Phone Phishing: Are your Agents Too Helpful?

By George T. Platt

According to a study commissioned by the Federal Trade Commission, last year over 9.9 million Americans were victims of identity theft, at a total cost of nearly $50 billion – an average of almost $5,000 per victim. The first thing many people associate with identity theft is computer hacking or Internet security breaches. The reality is that online and perimeter intrusions contribute far less to the identity theft problem than disgruntled employees, friends, and relatives.

One of the most prevalent and accessible methods of gaining access to personal data is the simple process of picking up the phone and calling a customer service call center. Customer service agents are trained to “take care” of callers and often will go to great lengths to be helpful. This is just what an identity thief is counting on. The concept of taking advantage of helpful customer service agents to steal information over the telephone is sometimes called phone phishing or pretext calling; in a broader context it can be referred to as social engineering. Phone phishing is particularly disturbing because unlike Internet phishing, the victim is not involved and is completely unaware that someone else is calling pretending to be them. With just a few calls, thieves can gain the bits and pieces of data required to assemble unquestioned access to a customer’s accounts and other information. In fact, criminals find the telephone very attractive because it is inherently faceless, hard to trace, inexpensive, and they know that companies are relying on information alone for identity verification.

They’ve Got Your Number: Whether we like it or not, we have become a number. Our personal information essentially becomes our identity as we interact with entities such as banks, insurance providers, and the government. In many cases, access to our accounts can be had with little more than these six core pieces of information:

  • Social Security Number/Insurance Number
  • Mother’s Maiden Name
  • Date of Birth
  • Name
  • Address
  • Phone Number

The nature of each business relationships determines how much or how little information is available. However, many lenders and providers share information with each other in the normal course of doing business. Furthermore, five out of six pieces of our core identity are publicly available. If it seems it could not get any worse, our identity information resides in thousands of places, online and offline.

The Evolution of Self-Service: The evolution of our reliance on customer self-service is adding to the risk of exposure. In the past, most self-service applications were used to automate simple tasks involving information retrieval. Now self-service systems allow the user to actually execute transactions such as bill payment, product procurement, or securities trades to name a few. The ability to actually execute transactions with no human interaction after identities have been stolen can increase the risk of loss associated with identity theft.

Solving the Problem: The obvious answer for call centers to stopping identity theft and fraud is simply to verify identities better, with something more than information alone. Verifying that the information provided matches the information on file is no longer sufficient to allow access to account information or transactions to be executed.

Protecting callers’ personal data, while keeping interactions fast and easy, is the foundation of strong customer loyalty and a key to increasing customer retention. In order to attain this goal, it is important to reduce the likelihood of human error from the identity verification process. Unfortunately, criminals prey on the good intentions of customer service agents. Improving agent training is an important part of a comprehensive fraud prevention program. However, high turnover rates and a desire to help callers will always make live agents a point of risk.

So, with the human element remaining a threat, what can be done to prevent this growing problem? Individual action is a start. As individuals who use online banking or make purchases over the phone, we should be protecting our identity with the same passion that we protect our personal safety. Just as we install a home security system for protection, individuals should also install firewalls on home computers, encrypt their wireless network, and decide to use better passwords.

The community as a whole can also be a strong deterrent of identity theft. Institutions can require cardholders to activate new credit cards by calling from a home phone, place a hold on deposited checks exceeding a certain amount, or require strong passwords for online banking. It would also help to compare personal information provided against information in a database before granting access to an account over the phone.

As with most other crimes, crime prevention can also be a strong deterrent to the problem. For years, financial institutions have been using automated pattern recognition systems to detect credit card buying patterns that do not match the normal behavior of the credit card holder. These solutions are becoming increasingly sophisticated, looking not only for patterns within an individual account, but also for patterns across multiple accounts.

All of these solutions could certainly play a large role in stopping identity theft through the telephone. However, just as with the problem itself, these solutions largely involve a human factor.

The Technology Solution: As with identity theft and fraud through the computer, the most reliable way to prevent identity theft and fraud through the telephone is through the use of technologies that take away the human factor. Automated systems remove live agents from the identity verification process, allowing an identity to be confirmed before a caller can reach an agent who is willing to give out sensitive information.

Automated voice systems can empower users to protect themselves by offering a simple voiceprint enrollment process that takes approximately one minute to complete. On subsequent calls, the voiceprint becomes one of the key factors used to verify a customer’s identity. At the same time, behind the scenes, an application performs behavior pattern tracking an analysis as customers interact with the automated system. For example, the system can monitor for too many calls from the same phone number inquiring on different accounts within a period of time.

The reliable authentication of customers using something as unique as a voice print can save agent time, while reducing the caller’s responsibility for remembering the myriad of PINs, passwords, and security questions. Furthermore, automating this process plugs a vulnerable security leak, our thoughtful agent, while freeing these same agents to address issues for callers who have already been authenticated.

In addition to providing authentication and reducing the number of common requests received by live agents, the return on investment for voice-based applications is considerable. Datamonitor reports call centers currently deal with 26 billion call minutes per month; by 2007 this will increase by 35 percent to 35 billion. On average, providing customer service in the traditional agent-assisted manner within a call center costs $9.50 a call, therefore the return on encouraging callers to use self-service channels companies can be a financial windfall.

With the emergence of standards like VoiceXML and SALT, and support from major software and hardware vendors, speech automation is rapidly moving into the mainstream. Call centers can now extend their investments in Web-based infrastructures to include voice-based applications. The ability to manage one code base for both Web- and voice-enabled applications makes it possible to extend new self-service Web capabilities to customers/employees.

Conclusion: In the 1970s, when the call center was first introduced to provide centralized customer service, verifying customers using information alone may have seemed like a reasonable security measure. Today, this weakness is exposed with the convergence of identity theft and fraud, the digitization of information, and the affordability and ubiquitous nature of the Internet. Telephone security had not changed in 30 years, but the introduction of voice-based authentication and automated voice applications can now remove customer service agents from the identity verification process, reduce call times and customer frustration, improve call center profitability, and create customers for life.

George Platt is currently Senior Vice President and General Manager of Intervoice’s Enterprise Business Unit where he is responsible for product marketing, product management, services marketing, software product development, and professional services within the enterprise sector.

[From Connection Magazine Jul/Aug 2005]