In the past, a contact center agent could be reasonably secure in knowing who was at the other end of the line. And if they weren’t, answers to security questions, a verbal password, or a request to send a one-time passcode (OTP) would solve the issue.
Those days are gone, as voice deepfakes – in which a real person’s voice is cloned from snippets of it – is one of the biggest risks facing modern businesses and their contact centers.
Today’s attacks are increasingly sophisticated, putting contact centers at greater risk than ever before. In fact, our recent survey of contact center business leaders revealed that nearly 60% experienced incidents of stolen personal information used to bypass knowledge-based authentication. Additionally, 54% of them report cases of spoofing used to impersonate legitimate customers (see included article by Jonjie Sena).
Fraudster Goals
Fraudsters approach the contact center with several goals in mind. Some want to validate or enrich data breach data sets that they plan to sell on the dark web. In this instance, someone with a long list of data breach information will call contact centers to verify active or valid accounts, or that the victims’ phone numbers are still known to that organization.
Since contact center agents are trained to be helpful, they can be easily manipulated and are a favorite target for threat actors.
Meanwhile, other fraudsters may try to socially engineer the agents to collect more personally identifiable information (PII) they can add to their existing data, which they then sell for a higher price on the dark web. This enriched data set becomes more valuable for crime rings to plot out larger and more successful attacks.
Yet another tactic of threat actors is to use the PII of the recently deceased, taking multiple pathways to gain access to the victim’s account and ultimately their funds – including, you guessed it–through the contact center.
The victim doesn’t have to be deceased, of course; the PII of billions of people is readily available for purchase on the dark web. A lawsuit last year alleged that the personal financial data of nearly three billion people may have been compromised.
Pivotal Role of Contact Centers
Since contact center agents are trained to be helpful, they can be easily manipulated and are a favorite target for threat actors. In fact, contact centers are such a profitable business for fraudsters that crime rings are happy to set up their own outbound contact centers to target them.
Human agents are the front line of an organization, and the weakest link, making this type of process automation one that pays to scale.
That certainly is the case with account takeovers (ATOs), where, as the name implies, fraudsters take over victims’ accounts. Many of them are multi-staged, multi-channel attacks which involve the contact center. In ATOs, fraudsters use one or more channels to get information, then go to another channel to complete the frauds.
In these attacks, often the fraudsters will spoof the victims’ phone numbers to reach the customer service agents and then use the stolen PIIs to get past the agents’ authentication process to gain access to the accounts. In some instances, threat actors will manipulate the agents and trick them into resetting the victims’ account passwords.
Once fraudsters have these credentials, it’s game over. They can log on and transfer money out of the victims’ accounts.
If, however, the victims are employees and the threat actors gain access to their accounts, they can infiltrate a company’s network, which could lead to a ransomware attack.
How Call Spoofing Impacts Outbound Calling
By Jonjie Sena
Imposter scams, call spoofing, and data breaches are exploding, and they often involve the phone channel. AI advances and with them large language models (LLMs), and deepfake technologies (see main article), are making it even trickier and riskier for consumers trying to tell the difference between real and fake outbound phone calls.
As a result, even though consumers and businesses alike consider the phone as the most important communications tool, wary consumers are just not picking up. While bad actors are tapping into many channels to commit fraud, the phone is often seen as the tipping point for consumers: who feel reassured enough by human (or deepfake) voices to click on text or email links or share one-time passcodes.
In fact, the Federal Trade Commission (FTC) noted consumers lost over $12.5 billion in fraud last year. People lost more money per person when having interacted with scammers on the phone: an average of $1,500 per individual. And once again, imposter scams topped the list of fraud reported.
Loyalty, Costs
Call spoofing, data breaches, and imposter scams don’t just impact consumers, they also affect businesses: especially financial institutions. And in a recent TransUnion-commissioned study by Forrester Consulting, 63% of decision-makers rated call spoofing among their top five challenges in outbound voice and the second reason why customers are not answering calls.
So, let’s look deeper into call spoofing and why it is so damaging. Call spoofing occurs when a caller intentionally falsifies the phone number and caller ID information transmitted by phone. It’s often used in imposter scams to make calls to consumers look legitimate — commonly appearing as a financial institution or other trusted business partners — to steal money or personal information.
There are numerous measures businesses can take to reduce call spoofing, including branded calling and spoofed call protection.
In addition to financial losses from fraud and scams, research shows the threat of call spoofing damages customer relationships and loyalty. Consumers are all too happy to change their financial service firm, for example, if they lose trust in their ability to protect them from fraudulent schemes.
Call spoofing also leads to a loss of trust, increasing service tickets and decreasing the effectiveness of outbound communications campaigns.
Steps to Protect
Despite the recognized need for robust solutions, discovering effective call spoofing protections remains challenging. 67% of decision-makers in the Forrester Consulting study consider protection against call spoofing and related fraud as essential for enhancing customer engagement and increasing contact rates.
There are numerous measures businesses can take to reduce call spoofing, including branded calling and spoofed call protection. Branded calling enables businesses to add rich call content to the mobile display, including their names, numbers, logos, and reasons for the calls.
In addition, calls receive end-to-end call authentication, ensuring they haven’t been spoofed. 62% of decision-makers said an indication on mobile display that the call is authenticated and hasn’t been spoofed is important or critical to increasing customer engagement/contact rates.
Spoofed call protection enables organizations to digitally “sign” their own calls so they can distinguish between legitimate and spoofed calls and apply proper call treatment. This puts call authentication in the hands of the business: which is clearly vested in protecting itself and its customers from spoofed calls and the financial damage they can inflict.
When a company signs its own calls, it can ensure full end-to-end call authentication: and help to prevent spoofed calls before they even reach the consumer.
Jonjie Sena is Vice President of Product Management for TransUnion, responsible for driving the go-to-market strategy for Contact Center and Communications Solutions. In this role, Jonjie focuses on helping businesses overcome the impacts of call spoofing and robocalling so they can restore trust in phone calls.
Steps to Guard Against Voice Attacks
Contact center agents are not fraud experts, nor should they be. Unfortunately, as AI has grown more sophisticated, voice authentication is no longer reliable. To think you’ll be able to tackle AI voice clones with a singular AI deepfake detection capability is a losing cat-and-mouse game.
Instead, organizations should do as much as possible to prevent fraudsters from ever reaching the customer service agent. They should design a pathway that criminals must follow before reaching the agent so that if they get to the agent, they’ve at least moved through several gates of fraud controls first.
Contact centers should also devise a customer experience (CX) based on their risk signals so they can direct different segments of customers to the right pathways. You want to apply a strategy that implements as many risk signals as possible before a call reaches the customer service agent.
How to Execute These Strategies
First, invest in technologies like pre-answer forensic network caller authentication that can verify calling devices with phone numbers before they reach the agents. When combined with technology that automatically matches the calling numbers to the customers’ information in the CRM system, contact centers can be confident that the callers are who they say they are.
These technologies allow existing customers to have a frictionless path to a service agent while being easily authenticated. Customers can avoid the more frustrating, time-consuming experiences of answering a series of knowledge-based questions they may have forgotten; contact centers can aim to avoid this more insecure method of authentication that puts customer information at risk.
With the right technology and pre-answer strategies in place, contact centers can go back to doing what they do best…
Second, when pre-answer technology detects risks, organizations could route calls to additional authentication methods within IVR systems, and eventually to level-two support teams. This would ideally involve agents who are more experienced with certain types of fraud, so they can decide whether to escalate to the fraud department.
For contact centers, pre-answer technology can assess risk before AI deepfakes are attempted, and critically, before the human agents get involved. Because the moment you involve a human, the social engineering risk factor increases exponentially.
It’s vital to remember that the contact center may not always be “ground zero” for the ultimate attack, but it plays a large role in the fraudster’s journey to their end goal – theft – by giving them the additional “puzzle pieces” they need.
With the right technology and pre-answer strategies in place, contact centers can go back to doing what they do best: providing a seamless, helpful, and satisfying experience for customers.
