Computer voice interactions have come a long way. Not long ago, customer service phone systems relied on unreliable voice transcription or touch-tone phone prompts to guide the experience, and anything but the most basic interactions required two human beings: a caller and a customer service representative.
Today, things have changed. People have grown accustomed to Siri, Alexa, and other “virtual assistants.” In customer service, smart voice bots with natural language understanding handle more customer calls on their own, which has significantly reduced wait times for customers seeking assistance and reserves human agents for the most complex calls.
For all the benefits of voice, it comes with risks: many of today’s most dangerous incursions have begun over the phone, and staggering sums of money are at stake. In May 2020, the Secret Service announced that an offshore hacker ring had defrauded Washington state residents through unemployment fraud. By January 2021, COVID-related unemployment fraud had cost California alone upwards of eleven billion dollars. It is more important than ever for businesses to secure both the virtual and the human agent experiences on their customer phone lines.
Account breaches are often the result of a combination of high-tech know-how and low-tech cunning. In many cases, a multi-channel attack begins with a sophisticated technical attack on an IVR, then uses the data obtained in that process for a low-tech but dangerous social engineering attack.
Social engineering. Using publicly available facts and convincing lies, fraudsters can persuade contact center agents to hand over control of an account. Most contact center agents go through extensive training, but the ploys still work from time to time. By one measure, 61% of organizations faced attempted social engineering in 2020. Moreover, fraudsters are constantly refining their techniques. For example, during the height of the pandemic, cunning social engineers sometimes took over accounts by claiming to be the representatives of hospitalized patients.
IVR fraud. The coronavirus pandemic caused a massive spike in calls to contact centers in specific industries. In some cases, phone call volume rose by up to 800% in the second quarter of 2020. This led to a decline in social engineering attacks: criminals didn’t want to wait for hours, so long hold times translated into fewer attacks. Instead, they turned to another avenue of attack: the IVR, or interactive voice response system, which many organizations use to offer customers “self-service” options.
Manually “mining” IVR systems to obtain or confirm a potential victim’s personally identifiable information, including PINs, dates of birth, and the last few digits of account holders’ social security numbers, takes a lot of time and busywork for scammers. To get around this, many criminals use sophisticated autodial technologies to mine data at scale.
Auto dialing for personally identifiable information is strictly a machine-to-machine attack. That means a breach can occur without a single instance of human interaction. And once the autodial systems have completed IVR reconnaissance, the hackers may well have everything they need for a social engineering attack. A recent Opus Research report concluded that “fraudsters treat IVRs as a font of knowledge to support their illegal activities.”
In most cases, it’s impossible to take over an account simply by tricking an IVR into divulging personal information. But when autodialed, an IVR gives criminals an easy way to verify stolen identity information that may have been purchased on the dark web and to learn more information for the next stage of their campaigns. Most security breaches span multiple channels; the information gleaned via the IVR might be used to reset a stolen account’s password, or in a later conversation with a contact center agent who will find that the hacker has every piece of information needed to “verify” the identity they claim.
When fraud is successfully perpetrated, businesses and consumers may be able to claw back stolen funds or lock down accounts, but it’s better to halt fraud while it’s still in its planning or reconnaissance stages. The reputational and financial penalties of fraud can be steep: the 2013 Target breach cost the firm more than $200 million all told, Equifax paid more than half a billion dollars for a breach, Marriott was initially fined $124 million, and Uber spent nine figures paying for a leak. The good news is that technologies exist to counteract the latest incursion strategies.
Automatic voice and call authentication services can flag questionable calls or detect when a fraudster makes an artificial call to engage with an IVR system. An auto dialer will usually “spoof” phone numbers so that a call appears to come from a domestic number. IVR fraud monitoring systems can flag accounts that are being “probed” by multiple incoming callers, a likely attempt to mine data about that account. Flagged accounts can then be subjected to extra scrutiny on sensitive requests such as wire transfers or password resets.
Unobtrusive security software can detect spoofed calls that originate overseas but appear to come from a number associated with a local customer’s account. These security systems can also provide real-time intelligence on social engineering calls intended to reach a customer-facing contact center agent. If, for example, a call comes from a spoofed number or an unlikely device, agents can be notified that they should be on the lookout for suspicious behavior. These processes run in the background, so innocent callers won’t be inconvenienced and guilty callers won’t realize they have been detected.
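The two monitoring ideas above (an account being “probed” by many different calling numbers, and one calling number sweeping many accounts, with flagged accounts getting extra scrutiny on sensitive requests) can be illustrated with a small detector run over IVR call logs. The following is an added example written for this article, not code from any vendor named here; the call-detail record layout, the 10-minute window and the thresholds are assumptions, and the log lines are constructed.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample IVR call-detail records: timestamp, calling number (ANI) as
# presented by the carrier, account touched, IVR step, outcome. This layout is an
# assumption made for the example, not any real product's log format.
SAMPLE_CDR = """\
2021-03-04T09:00:05Z,+14155550111,ACCT-1001,verify_dob,success
2021-03-04T09:00:41Z,+14155550122,ACCT-1001,verify_last4ssn,fail
2021-03-04T09:01:12Z,+14155550133,ACCT-1001,verify_last4ssn,fail
2021-03-04T09:01:50Z,+14155550144,ACCT-1001,verify_pin,fail
2021-03-04T09:02:30Z,+14155550155,ACCT-1001,verify_pin,fail
2021-03-04T09:03:00Z,+14155550199,ACCT-2002,verify_dob,fail
2021-03-04T09:03:30Z,+14155550199,ACCT-3003,verify_dob,fail
2021-03-04T09:04:00Z,+14155550199,ACCT-4004,verify_dob,fail
2021-03-04T09:04:30Z,+14155550199,ACCT-5005,verify_dob,fail
2021-03-04T09:05:00Z,+14155550199,ACCT-6006,verify_dob,success
2021-03-04T10:15:00Z,+12125550177,ACCT-7007,balance_inquiry,success
2021-03-04T10:20:00Z,+12125550177,ACCT-7007,verify_pin,success
2021-03-04T11:00:00Z,+13105550188,ACCT-8008,verify_dob,success
2021-03-04T14:30:00Z,+13105550166,ACCT-8008,verify_dob,success
"""


@dataclass(frozen=True)
class CallRecord:
    ts: datetime
    ani: str      # calling number as presented; an auto dialer may spoof this
    account: str
    step: str
    outcome: str


def parse_cdr(text: str) -> list[CallRecord]:
    """Parse the comma-separated records above into CallRecord objects."""
    records = []
    for line in text.strip().splitlines():
        ts, ani, account, step, outcome = line.split(",")
        records.append(CallRecord(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                  ani, account, step, outcome))
    return records


def _max_distinct_in_window(records, group_by, distinct_by, window):
    """For each value of `group_by`, the largest number of distinct `distinct_by`
    values seen in any window of length `window` that starts at one of its calls."""
    groups = defaultdict(list)
    for r in records:
        groups[getattr(r, group_by)].append(r)
    result = {}
    for key, calls in groups.items():
        calls.sort(key=lambda r: r.ts)
        best = 0
        for i, start in enumerate(calls):
            seen = set()
            for c in calls[i:]:          # calls are time-ordered, so stop at the window edge
                if c.ts - start.ts > window:
                    break
                seen.add(getattr(c, distinct_by))
            best = max(best, len(seen))
        result[key] = best
    return result


def probed_accounts(records, window=timedelta(minutes=10), min_distinct_anis=3):
    """Accounts touched by at least `min_distinct_anis` different calling numbers
    within one window: the 'probed by multiple incoming callers' pattern."""
    counts = _max_distinct_in_window(records, "account", "ani", window)
    return {acct: n for acct, n in counts.items() if n >= min_distinct_anis}


def scanning_anis(records, window=timedelta(minutes=10), min_distinct_accounts=5):
    """Calling numbers that sweep at least `min_distinct_accounts` different
    accounts within one window, as an auto dialer would."""
    counts = _max_distinct_in_window(records, "ani", "account", window)
    return {ani: n for ani, n in counts.items() if n >= min_distinct_accounts}


# Request types the article singles out for extra scrutiny on flagged accounts.
SENSITIVE_REQUESTS = {"wire_transfer", "password_reset"}


def requires_step_up(account: str, request_type: str, flagged_accounts) -> bool:
    """True when a sensitive request arrives for a flagged account, i.e. it should be
    routed to additional verification (human review or out-of-band confirmation)."""
    return request_type in SENSITIVE_REQUESTS and account in flagged_accounts


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    flagged = probed_accounts(recs)
    print("accounts probed by multiple callers:", flagged)
    print("calling numbers sweeping many accounts:", scanning_anis(recs))
    print("step-up for ACCT-1001 password reset:",
          requires_step_up("ACCT-1001", "password_reset", flagged))
```

On the constructed log, ACCT-1001 is flagged (five different calling numbers in under three minutes), the number +14155550199 is flagged for sweeping five accounts, and ACCT-8008, which saw two callers several hours apart, is left alone. The thresholds and window would be tuned per deployment against real call volume; the point is that both signals come from ordinary call metadata the IVR already records, so the check runs without touching the caller experience.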
Planning for the Future
Today, roughly 1 in every 40 calls to the IVR is moderate- or high-risk. As voice grows in importance, the need for proper security integration will become ever more apparent. Any organization handling personally identifiable information through an IVR or contact center must secure its systems and implement proper risk management protocols. If it doesn’t, it and its customers may well suffer severe financial and reputational damage in the years to come. The tools are available, and the benefits are clear. If your IVR is unsecured, your organization is vulnerable. Don’t end up in tomorrow’s headlines for all the wrong reasons.