What contact centres need to know about consumer fraud vulnerabilities

Consumer fraud is the most high-profile fraud risk facing financial services institutions today. The figures are alarming.

In 2020, Authorised Push Payment (APP) fraud cost British consumers £479m, and in the first half of 2021 alone, losses hit the £355.3m mark – that’s a 71% increase year-on-year.

Although dedicated contact centre fraud is rare, almost every form of consumer fraud touches the contact centre at some point. So, what do security and contact centre professionals need to know before they make any security decisions?

A complex and evolving fraud landscape

The starting point is to grasp the scale of the problem by realising how sophisticated the technologies and techniques today’s fraudsters use are. Every technological advance that an organisation seizes on for competitive advantage is probably also available to, and used by, cybercriminals. The spirit of collaboration that drives workplaces is reaching into fraud as well, and co-operation between criminals is growing. And the rise of a 'brokerage' sector selling personal data on the dark web widens the commercialisation of data to fraud.

Then the pandemic occurred, layering on more complexity.

Pandemic-related changes in consumer behaviour were felt acutely in the banking and financial services sector. Most consumer fraud relies on an element of social engineering, and fraudsters are helped to achieve this by the easy availability of leaked or hacked data. At the same time, huge swathes of populations began using unfamiliar technology, and organised criminals exploited this period of transition.

Get into the fraudster’s mind

The next step is to understand how fraudsters operate, and the good news is that there’s a clear pattern to a typical consumer fraud attack to watch out for. Jamie Melling, CEO at contact centre anti-fraud specialists, Smartnumbers, outlines a three-step process:

1. Data harvesting
Fraudsters gather pieces of information that may be used for Knowledge Based Authentication (KBA) factors. A classic example of this is a mother’s maiden name. Reams of data like this are available for pennies on the dark web, and brokers harvest new data constantly.

2. Using robo-dialling software
Once fraudsters are in possession of the relevant information, they’ll often use robo-dialling software in an attempt to identify where an account is held. They may automate calls to banks' self-service Interactive Voice Response (IVR) numbers and wait to see which one responds. When they get through, they’ll carry out tasks such as checking a balance, or they’ll use brute force attacks to guess a CVV number. 

3. Waiting for the right moment
Once a sophisticated fraudster has established access, they may then wait and monitor the account to see when money comes in, to identify the best time to carry out a theft.

How are contact centres leaving themselves vulnerable?

With this background knowledge in mind, security and contact centre professionals for financial services institutions can work out where there are vulnerabilities in the contact centre.

Although dedicated contact centre fraud remains a modest percentage of total consumer fraud losses, this doesn’t give a true picture of the importance of contact centre security.

In fact, almost every form of consumer fraud either begins with the contact centre or will touch it at some point. For example, online fraud and card-based fraud journeys often begin with the fraudster requesting a new card through the bank's IVR system. Even in APP fraud, malicious actors are likely to need the contact centre, for example, to find out where an account is held.

Financial services institutions tend to respond to this situation by increasing the number of KBA challenges that need to be cleared, or by increasing the number of other security factors used. As a result, the average time taken to authenticate a caller to a bank's IVR has increased by 34 seconds resulting in huge associated costs.

The instinct is to increase security in a way that directly impacts on the customer experience, when there are technological alternatives that don’t have such an effect on customers.

Investing in a solution that identifies suspicious callers before they reach the contact centre protects the IVR from reconnaissance, saves time verifying the identity of trusted callers which improves the customer experience, and reduces the risk of being defrauded. Research by Smartnumbers reveals that spending on contact centre fraud prevention such as this yields, on average, a 400% return.

Our ecosystem thinking approach to security for financial services institutions makes it easy for you to tap into our best-of-breed security partners to create a multi-layered, fully integrated approach.

Download our whitepaper, ‘Ecosystem thinking: the fraud and risk approach that protects from every angle’ to explore how you can better secure your contact centre.

And keep an eye out for our next blog post in our fraud and risk series on the developments that are keeping financial services contact centres protected.