Fraud, unfortunately, has become pervasive in customer interactions, whether these take place in person, online, or yes, through the contact center.
The challenge becomes finding ways to prevent fraudsters from reaching contact centers and agents without making the customer experience (CX) so burdensome that customers walk away from or hang up on businesses.
To find out how organizations can protect themselves (and ultimately their customers) from fraud through risk mitigation, while still ensuring a positive CX, I recently had a virtual conversation with Richard Tsai, Senior Director, Global Fraud Solutions at TransUnion.
Q. What are the big trends that you are seeing with customer fraud?
The volume of U.S. data breaches has never been higher. And with the seeming ubiquity of these events across industries, organizations are facing greater financial exposure while consumers may be modifying their behaviors to avoid becoming victimized.
TransUnion’s 2024 State of Omnichannel Fraud Report, assembled from proprietary insights gleaned from our global intelligence network, notes that data breaches in the U.S. reached a record volume of 4,903 events. [These include] both primary (or direct) and indirect, third-party attacks.
Between 2020 and 2023, data breaches increased by 156%. While healthcare and education took the brunt of total attacks, the financial services industry saw the greatest number of direct attacks: mainly because that’s where money lives.
Our report also finds that synthetic identity fraud is on a precipitous rise. It is the fastest-growing type of digital fraud, with incidents up a striking 184% from 2019 to 2023. Bad actors are putting stolen identity credentials to work in establishing fraudulent digital accounts and creating multibillion-dollar exposure for lenders.
All types of digital fraud are growing, with account takeovers (ATOs) the most common type in 2023, followed by credit card fraud and identity theft. And for financial services organizations, in particular, the call center remains a vulnerability as a customer service channel.
Q. What types of consumer data are being stolen?
Almost all data breaches involve the exposure of individual names. But nearly two-thirds involved birth dates, and more than half involved Social Security numbers: enough for bad actors to begin building completely new synthetic identities and personas to commit fraud.
With the sensitivity of their credentials in mind, 50% of consumers consider personal data security when deciding to transact with an online company. Further, 79% expressed that having confidence in personal data security is very important in transactional relationships.
While businesses must collect a certain amount of personal information to establish client accounts, they continue to walk a fine line. [They must balance] their needs to perform identity proofing, which is the process to understand who their customers are, with consumers’ desires for secure and simple processes.
High levels of friction continue to be an issue, as 52% of people have abandoned online financial and insurance applications citing safety and ease.
For consumers, giving away what they perceive as too much information may give pause. Nearly half of Americans who walk away from online applications do so because the need to provide too much information is off-putting, and often there is a sense that personal data won’t remain secure.
Q. Is it true, then, that digital accounts aren’t always what they seem?
Yes, unfortunately. Consumers are right to second-guess to whom they entrust their information. With the amount of personal data exposed, fraudsters have plenty of ammunition to work with. Even a few pieces of legitimate data are enough to develop illegitimate credit profiles that can cost businesses billions of dollars.
Although the proportion of newly opened digital accounts in the U.S. associated with synthetic identities seems relatively small, at less than one percent at year-end 2023, the financial exposure for lenders is huge. Combined, lenders for auto loans, bank credit cards, retail credit cards, and unsecured personal loans are exposed to an estimated $3.1 billion in potential losses.
According to our report, globally 13.5% of newly created digital accounts in 2023 were suspected to be fraudulent, and certain industries seem distinctly attractive to bad actors.
In retail, 44.7% of new digital accounts were suspected to be associated with digital fraud. In travel and leisure, the proportion was 36%, while the proportion was 31.5% in video gaming. Fraud in the account creation process - encompassing account signup, registration, and loan origination - far surpassed ATO risk during account logins (3.2%) or fraud risk during financial transactions (2.5%).
Fraudsters appear to be adopting the approach of using stolen credentials to create digital accounts that they can control from the outset. Although this synthetic identity fraud is growing in prevalence, bad actors’ tried-and-true methods aren’t going anywhere.
As organizations rely on an omnichannel approach to engage with customers and prospects, they must be vigilant in monitoring all touchpoints for vulnerabilities, including the call center.
Q. Why are contact centers still being attacked by fraudsters?
Contact centers remain targeted for credentials. When seeking answers to questions or resolutions to issues, consumers often turn to an organization’s call center for swift and reliable service. Having access to an agent who can provide guidance and assurance is key to building trust, but this human element continues to be exploited by fraudsters.
In 2023, bad actors increased their attacks on call centers in bids to garner personal information and credentials to prepare their ATOs. From 2022 to 2023, we measured a 55% increase in the percentage of high-risk inbound calls to U.S. contact centers.
Fully one-third of organizations consider the contact center as a leading source for ATOs, and that number nearly doubles within one high-value industry: financial services. According to earlier reports, 60% of financial institutions are concerned that call centers are inadvertently releasing enough information to illegitimate callers to facilitate ATOs.
Institutions without the proper vetting practices in place to authenticate callers before agent interactions even begin are placing themselves and their customers in a precarious position. Once connections are made, fraudsters have a better chance of using social engineering and ill-gotten credentials to burrow further into customers’ business and cause often irreparable damage.
Q. What steps can be taken to minimize and mitigate fraud risks and attacks?
There are several moves that organizations and contact centers can make.
1. Reduce exposure by sequestering high-risk calls.
Financial institutions and other organizations can mitigate risk in the contact center - and, by extension, to their customers - by putting systems in place to scrutinize calls before their instigators are placed in a position to do further harm. These criminals apply social engineering tactics to agents or enter stolen credentials in IVR systems to gain full account access.
By identifying incoming calls as high-risk, organizations can use additional tactics and evaluation on those contacts to determine the authenticity of the callers before divulging any sensitive information. Calls that are low-risk and trusted, on the other hand, would be allowed to proceed through the system with minimal friction, maintaining a positive, friction-right experience for legitimate callers.
One way organizations can implement such a practice is by recognizing where calls originate from. In our 2024 report we found that calls from non-fixed Voice over Internet Protocol (VoIP) numbers were disproportionately high risk.
Making up only 3% of total call volume in 2023, VoIP calls were tagged as high-risk 61% of the time. In comparison, mobile phones accounted for 84% of calls, and only 2.4% were noted as high-risk for fraud. This is due to the fact that fraudsters tend to use tools that spoof phone numbers, which predominantly leverage VoIP.
2. Leverage additional call data and standards available.
Organizations can go a step further and take advantage of solutions that provide additional data points to determine, nearly instantly, the potential threat of an incoming call. While a phone number can be spoofed, there are other qualities that can’t be masked, such as the type of device, call history, call routing, and length of device ownership or use.
To help organizations combat fraudulent calls, phone carriers have also adopted STIR/SHAKEN standards, which use certificates to digitally sign phone calls and document authenticity. Each call receives an attestation rating from carriers, indicating the level of confidence in the trustworthiness of the call.
This type of signal information can help organizations that are of particularly high value to fraudsters, such as financial services companies, identify calls that need a higher level of scrutiny and even perhaps trigger fraud department intervention. The idea is that bad actors will become uncomfortable enough with deeper examination that they will abandon their efforts and move on.
While even STIR/SHAKEN standards may not label every fraudulent call, they do provide an important tool in the ever-growing arsenal to combat fraud. It is critical for enterprises to be aware not only of the standards but also of how they can be leveraged to provide actionable information.
3. Step up to stay a step ahead.
Of course, organizations of all stripes must remain vigilant to prevent fraud, but they must also keep abreast of new tactics adopted by increasingly savvy fraudsters. As entities put up new roadblocks, bad actors tend to respond with new techniques to get around them or simply find another way in.
As our report demonstrates, fraud in multiple channels is persistent. Constant innovation is necessary to thwart bad actors while protecting customers and their sensitive information.
By continuously seeking better data, analytics, and technology, organizations can implement a friction-right authentication approach at any point of the customer journey. [Thereby] ensuring a positive experience for trusted clientele while dissuading fraudsters from their malicious intentions.
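Steps 1 and 2 above, sketched as an added example that is not from the interview or from TransUnion: it reads the attestation level from a STIR/SHAKEN PASSporT in a SIP Identity header (claim names per RFC 8588) and combines it with the line type to choose a handling tier. It assumes the carrier's verification service has already validated the signature, that `line_type` comes from a separate number-intelligence lookup, and that the weights and 60-second window are hypothetical policy values.

```python
import base64
import json

MAX_AGE = 60  # seconds; assumed freshness window for the "iat" claim
ATTEST_RISK = {"A": 0, "B": 1, "C": 2}  # hypothetical weights, tune locally


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj


def read_passport(identity):
    """Return (header, claims) from an Identity header; signature NOT verified."""
    token = identity.split(";", 1)[0].strip()
    head, body, _sig = token.split(".")  # ValueError unless exactly 3 parts
    return _b64url_json(head), _b64url_json(body)


def triage(identity, line_type, caller_tn, now):
    """Map one inbound call to 'normal', 'step_up' or 'sequester'."""
    attest = None  # unsigned calls are scored like attestation C
    if identity:
        try:
            header, claims = read_passport(identity)
            if header.get("ppt") == "shaken":
                if abs(now - claims["iat"]) > MAX_AGE:
                    return "sequester"  # stale token: possible replay
                if claims["orig"]["tn"] != caller_tn:
                    return "sequester"  # signed number differs from presented one
                attest = str(claims.get("attest"))
        except (ValueError, KeyError, TypeError):
            return "sequester"  # malformed token is itself a signal
    score = ATTEST_RISK.get(attest, 2) + (2 if line_type == "non_fixed_voip" else 0)
    return "normal" if score == 0 else "step_up" if score < 3 else "sequester"


def sample_identity(attest, tn, iat):
    """Build a constructed Identity value with a fake signature (test data)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sti.pem"}
    claims = {"attest": attest, "dest": {"tn": ["12025550100"]}, "iat": iat,
              "orig": {"tn": tn}, "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{enc(header)}.{enc(claims)}.c2ln;info=<{header['x5u']}>;alg=ES256;ppt=shaken"
```

A fully attested call from a mobile line passes with no added friction, while the same attestation on a non-fixed VoIP line is stepped up and anything weaker on that line type is sequestered.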