7th July 2021
Smart Conversations

How to protect contact centre agents from social engineering

Q&A with Amber Burridge, Head of Fraud Intelligence, Cifas

By Grant White

With COVID-19 causing disruption on a global scale, organisations face mounting challenges to continue business as usual while finding new ways to securely interact with their customers. 

However, fraudsters are launching increasingly advanced attacks against contact centres to take advantage of vulnerabilities caused by this shift. As the gatekeeper between customer and business, contact centre agents are on the front line of those attacks. So, what can contact centres do to protect themselves from fraud?

To find out, we spoke with Amber Burridge, Head of Fraud Intelligence at Cifas – a not-for-profit organisation working to reduce and prevent fraud and financial crime in the UK. 

An accredited fraud specialist with over a decade’s experience in crime and fraud analysis, Amber is the leading expert in today’s fraud landscape and how fraud has evolved during the COVID-19 pandemic. 

Grant White, Smartnumbers: Thanks for joining us today, Amber. It is well reported that COVID-19 has created a rise of fraud in contact centres. With many organisations turning to Cifas for guidance, information and to share their experiences, what are the biggest fraud challenges you are seeing?

Amber Burridge: One of the most significant challenges facing contact centres right now is that agents are often unaware of the increasingly sophisticated approaches fraudsters adopt for their attacks.

We’re seeing bad actors place an array of calls into a potential target and socially engineer situations in their favour. So, we need to be more proactive in educating frontline staff to spot the tell-tale signs of fraud and teach them the best practices for mitigating risk – not only for themselves, but also customers.

GW: You mention that attacks have become more sophisticated. Can you give us an example of what that looks like?

AB: One example we see a lot of is that criminals are able to build a synthetic identity using information they gathered from public-facing social media profiles, like children’s names, pets’ names and addresses. If you think about it, these are the answers to security questions asked by contact centres.

So when we think about the vulnerabilities of a contact centre environment, it’s easy to fixate on the technology. And, when we think about the victims of fraud, we tend to focus on the customer who has been duped and lost money or worse. What we don’t do, however, is think about the contact centre agent who was manipulated, fell foul of these slippery individuals, and unwittingly aided fraud to take place.

In a recent article by TransUnion, they found that fraudsters make an average of 5 calls to a contact centre before taking over an account. The way they do that is by building a rapport with the agent so when asked a security question, they claim that due to ill health or a recent life-changing event, they’re unable to remember the answers. As the agent is only human and trained to be as helpful as possible, they’ll sometimes provide that information. The fraudster typically disconnects, calls in again to get another agent and goes through the same steps as before until they gain full access to the account.

GW: Contact centres are under pressure to manage rising call volumes yet deal with customers quickly, so it’s understandable that red flags might be missed. From your point of view, what can contact centres do to respond to those challenges?

AB: There are two things you can look at: first is knowledge around the typical modus operandi of fraudsters, and that’s where Cifas comes in. As an intelligence community with over 590 members sitting across thirteen different sectors, it’s vital for organisations to dispense any information about threats they’ve come across so it can be shared across the community. It’s easy to think of fraud happening in silos, but in actuality, fraudsters target multiple sectors to find vulnerabilities to exploit.

Second is to focus less on technology and more on the human side. Organisations need to build awareness so contact centre agents can identify when they’re being socially engineered. This is particularly important in today’s climate when they might be more susceptible to emotional manipulation. Everyone knows someone who has been impacted by the pandemic and fraudsters use that to garner sympathy from agents to gain access to the account they’re targeting.

GW: Excellent point. In that case, what do you think is needed to build awareness so contact centre teams are better equipped to spot fraud?

AB: Disruptive events such as a pandemic can create financial challenges, where we know fraud instances rise. So, now is the time to launch a comprehensive education campaign among your contact centre agents. Fraud is an absolute non-compete and we should all be working together to tackle it. But the information shared needs to go beyond senior management and be used to inform those handling customer calls.

As well as educating frontline agents on the MO of fraudsters, there needs to be education on how to take control of a situation. For example, how to push back on a caller and ask for further evidence to authenticate if they’re ever uncertain. This can impose friction into the customer journey. But, when handled correctly and customers are informed of the reasoning behind it, you’d be hard pushed to find someone who would argue with the level of focus you put on protecting their personal information. And finally, educate yourself on the technology available in the market to help collect data in order to build profiles of your individual customers. This can help you identify potentially fraudulent engagements much earlier and lift some of the burden off your frontline teams.

GW: That is brilliant advice and something organisations need to take into consideration in their fraud prevention strategy. Thank you for your time.
