If there’s one thing I’ve learnt when researching and writing about contact centre fraud, it’s that fraudsters succeed by being more adaptable and agile than those trying to prevent them.
In other words, change in fraud tactics is constant and rapid. Scams have lifecycles and come and go based on effectiveness and how fast they can be locked down. However, like ‘whack-a-mole’, there is also a seemingly endless supply of new opportunities for fraudsters to exploit.
For instance, when I last wrote about fraud in financial services, a major concern was the impact of open banking and the potential exposure of customer data to others outside the traditional banking ecosystem. EU mandated countermeasures also appeared to compromise the goal of effortless customer experiences. The fear was, in the context of e-commerce, that revenues would be compromised by customers walking away in frustration at the point of purchase if asked to reverify their identity.
Fast forward to today and we see how the pandemic and lockdown have offered fraudsters their next goldrush. More than 6,000 cases of Covid-related fraud and cyber crime were recorded by the UK’s police forces during the pandemic. Action Fraud says £34.5m has been stolen since March 2020. Meanwhile, the National Crime Agency estimates that just one in five fraud cases are typically reported to police.
City of London Police, which coordinates efforts to combat fraud, reported e-commerce fraud was 42% higher over the pandemic than the preceding year, as criminals took advantage of the fact many physical stores were forced to close. Which? research estimated three in five customers received scam delivery messages during that time.
UK Finance reported financial frauds against UK bank customers increased by two-thirds in the first half of 2020. According to the industry body UK Finance, British banks paid out £147m in 2020 reimbursing losses caused by “authorised” scams, where customers unwittingly make payments from their accounts to criminals.
As Ashley Hart, head of fraud at British bank TSB remarked: “Fraudsters are used to creating a false sense of emergency. These days people are more likely to be panicked and act irrationally”.
This false sense of emergency was all too easy to generate given what happened during the pandemic.
Customer service challenges
Banks became one of the sectors whose live service channels rapidly became overwhelmed. Customers needed to negotiate payment holidays for everything from loans to mortgages. Others needed fresh loans to get by, especially organisations wanting to access the many forms of support offered by the government, which were then administered by the banks.
Anxious and vulnerable customers gravitated to and overwhelmed the phone channel, which also suffered from significant understaffing caused by COVID and the logistics of unexpected homeworking.
Extraordinary queuing times became the norm. Fraudsters intent on social engineering their way past a harassed or inexperienced service agent faced the same time-wasting queues as everyone else.
As a result, the number of fraud attempts on agents actually shrank by over 25% during 2020. (Pindrop Labs). This was the result of fraudsters investing in more targeted, higher yielding approaches, since now they had fewer opportunities to cut through. They did this through a mix of manual and automated IVR data gathering and validation, enriched with data scraped from social accounts. This was then used to pre-screen and filter out low balance accounts and ensure the remaining identities were accurate and complete. All of this helped improve hit and success rates.
Of course, there were also easier low hanging fruit to pluck. The forecasted cost to the taxpayer of bounce back loans caused by inadequate fraud protections and likely non-repayment is currently £26bn. Extended universal credit incurred an estimated fraud of £1.5bn.
Scams are omnichannel and multimodal
To better understand how fraudsters operate, here’s a snapshot of their workflow (which has remained constant despite the change in tactics mentioned earlier). It begins with one of the consequences of living as online societies: regular, large-scale data breaches that fuel an ever-busy trade in consumer identities over the dark web.
Once purchased, stolen identities need testing for accuracy and completeness until they are ready to be used to pass identification and verification processes. As just mentioned, the cover of IVR is often used to validate key information, such as card CVV and balance checking.
When enough personal data is gathered, the fraudster can then break into an account, set up new payees, ask for password resets, change postal addresses and establish new accounts. As ownership and control is established, the end game is triggered: directly transferring balances to different bank accounts or persuading customers to do so. Examples include life insurance scams, hoax messages claiming a comprised account that needs an instant transfer of funds and get rich schemes, such as investing in cryptocurrencies that need funding.
This cycle of information gathering and checking is typically omnichannel and multimodal. Fraudsters often move between voice and text channels, covering in person, online and contact centre touchpoints. Sometimes they’re hunting the organisation, other times they’re hunting the consumer by masquerading as a trusted organisation.
As all contact centre leaders know, real-time insight into legitimate omnichannel behaviours remains challenging for most organisations. Therefore, spotting the footprint of fraud activity within the increasingly complex mix of omnichannel behaviour, which lockdown has encouraged, is tough and often missed until it’s too late. On top of this challenge is the need to create quick, effortless user journeys for customers, which sometimes compromise security for convenience.
Protecting your contact centre against fraud
To beat fraudsters, contact centres need cross-functional collaboration to produce balanced strategies and to invest in technology.
Historically, one of the biggest challenges has been developing multi-layered strategies that keep pace with the increasing technical prowess of fraudsters and keep customers safe without adding noticeable levels of extra effort.
Thankfully, the expert view is that over time, AI-empowered biometrics will become more affordable and will replace traditional knowledge-based approaches to identification and verification (ID&V), which are operationally expensive and easily overcome for experienced fraudsters.
For instance, ContactBabel research shows that traditional, advisor-driven ID&V processes take an average 37 seconds to complete on every call. This costs the UK contact centre industry an estimated £2.1bn each year. It is also a well-known source of customer irritation when calls are transferred and require re-authentication.
In addition to biometrics and other methods of identification, AI-generated pattern recognition will also play a big part in this multi-layered solution. Even conversational analytics can help surface fraudulent behaviours. For instance, expert analysis over millions of calls shows clear patterns that can be searched using post-interaction analytics and IVR reporting. These patterns show that:
- On average, a fraudster makes 26 calls in the weeks before executing the final attack.
- Two thirds of fraudulent calls are from withheld numbers. In almost all cases, the fraudster simply withholds their number and continues the attack to get around a bank’s phone number blacklists.
- A fraudster executing an IVR attack can be detected by a high volume of calls with short duration and a short time-to-next call. A typical fraudster probing the IVR makes on average 20 calls in an hour from withheld numbers.
These insights can then be used to focus the contact centre and security teams on pre-emptive actions.
In summary, fraud continues to be a major threat, especially in financial services. The pandemic has created many new opportunities for social engineering that have taken time to recognise and respond to. Fraud levels have grown, tactics have adapted and contact centres remain embedded in the workflow that enables this activity. As a rule of thumb, 60% of online fraud starts with or includes a call into the IVR to gather account information, according to Pindrop Labs.
To find out how you can reduce your contact centre’s vulnerability to fraud, download Puzzel’s white paper: Securing your Contact Centre. It includes three basic security measures contact centres can implement right now to protect customers, agents and your business. You can discover more about Puzzel’s omnichannel cloud contact centre for Financial Services here.
About the author
Martin Hill-Wilson was CEO of one of the first BPOs and CX consultancies in the UK. He then spent a decade in the systems integration industry positioning the value of new technology and the associated change agenda. He is now in his tenth year as Brainfood Consulting, offering a mix of services. These include conference chairing, keynotes, webinars, whitepapers, workshops, consulting and mentoring.