24th June 2021

Five steps to streamline authentication in the contact centre


By Jamie MacGregor

Over the last year, fraud cases have risen sharply, with 57% of organisations reporting an increase in fraud attacks in the contact centre and 80% now seeing fraud as a very serious issue. 

As a result, identification and verification (IDV) processes have become longer. In fact, research suggests that the IDV process now takes 30% longer than it did ten years ago, at over 30 seconds per call. With the average cost to authenticate a call now more than 40p, and contact centres handling thousands of calls a day, costs can quickly ramp up.

Adding further questions to the authentication process increases average handling times and costs while frustrating genuine customers. So, what’s the solution to this dilemma? How can contact centres accelerate authentication without letting fraudsters in, while reducing operating costs? Here are five steps to help you streamline authentication, reduce costs and improve customer satisfaction in the contact centre:

Step 1. Consider your threat model

The first step to streamlining caller authentication is to visualise the end goal. Consider what the perfect caller experience looks like, then work backwards.

Ensure you work with all the stakeholders involved in the customer journey to map every touch point. Consider the threat posed at each point and understand where there is a higher risk of fraud. A common oversight is to focus fraud defences too heavily on the “happy path” and not consider whether there might be an alternative path through for fraudsters. For example, if a fraudster stays silent in the IVR, can they “zero out” of the standard call flow to avoid security controls?

Be mindful that identity proofing is a journey. To ease friction while onboarding customers, you may want to avoid overly onerous authentication checks, only introducing additional checks when customers complete higher risk interactions, such as making a large payment to somebody new.

For example, a gambling company that wants to encourage new user sign-ups might offer an incentive to win prizes, while ensuring the offer isn’t exploited by being used multiple times. A better approach may be to initially verify the customer’s basic identity, then introduce further challenges at a later stage when a customer wants to withdraw funds.

Step 2. Protect personal information

A common tactic for fraudsters is to use contact centres as a place to obtain valuable information that can be used for future attacks. Generally, this involves manipulating the contact centre agent into revealing a customer’s personal information using a range of social engineering tactics. 

To avoid this, make sure you limit the personal information available before the caller is properly authenticated. This applies both to calls in the IVR and to agent-answered calls. It stops agents from divulging sensitive information that could help fraudsters execute more sophisticated attacks in other channels.

Step 3. Review authentication tools for each step of the journey 

Review the authentication tools used at each stage of the customer journey. Do they provide the right level of confidence in the caller’s identity?

For instance, a contact centre may feel confident because it uses multi-factor authentication with voice biometrics. But it may not realise that if the caller remains silent in the IVR, they are routed to an agent who resorts to using Knowledge-Based Authentication (KBA).

To avoid this, consider each individual stage of the customer journey and check it meets the threat model test outlined in Step 1. This will enable you to remove any weak links.
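The check described in Steps 1 and 3 can be run mechanically over a documented call flow. The following is an added example, not part of the original article: the call flow, step names, 0-3 assurance scale and required levels are all constructed assumptions.

```python
# Constructed call flow: (step, caller behaviour, next step, assurance gained).
# Assurance uses an assumed 0-3 scale: 1 = KBA questions, 3 = voice biometrics.
EDGES = [
    ("ivr_entry", "speaks", "voice_biometrics", 0),
    ("ivr_entry", "stays silent", "agent_kba", 0),
    ("voice_biometrics", "match", "ivr_menu", 3),
    ("voice_biometrics", "no match", "agent_kba", 0),
    ("agent_kba", "answers questions", "agent_desktop", 1),
    ("ivr_menu", "asks for balance", "read_balance", 0),
    ("ivr_menu", "asks for an agent", "agent_desktop", 0),
    ("agent_desktop", "asks for balance", "read_balance", 0),
    ("agent_desktop", "asks for payment", "new_payee_payment", 0),
]
# Minimum assurance each sensitive step should require (assumed policy).
REQUIRES = {"read_balance": 2, "new_payee_payment": 3}


def weak_paths(edges, requires, start="ivr_entry"):
    """Return every route that reaches a sensitive step with too little assurance.

    Each finding is (step, assurance reached, assurance required, route taken).
    """
    graph = {}
    for src, behaviour, dst, gain in edges:
        graph.setdefault(src, []).append((behaviour, dst, gain))
    findings = []

    def walk(node, assurance, route, seen):
        need = requires.get(node)
        if need is not None and assurance < need:
            findings.append((node, assurance, need, route))
        for behaviour, dst, gain in graph.get(node, []):
            if dst not in seen:  # do not loop if the flow contains cycles
                walk(dst, max(assurance, gain),
                     route + [f"{node}: {behaviour}"], seen | {dst})

    walk(start, 0, [], {start})
    return findings


if __name__ == "__main__":
    for step, have, need, route in weak_paths(EDGES, REQUIRES):
        print(f"{step}: assurance {have} < {need} via " + " -> ".join(route))
```

On this sample flow every finding runs through the agent KBA fallback, including the route that starts with the caller staying silent in the IVR.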

Step 4. Integrate telephony risk signals into your online fraud detection platform 

Fraudsters can gather information by exploiting defence weaknesses, such as obtaining the account balance or recent transactions from the IVR, then using those details to impersonate the victim’s bank and convince the victim to transfer money.

To identify potential risks, ask yourself: do you apply the same authentication process to all callers regardless of the caller’s previous behaviour? Are risk indicators, including telephony signals, fed into your authentication process? For example, an account being repeatedly accessed via the IVR by a withheld number might not be factored into the overall account risk level.

Fraud detection and customer authentication have traditionally been treated separately. Additionally, online fraud detection (OFD) platforms often lack telephony risk signals, which means the holistic overview of a customer’s behaviour and total risk profile is missing. However, by layering telephony risk signals with other fraud detection tools, you can elevate the trust level of the call. This reduces the fraud risk, while enabling a broader range of self-service transactions to be completed in the IVR. 
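A sketch of that layering, as an added example that is not from the original article: the IVR history, account identifiers, phone numbers, the 0-100 online fraud score, the weights and the thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed IVR access history: (account, caller number or None if withheld, time).
IVR_LOG = [
    ("ACC-1001", "+44 7700 900123", "2021-06-01T10:00"),
    ("ACC-1001", None, "2021-06-20T09:02"),
    ("ACC-1001", None, "2021-06-20T13:40"),
    ("ACC-1001", None, "2021-06-21T08:15"),
    ("ACC-2002", "+44 7700 900456", "2021-06-19T11:00"),
    ("ACC-2002", "+44 7700 900456", "2021-06-21T16:30"),
]


def call_risk(log, account, caller, ofd_score, now, window_days=7):
    """Combine an online fraud score with telephony signals for this account.

    ofd_score is an assumed 0-100 score from the online fraud platform; the
    weights below are illustrative and would be tuned on real outcomes.
    """
    since = now - timedelta(days=window_days)
    history = [(num, datetime.fromisoformat(ts)) for acc, num, ts in log
               if acc == account and datetime.fromisoformat(ts) < now]
    withheld_recent = sum(1 for num, ts in history if num is None and ts >= since)
    seen_before = sum(1 for num, _ in history if caller is not None and num == caller)

    score = ofd_score
    score += min(45, 15 * withheld_recent)  # repeated withheld-number access
    if caller is None:
        score += 20                         # this call also withholds its number
    if seen_before >= 2:
        score -= 20                         # number with an established history
    return max(0, min(100, score))


def treatment(score):
    """Map the layered score to an authentication treatment (assumed thresholds)."""
    if score < 30:
        return "self_service"     # broader IVR self-service allowed
    if score < 60:
        return "step_up"          # extra check before sensitive data is read out
    return "enhanced_checks"      # route to agents handling riskier interactions
```

With an online score of 20 alone, the withheld-number call to ACC-1001 would be treated as low risk; once the telephony history is layered in, it is routed to enhanced checks.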

Step 5. Create a security culture 

One of the most important steps you can take is to build a security-focused culture. Customer-facing agents are naturally inclined to be helpful, but it’s important to balance that with the need to be resilient against security attacks.

Fraudsters are extremely adept at using behavioural tactics to manipulate contact centre agents. A common example might be to introduce a lot of disruptive background noise into a call. This puts pressure on agents to speed up, which leads to mistakes. Your agents need to be aware of these tactics and have the training to understand when they might be vulnerable to manipulation. It’s not enough for top managers to know the latest fraud tactics; your agents need to be informed too.

A good example of this training would be explaining why agents only have access to a limited overview of a caller’s information during the authentication process, or why certain agents are responsible for riskier interactions. This can encourage your agents to recognise risk signals and understand when vigilance is required. When they know why a security measure is in place, they work harder to comply. Through positive reinforcement of policies and continuous training, you can ensure your contact centre will develop a strong culture against fraud.

Streamlining authentication 

With fraud attacks on the rise, it’s important now to take a step back and assess how to best protect customer data and secure the contact centre without negatively impacting the customer experience. By adopting a multi-layered defence, organisations can improve caller authentication and reduce costs by successfully balancing customer satisfaction with fraud prevention. 

This ultimately improves operational efficiency and creates a smoother caller experience as more self-service transactions can be completed in the IVR. Agents can also be reached faster and can focus on serving the customer, rather than going through a long set of security questions.