Large enterprises constantly extol the benefits of breaking down silos and sharing data across business units for strategic purposes. But as we all know, there’s a big difference between theory and practice. The challenges in implementing this vision range from differences in business units’ software systems and data formats, to busy executives focusing on competing priorities, to the fear that centralized processes might limit departmental flexibility. But many companies are now finding a more urgent reason to finally address segregation of data: fraud prevention.
Criminal efforts to capture and steal personal information to take over financial accounts, open new fraudulent accounts and engage in credit card fraud continue to accelerate. According to Javelin Strategy & Research, identity fraud resulted in $24 billion in combined U.S. consumer and financial institution losses in 2021, a 79% increase from 2020. Unfortunately, cross organizational fraud is escalating the steep financial cost of these efforts.
What does cross-organizational fraud look like in real life? Here’s a recent example from a financial services company. A clever fraudster performed a SIM swap on the phone of an individual who had just died, allowing him to take over the deceased person’s phone. He then visited the website of the individual’s bank and attempted to access their account. He didn’t know the password but was able to change it by requesting a one-time passcode (OTP), which was sent to the phone he now controlled. He transferred money out of the account and then, after reaching the website limit, called the call center. Because the fraudster was using a SIM swapped phone that appeared legitimate, the call center allowed him to withdraw even more money. The deceased person’s family didn’t realize that the phone had been taken over until they discovered the drained accounts weeks later.
There were certainly risk signals in this case — the SIM swap and OTP request — but the digital and call center channel fraud tools did not flag the phone as a risk, let alone share the data across channels to allow the organization to see the full picture of the suspect behavior and tie it to one user.
The authentication challenge
Confirming that customers are who they claim to be before granting them access to sensitive accounts has long posed a challenge for enterprises, as the need to prevent fraud must be considered alongside the equally valid need to provide a frictionless experience for legitimate users. Customers may take their business elsewhere if they’re forced to jump through too many hoops to prove their identity (or, conversely, if they believe the organization is not taking security seriously).
Authentication technology has made great strides in recent years, allowing many enterprises to stay one step ahead of the fraudsters. However, organizations often use these tools inconsistently — for example, incorporating mobile device analytics for digital channel access control but not for call center contacts, or using different systems for different lines of business — and these siloed systems fail to share the associated risk data across the enterprise.
Sharing risk signals
A lack of cross-channel and cross-departmental communication, and of the failure to share risk signals across channels, gives criminals more space to act — an opportunity that fraud rings are delighted to take advantage of. A company’s different divisions may all use fraud prevention tools, but if collective fraud intelligence is not being shared across the enterprise, the risk increases significantly and can lead to far more negative outcomes.
Call centers are often the weak link in risk assessment because they usually don’t have access to the risk signals observed in other channels. They’re also often the weak link in authentication, as 70% of contact centers continue to use only knowledge-based authentication methods (such as challenge questions), despite the fact that the information needed to overcome these methods is relatively easy to steal from consumers or scrape from social media. To fight cross-organizational fraud, call centers must be provided with the same fraud prevention tools that digital channels use.
Ideally, a single orchestrated fraud platform should be implemented across all channels and organizational verticals. To deliver fraud intelligence across the entire enterprise, an effective omnichannel identity management and authentication solution will incorporate a comprehensive digital identity for each user, along with IP address and geolocation attributes, global trust indicators, combining this with device reputation, consortium data, and behavioral analytics. Using tools that examine account balances, account activity, devices being used, digital behavior and so on, organizations can tie all the pieces of information together in order to identify and track anomalous behavior.
At a minimum, and regardless of the technology chosen, risk signals need to be shared broadly across the enterprise. Simply creating a database of known fraudulent numbers, for example, could be a helpful starting point.
Business leaders also need to take full advantage of the information they have access to today, both internal and third-party data — including historical data (e.g., a customer hasn’t moved in 20 years, has had the same phone for 10 years, and never swapped the SIM). Examining both the good and risk signals can enable organizations to speed access for legitimate customers, who make up the vast majority of users.
Developing a true enterprise focus
Ultimately, organizations need to be able to examine all the risk signals they are receiving from every contact point and connect them to an account and a user — and then share that information across channels and verticals.
Achieving this goal will require technology tools (particularly improvements in the call center, to allow for omnichannel risk signals), but it will also require the establishment of an enterprise focus on identity and fraud, with consistent policies and risk tolerances, and a high-level leader who oversees key aspects of fraud and security across the entire enterprise. A strong emphasis on orchestration and sharing data is needed to ensure that all business units and channels have visibility into potential connections between risk signals.
Breaking down silos isn’t just a matter of improving collaboration and innovation potential; it’s critical to the fight against increasingly sophisticated fraud attempts.