Call center fraud is a growing problem. In general, the security of call center operations is getting more attention. We clearly see this at RSconnect where our Active Login Manager product is often implemented in call center environments. The solution simplifies the login procedures for call center agents while keeping the infrastructure secure.
Recently we received this report on call center threats, and we would like to share some of the highlights with you. The call center research provides some valuable insights into call center security threats and how call centers play a role in fraud schemes. I highlight some key observations here.
One of the drivers behind the increase in call center fraud is the rise of chip card technology. Chips in credit cards and other cards make them more secure which complicates their use in fraud schemes. The call center is becoming a very popular fraud alternative since it provides a relatively weak backdoor to organizations.
Very often the call center is the first stop when preparing fraudulent activities. In the research, you find many examples where the criminals first make calls to the call center IVR system. Via automated IVR calls they can test and modify data (usernames, pin codes, etc.) which they acquired via other channels. For example, if someone purchased a stolen database with account information, it is easy to test these data via IVRs. IVRs often appear not to be configured for recognizing multiple sessions, long calls, and other unusual behavior.
Since he is only human, the call center agent is the perfect victim for a fraudster to provide information. Information which the criminal needs to make the next step in his fraud scheme. Or to initiate the necessary financial transactions. Fraudsters are often skilled social engineers who use emotions and their personal touch to manipulate the call center agent. In the report, a study is cited where 22% of financial institution executives believed that social engineering is a critical risk factor in their organizations. The same study suggests that 61% of all fraud is using the call center.
A simple example in the report is where the fraudster reports via a call center a problem with a phone and ask for a replacement. However, ‘the friendly customer’ also manages to have the new phone delivered to a business or holiday address. After which it is out of sight and ready for the black market.
Most of the fraud scenarios make use of the fact that call center staff use Knowledge Based Authentication (KBA) to verify a caller’s identity. Information like home addresses, zip codes, dates of birth can all be found somewhere. Or information received from an agent in call center A can be used to authenticate yourself to an agent at call center B. The same applies for the caller ID. Caller ID spoofing is nowadays a piece of cake.
And even if the call center deploys advanced technologies like audio fingerprinting to trace the real origin of a call, there are possibilities for fraud. In business environments, it is often possible just to use the company phones of the victim. Will the call center agent of a computer supplier be suspicious if a known customer – the call is traced and is made from a fixed line number in the customer corporate office – calls about an existing order for 20 laptops? The customer wants to change the delivery address and the call center agent is willing to organize this. He cannot know that although the call originates from the corporate office, it comes from an unauthorized visitor at an anonymous flex desk using a non-secured desktop telephone.
There is a substantial risk that your call center or your call center staff will be targeted by fraudsters. It is worthwhile to investigate the risks in your specific business domain and review the security measures in place. At RSconnect, we are happy to assist you in securing the voice technology in your call center.
