Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceCybersecurity News

Making sure customers’ voices are heard — and scammers’ voices are silenced

By Collin Davis
call-center-freepik.jpg
August 31, 2021

Computer voice interactions have come a long way. Not long ago, customer service phone systems relied on unreliable voice transcription, or touch-tone phone prompts to guide the experience. And anything but the most basic interactions always required two human beings: A caller and a customer service representative. 


Today, things have changed. People have grown accustomed to Siri, Alexa, and other “virtual assistants.” In customer service, smart voice bots with natural language understanding have significantly reduced the wait times for customers seeking assistance on support calls by handling more customer calls on their own. This reduces hold times by saving the human agents for only the most complex calls.


For all the benefits of voice, it comes with risks: Many of today’s most dangerous incursions have begun over the phone. Staggering sums of money are at risk. In May 2020, the Secret Service announced that an offshore hacker ring had defrauded Washington state residents in unemployment fraud. In January 2021, COVID-related unemployment fraud had cost California alone upwards of eleven billion dollars. It is more important than ever for businesses to secure both virtual and human agent experiences in their customer phone lines.


Vulnerabilities Exist

Account breaches are often the result of a combination of nefarious high-tech know-how and low-tech cunning. In many cases, a multi-channel attack will make a sophisticated technical attack on an IVR, then use data obtained in that process for a low-tech but dangerous social engineering attack.


Social engineering. By deploying publicly available facts and convincing lies, fraudsters can persuade contact center agents to hand over control of an account. Most contact center agents go through extensive training, but the ploys still work from time to time. By one measure, 61% of organizations faced attempted social engineering in 2020. Moreso, fraudsters are constantly innovating their fraud techniques. For example, during the height of the pandemic, cunning social engineers sometimes took over accounts by claiming to be the representatives of hospitalized patients. 


IVR fraud. The coronavirus pandemic caused a massive spike in calls to contact centers in specific industries. In some cases, there was up to an 800% spike in phone calls in the second quarter of 2020. This led to a decline in social engineering attacks. Criminals didn’t want to wait for hours as long wait times translated to fewer attacks. So, they came up with another avenue of attack: The IVR, or interactive voice response systems that many organizations employ to offer customers “self-service” options. 


Manually “mining” IVR systems to obtain or confirm a potential victim’s personally identifiable information, including PINs, dates of birth, and the final few digits of account holders’ social security numbers, takes a lot of time and busywork for scammers. To circumvent this, many criminals use sophisticated autodial technologies to mine data at scale. 


Auto dialing for personally identifiable information is strictly a machine-to-machine hack. That means that a breach can occur without a single instance of human interaction. And once hackers’ autodial systems have completed IVR reconnaissance, they may well have all the tools they need for a social engineering attack. A recent Opus Research concluded that “fraudsters treat IVRs as a font of knowledge to support their illegal activities.”


In most cases, it’s impossible to take over an account from tricking an IVR into divulging personal information. But when autodialed, an IVR gives criminals an easy way to verify stolen identity information that might have been purchased on the dark web and learn more information that can be used in the next stage of their campaigns. Most security breaches occur across multiple channels; the information gleaned via IVR might be used to reset a stolen account’s password or in a later conversation with a contact center agent who will find that the hacker has all the correct information needed to “verify” the identity that they claim. 


Authentication Matters

When fraud is successfully perpetrated, businesses and consumers may be able to claw back stolen funds or lockdown accounts, but it’s better to halt fraud while it’s still in its planning or reconnaissance stages. The reputational and financial penalties of fraud can be steep: The 2013 Target breach cost the firm more than $200 million all told, while Equifax paid more than half a billion dollars for a breach, Marriott was initially fined $124 million, and Uber spent nine figures paying for a leak. The good news is that technologies exist to counteract the latest incursion strategies. 


Automatic voice and call authentication services can flag questionable calls or detect when a fraudster makes an artificial call to engage with an IVR system. An auto dialer will usually “spoof” phone numbers, so it seems that a call is coming from a domestic number. IVR Fraud monitoring systems can flag accounts that are being ‘probed’ by multiple incoming callers, a likely attempt to mine data about that account. Flagged accounts can be put on extra alert in sensitive wire transfer or password reset requests.


Unobtrusive security software can detect spoofed calls originating overseas but appearing to come from a number associated with a local customer’s account. These security systems can also provide real-time intelligence on social engineering calls intended to reach a customer-facing contact center agent. If, for example, a call comes from a spoofed number or an unlikely device, agents can be notified that they should be on the lookout for suspicious behavior. These processes run in the background so that innocent callers won’t be inconvenienced and guilty callers won’t realize they’re being found out.


Planning for the Future

Today, roughly 1 in every 40 calls to the IVR is moderate- or high-risk. As voice grows in importance, the need for proper security integration will grow ever more apparent. Any organization handling personally identifiable information through an IVR or contact center must secure its systems and implement proper risk management protocols. If they don’t, they and their customers may well suffer severe financial and reputational damage in the years to come. The tools are available, and the benefits are clear. If your IVR is unsecured, your organization is vulnerable. Don’t end up in tomorrow’s headlines for all the wrong reasons.

KEYWORDS: call centers data breach risk management scams voice fraud

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Collindavis

Collin Davis is the CTO of Pindrop. He has a background in both Voice and Security. Davis spent the last 8 years at AWS where he ran multiple cloud services at a large scale. During his time there, he founded Alexa for Business and took it from conception to launch in order to help customers voice-enable their conference rooms, lobbies, hospital rooms, hotel rooms, and even warehouses with Alexa. 

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Cybersecurity
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Columns
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Logical Security
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

blurry multicolored text on black screen

PowerSchool Education Technology Company Announces Data Breach

Events

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

August 27, 2025

Risk Mitigation as a Competitive Edge

In today’s volatile environment, a robust risk management strategy isn’t just a requirement—it’s a foundation for organizational resilience. From cyber threats to climate disruptions, the ability to anticipate, withstand, and adapt to disruption is becoming a hallmark of industry leaders.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Customer service phone call

    No more trade-offs: With AI, banks can both improve CX and enhance security

    See More
  • Person yelling in megaphone

    2 out of 3 Americans cannot distinguish AI voices from real voices

    See More
  • healthcare 2 feat

    Top 30 Voices in Healthcare Security: How Is the Industry Changing?

    See More

Related Products

See More Products
  • Risk-Analysis.gif

    Risk Analysis and the Security Survey, 4th Edition

  • databasehacker

    The Database Hacker's Handboo

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing