Contact centre fraud: How to shape our privacy and security

Contact centres are the weakest link in many organisations, which is why they often fall victim to fraud.

The days of phoning customer support, entering your personal information via the phone, and repeating the same information to a live agent are coming to an end. Or at least they should be, thanks to sophisticated technology that can identify ‘you’ as the real ‘you.’ This will enable greater efficiency and security, and also help to prevent fraud.

Contact centre fraud is on the rise. Global contact centre fraud has increased more than 45 per cent in the past three years, according to the 2016 Call Centre Fraud Report, mostly through the phone channel, “which is the weakest link into an organisation.” 

Fraud can encompass anything from someone overhearing private information whilst on the phone, to a contact centre agent using that person’s details to access their records. Or it can be a more sinister act such as a contact centre employee being bribed to provide sensitive information to a criminal. Fraud can also include criminals directly accessing customer data held by the business and carrying out malicious actions such as selling passwords and email addresses on the dark web.   

The most common form of customer fraud is spear phishing, in which an email that seems to come from an individual or business the receiver knows contains a link that, when clicked, enables the fraudster to obtain personal company and customer data.

Therefore, contact centres – whether managed by the company or outsourced – can be the epicentre of customer data storage and availability, and as such are very open to fraud. This could result in huge damage, including financial loss and identity fraud for the customer, as well as damage to a company’s reputation.

For example, in November, UK telecoms company Three experienced a massive data breach which resulted in the personal information of thousands of customers being obtained by cyber criminals, including names, addresses, contact numbers and dates of birth. Hackers are thought to have accessed Three’s database using stolen employee information, allowing them to access the system undetected. It is not clear how such sensitive logins were obtained; however, it may have been through a scam email sent directly from the hackers to Three employees, but appearing to be from someone in the company.

What should businesses be doing to prevent fraud in their contact centre? 

Firstly, they should understand the importance of making sure customer data is secure in their contact centre. A recent report from Symantec, the State of the European Data Privacy Survey 2016, found that businesses are not recognising data security and privacy as a top priority for consumers. Independent research firm, Vanson Bourne, interviewed 900 business decision-makers and IT decision-makers in the UK, Germany and France during September 2016. It showed that 74 per cent of the respondents don’t think an organisation’s privacy track record is a top three consideration for consumers.    

The report also revealed that one in 10 companies provide all employees with access to customers’ personal information, and one in 20 with access to customers’ payment details, meaning that employees including contact centre agents are potentially exposing themselves to fraud. With consumers ranking keeping their data safe as a top priority (88 per cent), there appears to be a disconnect between what businesses think customers want, and what customers actually want. 

Therefore, security awareness is key to ensuring all contact centre staff are provided with the necessary knowledge to protect customer data and realise its importance. As well as providing the knowledge needed to secure customer data, security awareness also involves creating the right culture in a contact centre that ensures both physical and informational assets are protected.   

The Symantec report also found that 35 per cent of businesses don’t believe their company takes an ethical approach to securing and protecting data, with just 14 per cent believing that everyone in the company has a responsibility to ensure data is protected. This highlights the clear need for incorporating security awareness into the entire customer support process.   

Secondly, from a technology point of view, businesses should treat infrastructure security as a definite necessity for protecting customer data from cyber criminals. To be fully effective, contact centre technology needs to be constantly updated and tested. Modern, cloud-based contact centre technology can offer this level of security, but not all of these solutions are created equal.

For example, customer engagement cloud solutions such as PureCloud by Genesys* have security built into the design, unlike systems that are built first and have security measures applied after the fact.

Thirdly, a strong identification policy is pivotal to protecting data and preventing fraud. Contact centre employees and customers alike must be informed about the true value of using strong passwords, thus minimising hackers’ chances of accessing personal accounts.   

A brilliant use of a strong identification policy is biometrics, which uses fingerprints, voice, or iris recognition to identify an individual. Not only does this type of identification make the process simpler for the customer, but it also helps strengthen security. Fingerprints, for example, are a lot harder for hackers to access compared to stealing a simple password. Many high street banks are standing up and recognising the value of biometrics, with Barclays rolling out voice recognition at its contact centres earlier this year.   

What’s next for contact centre security?   

With the UK government announcing plans to spend £1.9bn on cybersecurity, it's clear that customer data protection should remain a top priority for contact centres. The upcoming General Data Protection Regulation (GDPR), by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU), is set to go live in 2018.

This does leave some time yet for contact centres to get their act together when it comes to data protection and ensuring all measures are taken both internally and externally to prevent fraud. Otherwise, businesses risk being prosecuted, which could lead to big fines, not to mention decreased customer satisfaction and loyalty. 

*Please note that Genesys acquired Interactive Intelligence on Dec. 1, 2016. The combined company is known as Genesys. 

Ralph Echemendia, ‘The Ethical Hacker’

ABOUT THE AUTHOR

Ralph Echemendia is a cyber security specialist who is known as "The Ethical Hacker." He specialises in protecting intellectual property in the entertainment industry and educating on security.