Call centers are susceptible to fraud partly because of their helpful nature. The systems and agents we use in our call centers are there to help our customers, to make it easier for them to find information. Unfortunately, that plays right into the hands of fraudsters.
While companies focus massive security efforts on preventing online and email fraud, call centers are equally vulnerable. We can’t afford to take our call center security any less seriously than our online or physical security.
One reason phishing is so insidious is that it can be very low-tech, flying well under the radar. It’s basically a confidence scam that plays on human psychology.
Fraudsters get personal information out of consumers any way they can, and they use that information to get even more information, eventually leading to credit card numbers, Social Security numbers, account numbers, et cetera.
In phone phishing, or vishing, fraudsters either call consumers or get consumers to call them through fake emails supposedly from their bank or other institution. Once on the phone, consumers think they’re talking with their bank and share information.
Many scams begin with a lost or stolen wallet, but in dumpster diving, fraudsters actually go through your trash as if you were a celebrity, looking for any data they can find. Dumpster diving, although inefficient and very visibly illegal, can give fraudsters basic information to get their scam started.
Fraud on the Phone
Armed with a certain amount of information, fraudsters can phone call centers and try to extract more information from helpful, unsuspecting customer service agents. (When your job is to help people, it’s hard to turn that off or even know when you’re supposed to turn it off.)
By using human psychology, just like tricksters and con artists have done for eons, a fraudster can play a coy game and extract information from customer service agents. Once they have enough data, they can begin phony transactions that look legit on the surface.
In the recent Target and Neiman Marcus breaches, fraudsters gathered info and flooded the black market with it: “very high-quality information that would confound most fraud filters and rules-based engines,” according to CardNotPresent.
Worse Before It’s Better
According to reports, the recent breaches have wreaked havoc on every level of the payment chain.
The breaches have been “an unmitigated disaster for retailers, card issuers and service providers up and down the payments value chain. Just about every one of them can point to real financial impact from the events that began in the last year and continue to threaten them into 2014,” said CardNotPresent.
In a recent report, the Federal Bureau of Investigation told U.S. retailers that another form of attack—using “memory-parsing” malware against point-of-sale (POS) systems to gather information—will increase in the near future.
“We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms’ actions to mitigate it,” the FBI report says, according to Reuters. “The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cyber crime attractive to a wide range of actors.”
And FBI agents aren’t the only ones saying this.
“For merchants that accept card-not-present payments and companies that support them, the forecast could be not only continued unsettled conditions, but a full-on storm to rival what the industry at large just went through,” writes CardNotPresent.
To protect our customers’ sensitive data against an ever-increasing onslaught of fraud, we have to lock down security in our call centers. This goes for the present and also the future.
We’ll have to look to innovations like today’s voiceprint biometrics and tomorrow’s phoneprinting and multilayer security techniques.