Customer service is one of the most frequently outsourced business functions, with outsourced contact centers accounting for approximately 25 percent of the global contact center market. While turning to a third party to handle customer calls may lower costs and drive new efficiencies, it has its fair share of risks.
Whether they are outsourced, offshored, nearshored or using remote workers, contact centers are natural targets for fraud. The sheer amount of sensitive data they handle, store and process is tantalizing for any cybercriminal looking to steal credit card numbers, social security numbers, birthdates, addresses and other Personally Identifiable Information (PII).
At the same time, poor outsourcing decisions account for 63 percent of data breaches across industries, elevating the potential threats within these customer interaction hubs. The result is a perfect storm for contact center fraud. And in an age when a single data breach can cost millions of dollars, ruin a brand’s reputation and damage customer trust, contact centers must continually work to stay a step ahead of fraudsters – no matter how many security controls they have in place or how well they’ve vetted and trained their staff.
However, such fraudulent individuals aren’t necessarily cybercriminals on the FBI’s “Most Wanted” list. Fraudsters come in all shapes and sizes, with a multitude of motives, making it more difficult to prevent or deter an incident. Based on our experience of helping and advising on contact center security, here are five often-overlooked types of fraudsters we think every contact center should be aware of:
Fraudster #1: The Temp: The common practice of bringing in extra staff to handle seasonal peaks in call volumes opens doors to additional “inside” threats. A temporary agent may have little loyalty to a company, and perhaps was not properly trained and vetted – making available PII extremely tempting. For example, a temporary agent could copy down a customer’s credit card number as it is verbalized during a phone transaction. With this information in hand, the agent could order a round of pizzas at lunch or sell the information on the dark web, where stolen credit card numbers with a CVV go for as much as $110 each.
Fraudster #2: The Accident-prone Agent: Not all fraudsters have malicious intentions, and most agents are good, honest people. However, a simple mistake by an agent or any other contact center employee could wreak havoc. For example, an agent answering customer inquiries via email could unknowingly open an attachment containing a virus that quickly spreads across the contact center’s network, stealing customer PII.
Fraudster #3: The Retaliator: Any contact center employee (not just agents) can pose massive data security risks. What if an administrative assistant were to bribe an agent – who has access to unencrypted customer information – to share a few credit card numbers? Motivated by years of being underpaid, the assistant may feel that the crime is justified and snag a handful of card numbers to sell on the black market for profit.
Fraudster #4: The IT Consultant: Potentially, anyone with access to the contact center’s computers could illicitly access any available PII. This includes IT support, another frequently outsourced function. Armed with basic hacking knowledge, and no affiliation to the contact center or its organization, a tech team member fixing an agent’s desktop could covertly insert a Remote Access Trojan (RAT) into the computer. This piece of malware allows the IT consultant to access the device remotely and tap into the contact center’s network, where PII is ripe for the taking.
Fraudster #5: The Maintenance Worker: Less obvious external threats include cleaning crews, HVAC technicians and other third parties with unrestricted access to the contact center’s office – if sensitive data is held within the contact center network. For instance, a devious maintenance worker on the night shift could insert small USB sticks containing keylogging software into the backs of agent desktops. These capture any customer information, including credit card numbers, entered into the computer during the phone transaction. The maintenance worker could collect the USB sticks, filled with PII, the following night and fund an online shopping spree.
They Can’t Hack the Data You Don’t Hold
These five fraudsters, of course, are just a few examples of those who can compromise a contact center’s data security, but serve as excellent reminders of the breadth of internal and external threats. Contact centers (whether or not they are outsourced) must amplify their security and compliance efforts to lower risks. For example, organizations should conduct in-depth employee background checks and ensure outsourced service providers obtain the proper security certifications. Educate staff on emerging threats and seek technologies that tokenize or encrypt PII.
Another frequently used security tactic requires agents to work in clean rooms, where writing materials, cell phones, bags and other personal items are prohibited. While this prevents agents from copying down credit card numbers, or accidentally downloading malware, it does not deter outside hackers or unassuming third parties from tapping into data stored on the network. Moreover, clean rooms contribute to poor employee morale and lead to high turnover rates, so they are not the ideal fraud deterrent.
However, clean rooms, training programs and tokenization technologies can only go so far. To make a contact center an ultra-high security zone – without compromising job satisfaction or spending valuable time updating incident response plans – simply remove sensitive data from the contact center environment. The more “toxic” data is kept out of the network, the less of a target the contact center will be for fraud: they can’t hack the data you don’t hold.
Emerging technologies like dual-tone multi-frequency (DTMF) masking solutions can help in this department. Many contact centers are adopting DTMF solutions to shield numerical PII from agents, nearby eavesdroppers and even call recording systems by allowing callers to directly input their information into the telephone keypad. The keypad tones are masked with flat ones so no one can decipher them, while the PII is sent straight to the appropriate third party (such as a payment processor). This means that the data never touches the contact center’s infrastructure, keeping it out of the wrong hands.
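The masking step described above, as an added sketch that is not from this article or from any vendor's product: keypad tones are detected frame by frame with the Goertzel algorithm, the agent and recording leg receives one flat tone in their place, and the digits are returned separately for the payment processor. The frame size, detection threshold, 400 Hz replacement tone and sample input are assumptions chosen for illustration.

```python
import math

FS, N = 8000, 205                      # sample rate (Hz), samples per frame
ROWS, COLS = (697, 770, 852, 941), (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")
THRESHOLD = (0.2 * N / 2) ** 2         # assumed: power of a tone with amplitude 0.2
MASK_HZ = 400                          # assumed flat replacement tone

def tone(freqs, amp=0.5):              # one frame: sum of the given sine tones
    return [sum(amp * math.sin(2 * math.pi * f * n / FS) for f in freqs)
            for n in range(N)]

def goertzel(frame, freq):
    """Signal power at a single frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def detect(frame):
    """Return the keypad digit carried by the frame, or None."""
    row = max(ROWS, key=lambda f: goertzel(frame, f))
    col = max(COLS, key=lambda f: goertzel(frame, f))
    if min(goertzel(frame, row), goertzel(frame, col)) < THRESHOLD:
        return None
    return KEYS[ROWS.index(row)][COLS.index(col)]

def mask_call(frames):
    """Split caller audio into (agent_leg, digits_for_processor)."""
    agent_leg, digits, previous = [], [], None
    for frame in frames:
        digit = detect(frame)
        if digit is None:
            agent_leg.append(frame)            # speech passes through untouched
        else:
            agent_leg.append(tone([MASK_HZ]))  # same flat tone for every key
            if digit != previous:              # count each key press once
                digits.append(digit)
        previous = digit
    return agent_leg, "".join(digits)

def sample_call(digits="4111"):
    """Constructed input: speech stand-in, then key presses separated by silence."""
    frames = [tone([440])]
    for d in digits:
        r = next(i for i, row in enumerate(KEYS) if d in row)
        frames += [tone([ROWS[r], COLS[KEYS[r].index(d)]])] * 2 + [[0.0] * N]
    return frames
```

Calling `mask_call(sample_call())` returns the agent-leg audio and the captured digits; running `detect` over the agent leg finds no keypad digits, which is the property a call recording of that leg inherits.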
Although it is virtually impossible to prevent every type of fraudulent activity, contact centers can reduce risks by recognizing the many faces of fraud and by keeping as much toxic information as possible out of their networks in the first place. These proactive efforts will help organizations stay a step ahead of fraud, create a safer work environment and keep brand names out of the news for falling victim to a devastating data breach.