Published: April 23, 2018
No matter the industry, contact centers are prime targets for fraud. With sensitive data, like payment card numbers, Social Security numbers and other personally identifiable information (PII), flowing through the environment, it is easy to see why hackers and fraudsters are looking for ways to exploit these customer interaction hubs. In fact, a stolen credit card number with a CVV can sell for as much as $110 on the dark web, while medical records can go for upwards of $1,000.
However, not every threat comes from a deliberate fraudster. A simple mistake by a customer service representative (CSR) or agent can compromise PII and lead to a costly, brand-damaging data breach. Of course, most CSRs are honest and trustworthy people, but it takes just one bad seed to wreak havoc on a company. At the same time, many contact centers still rely on outdated and risky data collection practices that leave exploitable gaps in their security strategy. For example, 70 percent of contact centers that collect payments require customers to read their credit card numbers out loud to a CSR, which exposes the data to the staff members, call recording systems and even nearby eavesdroppers.
With so many risk factors, contact centers must stay a step ahead of fraudsters, regardless of how many security controls they already have in place. Although fraud comes in many shapes and forms, our years of experience helping and advising on contact center security have turned up a few stand-out characters that we come across again and again. The five most common types of threat we see are:
1. The Tempted Temp: Temporary agents, such as those hired to handle seasonal surges in call volumes, can pose a serious threat to contact center data security - whether due to a lack of loyalty to the company or a lax employee screening process. For companies that require customers to read their card numbers aloud when conducting phone payment transactions, the readily available PII can be incredibly tempting to a temp worker or any "rogue" agent. Those who do not work in clean rooms (where writing materials, cell phones, and other personal items are prohibited) can copy down or record callers' card numbers to fund an online shopping spree or order lunch.
2. The Credulous Clicker: Even the most trustworthy employee can accidentally expose sensitive customer data, especially if the PII resides within the contact center environment. For example, an agent may click on a link or open an email attachment thinking it is from a customer, only to unleash a virus. That virus can spread across the contact center's IT network, stealing customer data and landing the company in the news for suffering a major breach.
3. The Vengeful Victim: There are other employees inside a contact center's organization, in addition to agents, who can threaten data security. Consider this: an administrative worker with a grudge against management bribes an agent to share customer payment card data, thinking that the stolen funds will compensate for being underpaid. With this information stored and accessible in CRM systems, the agent hands over hundreds of credit card numbers which the vengeful employee sells on the black market.
4. The Hidden Hacker: Anyone who comes in contact with contact center agents' computers could illicitly access sensitive data stored in a network. For instance, someone from the IT support team with a secret affinity for hacking could discreetly introduce a Remote Access Trojan (RAT) into a computer. This little piece of software allows the device to be accessed remotely, enabling the hacker to tap into copious amounts of customer data.
5. The Contract Cleaner: If data is held in a contact center's IT environment, anyone with access to the facility can get their hands on PII. With unrestricted access to a contact center's office, cleaning crew members could easily slip tiny USB sticks, which contain key logging software and a Wi-Fi transmitter, into several computers. That software could capture detailed information on customer transactions, including payment card numbers - all accessible to a conniving cleaner who collects the unnoticed USBs the following week.
These are just a few examples of the types of fraudsters that contact centers encounter - any one of them can adversely impact an organization and its brand. To protect one's company, customers, data, and CSRs, follow best practices such as training staff to recognize attacks, conducting proper employee background checks, and encrypting or tokenizing PII. But, there's an easier way: remove as much sensitive data as possible from the contact center environment.
For instance, adopt solutions that descope contact centers from compliance with the Payment Card Industry Data Security Standard (PCI DSS). This includes dual-tone multi-frequency (DTMF) masking technologies, which allow customers to enter numerical PII directly into their phone keypad. Such solutions replace DTMF tones with flat tones, shielding data from CSRs and even call recording systems. The agent can remain on the line in full voice communication with the caller, while data is sent straight to the appropriate third party, such as the payment processor, bypassing the contact center's IT infrastructure altogether. This technology not only helps descope direct phone-based payments but can also be used to remove and protect sensitive data across other customer interaction channels, including online chat platforms, social media, email and more.
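The masking step described above can be modelled in a few dozen lines. The following is an added example written for this page, not a vendor's implementation: it scans a call-audio buffer in short frames, uses the Goertzel algorithm to spot the row and column frequencies of a keypad press (the standard DTMF frequency table), and replaces those frames with a single-frequency "flat tone", so the recording keeps the voice path but none of the digits, while the detected keys are returned separately for forwarding to the payment processor. The 8 kHz sample rate, the 25 ms frame, the 400 Hz flat tone, the thresholds, the one-frame guard on either side of a press and the constructed call signal are all assumptions made for the demonstration.

```python
"""Toy model of DTMF masking for a contact-center call recording.
Added example, not vendor code: keypad tones (DTMF) in an audio buffer are
detected with the Goertzel algorithm and those frames are swapped for a flat
single-frequency tone, so the recording keeps the voice path but not the
digits. Pure Python, 8 kHz mono float samples."""
import math
import random

SAMPLE_RATE = 8000
FRAME = 200                                   # 25 ms analysis frames (assumed)
LOW_FREQS = (697, 770, 852, 941)              # DTMF row frequencies (Hz)
HIGH_FREQS = (1209, 1336, 1477, 1633)         # DTMF column frequencies (Hz)
KEYPAD = ("123A", "456B", "789C", "*0#D")     # KEYPAD[row][col]
AMP_THRESHOLD = 0.10          # minimum per-tone amplitude to count as a key press (assumed)
MASK_FREQ, MASK_AMP = 400, 0.3  # the "flat tone" substituted for each key press (assumed)


def sine(freq, start, count, amp):
    """`count` samples of a sinusoid, phase-continuous from absolute sample index `start`."""
    return [amp * math.sin(2 * math.pi * freq * i / SAMPLE_RATE)
            for i in range(start, start + count)]


def goertzel_amplitude(frame, freq):
    """Estimate the amplitude of a sinusoid at `freq` inside `frame` (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X(freq)|^2 over this frame
    return 2.0 * math.sqrt(max(power, 0.0)) / len(frame)


def detect_key(frame):
    """Return the keypad character whose row and column tones dominate the frame, or None."""
    lows = [goertzel_amplitude(frame, f) for f in LOW_FREQS]
    highs = [goertzel_amplitude(frame, f) for f in HIGH_FREQS]
    row = max(range(4), key=lows.__getitem__)
    col = max(range(4), key=highs.__getitem__)
    for group, best in ((lows, row), (highs, col)):
        if group[best] < AMP_THRESHOLD:
            return None
        # the winning tone must clearly dominate its group, which rejects speech and noise
        if any(a > 0.5 * group[best] for i, a in enumerate(group) if i != best):
            return None
    return KEYPAD[row][col]


def _frames(samples):
    return [samples[i:i + FRAME] for i in range(0, len(samples), FRAME)]


def extract_keys(samples):
    """Key sequence a listener or recording would recover: per-frame detections, runs collapsed."""
    keys, last = [], None
    for frame in _frames(samples):
        key = detect_key(frame)
        if key is not None and key != last:
            keys.append(key)
        last = key
    return "".join(keys)


def mask_dtmf(samples):
    """Replace every frame carrying a key press, plus one guard frame on each side
    (press edges that straddle a frame boundary may fall under the detection
    threshold), with the flat tone. Returns (masked audio, keys to forward)."""
    frames = _frames(samples)
    hits = [detect_key(f) is not None for f in frames]
    masked = []
    for idx, frame in enumerate(frames):
        guard = hits[idx] or (idx > 0 and hits[idx - 1]) or (idx + 1 < len(hits) and hits[idx + 1])
        if guard:
            masked.extend(sine(MASK_FREQ, idx * FRAME, len(frame), MASK_AMP))
        else:
            masked.extend(frame)
    return masked, extract_keys(samples)


def build_call_audio(keys, seed=7):
    """Constructed test signal (not a real call): a speech stand-in (300 Hz hum plus
    low-level noise) with 80 ms key presses layered on top, 50 ms apart."""
    rng = random.Random(seed)
    press, gap, lead = 640, 400, 1600
    total = lead + len(keys) * (press + gap) + lead
    audio = [0.3 * math.sin(2 * math.pi * 300 * i / SAMPLE_RATE) + rng.uniform(-0.05, 0.05)
             for i in range(total)]
    pos = lead
    for k in keys:
        row = next(r for r, chars in enumerate(KEYPAD) if k in chars)
        col = KEYPAD[row].index(k)
        low = sine(LOW_FREQS[row], 0, press, 0.4)
        high = sine(HIGH_FREQS[col], 0, press, 0.4)
        for j in range(press):
            audio[pos + j] += low[j] + high[j]
        pos += press + gap
    return audio


if __name__ == "__main__":
    call = build_call_audio("2580")          # constructed keypad entry, not card data
    recording, forwarded = mask_dtmf(call)
    print("keys audible in raw audio:   ", repr(extract_keys(call)))
    print("keys forwarded to processor: ", repr(forwarded))
    print("keys audible in masked audio:", repr(extract_keys(recording)))
```

The two-part check in `detect_key` (a minimum amplitude, then a dominance test within each frequency group) is what keeps ordinary speech from being masked, while the guard frames in `mask_dtmf` err on the side of masking slightly more audio than the detector flags; a production product would add timing rules (minimum press and gap durations) and a twist check on the ratio of the two tones, but the shape of the control is the same: the agent's audio path is untouched except where digits appear, and the digits never reach the recording.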
By recognizing common types of fraudsters, following simple best practices and adopting descoping technologies that keep PII out of the contact center environment, organizations can ensure they are a much smaller target for cybercriminals. As a result, CSRs are free to do their jobs without fear of threats, brand reputations are preserved, and customers' data is kept out of the wrong hands.