Best practices guide to addressing — and preventing — fraud in your IVR system

Amongst the many challenges businesses faced in 2020, ensuring safe and seamless customer support remained a top priority. While the world experienced various lockdown restrictions over the past year, many people shifted from in-person to other ways of contacting their preferred brands. Not surprisingly, customer support call volumes increased by 42% over 2019. And while many of those calls were genuine inquiries — a lot of them were fraudulent, says new research from Forrester.

These fraud attacks are having a major impact on customer service operations with 57% of firms experiencing an increase, and 53% seeing a resultant impact to their bottom line.

The interactive voice response (IVR) system has emerged as a prime target for fraudsters looking to glean or verify personal customer information and commit large-scale identity theft. “More fraudster account reconnaissance in the [IVR] is exposing security gaps that need to be closed,” notes the Forrester report.

Four out of five brands see IVR fraud as a very serious issue in their customer support operation, while only a third say they have a strong handle on it. And although digital and visual IVR technology is growing rapidly, today’s immediate challenge remains ensuring customers using traditional IVR channels continue to enjoy frictionless, cross-channel customer experiences (CX).

This is what you need to know.

What is IVR fraud, and how does it work?

Data breaches and fraud attacks in 2020 affected both big and small businesses, exposing billions of customer records. This is the latest annual addition to a decade-long total of about 70 billion, says Robert Siciliano, an instructor on cyber social identity protection with security company ProtectNow. “All of that data is being pieced together and used by criminals to pose as a company’s clients.”

The path many fraudsters take to obtain information from IVR systems boils down to combining leaked information with multiple combinations of numbers to eventually crack open customers’ accounts.

How can companies balance combatting this with adequate security measures while still providing a simple, effortless customer experience?

How to create a layered identity verification system

To be effective, an automated identity verification system must be consistent across channels, as cybercriminals will often use a combination of voice, IVR and self-service channels.

Human intervention is also key, says John Sileo, an independent cybersecurity expert and keynote speaker. “Too many teams try to leave it all to technology, but tech without humans is like a car without a driver in this case. Focus on the people, invest in the people and give them the tech tools to do a better job,” he says.

Biometrics, including real-time voice authentication, can create an effective first line of defense, Sileo notes. Creating a fraud watch list using voice authentication helps to quickly identify and report potential fraudsters.

Delays in call connection can also be a red flag for fraud, particularly for mobile callers. Flagging potentially fraudulent calls as soon as they connect to the IVR system can prevent the system from sharing any sensitive information before verifying the caller’s identity.

Another way to reduce mobile fraud through an IVR system: partnering with mobile carriers to implement real-time customer background checks using data they already have stored in their databases.

If the system detects potential fraud, the most common security escalations are one-time passcodes (OTPs) and secure links sent by SMS. Some companies replace OTPs with a one-time secure link to quickly verify a customer’s mobile device. Similarly, knowledge-based authentication (KBA) prompts customers to verify specific information associated with the account, like names and passwords. And customers can also increasingly scan their driver’s license or other documentation for further verification.

Balancing security with seamless customer experience

As they implement increasingly stringent security protocols, executives must mind the gaps between security and an effortless experience. Creating a bulletproof customer verification process could be easy on its own, but doing so without appearing to waste customers’ time is much more challenging.

Many B2C brands have an understandable bias toward the customer and optimized CX, but they’d do well to bring their IT teams to the table. Customer experience and IT security teams often exist in silos, says identity theft consultant Carrie Kerskie. “Many times the focus is on making it easy or convenient for the customer. If it is easy for a customer, it is easy for a bad guy,” Kerskie says.

Customers want increased security from companies, but it needs to feel trustworthy. Two-thirds of Americans want companies to do more to safeguard their personal information and will give preference to those that do, and 77% of consumers prefer doing business with a firm that has more advanced verification systems, according to IDology’s Customer Digital Identity Study.

Still, it’s a thin line to walk. If the identity verification process during account opening seems untrustworthy, the IDology study suggests that over 50% of customers say they’ll likely bail on signing up, and many others will use a one-time guest checkout option or be unwilling to store a credit card for future purchases.

That’s where customer communication comes into play. Kerskie says discouraging ID theft is difficult because organizations implement anti-fraud measures but don’t take the time or opportunity to explain them to their customers. “Taking the time to educate customers on why it was implemented and how it will protect them, encourages customers to embrace it,” Kerskie says.

Preventing IVR fraud begins and ends with team members

Strong, multi-layered ID verification systems lessen the time the customer support team needs to devote to customer authentication, helping them focus on legitimate customers. But live customer support personnel are fundamental to preventing fraud, with most businesses relying on them as the first line of defense. If companies aren’t already doing so, measuring and compensating employees based on fraud reduction goals creates an additional incentive.

Engaging the support team in interactive training can identify opportunities to improve, says Sileo. “Small group training using a method called ‘appreciative inquiry’ is by far the most effective.”

The method requires support team members to generate the triggers of fraud themselves and apply them to specific real-life situations. “The knowledge is often inside the house, but few executive teams take the time to listen and leverage [it],” says Sileo.

With fraudsters growing more sophisticated all the time, CX leaders would be wise to maximize their resources to safeguard their customer data today and in the future.