Optimizing authentication and preventing fraud are hot topics in the industry. Knowledge-Based Authentication (KBA) has been the approach for most centers until now; however, it is terribly flawed and vulnerable. Much of that information has been compromised and can be obtained through the dark web and social engineering. So it’s time to build and execute a strategy now, before you incur unnecessary costs and put innocent customers through the wringer.
Start by thinking of things like Account Number and Social Security Number as Identity only; these are not paths to authentication or verification in today’s data-compromised world. They are vulnerable to theft and not enough to authenticate and trust that customers are who they say they are. Similarly, date of birth, mother’s maiden name, address, and other “knowledge” are relatively easy for fraudsters to secure. And all those other questions about phone passwords (that are often forgotten), recent activities, and favorites just make everyone want to scream. Accept these realities as you build a strategy that is customer-friendly and protects your company at the same time.
Your strategy should address various activities that might raise a flag. For example, companies experiencing fraud can have many calls to the IVR, or see very long calls. Repeat callers may also fish around with multiple agents to get info, because the bad guys know agents want to help customers! Watch for lots of calls coming in from a single ANI or Caller ID. Beware of bad guys trying different paths into an account; track activity across voice, web, mobile, and chat.
Never use an internal number as an indicator of a valid call. Fraudsters call individuals outside the contact center (e.g., IT, HR) and then say, “I’m sorry, I am in the wrong place. Please transfer me to the call center…” Shut down this alternate path and capture information about the attempt.
Contact history needs to capture suspicious activity in a CRM or similar application. Use business rules to assess the data and route suspicious callers to the appropriate staff and pop clear warning signs at agent desktops.
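As an added illustration (not from the original article), the Python sketch below applies the warning signs listed above to a contact history and routes flagged accounts to specialist staff with a desktop warning. The record layout, thresholds, flag names, and queue names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample contact history: (account, ani, channel, agent, seconds).
CONTACTS = [
    ("A1", "5550100", "ivr", None, 45), ("A1", "5550100", "ivr", None, 50),
    ("A1", "5550100", "ivr", None, 38), ("A1", "5550100", "voice", "agent1", 420),
    ("A1", "5550100", "voice", "agent2", 2000), ("A1", "5550100", "voice", "agent3", 380),
    ("A1", None, "web", None, 0), ("A1", None, "chat", "agent4", 600),
    ("B2", "5550199", "voice", "agent5", 300),
]

# Assumed thresholds (not from the article); tune against your own baseline.
LIMITS = {"ani_calls": 5, "ivr_calls": 3, "long_secs": 1800, "agents": 3, "channels": 3}

def assess(contacts, limits=LIMITS):
    """Return {account: sorted list of flags} using the indicators in the text."""
    ani_calls = defaultdict(int)
    acct = defaultdict(lambda: {"ivr": 0, "max_secs": 0, "agents": set(),
                                "channels": set(), "anis": set()})
    for account, ani, channel, agent, secs in contacts:
        a = acct[account]
        a["channels"].add(channel)          # paths tried into this account
        a["max_secs"] = max(a["max_secs"], secs)
        if channel == "ivr":
            a["ivr"] += 1
        if agent:
            a["agents"].add(agent)          # caller fishing across agents
        if ani:
            ani_calls[ani] += 1             # volume from a single ANI / Caller ID
            a["anis"].add(ani)
    result = {}
    for account, a in acct.items():
        checks = {
            "many_calls_single_ani": any(ani_calls[n] >= limits["ani_calls"] for n in a["anis"]),
            "many_ivr_calls": a["ivr"] >= limits["ivr_calls"],
            "very_long_call": a["max_secs"] >= limits["long_secs"],
            "multiple_agents": len(a["agents"]) >= limits["agents"],
            "multi_channel": len(a["channels"]) >= limits["channels"],
        }
        result[account] = sorted(name for name, hit in checks.items() if hit)
    return result

def route(flags):
    """Business rule: any flag routes to specialist staff with a desktop warning."""
    if flags:
        return "fraud_review", "WARNING: " + ", ".join(flags)
    return "standard", ""

if __name__ == "__main__":
    for account, flags in assess(CONTACTS).items():
        print(account, route(flags))
```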
As another defense, any kind of change in contact information should trigger follow-up with the customer. For example, a change of address, phone, or email triggers communication to both the old and new address. Use of more timely communications can help engage the customer more quickly and stop a fraudulent scenario from developing.
We can’t forget new customers. They can pose a different challenge as there is no contact history or records to match. As noted above, the phone number and carrier information are still useful in indicating the caller is legitimate (e.g., the phone number is engaged, the SIM card is valid), even when they can’t be matched in a customer database.
While the focus of these efforts tends to be on inbound calls, outbound calls play a role, too. Some centers need to make outbound calls, and others turn inbound into outbound to address risk concerns or long queues. They may call customers at the number on file when concerned about large-value or high-risk transactions. The bad news is that this does not guarantee success, as bad guys have ways to divert calls. Moreover, legitimate customers receiving such calls may be suspicious and not want to provide authenticating information. Rather, they want to authenticate the caller! So your best bet is to make inbound work well.
All these scenarios point to the importance of building a strategy with the right kinds of technology, as well as people and process changes. Many companies conduct a Proof of Value (PoV) to determine whether or not a proposed change delivers enough value to justify the cost. With cloud solution options, PoV may look favorable based on ease of implementation, low start-up costs, and attractive exit options if you don’t reap adequate benefits.
Vendor research and market data show this problem is growing and expensive. The problem will also continue to evolve, so companies must adapt to the latest tactics fraudsters try. Engaging a specialist that lives in this world is probably the strongest defense a center can have.
Don’t wait until you have a bad situation with fraud, or long handle times and frustrated customers and representatives. Proactively pursue a plan to optimize your authentication and fraud prevention.