Don’t let IVR fraudsters exploit COVID

Scammers and fraudsters are good at making the best of a bad situation. As the COVID-19 pandemic enters its second year, society the world over is tired, stressed, and uncertain. The “New Normal” of masking and distancing has, for many of us, begun to seem just “normal.” Despite Zoom calls, distance learning, and socially distanced outdoor walks, everyone from nine to ninety is isolated and on edge. That means that we’re all more susceptible to manipulation. If your organization operates a contact center, you’re almost certainly seeing significantly greater call volume than you were a year ago. And with increased calls come more would-be fraudsters.

Contact center call volumes will vary from industry to industry and from month to month, but the general trend is steeply upward. In the first few months of COVID in 2020, some contact centers reported an 800% increase in their average call volume. Some contact centers have hired new agents, and almost all have experienced significant changes in protocol and daily operations. While some agents have returned to offices, many contact centers remain remote. Increased call volumes and new procedures have affected companies’ bottom lines: 36% of financial institutions saw contact center fraud losses in 2020 were higher than they were two years before.

Adding new agents isn’t the only or even the most efficient way that contact center managers can respond to the great COVID crunch of 2021. A properly deployed Interactive Voice Response system can make workloads manageable for agents while keeping customers from long and frustrating minutes on hold. Still, new options for callers may correspond to new opportunities for attackers.

Step 1: Check All Angles of Attack

Imagine trying to secure your house before a vacation. If your front door has two locks, a deadbolt, and a security camera, chances are no one will be getting through. If, however, you’ve left the french doors wide open and put up all the windows before going away, you have a severe problem. Just as a chain is only as strong as its weakest link, a security system is only as effective as its most compromised component.

In some organizations, the weakest component may be education; we’ve all heard stories of major organizations hacked because employees had received deficient security training and fell victim to phishing or social engineering. Although most companies have upped their security game over the past several years, others still lag behind. And, just as importantly, some types of fraud and abuse may not be on the security radar.

Step 2: Present a Unified Front

Fraudsters often begin their efforts in an IVR; identifying them early can save a great deal of trouble later on. Why are IVRs so tempting to attackers? First, they let malicious actors figure out which accounts offer the most significant potential rewards. A burglar, if they’re competent, doesn’t break into the first house they see. Rather, they “case” their target, looking for security flaws, figuring out when the owners aren’t home, and generally learning what they need to make crime pay.

Today’s fraudsters may use different technology, but their basic strategies are similar. Suppose a fraudster obtains a bank account number, the account holder’s name, and the associated phone number from a dark web clearinghouse. How do they confirm that the account is real, that the account is active, and that the account is worth compromising? Their first step may be to call an IVR, using a spoofing program to make it seem like the call is coming from the real account holder’s phone number. What the fraudster hears when they dial in determines their next steps. If the IVR announces that the account has been closed or canceled, they can move on to the next one. But if the IVR confirms the account is active — or even lets the fake caller learn the target account’s balance — then an attack may go forward.

The next phase of the fraud won’t occur in the IVR; it’s more likely to involve phishing attacks or even social engineering of contact center agents. But wherever and however the attempt ends, it begins with a phone call. Your security decisions must reflect this.

When attacks are cross-channel, it’s vitally important that your information doesn’t get sorted, siloed, and suppressed. Hackers and fraudsters don’t stick to one angle of attack, so defending your company and your customers must be a cross-channel effort. If abnormal activity from an account means that red flags are raised in the IVR, then corresponding alerts should go up in the contact center and in any online account. The good news is that suspicious IVR behavior gives the good guys ample time to prepare: Fraudster reconnaissance of an IVR often takes place from 30 to 60 days before a more serious account takeover attempt.

Step 3: Never Stop Learning, Never Stop Teaching

Most any large institution will have training and education programs for new associates or employees, but learning needs to be an ongoing process. Innovation isn’t always a good thing: Fraudsters are always coming up with new techniques and new methods to achieve their goals, and everyone who may face them needs to be kept up to date. When a new exploit is discovered, your agents and associates need a warning. While training and education may require additional resources, it’s always cheaper to prevent a breach than to recover from one.

Education can’t stop at the walls of your organization. Your clients or customers may need guidance, especially in these confusing times. Your customers’ needs have changed over the past year, and so chances are that the scams targeted against them have changed too. The U.S. government has assembled consumer guidance about COVID scams, but every little bit helps in outsmarting fraud, so institutions should consider their own outreach plans.

Conclusion

As I write this, coronavirus vaccines are at last being distributed across the world. Chances are you already know someone who has received their shots; perhaps you’ve even received your full course of treatment. As life gradually returns to its old rhythms and the New Normal, at last, becomes the Old Abnormal, it may be tempting to let down your guard as you take off your mask. But the wiser course of action is to use this time to build a safer, stronger customer experience. There are many challenges to institutional security in 2021, but there just as many solutions.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.