Contact Centres: Adapting Security Methods to Fight Fraud

From banks and insurance providers through to utility companies and major retailers, many of today’s organisations operate Contact Centres (or, at the very least, outsource their customer service to one), writes Ben Taylor. Brands and businesses are placing a heavy emphasis on the customer experience, with Contact Centres remaining an essential way in which to manage client issues. However, due to the ever-present threat of cyber attacks, data breaches and episodes of insider fraud, ensuring reliable and secure service within these Contact Centres is becoming increasingly difficult. As a result, security within the industry is a significant issue, with legacy systems coming under severe scrutiny.

A recent survey conducted by data security specialist Semafone revealed that Contact Centre data security finds itself in a dire state. In parallel, a report into Call Centre fraud in the UK found that attacks have increased by 113% within the last 12 months. These findings clearly highlight the continued use of outdated and risky practices to capture, process and store sensitive data.

Indeed, data security remains a heavily debated topic, and particularly so in regard to the practices of large organisations responsible for the security of hundreds of thousands of their customers’ personal details and sensitive information. Information loss and data breaches feed fraudulent activities. This is where Contact Centres come under close scrutiny. Many currently operate hybrid estates combining newer technologies and older legacy systems while they transition towards full-scale digital transformation. Others simply operate with pre-existing legacy systems. Frankly, neither of these solutions is optimal.

The deployment of disparate services and products that act in isolation is a hindrance rather than a help. In order to provide better protection, Contact Centres need cohesive and complementary systems. More on this anon.

Challenges facing Contact Centres

Aside from issues of outdated technology, there’s also a human element in play. Contact Centre agents are themselves a data security risk, both internally and externally. They’re exposed to – and handle – large amounts of sensitive customer data and are an easy target for the fraudsters. Faced with high volumes of call traffic every day, cumbersome administrative procedures and time-based performance targets, it’s all-too-easy for mistakes to be made and information to be mishandled.

The traditional Contact Centre environment – where Card Not Present transactions are processed and personally identifiable information (PII) and card details divulged to agents over the phone – is a hub of customer data storage and availability. It’s perhaps no surprise, then, that it has become a breeding ground of criminal activity.

In November 2016, telecoms company Three suffered a massive data breach which saw the personal information of thousands of its customers harvested by hackers. Criminals managed to obtain customers’ names, addresses, contact numbers and dates of birth. It’s believed that the cyber attack targeted Three’s database through stolen employee information — obtained by way of an e-mail scam sent directly from hackers to employees — which allowed access to the system without raising any red flags.

At least in part, the targeting of Contact Centres by criminals is due to the advances in security technology for online and in-store transactions. Chip and PIN, PINsentry card readers and 3D Secure have all made purchasing goods through these channels safer than ever before for consumers, but the knock-on effect of these innovations is that fraudsters are forced to re-evaluate their approach and identify new pathways. In short, they identify the pathways of lower or least resistance. For many criminals, Contact Centres are considered the easiest point of entry. The ‘low-hanging fruit’ that’s ripe for exploitation.

Legacy systems and cyber attacks

The simple truth is that legacy security systems are no longer a match for modern attacks. Identity confirmation procedures, such as Knowledge-Based Authentication, can be breached by those in possession of the relevant details (ie details like those obtained during Three’s breach). Caller ID and Interactive Voice Response systems are susceptible to number spoofing and spear phishing e-mail scams that imitate a company’s automated call system.

Most recently, there has been the rise of ‘smishing’ scams. These involve sending text messages to customers that appear to have been sent on behalf of a bank. It’s a sophisticated technique combining number spoofing with the hijacking of legitimate correspondence between bank and customer which makes texts appear on a pre-existing message thread. This tactic affords customers a misplaced certainty that they’re continuing to converse with the Contact Centre.

There’s also the ‘insider threat’ to consider. This phrase is used to describe malicious activity committed by an organisation’s employees. Not only do Contact Centre agents handle sensitive information on behalf of customers, but they also have access to where such information is stored. In an industry well known for its high staff turnover – with current and former employees often having intimate knowledge of identification processes or security flaws – such breaches can be difficult to track.

Whether participants in criminality are willing accomplices or have been coerced into giving up such information, the insider threat represents another example of the unique security challenges facing today’s Contact Centres.

Replacing outdated systems, reducing risk

Bearing all of the above in mind, what should risk and security managers, analysts and advisors be doing to better protect Contact Centres from security breaches?

The first step for risk management professionals should be to audit the legacy systems currently in operation. Awareness is essential to protection, and vulnerability testing is vital when it comes to understanding where systems are weak and what needs to be done to improve security and fraud prevention.

Once weaknesses are identified, a thorough review of digital technologies should be conducted to determine what solutions best fit the needs of the business. When evaluating the available technologies, you need to consider cost, integration, on-boarding and staff training.

The final step should be to focus on how to retire legacy systems with minimal disruption. Many Contact Centres are reluctant to take this step due to how deeply ingrained within the business such systems are, but any hesitation in modernising your organisation – and any foregoing of investment in technologies designed to streamline processes and beef up security – is going to be risky.

Over the last few years, security and fraud prevention technologies have matured significantly. So much so, in fact, that they’ve now moved beyond working alongside older solutions and, instead, justify replacing them.

Adapting security methods through digital technology

To be fully effective in adapting their security methods, risk management professionals need to put digital technologies front and centre. Artificial Intelligence, machine learning and automated decision-making systems are fast reshaping the security landscape. They provide swift, reliable services that streamline processes and grant greater protection.

Machine learning tools are being used to detect patterns in behavioural data, while automated decision-making platforms can identify the anatomy of a fraudulent transaction and direct employees on how best to respond.

The important distinction to make here is between task automation – namely task-centric Robotic Process Automation tools – and automated decision-making tools that encode human expertise. For Contact Centres, the best way in which to reduce security threats is to combine digital technology solutions with processes and employees.

By mapping out the theoretical knowledge of their subject matter experts, and encoding it into their security platforms, the thousands of interactions a Contact Centre churns through each day can be marshalled by the highest level of expertise. This enables organisations to both enhance their security and provide a greater degree of operational consistency along the way.

Such technologies are proving key to delivering excellent customer service and educating employees on how to handle a variety of threats. If the correct actions are taken by a Contact Centre’s agents in response to potential fraudulent activity or a cyber attack, then such threats can be contained and dealt with before the breach becomes too widespread.

In terms of combating the insider threat, regulatory change is driving a rethink in regard to in-house security. The Markets in Financial Instruments Directive II, which came into force in January of this year, and the European Union’s General Data Protection Regulation now compel businesses to ensure that the infrastructure housing personally identifiable information is secure.

Many organisations are opting to migrate to secure cloud-based platforms to hold payment details and card information. This removes agents from the process, subsequently freeing customers from the burden of having to disclose their details over the telephone.

Remaining one step ahead

As technology solutions advance, so too does criminal activity. To create a watertight security and fraud prevention framework within the Contact Centre environment, it’s vital to keep abreast of a security landscape in which fraudulent activity and new technologies develop alongside one another.

To stay one step ahead of criminal innovation, Contact Centre management teams need to change their approach. Replacing legacy systems with automated digital technologies is an essential requirement. By increasing adoption and acceptance of the ‘new’, you can reduce risk and put your organisation’s Contact Centre(s) in a strong position to navigate the challenges that develop with time.

Ben Taylor is CEO at Rainbird AI

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
