Fraud’s Achilles Heel: The Contact Center

Gartner has labeled the contact center as Fraud’s Achilles Heel. Fraudsters look to exploit the weakest link in an organization’s security policy. And, according to our partner, Pindrop, almost 2% of all calls into a contact center are spoofed! That sounds like the sort of weak link that fraudsters attack.

From our own customers, we have seen a constant pattern of a fraudster will try either account opening or account takeover fraud in the web channel, get blocked and then immediately pivot to the contact center where they use the stolen credential information to socially engineer the call center rep into giving them control of the account. It should not be this easy.

At the core of the problem is that the two channels don’t talk, they just happily exist in separate security swim lanes. They might have risk detection on the incoming device and (at least our customers) have risk detection on the web channel but the two never ever communicate what is happening.

ID Dataweb solves this within its orchestration layer with a credential reputation service. By monitoring both the web channel and the IVR on the call center channel, we can inform each of increased risk associated with failed or repeated attempts on the other. So now, when either a valid or malicious attempt is made to access an account, the organization can marry the device risk with the reputation risk to make an even more informed decision. And the beautiful part is that this is all passively happening in the background.

Determining risk is great but what do you do with a risky caller? The most expensive and risky thing you can do is turn it over to the Call Center Rep to figure out this mess, they’re not security professionals and shouldn’t be asked to be. The answer is either inline MFA or inline identity verification which is automated to happen BEFORE the caller hits the call center rep. This is known as IVR containment and is amazing for security and customer experience.

This chart might look a bit complicated but basically it says, if a caller looks risky step them up to either MFA or Identity Verification. There are three checks that happen:

  1. At the initial risk analysis, we check for spoofing, consortium risk, cross channel risk through our Attribute Exchange Network, most notably with Pindrop.
  2. If it passes that stage, we utilize Pindrop again to attempt to authenticate the user via their voice and device signature. For an unenrolled user, we step them up for identity verification using our easy to deploy templates. If they pass, they are enrolled and sent to the contact center rep, verified and authenticated.
  3. If the user is enrolled, we authenticate using their voice and device signature. If they pass, they are seamlessly sent to the contact center rep. If they don’t pass, we step them up to an MFA process, once they pass that step, they are sent to the contact center rep, verified and authenticated.


Any user who cannot be verified and authenticated can also be passed to the contact center rep for manual verification. The great news is that by using this process, that amounts to a very low amount of manual reviews and the contact center rep will have access to doing government ID verification, mobile phone verification or dynamic KBA verification and not have to rely on whether the user knows their account number or some other easily hacked method.

Achilles injuries take a long time to heal, if you have the means to prevent it you should. ID Dataweb has the solution for the Achilles Heel problem and would love to help you solve it. Join our webinar on March 14, 2024 at 8A Pacific or reach out to us directly.