As technology evolves to support new ways of doing business and expands card not present transactions, it also creates new opportunities for fraud, like botnet attacks and static biometric fakery.
In the push to fight back against these new types of fraud, it's easy to overlook an old-fashioned vector like telephone conversations, which can also impact card not present fraud. Fraudsters know they can sometimes manipulate customer service representatives into giving up information ranging from account access to state secrets, at tremendous cost to the organizations they attack. Sadly, customer service teams may be the most vulnerable part of a company's fraud-prevention program.
So-called vishing, or voice phishing, is less common than email-based phishing schemes, but it can be very expensive. Forbes reports that the average cost of a successful vishing attack against a business is $43,000 per account compromised. And the stakes can be even higher.
How can companies guard against these attacks?
Most companies require customer service representatives to ask callers for their full name, address and date of birth before proceeding with service on an account, but all that information is easy to find online or on discarded documents salvaged from trash or recycling bins.
Some companies go a step further and require the customer to verify their account number and perhaps all or part of their Social Security number. However, stolen Social Security numbers are increasingly available on the black market, and account takeover fraud is so frequent now that possession of an account number may not guarantee the caller's identity. Moreover, calls to a live person don't undergo the same digital fraud checks that an online transaction does, like IP address, device identity, and behavioral biometrics.
But there are steps companies can take to tighten customer service security, like a standardized, multistep process for authenticating callers and strict rules on what information can be changed or shared on the phone. Customer service reps are trained to keep customers happy, and if they have some leeway they may share information that risks security—either to placate an angry caller or because a friendly caller has built a rapport with them.
To avoid scenarios in which a service rep feels bullied or lulled into complying with an insecure request, companies need a clear flowchart of authentication steps for customer service reps to follow, plus a clear explanation of what to do when the caller can't provide the required information—with the assurance that managers will support them in those situations. This means customer service managers must also be trained and ready to take over in situations in which a caller demands information without authentication.
Another best practice is to prohibit callers from changing PINs and passwords over the phone. Requiring customers to go online to change account access information means that companies can screen those requests with digital authentication tools, which can raise flags if geolocation, device identity or other factors don't match the customer's history and profile.
By training customer service teams to recognize vishing attempts and giving them the resources and authority to stop scammers from compromising customer data, companies can reduce their risk of losing money, customer trust, and valuable data. Good customer service keeps customers happy, but great customer service keeps customers' data safe, too.