Contact center caller authentication guide & best practices

Learn how to fend off bad actors with this comprehensive guide.

The 2024 Enterprise Communications Landscape revealed that 85% of enterprise IT leaders feel concerned about their contact center’s security. Yet 63% of consumers will pay more for great customer service, and contact centers have been expressly designed to meet this demand and expedite problem resolution. 

IVR menus and conversation AI have proven valuable for quick fixes. And 68% of customers turn to a phone when they have a problem and need help. While you tend to these genuine callers, some bad actors will try to take advantage of your good customer service.

Without proper gating through the right caller authentication solutions and techniques, they can cost your customers and your contact center money and resources.

What is caller authentication?

By using tools like voice biometric authentication, ANI validation, and fraud risk analysis, caller authentication helps contact center agents verify the identity of the caller and confirm the authenticity of a call.

This helps mitigate the risk of fraudulent activities and enables organizations to establish a more secure and trustworthy communication environment. With caller authentication, businesses can confidently answer calls, protect sensitive information, and maintain the integrity of their communication systems.

4 ways fraudsters can target contact centers

The most common target for fraud in contact centers isn’t your agents; it’s your Interactive Voice Response (IVR) system.

IVRs have historically had lower monitoring rates than the agent leg of calls. Bad actors (or their bots) will usually take advantage of this to either:

  • Commit fraud within the IVR, or
  • Collect enough information from the IVR to impersonate a user or take over an account.

Approximately 1% of all IVR calls carry a moderate to high fraud risk, compared to 0.15% of calls in the agent leg.

Here are some ways that fraud may occur within the IVR:

Information mining and leakage

Before launching an attack, fraudsters will gather information on their target consumers that allows them access to their accounts. They may buy this information off the dark web, pull it from social media, or use other means to find out sensitive information.

Since IVRs usually aren’t gated and take repeat requests, bad actors can then validate this information using your IVR, or fill in any missing information. This validated information can be further used to answer knowledge-based authentication questions (KBAs) and access a consumer account.

Watch out for a high volume of short-duration calls from a single number with a short time to the next call. An average fraudster may make 20 calls within an hour, with extreme cases ranging up to 300 calls within a short period.

Account surveillance

Many high-risk actions in the contact center can’t be completed in an IVR, such as large withdrawals or transactions. However, bad actors will often use lower-risk IVR activities like checking one’s account balance to identify their next target or plan their next attack (e.g., timing a fraudulent withdrawal after a paycheck or large deposit).

Account surveillance itself isn’t dangerous, but it does indicate a threat is lurking. Like with information mining, it’s important to monitor for strange calling behaviors, such as a single number making sequential, repeated calls about the balances in different accounts. 
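
The two calling patterns described above (a burst of short calls from one number, and one number asking about several different accounts) can be checked against IVR call records with a sliding one-hour window. The following is an added example, not code from the original article or any vendor: the record layout, the sample calls, and every threshold except the 20-calls-per-hour figure are assumptions to tune against your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(hours=1)
MIN_CALLS = 20          # from the article: roughly 20 calls within an hour
SHORT_CALL_SECS = 45    # assumed cut-off for a "short-duration" call
SHORT_GAP_SECS = 120    # assumed cut-off for a short time to the next call
MIN_ACCOUNTS = 3        # assumed: distinct accounts queried by one number

def make_sample_calls():
    """Constructed IVR records: (ani, start, duration_secs, account)."""
    t0 = datetime(2024, 1, 8, 9, 0, 0)
    # One number, 24 calls of 20 seconds each, 90 seconds apart, same account.
    calls = [("+15555550100", t0 + timedelta(seconds=90 * i), 20, "A-1001") for i in range(24)]
    # One number, 5 balance checks on 5 different accounts, 10 minutes apart.
    calls += [("+15555550101", t0 + timedelta(minutes=10 * i), 60, f"A-20{i:02d}") for i in range(5)]
    # A genuine caller: two long calls about the same account, hours apart.
    calls += [("+15555550102", t0, 240, "A-3001"),
              ("+15555550102", t0 + timedelta(hours=5), 180, "A-3001")]
    return calls

def flag_callers(calls):
    """Return {ani: [reasons]} for numbers matching either pattern."""
    by_ani = defaultdict(list)
    for ani, start, dur, acct in calls:
        by_ani[ani].append((start, dur, acct))
    flags = {}
    for ani, recs in by_ani.items():
        recs.sort(key=lambda r: r[0])
        reasons, lo = set(), 0
        for hi in range(len(recs)):
            while recs[hi][0] - recs[lo][0] > WINDOW:   # slide the window start forward
                lo += 1
            win = recs[lo:hi + 1]
            short = [r for r in win if r[1] <= SHORT_CALL_SECS]
            # Gap = next call's start minus this call's end.
            gaps = [(b[0] - a[0]).total_seconds() - a[1] for a, b in zip(win, win[1:])]
            if len(short) >= MIN_CALLS and median(gaps) <= SHORT_GAP_SECS:
                reasons.add("ivr_mining")
            if len({r[2] for r in win if r[2]}) >= MIN_ACCOUNTS:
                reasons.add("account_surveillance")
        if reasons:
            flags[ani] = sorted(reasons)
    return flags

if __name__ == "__main__":
    for ani, reasons in flag_callers(make_sample_calls()).items():
        print(ani, reasons)
```

Keying on the presented number alone misses callers who rotate or spoof numbers, so treat these flags as one input alongside the spoof detection and fraud database checks discussed later.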

PINs and passwords

IVRs can be great for handling simpler tasks, such as resetting a forgotten password. However, this can pose a risk if used by fraudsters to gain unauthorized access to user accounts. 

Fraudulently changing a PIN or passcode doesn’t just let bad actors in, it can lock your customers out. Make sure to notify customers of password changes via multiple channels (like an email follow-up) to allow customers to verify the authenticity of requests. 

Cross-channel fraud

Fraud that begins in the IVR or in a call center may not stay limited there. If a fraudster has gained enough information to access an account, they may move to another channel—online, in-app, or in-person—to commit fraudulent activity. 

If a fraudster connects with a live agent, they may attempt to use social engineering tactics to manipulate the agent into sharing sensitive or confidential information. These tactics include pretending to be an authority figure or person of importance (“Don’t you know who I am? I could have you fired!”) or creating emotional appeal (“My mother is in the hospital, I have to pay her medical bills”), among others. These tactics usually can’t be tracked proactively, but agents can be trained to recognize them and prevent loss.

What are the consequences of fraud in the contact center?

The impact of fraud can be significant and far-reaching, depending on the scale of the attack. Even negligible losses can add up for customers caught in the middle and impact how they view your business. 

Financial damage and product loss

Fraud can be extremely costly to organizations, going beyond just the dollars lost to fraudulent transactions or product loss. Labor and investigative costs, legal fees, and recovery expenses all add to the financial damage. According to LexisNexis, in 2022 every $1 lost to fraud cost U.S. financial services firms $4.23.

Reputational damage

Fraud can also lead to a hit in brand reputation, due to service interruptions, public disclosure of a company’s sensitive information, or loss of customer data. Ultimately this can eat away at consumer trust and business revenue. 83% of customers say they will not do business with brands they don’t trust.

Compromised data

The targeted company isn’t always the only victim when fraud occurs. If a bad actor can commit an individual or a larger-scale data breach, they may use that information to inflict fraud across other organizations as well. This can lead to financial and reputational damage for affected customers caught in the middle.

How to protect your call center 

So what can you do to protect your call center from bad actors? Here are a few strategies that can help. 

Implement 2FA or MFA in your contact center

Two-factor authentication (2FA) and multi-factor authentication (MFA) are ways to verify someone’s identity using more than one factor. The first factor is the customer’s login information, but the additional factors can vary. It could be as simple as a verification code sent to the customer’s phone, or as advanced as voice biometrics that match an inbound call to the customer’s unique voiceprint.

Requiring multiple forms of authentication adds additional layers of security, keeping sensitive data and assets much better protected. It also integrates well with IVR systems, making this an easy tool to implement and prevent fraud.

Proactively monitor for red flags

To gain access to and monitor certain fraud indicators, you may need to partner with a third-party vendor. Some providers specialize in spoof and fraud detection to see if a call is truly originating from the device that owns the number, or if it’s being spoofed. You can also get alerts from real-time fraud databases that will check the inbound call against a list of known fraudsters, and identify bad actors that have been previously reported for malicious activity. 

Advanced fraud tooling, like Pindrop, may also be beneficial in high-risk industries. Systemic fraud attacks tend to take a while as fraudsters identify targets and gather information. Using ML/AI and advanced fraud tooling can identify patterns of risky behavior and enable your business to proactively deter fraud before it even happens. 

Make efficient use of routing logic

If you’re able to identify potential fraud calls, make sure you have the routing logic in place for them. You can route the potential bad actors to stay in your IVR (with attempt limits or blocking to prevent IVR mining) so they don’t waste your agents’ time, or direct them to a specialized team that can authenticate them.

Conduct regular employee training

As much as you may try to identify and prevent fraud, it may still slip past your proactive measures undetected. Most call centers gate sensitive actions out of the IVR so that they require a human touch.

That means your agents are your last line of defense against fraud in a call center. For this reason, every agent should receive regular training on how to identify and prevent fraud.

Protect your contact center with effective caller authentication

The risk of fraud is only increasing as we create more self-service solutions and bad actors adapt their penetration techniques. Fraud rates in contact centers rose 40% in 2022 over 2021, and are expected to keep rising in 2023. 

The good news? There are lots of different strategies and technologies that you can use to protect your call center. It’s only a matter of making sure you’re picking the right ones to protect your business.