How Call Centers Are the Weakest Links in the Authentication Chain
As companies strengthen their cybersecurity defenses, fraudsters are now targeting call centers using plentiful, easily obtained personally identifying information, and they are sharing that information too.
A report from TRUSTID confirms that call center professionals are being inundated with social engineering attempts from fraudsters looking to take over customer accounts.
The results spotlighted six insights:
1. Call centers are now the vector of choice for criminal attacks. This year 51% of respondents from the financial services industry and 32% of all respondents recognized the phone channel as the primary source of account takeover (ATO) attacks. “Fraudsters increasingly recognize it as the weakest link in an organization’s attack surface,” the report emphasized.
2. Virtualized calls pose the greatest ATO threat. Across all industries, respondents recognized much more criminal activity coming through virtualized calls (40%) than spoofed calls (32%). Criminals are increasingly turning to web-based calling services (Skype), Google Project Fi (routed through T-Mobile or U.S. Cellular), or a business PBX, making these calls the biggest threat vector to call centers today. “The calls are authentic, unique and legitimate.”
3. Customer experience and fraud prevention expected to improve in tandem. Despite the shifting threat landscape and concurrent pressure to deliver the best customer experience possible, 76% of call center leaders felt they could prevent ATO without obstructing their customers’ experience. Call report survey data also suggested eagerness for change, with 46% ‘very’ or ‘somewhat’ dissatisfied with their current caller authentication method(s), a 50% increase since 2018.
4. Pre-answer authentication emerged as preferred choice. There is growing interest in pre-answer authentication approaches to speed the verification process – with respondents increasingly recognizing speed as essential to delivering the best customer experience possible.
5. Easy customer enrollment tops requirements. Three priorities emerged: easy user enrollment (if callers refuse to sign up for a new authentication approach, the technology can’t deliver any benefit); improved fraud detection (91% of respondents rated this as a high priority); and authentication accuracy (respondents will only consider new technologies that can authenticate legitimate callers).
6. Plans for true multi-factor authentication doubled. The percentage of respondents not knowing their organization’s plans for MFA dropped from 36% to 27%, indicating that more organizations are formalizing plans to reduce their dependence on a single-factor knowledge-based authentication (KBA) approach. Respondents planning to replace KBA with an MFA approach based on new technologies more than doubled from 8% to 17%.