Key takeaways
- Inbound fraud is up 26% and KBA is costing contact centers up to 25,000 agent-hours a month while still failing against AI-enabled fraud including deepfake voice attacks. Benchmark against peers here.
- 80% of your outbound calls may be going unanswered if your caller ID is unknown. And branded calling alone does not fix either problem if your underlying phone number reputation is compromised.
- Contact center security and resilience contribute to the same problem. Leading finance teams manage both from one view.
Finance contact centers face a trust gap on both ends of the call. Customers don’t trust and don’t answer unknown calls from enterprises. Agents can’t always trust the callers coming in. These gaps are dragging down your customer experience, and will continue to cost you customer relationships unless you start managing them proactively.
Two-way trust issues in voice calls
Inbound fraud
Inbound fraud rose 26% in 2024, according to TransUnion[1]. Many financial institutions are still using knowledge-based authentication (KBA) to fight it. The catch is that much of the required proof of identity is readily available through phishing schemes or data breaches. Fraudsters can just call in with the stolen information pre-loaded.
AI has made this worse. Deepfake voice technology has made it increasingly easy for bad actors to synthesize a caller’s voice using publicly available audio. This is increasingly common.
Meanwhile, legitimate customers are asked to prove their identity again and again, and 46% say the process frustrates them[2]. Agents spend more time on caller authentication, too. Each call takes an extra 30 to 90 seconds just for verification[3].
At 1M monthly inbound calls, KBA can cost up to 25,000 agent-hours spent on authentication that isn’t stopping the threat it was built to stop. Caller authentication and voice biometrics address this by moving verification before the agent picks up, embedding risk scoring in the IVR, passively authenticating low-risk callers, and routing higher-risk calls to specialists automatically.
The real-time standard: Look for call authentication technology that produces a fraud score during the live call, not after it. Solutions that score calls pre-answer or within the IVR allow automated routing decisions before any agent interaction.
Outbound trust
80% of calls from unidentified numbers are likely to go unanswered. Call labels, such as “Scam Risk” and “Spam Likely,” push answer rates even lower[4]. Carriers and consumer-blocking apps apply labels based on signals like call patterns and consumer complaint data, and legitimate numbers can get caught in the sweep without the contact center knowing.
How to check your phone number reputation: The most reliable way for enterprises to identify a mislabeled number is through a number reputation management platform that monitors your numbers across major carrier databases and consumer-blocking apps simultaneously.
→ What STIR/SHAKEN does and does not do: STIR/SHAKEN is a call authentication framework mandated by the FCC that cryptographically signs calls at the originating carrier and validates them at the terminating carrier. It tells the receiving party whether the calling number has been verified as legitimate. For outbound calls originating from your contact center, STIR/SHAKEN attestation improves deliverability and reduces the likelihood of mislabeling. It is a protocol, not a platform. Implementation requires a carrier that has STIR/SHAKEN natively built into their network, not layered on through a third-party service.*
Establish your identity: Branded calling displays your business name, logo, and call reason directly on the recipient’s phone, replacing the unknown number with something recognizable. Research from First Orion shows it can lift answer rates by up to 18%[5]. But branding the call display doesn’t solve for reputation. Call labels can still override branded call displays, where consumers will see “Spam Likely” instead of logo and call reason. Branded calling without active phone number reputation management is an unreliable and expensive investment.
Protect your brand: In 2025, imposter scams were the #1 reported fraud type in the US, with over 1 million cases [6]. With branded calling, there is a fear that fraudsters will hijack branded displays and run impersonation scams under the bank’s name.
Advancing technology requires advanced security. Branded call display can be protected against illegal caller ID manipulation with pre-call verification at the network level. Using short term tokens, you can verify each call before it reaches a recipient device so that your brand is only applied on calls coming from your business – making it significantly harder for bad actors to impersonate your business.
That’s a fundamentally different function from display branding, and different again from spam label remediation. Each one addresses a distinct failure point in your outbound trust stack, and using only one layer of prevention is where most outbound strategies fall short.
Why one-sided solutions only solve half the problem
Inbound and outbound problems compound each other. A fraudster who passes authentication measures and infiltrates an account may generate an alert. If that fraud alert fails to reach the customer, the fraudster can continue to do more damage. You need to have both working properly to have a strong defense.
Caller authentication determines who gets through inbound. Phone number reputation management determines whether customers pick up outbound. Financial institutions need both for voice to keep working as a trusted channel and they need both connected to the same operational view.
How financial institutions benchmark against peers in contact center security and trust
Bandwidth’s Finance Voice Security & Resilience Benchmark Report sorts financial institutions into three maturity tiers. The sorting is based on inbound fraud mitigation, outbound trust and reputation, voice channel resilience, visibility and control, and carrier strategy.
1. The developing tier
The contact center mostly finds out about problems after they’ve happened.
Caller authentication depends on the agent spotting fraud once a suspicious caller is on the line, impacting Average Handle Time. Spam label and branded calling impact might not be measured, costing you answer rates and hence, revenue. The carrier layer is largely outsourced through a CCaaS provider or reseller, so contact centers have no independent access to call routing decisions or network-level performance data.
The priority: Moving from reactive to programmatic. You may need to focus on automating outbound label remediation or implementing network-level identity verification so your agents aren’t the only line of defense.
2. The mature tier
The contact center has better tools in place, though with limitations.
Calls now arrive with a fraud score attached but further routing is probably still manual.
Phone number reputation management is part of the workflow, and branded calling is active on key numbers. Impact measurement is still too inconsistent to prove ROI.
The carrier layer is partially decoupled from the CCaaS platform, giving teams greater visibility into performance. However, the view is fragmented, and switching carriers or rerouting traffic quickly is not easy.
The priority: Integration, orchestration, and automation. It’s time to move toward a unified platform where fraud scores help dictate call flow, and where outbound branding is tied to measurable conversion metrics.
3. The leading tier
By this point, the contact center has moved from reactive to proactive on fraud.
The fraud indicator starts inside the IVR before an agent answers. Higher-risk calls go to specialists; lower-risk callers move through with fewer steps. Voice biometrics run in the background during the opening seconds.
Outbound numbers are monitored across carriers and consumer-blocking apps in real time, and mislabeled numbers are automatically remediated. Branded calling is secured at the network level to help prevent branded display manipulation.
By decoupling your carrier traffic from the CCaaS platform through a BYOC model, the infrastructure team gains direct control over global routing and disaster recovery, with visibility into network-level performance in one place.
The priority: Continuous optimization. As the carrier ecosystem evolves (like the evolution of STIR/SHAKEN and the introduction of advanced tech solutions), your goal would be to maintain this single pane of glass visibility across your global footprint.
Mind the gaps in your voice channel
If your contact center uses knowledge-based caller authentication as its first line of defense, it’s already costing you customers and agent hours. The same is true if you’re finding out about scam/spam labels through agent escalations and customer complaints.
Start with the voice channel risk and trust scorecard to see how your inbound fraud defenses and outbound reputation posture compare against finance peers. You’ll know which maturity tier your financial institution falls into and what to prioritize next.
Then book a consultation with a Solution Engineer to pinpoint two or three needle-moving changes that impact handle time, answer rates, resilience, and fraud exposure.
Bandwidth consolidates fraud mitigation, Number Reputation Management (NRM), and authenticated branded calling directly into the carrier network layer. NRM monitors your numbers across major carrier databases and consumer-blocking apps, identifies mislabeled numbers, and automates remediation requests directly with carriers, so your team isn’t manually chasing label corrections across a fragmented stack. Because that monitoring runs alongside inbound caller authentication at the same network layer, infrastructure teams get a single view of call authentication status and outbound reputation health without stitching together separate platforms for each. For financial institutions managing large outbound number portfolios and high inbound call volumes simultaneously, consolidating both functions into the carrier layer removes a category of operational overhead that third-party overlay solutions can’t.
Explore Number reputation management and other contact center security and trust services.
Data sources:
[1] TransUnion
[2] Pindrop Voice Intelligence and Security Report 2025
[3] Neustar Knowledge-based Authentication Threat whitepaper
[4] Hiya State of the Call, 2025
[5] First Orion State of the Call 2025
[6] FTC Consumer Sentinel Network
FAQ
KBA asks callers to provide information they should know: account numbers, Social Security digits, security question answers. It is easy to implement and widely deployed. It is also the authentication method most susceptible to social engineering, data breach attacks, and AI-generated fraud, because key customer information it requires is no longer reliably secret.
Voice biometrics authenticates the caller’s identity based on the vocal and behavioral characteristics of their voice, not on information they recite. Passive voice biometrics run during normal conversation without the caller completing a separate verification step. For financial institutions, this means callers who have enrolled their voice profile are authenticated in the first 15 to 30 seconds of the call, before any agent interaction.••
The critical limitation to assess in any voice biometrics platform today is deepfake detection. Legacy voice biometric systems were trained on natural voice data and are not typically resilient to synthesized voice attacks. Platforms that include liveness detection, i.e. signals designed to help identify AI-generated voice inputs offer a meaningfully different level of protection than those that do not.
What this means for platform selection: When evaluating call authentication technology for your contact center, the comparison should not only be KBA vs. voice biometrics. It should be: does the voice biometrics platform include active deepfake detection, and does it operate in real time during the live call or only at enrollment? See our Pindrop voice authentication carrier-level intgeration.
The most reliable method is a number reputation management platform that monitors your numbers across carrier databases and third-party consumer-blocking apps simultaneously. The manual option is to call your number from 3 different carrier plans (for 3 major carriers), on both Apple and Android devices. To catch all carrier-level labeling decisions, enterprise contact centers typically need automated monitoring across all active numbers rather than spot-checking individual ones.
Platforms that embed fraud scoring inside the IVR operate before the agent picks up. Passive voice biometrics solutions authenticate the caller during the natural opening of the conversation, without a separate verification step. The real-time standard to evaluate against is whether the platform produces a fraud score or authentication signal before any agent interaction begins, not after the call is logged.
See our Pindrop voice authentication carrier-level intgeration.
Preventing brand impersonation at the carrier level works by cryptographically signing outbound calls, binding the call to the originating carrier’s verified identity. This makes it significantly harder for third parties to impersonate your number. Network-level prevention through a carrier that has this identity authentication built in provides stronger protection than solutions that apply attestation through a third-party overlay.
The meaningful comparison points are: where in the call flow the fraud score is generated (pre-answer vs. post-call), whether the platform is keeping up with advancing fraud techniques such as deepfake voice detection, how the platform integrates with your IVR and CCaaS for automated routing, and whether outbound reputation management is handled in the same platform or separately. Platforms that consolidate inbound fraud scoring and outbound number reputation management reduce operational complexity and give infrastructure teams a unified view of the voice channel.
Effective number reputation management requires monitoring your numbers across carrier databases and consumer-blocking apps, identifying mislabeled numbers quickly, and submitting remediation requests to the relevant carriers. Platforms that automate this process across all active numbers outperform manual remediation workflows, especially for large enterprise contact centers running high outbound call volumes.
It’s the protection most finance teams skip.
If your institution has numbers that should never make outbound calls i.e. fraud hotlines, inbound-only support lines, customer service numbers that only receive calls, then those numbers could be actively impersonated right now with no network-level signal stopping them.
Do-Not-Originate registration flags these numbers with participating carriers so that outbound calls trying to display them as caller ID are more likely to be prevented before reaching a customer. Coverage depends on carrier participation and is not guaranteed across all networks. It doesn’t require a new platform. It requires telling your carrier which numbers are inbound-only and ensuring those statuses are registered across the carrier ecosystem.
*STIR/SHAKEN attestation is one component of a broader outbound trust strategy; financial institutions should consult with their legal and compliance teams regarding their full regulatory obligations.
**Voice biometric enrollment and passive authentication may be subject to notice and consent requirements under applicable biometric privacy laws (e.g., BIPA, GDPR); financial institutions should confirm requirements with legal and compliance teams before deployment.