COVID-Era Phone Fraud Demands Omnichannel Response


The contact center is an essential part of any business that requires one: Both human agents and electronic IVR systems play key roles in establishing customer trust, enhancing customer convenience and solving customer problems.

Over the past year, the world’s contact centers have conquered overwhelming challenges. In the first month of the coronavirus pandemic, some industries received triple their average weekly calls even as they struggled to transition to remote work and decentralized offices. Those first weeks of chaos would, in retrospect, seem almost quiet: Some businesses saw 800% of their normal call volume in the three succeeding months.

While contact center managers and agents deserve a break, it hasn’t arrived yet. As I write, the United Kingdom has reimposed lockdowns that may remain in place until March; in the United States, cities and states are introducing more rigorous limits on social and professional gatherings. Chances are, call volume will increase once again. And while the vast majority of calls received will be innocuous, not every caller is an innocent. In a time of vast call volumes, how can contact centers balance efficiency and security?

While 2020 set records, call volume may not be the most important metric to consider. Although last year saw a spike in total calls, criminal and fraudulent call volume has been increasing every year over the past decade. In 2013-2014, about one in every 2,900 calls was fraudulent. In 2017-2018, one in every 638 calls was suspicious. In five years, fraudulent call volume grew 350%.

New Variations on Old Tricks

Scammers and fraudsters are creative; they change their tactics and approaches as the world changes around them. Although the coronavirus has not inspired any genuinely original scams, fraudsters have created new variations on their tried-and-untrue tricks. For example, concern about when and how stimulus payments arrive in Americans’ bank accounts offer fraudsters ways to exploit stressed and unwary victims. Similarly, a dubious text message from an unknown number looks more convincing when states are mass-texting COVID news to residents.

Fraudsters love making their lies seem urgent: They send robocalls and emails pretending to be police, or they claim to be the IRS and threaten audits and lawsuits. In a time of worldwide stress and uncertainty, fraudsters are lucky. If everyone is tired and worried and fearing the worst, lies become more believable. And, if a single account a person controls is compromised, chances are that fraudsters will use the information they’ve stolen to crack more accounts and gain greater control.

Cross-Channel Security

Device proliferation has made multitasking easy. We can check our credit card statements on our laptop while we’re on hold on a phone call with our bank; we can trade stocks with a phone app while we’re sitting in front of the TV. In the contemporary world, we’re rarely doing just one thing with one tool at a time. Fraudsters and hackers are equally adept at juggling tasks, and they can exploit a small gap in one system to open a huge hole in another. True security is, by definition, holistic and omnichannel.

In an omnichannel attack, contact centers may not be obvious targets, but they’re vital nonetheless. Suppose a Dark Web fraudster obtains a customer’s name, phone number, date of birth and address, but doesn’t have direct knowledge of their intended victim’s bank. The fraudster can use what they already have in an IVR attack.

How? First, the fraudster makes phone calls to random major banks, using the phone spoofing technology to make it seem like the call is coming from the victim. Many IVRs are programmed to run “welcome back” messages when they receive calls from a customer’s phone. If the fraudster gets one of these messages, they’ve learned that their target holds an account at the bank. From there, the fraudster can pose as the bank and send a spoofed text message to their victim. The text will include a link to a fake website that will harvest further information. Alternatively, the fraudster can call their victim and pose as a customer service representative. If the customer declines to give information, the fraudster may transfer the customer to the legitimate bank IVR, but stay on the line to eavesdrop key data.

In the attack outlined above, no single broken element permits the exploit. Rather, the attacker pieces together the information they need from multiple sources. A street mugging or a bank robbery is an event. Account takeover or identity theft, by contrast, is a process.

Actions to Take

If fraud is committed across channels, it follows that a single approach to fraud will not be enough to eliminate it. To defeat fraud in the age of coronavirus, you need to be as proactive and wide-ranging as your opponents are. The IVR, the contact center agents, and even your customers all have roles to play.

IVR security technology has improved by leaps and bounds in the past several years, but many contact centers have been slow to implement the latest and greatest advances. An in-house blacklist of suspicious or confirmed fraudulent phone numbers is no longer sufficient for business and consumer protection. Today’s best-in-class IVR security infrastructure will include a blacklist, but that’s only the beginning. Carrier data can signal if a phone number is spoofed or originating from an unlikely location, while voiceprinting can stop audio deepfakes. With machine learning, even seemingly minor details, like how long it takes for a caller to respond to an IVR prompt, can raise red flags. Because IVR data mining often occurs about one and two months before an account takeover, good IVR security can alert stakeholders of potential problems months in advance.

Not every call to your company will end at the IVR, and so your contact center agents and fraud teams must have the tools they need to identify fraud. Although training your agents to treat every call as potentially fraudulent is a bad idea, they must know the hallmarks of fraudulent behavior, and be kept up-to-date on newly popular scams, like those related to coronavirus relief and to stimulus. Because modern fraudsters rely on cross-channel attacks, it’s important to break down information silos that keep your agents and fraud team from key data. Agents should be notified when there have been alerts attached to the accounts of customers they’re talking to.

A secure IVR and empowered agents go a long way toward beating fraud, but your customers or clients must also do their part to keep themselves safe. The good news is that the general public is more informed than it has ever been: Identity theft and data fraud are familiar concepts, and the vast majority of fraud attempts fail. Still, just one small slip can have huge consequences, so businesses should continue to educate the people they serve. Most people know that their bank won’t ask them for any personal information in an email, but thousands still fall for phishing attacks every year. Informing your customers is good for their safety and for your bottom line. It’s a true win-win.


The coronavirus pandemic will end in the next several months. The end of COVID will mean the end of pandemic-themed scams, but fraudsters will not be taking post-vaccination vacations. They’ll be busy identifying new opportunities for abuse in the “next normal.” Whether your contact center is currently remote or already back in the office, now is a good time to invest in omnichannel security. Your company will be more efficient, more reliable and more profitable. You’ll increase customer trust and reduce client turnover. Quite frankly, the only ones unhappy with your investment will be fraudsters.

Mark Horne is the Chief Marketing Officer at Pindrop. He has led high-performing organizations across the B2B cloud, software and technology landscape. Mark has a B.S. in Marketing and Entrepreneurship at Northeastern University in Boston, an MBA from Georgia State, and is an Executive Scholar at Kellogg School of Management.