrics, Pindrop ensures that even if a fraudster manages to spoof a caller ID, they cannot bypass the voice authentication.
And more importantly, Pindrop gives call center agents valuable insights and analytics based on voice interactions. This data can be used to improve customer service strategies, tailor services to individual needs, and better understand customer behaviors and preferences.






Increase accuracy, reduce false positives, and improve cross-channel fraud detection.
A more complete view of your company’s “fraud universe”
Fraud predictions by analyzing relationships between behaviors, accounts, other parameters
Connections to seemingly disconnected activities across time, accounts, and activities
Your expert panel


Mark Horne
Chief Marketing Officer, Pindrop






How hackers used various techniques, such as social engineering and Vishing (voice phishing) to exfiltrate customer data and shut down operations.
The impact of cybersecurity attacks on business, brand reputation and revenue.
Where businesses are most vulnerable within their IVR.
Your expert panel


Bryce McWhorter
Sr. Director, Product, Research & Engineering, Pindrop
Will Gordy
Director, Workplace Collaboration & Customer Experience, Verizon


Patrick Wiley
Partner Alliances, Pindrop
Despite the incredible leaps and bounds in the digital evolution, the phone channel is still very much a cornerstone for customers to interact with businesses. According to a Gartner’s Financial Services Operations report (December 2022), 46% of people surveyed still prefer to speak to someone on the phone in the service center.1
With customer preference for the phone channel remaining strong, the role of an Interactive Voice Response (IVR) or Interactive Virtual Agent (IVA) is paramount in providing a mechanism for authentication, self-service, and call routing.
Authenticating callers is a critical first step in the process as it opens the gate to a personalized experience, self-service capabilities, and customized routing opportunities. In order to accomplish this, organizations have an obligation to ensure that the authentication method employed provides confidence and trust that the caller actually is who they are claiming to be. A well-designed call flow, with thoughtful requirements around identification and authentication, can balance security with customer satisfaction, increase containment, and result in overall operational efficiencies.
The primary goal of any modern, robust, self-service IVR/IVA platform is to get the caller identified and authenticated as quickly as possible with the least amount of friction and the highest amount of trust. If the caller can quickly and easily authenticate, they are more likely to engage with the platform vs requesting assistance from an agent. Higher levels of trust and engagement also lead to expansion in the types of self-service transactions offered through the platform.
Choosing the appropriate authentication method is crucial as organizations must balance the needs of the contact center, regulatory requirements, the organization’s security requirements, and the customer experience. Authentication methods available for self-service IVR/IVA applications include: knowledge based authentication (KBA) questions, passwords, personal identification number (PIN), one time passcodes (OTP), biometrics, and multi-factor authentication (MFA).
Knowledge Based Authentication Questions
Knowledge based authentication (KBA) questions are the most commonly used mechanism in traditional IVR authentication as well as agent based authentication. Prompts for social security number, account number, member number, date of birth, or phone number might occur in order to identify and authenticate the caller.
KBAs are commonly used because the caller is very likely to know this information when calling into the contact center. Unfortunately, criminals also know this information, as it is widely available across the dark web as a result of phishing, social engineering, data breaches, etc.
Evidence of this assertion is supported in a recent study by Pindrop Labs in which the KBA security of four financial institutions was evaluated. Results found that fraudsters passed KBA at rates of 39%, 45%, 70%, and 83% across the four institutions. This high success rate of bad actors passing authentication processes demonstrates that fraudsters not only have a good understanding of the typical identity verification procedures used by financial institutions, they are also equipped to answer them with ease.2
Advantages:
- Use of KBA is a relatively low-cost and easy to implement method as it only requires the technology to validate the information provided by the caller
- Callers typically know the information and can easily provide it without much frustration or friction
Disadvantages:
- Presents a significant security risk as most of the information is easily accessible or guessed by fraudsters
- Data sources of the information on file may be inaccurate or outdated, leading to caller frustration
- Limited scale of what types of questions can be asked and answered in an automated IVR system due to limitations with or inability to perform speech recognition
- The value and use of KBA as the only form of authentication has been deprecated by the National Institute of Standards and Technology (NIST)3
Passwords
Traditional alphanumeric identifiers and passwords work well for online and mobile applications. The use of this method in a traditional IVR/IVA application is not often employed as it is difficult for voice recognition to correctly interpret a caller’s utterance due to the significant amount of phonetic overlap in sounds. Think “A”, “H” and “eight”, “B”, “V” and “D”, “P”, “C” and “T”, etc.
Although this technology has come a long way over the years, solutioning for unconstrained alphanumeric sequences remains a challenge.
Advantages:
- Most callers are familiar with creating and remembering simple passwords
- Password-based authentication is relatively low cost and easy to implement
Disadvantages:
- Secure passwords are complex, oftentimes unable to be spoken in recognizable words
- Increased frequency of data breaches forces consumers to change passwords regularly, making them difficult to remember
- Significant degree of phonetic overlap in sounds may impact speech recognition and lead to increased frustration and friction for callers when speaking their passwords character by character
- In DTMF based applications (no speech recognition), password entry via the keypad is extremely difficult, degrading the customer experience
PIN
Personal Identification Number (PIN) is a commonly used way to authenticate a caller in self-service IVR/IVAs, specifically within the financial vertical as most accounts have a credit/debit/atm card PIN established for transactional purposes. This is implemented by simply prompting the caller to say or enter their 4 or 6 digit PIN. There are both positive and negative impacts with PIN based authentication.
Advantages:
- PINs are more convenient than a traditional password
- PINs are typically short and easy to remember
- PINs can be more cost effective than using other forms of authentication
Disadvantages:
- Use of PINs pose a significant security risk as they are short and limited in strength, making them easier to guess or crack
- Use of a PIN alone (single-factor authentication) is limited and may not provide sufficient security when allowing someone to gain full access to an account
- PINs are also subject to the same data breach risks as KBA and Passwords and are often sold on the dark web as a package deal for monetization by criminals4
OTP
OTP as an authentication mechanism has existed for over 40 years – think hardware token generating random codes for entry into a computer application. Over time, this evolved to sending a soft token to the email address on file.
With the explosion of the use of mobile phones, SMS-based OTP quickly gained widespread use as it required only the phone and not the hardware token. Again, the primary use case for either an SMS-based or email-based OTP was centered around digital experiences. As businesses, particularly financial institutions, take action to modernize their IVR and self-service capabilities, it has become increasingly necessary to find more secure ways of verifying the identity of callers in order to allow them to transact.
OTP is sometimes offered as an option for callers to receive an SMS-based code and then provide it to the IVR/IVA application in order to service their call.
Advantages:
- Enhanced security as long as the OTP is only sent to registered mobile phone numbers or email addresses
- Provides a form of fraud mitigation as the OTP is only valid for a single session, making it difficult for hackers to gain unauthorized access using the same OTP
- Response to a numeric passcode is easier than providing a complex password in an IVR/IVA application
Disadvantages:
- User experience is cumbersome as the method requires users to switch between their IVR call and their mobile phone or email application in order to retrieve the passcode which could ultimately lead to low success rates and decreased caller engagement
- Security risk posed as hackers may gain access to a caller’s email or mobile device and intercept the OTP
- The total cost of ownership can be expensive, especially if the IVR/IVA handles significant call volumes, which could outweigh the cost savings of the tool overall
Biometrics
Biometrics offer a unique and secure way to authenticate individuals based on their physical or behavioral characteristics. Commonly used biometric technologies include: facial recognition, voice recognition, fingerprint recognition, iris recognition and behavioral biometrics.
The use of biometric technology in IVR/IVA platforms is gradually evolving as organizations seek ways to improve security without compromising caller experience. For the self-service telephony applications that do employ the use of biometrics, voice recognition is by far the most commonly implemented of the technologies.
In order to use voice biometric technology, a caller must first enroll. This requires the caller’s voice to be analyzed to create a voiceprint or a unique representation of their voice which is securely stored. The next time this person calls into the IVR/IVA, the system captures their voice and compares it to what was previously stored on the enrollment call. If there is a match, the caller can be considered authenticated and allowed to proceed with their transaction.
Advantages
- Voice biometrics is non-invasive and easy to use: the caller doesn’t have to remember a complex password, carry a specific device, or speak a particular language
- Decreased vulnerability by providing a layer of security that is very difficult for unauthorized users to access and steal
- Can be more cost-effective as it reduces the costs associated with other methods of authentication such as agent and OTP based authentication
- Provides significantly high accuracy with a low rate of false positives and false negatives
Disadvantages
- Not all callers may be able to use voice biometrics due to physical disabilities or medical conditions
- Not all contact centers have speech based IVR/IVA applications, relying solely on DTMF (key presses)
- Some callers may be uncomfortable with collection and storage of biometric data privacy concerns
Multi-Factor Authentication
The use of multi-factor authentication (MFA) in IVR/IVA platforms requires users to provide multiple forms of identification before they are granted access to information or services. Typical MFA strategies involve:
- Something the caller knows: this is often an account number, member ID, social security number, or PIN.
- Something the caller has: this is typically a mobile device that must be present in order for the caller to confirm their identity.
- Something the caller is: this refers to biometrics, which are typically voice based in an IVR/IVA environment.
One way this may be implemented in an IVR application is to first ask the caller to provide a piece of information (something they know), such as an account number. The next step in the process could be a mobile push or OTP to the mobile device on file for that account (something the caller has), and the final step might be to evaluate the caller’s voice as they provide their account number or OTP passcode (something the caller is). MFA can involve two or all three of the factors when authenticating a caller.
Advantages:
- By combining multiple forms of identification, MFA can provide a higher level of security than a single authentication method
- MFA typically meets most industry standards for compliance with regulatory requirements
- When designed properly, MFA can provide a more convenient and expedient authentication process
- MFA can reduce the cost per call by decreasing the average handle time associated with the call
Disadvantages:
- If not designed properly, MFA could add friction to callers which could negatively impact the customer experience
- Implementation of MFA often requires integration of additional hardware and software, which can increase the costs to service the call
Conclusion
Organizations must carefully assess the potential risks and benefits associated with each method of authentication when designing a modern day IVR/IVA authentication module. Balancing security, compliance, and cost, along with the user experience, is required in order to protect customer data, secure the call, and delight the customer.
As the fraud landscape continues to evolve, it is imperative that enterprises remain vigilant to implement authentication solutions that prevent fraud and maintain customer satisfaction and loyalty.5 Finally, it is critical that organizations invest in the overall design of the solution. Any methodology that is poorly designed can lead to lower customer satisfaction rates and increased cost.
3. https://pages.nist.gov/800-63-FAQ/ NIST Special Publication 80-63: Digital Identity Guidelines (March 3, 2022) Q-B07: Is the use of knowledge-based authentication permitted?
4. Pindrop, 2022 Voice Intelligence & Security Report, Gomez, Miguel, Dark Web Price Index 2020, Feb 2022,https://www.privacyaffairs.com/dark-web-price-index-2020/
5. Pindrop 2003 Voice Intelligence Report






There are multiple moving pieces to commit a crime, one fraudster may not be good at all three and thus sell or recruit other fraud groups to assist.
The security kill chain – how fraud works from reconnaissance to monetization – our data shows the kill chain can take between 10-60 days to complete, what are your early warning signs that something fraudulent is about to happen?
The complex web of fraud activity in the IVR – as seen through the lenses of graph analytics.
What can you do to arm yourself and protect against the growing scourge of IVR reconnaissance.
Your expert panel
Shawn Hall
VP, Product, Research and Engineering Pindrop
In the past 24 months, has your organization’s contact center shifted to offer more self-service options? Has your organization also experienced a significant increase in fraud attacks? Do you feel that these phenomena are somehow connected? You are not alone. Organizations across multiple industries are at a crossroads to find the perfect balance between customer experience enhancement and fraud prevention.
The COVID-19 pandemic changed the priorities and behaviors of both the organizations and their customers: call volumes increased, wait times became longer and consumer experience worsened. As a result, more self-service options became the need of the hour. 54% of financial institutions surveyed plan to increase their contact center’s self-service options in the following 12 months. This speaks to a desire for improved customer experience and a pressure to reduce operational costs, which in turn led to growing investments in self-service options via Interactive Voice Response (IVR) systems. Customers saw increased accessibility in a shorter timeframe and organizations were able to limit agent calls and lower average handle times.
However, as organizations implemented self-service enhancements and improved customer experience, they also became more vulnerable to fraud attacks. According to Forrester Consulting research commissioned by Pindrop, a survey of 259 global financial institution decision makers revealed that one of the significant impacts of COVID-19 on their business was the vulnerability of the IVR to fraudster account mining and reconnaissance.
So, how were fraudsters able to adapt so quickly? It can be explained by the familiar adage used in criminal investigations: means, motive, and opportunity. The fraudsters’ means (access to basic information via data breaches, phishing, malware, etc.) and the motive (financial gain) are common. The opportunity (exploiting the IVR for account reconnaissance), though, has proven to be a new territory for most organizations. While IVR systems enhance customer experience through “quick and easy” accessibility to account information, the self-contained and closed nature of the interactions in the IVR has also proved to be a blind spot for most organizations.
Due to the absence of human interaction, there is a lack of visibility within IVR systems that attracts fraudsters who view the IVR as a playground to exploit new self-service options.
For many organizations, approximately 70-80% of call traffic is contained in their IVR and never reaches a live agent. Our analysis of a US-based regional bank’s call traffic showed that 84% of their total calls during Q4 of 2021 was contained in the IVR. This means that only 16% of all call traffic was being actively monitored while the majority of the calls were in a blind spot with limited visibility into fraudster activity. Similarly, a community bank reported 70% of calls contained during the same timeframe. Although varying in revenue and call volume, both organizations experienced an increase in call containment and account mining within the past year and are seeing no signs of this decreasing. A wider analysis of 13 organizations, across multiple industries, showed that there is 20x more risky activity in the IVR than in the agent leg, with some type of loss occurring on 1 in 4 targeted accounts.
The enhancement of self-service options itself is not an issue. However, the ease of account accessibility combined with the lack of visibility into the IVR activity makes contact centers vulnerable. In 2020, Pindrop knew that self-service enhancements were becoming more popular and that organizations were beginning to feel the impact of fraudsters mining in their IVR. We have continued to conduct analysis and work with customers to better understand what is occurring in their various fraud management ecosystems to provide, and continuously improve upon, a solution.
Read The Case for Better Self Service Whitepaper on achieving IVR goals today!
What we know today is that fraudsters are not making one call a day or two before an attack. Most attacks occur after multiple calls (>5) have been made into the IVR and multiple days after the initial call into the IVR. Fraudsters require substantial lead time and multiple calls to perform enough reconnaissance to successfully takeover an account. They typically utilize the calls for the following:
- Confirm account status (Open, Closed, Blocked)
- Check account balances
- Verify recent transactions
- Confirm payroll schedule/direct deposit amounts
- Initiate account changes/updates
After gathering some, if not all, of this information, fraudsters typically turn to other channels to initiate a full takeover of an account. Rarely will they return to the phone channel to speak with an agent for assistance with performing a transaction. A call analysis for a regional community bank revealed that 61% of IVR related losses occurred over 11 days after the initial call in the IVR with more than 50% of the events having 5+ calls prior to the attack.
% figures represent the amount of fraud loss that occurred during each time interval after the first call was placed in the IVR by Fraudster
Often, the initial thoughts for a resolution typically revolve around wanting to assess the riskiness of a single call. Analyzing call risk helps to determine if a caller isn’t genuine, however, it does not help to identify fraud rings or determine which accounts may be the target of fraudulent behavior. The PindropⓇ Protect IVR solution assesses risk within the IVR and provides intelligence, referred to as Account Risk, that scores the likelihood of a given account being at risk of a fraud attempt, or an account takeover attack. The solution utilizes technology, such as Pindrop® Trace™, to analyze large sets of IVR activity across calls and accounts to identify complex patterns and provide an assessment of which accounts might be under surveillance by a fraudster.
Account Risk intelligence can be utilized to secure your IVR by limiting access to account information or be combined with other account details across multiple channels to allow your organization to direct focus to high exposure accounts that may require immediate action. This allows for early and increased visibility that can help drive faster detection to minimize fraud while driving better customer experience.
For one of our regional bank customers, a fraud ring was recently identified in their IVR by way of Account Risk intelligence. The fraudsters attempted attacks on 5 unique accounts. The account takeover (ATO) attempts were preceded with 9 calls into the bank’s IVR system using 1 phone number or ANI. All calls were IVR contained with the first call into the IVR occurring 7 days prior to the attacks beginning. It is important to note that the attempt occurred outside of the phone channel. Due to the increased visibility and early detection, the bank was able to secure and monitor the targeted accounts across multiple channels. Account Risk intelligence allowed the bank to be proactive and prevent a fraud loss of approximately $1.5mm (based on current available balances of all 5 targeted accounts).
Although we are on the path of returning to normalcy, for most organizations call center operations will not revert to fewer self-service options, which have already raised the bar for customer experience and reduced operational costs. We know that fraudsters want to remain hidden and exploit these self-service enhancements. To stop these fraudsters, your organization needs to monitor the IVR activity closely and immediately respond to risks before they manifest in fraud losses. PindropⓇ Protect IVR allows you to have that visibility through Account Risk intelligence to help prevent or minimize fraud while still driving better customer experience.
For more information, download the Account Risk Report or chat with one of our experts.
*Disclaimer: Except for externally cited and linked facts, all data cited in this article is based on analysis performed by Pindrop on actual customer accounts.*






Led by Pindrop’s Principal Sales Engineer, Jay Hart – our series on IVR fraud mitigation will walk you through common attacks threatening your contact center IVR and present recommendations, first-hand insights, and an anti-fraud playbook you can use to predict, identify, and mitigate fraud losses to protect your entire enterprise.
This series will focus on the practical implementation of anti-fraud strategies to specifically address fraud originating in the IVR. These live, curated presentations will provide insight, tools, and relevant discussion for contact center fraud and operations professionals concerned with protecting their data in a rapidly changing world.
How IVR fraud can be a predictor and indicator of existing and future fraudulent activity across channels outside of contact centers
What key technologies some of the largest companies and contact centers on earth are leveraging for fraud
How you can use data from various and different attack vectors to shut down fraud in your contact center.
Meet the Experts



Jay Hart
Principal, Solution Engineer, Pindrop


Dave Dalebroux
Sr. Product Marketing Manager, Market Intelligence






Led by Pindrop’s Principal Sales Engineer, Jay Hart – our series on IVR fraud mitigation will walk you through common attacks threatening your contact center IVR and present recommendations, first-hand insights, and an anti-fraud playbook you can use to predict, identify, and mitigate fraud losses to protect your entire enterprise.
This series will focus on the practical implementation of anti-fraud strategies to specifically address fraud originating in the IVR. These live, curated presentations will provide insight, tools, and relevant discussion for contact center fraud and operations professionals concerned with protecting their data in a rapidly changing world.
Key concepts in IVR technology protecting contact centers.
How IVR systems have become a weak point in contact center security.
How bad guys leverage automated contact center systems to mine account information.
How social engineering can happen without ever speaking to a contact center agent.
Your expert panel



Jay Hart
Principal, Solution Engineer, Pindrop
Fraudulent activity in the IVR has become a tool for more sophisticated fraudsters and scammers to gain sensitive data that puts contact centers and financial institutions at risk.
Fraudsters often use Interactive Voice Response (IVR) systems to mine information, which they subsequently leverage to commit fraud at various other touchpoints downstream. Forward-thinking contact centers need strategic defenses in place to prevent fraudsters from exploiting the IVR.
As fraud tactics evolve to adapt to the changing landscape in which businesses are operating, virtually and in the cloud, sophisticated technology solutions can help contact centers sustainably address fraud. Securing the IVR is an integral step in this process.
Why Does Fraud Happen in the IVR?
The IVR call experience has become feature-rich and simpler to use, allowing fraudsters to gain access to data quickly. It is not about the transaction at this level, but rather the mining of sensitive information. Because there is little visibility into the traditional IVR for many companies, fraud is on the rise, and contact centers are starting to learn how to fight it.
Fraudsters exploit the IVR to surveil accounts and to operationalize their fraud and planning tactics. These scam artists can operate covertly within the IVR once they have an account number, guessing at pin codes and answers to security questions with relative impunity. When they automate this process and generate a new pin code every ten minutes, they crack a four-digit code in an average of 21 days.
How Do Fraudsters Exploit the IVR?
One typical example of IVR fraud is referred to as “Man in the Call.”
In this scenario, a scammer buys data such as a telephone number from the dark web, and “spoofs” it to begin making calls to banks at random. Depending upon the nature of the interaction within the IVR, the fraudster learns where the owner of the phone number banks, and then uses this information to initiate fraud.
If the fraudster is greeted with a first-time “welcome” message, they can assume it is not their target’s bank. However, if they are immediately taken through a series of questions to authenticate, the fraudster can assume they’ve reached the person’s financial institution.
The fraudster will then contact the account owner, representing themselves as an agent from their FI, and attempt to have the individual authenticate their account by providing sensitive, personal information which leads to fraud at other touch points downstream.
They may also commit SMS fraud by messaging the legitimate person to notify them of fraud on their account. When the victim clicks on the link within the message, or calls the number provided by the scammer, they are routed to an illegitimate operator who puts them through authentication. If the caller provides answers, the compromise is complete.
If the caller balks at the fraudster’s request for authentication, savvy scammers will route them to an actual customer service representative at their FI, and then listen in on the conversation to complete the fraudulent act. The “man in the call” is still present on the line. This level of sophistication demonstrates how fraud can take place on a call even when a customer is working with a legitimate agent on a verified bank phone line.
How to Detect and Combat Fraud in the IVR
Detecting fraud in the IVR helps ward off fraudsters pretending to be legitimate agents. Millions of calls flow through the IVR, and far fewer of these calls ever reach an agent. Contact centers can employ strategies and best practices to operationalize intelligence from their own IVR systems.
A reimagined contact center for the modern era is one in which the IVR is protected through systematic risk scoring and call intelligence driven by AI and machine learning.
Pindrop Protect rates the level of risk for a call based on factors that include behavior spotted in the IVR. An intuitive case management tool flags calls based on a customizable risk threshold and facilitates intelligent filtering of flagged activity. AI and ML work in tandem to offer root cause analysis that enables fraud analysts to detect and protect against fraudsters operating across multiple channels and accounts.
Contact centers should not settle on a solution that can IVR fraud detection and agent leg protection. Look for an integrated strategy that deploys AI and ML to deliver on-premise and cloud-based fraud detection for both the IVR and agent legs.
Learn more about the rise of fraud in the IVR on Pindrop Pulse, and find out why IVRs and contact centers are the new vector of choice for fraudsters.
As the contactless economy evolves from necessity to preferred – the lines between fraud attacks have been blurred. Increasingly criminals have begin stitching together information from social media and professional networks to target consumers and your employees.
Staggering rises in call volumes have helped to hide network vulnerabilities originating from unmonitored customer service tools like the IVR. IVRs that are leaking data are being leveraged to develop new attacks and network threats. Organizations concerned with the reduction of fraud loss and exposure should begin looking outside of traditional network concerns and into their contact centers’ IVRs.
“The fraudster’s greatest liability is the certainty that the fraud is too clever to be detected.”
– Louis J. Freeh Former U.S. F.B.I Director
Pindrop has organized a collection of tools, assets, and other resources to aid contact center leaders in their race to optimize operational costs, improve customer experience, and improve security measures, as organizations restructure and prepare for the road ahead. You can explore the tool kit on this page linearly or choose the section you need:
- The IVR Experience – CX Essential or Network Vulnerability?
- Network Threats in an IVR: IVR Fraud Defined
- Network Threats in an IVR – What Does It Look Like?
- 3 Benefits of Fighting Fraud in The IVR- Beyond Cost Savings
- Best Practices For Employing Network Security IVR Monitoring For The IVR
- Going Forward The Future of IVR Security
The IVR Experience – CX Essential or Network Vulnerability?
Traditional Contact center IVR security solutions are employed to reduce costs surrounding fraud targeted at your contact center. However, with the evolution of fraud tactics and the expansion of the attack surface due to a focus on the phone channel as a vector, IVR security technologies are being expanded with capabilities to help identify fraud loss across channels, accounts, and time in advance of the actual occurrence.
On this page you will find a comprehensive toolkit complete with IVR security resources you can use to protect your consumer’s data inside and outside of the contact center.
The IVR Experience: CX Essential
Known IVR best practices focus on customer experience and increasing call capacity through the implementation of IVR design, conversion, and self-service tools. The capabilities these technologies add are meant to improve customer effort scores and improve value but in 2020 the IVR is now a testing ground for fraud tactics and an unmonitored channel for data validation. Though customer experience is regarded as the primary focus of IVR implementation, the focus for security and fraud professionals concerning the IVR- should be the vulnerabilities that exist within it and the opportunities it provides for future fraud loss.
The IVR Experience: Network Vulnerabilities
Criminals use the IVR to validate data, these data reconnaissance activities don’t look like account takeover or other fraudulent activities. Instead, network threats originating in the IVR and later resulting in fraud, often look like innocuous low-risk transactions or nothing at all. This is because IVR Fraud is about information mining- not your typical network threat, these “fraud anomaly” look like genuine query, this is not an intrusion but reconnaissance. Fraudsters use the IVR to gather and validate information, as you would on a search engine- turning your CRM into a free-entry amusement park for cheats. Unmonitored IVRs are security gaps that provide the perfect cover fraudsters need to test passwords, query account statuses and optimize their strategies for social engineering scams later.
Network Threats in an IVR: IVR Fraud Defined
IVR Fraud is defined as fraudulent activity or activities leading to fraudulent activity that occurs within an interactive voice response system, or IVR. Fraudsters exploit IVRs to surveil accounts and to operationalize their fraud and planning tactics.
Low monitoring rates in the IVR has allowed fraudsters to build up formidable attacks by first mining and validating customer information and then using the verified data to execute social engineering attacks against customer service agents or fraudulent activity across other channels like chat and email. Highly trained and organized, professional fraudsters can manipulate even seasoned agents into taking over accounts.
Protecting the IVR means employing software capable of leveraging all data in the call lifecycle as even the non-audio data from within an IVR, can help identify:
- Suspicious behavior that could be mining or validation
- At-risk accounts across communication channels
- High-risk callers before they are ever connected to an agent.
Network Threats in an IVR – What Does It Look Like?
Fraudsters use IVR to do surveillance on accounts to optimize their operations. Because these actions are reconnaissance in nature and most most IVRs do not permit “high risk” transactions, IVR fraud monitoring is low. Professional fraudsters know this and use automated scripts to gather, test, and augment data for future use.
Fraud Hides In-between Genuine Transactions
Fraudsters use your IVR as a search engine for your CRM. For years call centers have been developing processes focused on creating an enjoyable customer experience. As a result, IVRs have become information and feature-rich playlands that fraudsters use to target accounts and optimize their operations. The data-validation step is essential for fraudsters as good data is necessary for fraudulent transactions and activities.
With organizations focusing on better self-service for customers, contact centers will gradually evolve to allow for higher risk transactions in the IVR. As this happens, the same attacks fraudsters launch today on call center agents will become more prevalent in the IVR, and at an even greater scale due to increases in call volume.
IVR Fraud manifests in 4 ways:
- Information Mining & Leakage
When fraudsters gather, test, and augment data in your IVR, they are information mining. They need little to no information to start and using your IVR they can collect the tools and information they need to commit fraudulent transactions. - Account Surveillance
Fraudsters understand contact center technology, they come into contact with it every single day. They know IVRs are developed to be easy to use to ensure positive customer experiences and leverage this vulnerability along with the assumption that the IVR is unmonitored to verify account availability and balances. Account surveillance helps criminals determine which accounts they will attack next. - PINs & Passwords
Low risk transactions like pin changes are allowed in some IVRs. Fraudsters often use this capability to crack PINs, change them, and the use the new PIN to take over the targeted account. - Cross Channel Fraud
IVR fraud also enables fraudsters to leverage information mined from or leaked in the IVR for use across channels. Fraudsters use the ill-gotten customer information to pass through authentication procedures in other channels – online, in the call center, and in-person.
IVR fraud protection actively monitors accounts, analyzes calls, and recalculates risk to prevent these manifestations.
3 Benefits of Fighting Fraud in The IVR- Beyond Cost Savings
- An Extra Layer of Protection Before Connecting to an Agent
Customer service agents are easily socially engineered by experienced fraudsters. Leveraging fraud monitoring and identification practices within the IVR give agents a powerful tool that empowers agents to protect customer data. By assessing calls before they are connected to agents for suspicious activity, past behavior, or account
- IVR Insights Predict Fraud Outside of the Phone Channel
Protect clients can provide real-time risk updates for customer accounts, letting them know which accounts are seeing fraudulent or fraud supporting activities in real-time. Our proprietary technology combined with our AI predicts which account are most likely be attacked next – while simultaneously calculating a risk per call and caller. Machine learning ingests caller behavior- like address changes, keypresses, and metadata from the call – even if performed in the IVR to assess the likelihood of fraud.
- A Simplified Way to Identify At-Risk Accounts
Anti-fraud clients like Protect provide real-time risk updates for customer accounts, alerting teams to at-risk accounts. Protect calculates call and account risk at the beginning and at the conclusion of each call, leveraging the entire call lifecycle from connection to an IVR to the conclusion of the call.
[optin-monster slug=”s82dyfpsso3ly8pcnos0″]
Best Practices For Employing Network Security Monitoring For The IVR
The IVR is a traditionally under monitored component of the contact center ecosystem. As more efforts have gone into strengthening customer contact and security from online, chat and mobile perspective, IVR’s have not been protected to the same extent
Find A Solution Specifically Created For the IVR
To ensure your IVRs protection your should find is a solution that focuses squarely on this IVR vulnerability and shores up the defenses to increase security throughout the contact center. Specified anti-fraud solutions and procedures can analyze behavioral abnormalities in the IVR and use specialized non-audio analytics developed for the IVR environment
Correlate Account Risk to Risky Callers
Crime rings and professional fraudsters are crafty and practiced at staying under the radar. The longer they go unnoticed the more they can steal from you. For full protection, chose a solution with the ability to feed account-based risk information into your cross channel risk orchestration platform to identify cross channel risk at the account level.
Link Seemingly Unrelated Data
Fraud rings are more difficult to identify the larger and more complex than they are. The use of graphic algorithms for fraud anomaly detection simplifies their identification by analyzing commonalities that exist between callers, accounts, and behaviors across time. Graphic algorithms for fraud defense in contact centers make anti-fraud solutions more accurate, supports predictive analytics, and ultimately helps you find more indicators of potential fraud.
Mitigate Loss Real-Time
To identify and stop fraud in real-time, even from first-time callers, you need the ability to calculate risk in real-time. Real-time calculations of risk scores eliminate time lag between account compromise and fraud attempt. The eradication of these time lags means less fraud loss for your organization as perpetrators are thwarted in real-time.
Employ Predictive Analytics
The majority of detected IVR fraud is reported 30 days or more after the first call into the IVR. This implies that detecting fraud while it happens is too late in the process. In addition to correlating risky callers to accounts, you should employ predictive analytics to ascertain which accounts are likely to be compromised before it happens.
Beyond 2020 IVR Security is Network Security
The replacement of face-to-face customer service with alternate means of customer interaction has driven many, both genuine customers and fraudsters to the phone channel. Now, the contactless economy demands accessibility and multi-channel touches. Yet 60% of fraud in the phone channel touches an IVR.
Pindrop has resources you can use to secure the IVR and protect your organization against attacks across channels. Visit Pulse for curated webinars, discussions, and analyst reviews of emerging threats and solution technology.
Fraudulent activity in the IVR has become a tool for more sophisticated fraudsters and scammers to gain sensitive data that puts contact centers and financial institutions at risk.
Fraudsters often use IVR systems to mine and validate information, which they subsequently leverage to commit fraud at various other touchpoints downstream. As fraud tactics evolve to adapt to the changing landscape in which businesses are operating, sophisticated technology solutions can help contact centers proactively address fraud. Monitoring your IVR is an integral step in this process.
What is IVR Fraud, and Why Should I Focus Here?
IVR Fraud is defined as fraudulent activity or activities leading to fraudulent activity that occurs within an interactive voice response system, or IVR. Fraudsters exploit IVRs to surveil accounts and to operationalize their fraud and planning tactics.
Low monitoring rates in the IVR has allowed fraudsters to build up formidable attacks by first mining and validating customer information and then using the verified data to execute social engineering attacks against customer service agents or fraudulent activity across other channels like chat and email. Highly trained and organized, professional fraudsters can manipulate even seasoned agents into taking over accounts.
Employing software capable of leveraging all data in the call lifecycle, even the non-audio data from within an IVR, can help identify:
- Suspicious behavior that could be mining or validation
- At-risk accounts across communication channels
- High-risk callers before they are ever connected to an agent.
In practice, the experience for the customer, agent, and the leadership team of contact centers will significantly depend on the strategies and technology they adopt. Pindrop Protect, for example, is entirely passive – working in the background throughout the entire call to monitor each call and associated account event for anomalies that could lead to fraud downstream.
How to Detect and Combat Fraud in the IVR
Detecting fraud in the IVR helps ward off fraudsters pretending to be legitimate agents. Millions of calls flow through the IVR, and far fewer of these calls ever reach an agent. Contact centers can employ strategies and best practices to operationalize intelligence from their IVR systems to predict, identify, and address fraud in the phone and across other channels. .
3 Benefits of Fighting Fraud in The IVR- Beyond Cost Savings/
- An extra layer of protection before connecting to an agent
Customer service agents are easily socially engineered by experienced fraudsters. Leveraging fraud monitoring and identification practices within the IVR give agents a powerful tool that empowers agents to protect customer data. By assessing calls before they are connected to agents for suspicious activity, past behavior, or account
- IVR insights predict fraud outside of the phone channel
Protect clients can provide real-time risk updates for customer accounts, letting them know which accounts are seeing fraudulent or fraud supporting activities in real-time. Our proprietary technology combined with our AI predicts which account are most likely be attacked next – while simultaneously calculating a risk per call and caller. Machine learning ingests caller behavior- like address changes, keypresses, and metadata from the call – even if performed in the IVR to assess the likelihood of fraud.
- A simplified way to identify at-risk accounts
Anti-fraud clients like Protect provide real-time risk updates for customer accounts, alerting teams to at-risk accounts. Protect calculates call and account risk at the beginning and at the conclusion of each call, leveraging the entire call lifecycle from connection to an IVR to the conclusion of the call.
In short, leveraging call data from the full lifecycle of the call, including non-audio metadata from IVR, helps harden your organization to customer data theft, protecting your brand on the phone channel and across all others where you interact with customers.
Pindrop Protect is a multifactor anti-fraud detection service that enables fraud teams to stop fraud in real-time, predict future fraudulent activity, reduce fraud-related costs, improve efficiency & review rates, and harden the contact center to attack. Unlike other solutions, Protect works from IVR to agent identifying which calls are risky, and flagging accounts that are likely to be attacked up to 30 days before an attack can occur. Our solution is also more accurate, detecting up to 80% of phone channel fraud, even on the first attempt, and helps prevent fraud across channels, helping to secure customer data and your revenue beyond the contact center.