How COVID-19 has Reshaped Inbound Authentication
Originally published on DestinationCRM.com
On average, contact centers have seen a 42 percent increase in year-over-year call volume since the COVID-19 pandemic began, while their workforces have shrunk by about 25 percent over the same timeframe. Unfortunately, fraudsters are taking advantage of the imbalance. Nearly 60 percent of contact centers report an increase in fraud attacks since the start of COVID-19. Only one-third of firms feel strongly that they have a handle on fraud.
Unfortunately, new fraud-fighting tools often frustrate customers and delay call resolution. Stressed callers are twice as likely to have “difficult interactions” with call center agents, which dampens cross- and up-sell opportunities and predicts churn. Frequently, difficult interactions begin with poor authentication, "often the number-one pain point for customers.”
Most inbound caller authentication approaches require caller engagement, which prevents agents from serving callers as efficiently as possible. This enables fraud, frustrates customers, and balloons average handle times. On the other hand, organizations that resist accelerating inbound caller authentication increase their risk of losing millions of dollars to fraud, customer attrition, and operational waste.
Traditional inbound caller authentication helps fraudsters and hurts callers
Most inbound contact centers still rely on post-answer authentication approaches, such as knowledge-based authentication (KBA) challenge questions. And yet, criminals are better prepared to handle KBA than callers. They are often armed with the personally identifying information needed to answer KBA questions, neutralizing this method of authentication.
The impact of KBA on the consumer experience is equally dire. Consumers have less patience for perceived delays in service while they are under stress. KBA extends average handle time by 20 percent. Forrester’s study found that, “Many firms struggle to maintain high quality customer experience throughout authentication: 62% of firms have low customer satisfaction and/or an end-user process that is too complicated.”
Contact centers’ difficulty identifying callers quickly compounds this struggle. Very often, customers call in from a different phone number than what appears in the associated record. Some callers may have switched phone carriers recently or may no longer use the phone on file. When an inbound number does not match a CRM record, the caller must identify herself again. This wastes time and money and degrades customer experience.
If callers are flagged as possible fraud risks because they struggle to answer KBA questions, they could defect to competitors. Consumers have shown little patience for the same mistake in the purchasing process. Almost 40 percent of consumers will abandon a credit card after a false decline. Nearly 60 percentof high-income cardholders reduce or stop patronage of merchants where a false decline occurred. An equivalent loss of customer lifetime value could be significant for a contact center.
Caller authentication has not kept pace with emergent fraud tactics
Many criminals also use virtualized call services to bypass authentication processes that require caller engagement. When they reach an agent they have an excellent chance of socially engineering the agent into granting control over a customer’s account. The 2020 State of Call Center Authentication survey found that virtual calls were recognized as the fastest-growing account takeover (ATO) threat—70 percent of survey respondents saw “somewhat” or “much more” threat activity toward the call center as coming from virtualized call services than from call spoofing.
Agents’ natural inclination to help, heightened by empathy for many callers’ high anxiety, raises an already elevated risk of account takeover attacks. “Organizations generally have fraud detection as a separate unit focused on transactional activity, leaving the contact center open for criminals to attack,” states Javelin Strategy & Research. “High-risk calls are being handled by customer service representatives who do not have a background in understanding fraud.” Over 80 percent of contact centers rely on agents as the first line of defense in identifying potential fraud.
The IVR is equally plagued by waste. The value of self-serve options is limited because criminals can acquire the answers to KBA questions without much effort. This limitation means that callers with complex or higher-value matters end up transferred to agents, delaying resolution and increasing operating costs. If one minute of agent time costs one dollar, then every agent-handled call that begins with KBA costs one dollar before service can begin. Over millions of inbound calls, KBA squanders millions of dollars.
At the heart of all these issues is post-answer authentication: an outdated model that increases the risk of fraud, frustrates customers, and drives operational waste. Post-answer authentication prevents agents from quickly resolving calls. “The engagement models of service have changed,” states Javelin Strategy & Research, “yet security in contact centers is, for the most part, stuck in the 1990s.” This begs the question: how well prepared are inbound call centers to distinguish fraudsters from customers over the long term? Now more than ever, it is critical for call centers to find new ways to handle high volumes of inbound calls safely and efficiently.
Authenticate inbound callers pre-answer using their phones
Nearly all of the problems described above are essentially eliminated if callers can be authenticated before getting to the IVR or an agent. Callers using mobile phones and residential cable and landlines can be identified and deterministically authenticated via their devices. When the calling phone is confirmed as authentic and the calling number matches the reference phone number on file, then the contact center can trust that it is engaged in an authentic call with the customer’s unique, physical, legitimate phone—similar to the way that credit cards facilitate cashless transactions. If the caller’s device is not unique and physical, then other signals can be used for a probabilistic pre-answer risk assessment, such as the calling history, call routing, and line type.
Device-based authentication represents the gold standard for security and customer convenience. Consumers’ devices are uniquely attached to their owners and likely to be replaced quickly if lost or stolen. They are trustworthy proxies for establishing confidence in callers’ identities. Device-based authentication is imperceptible to customers, and the method minimizes false positives for fraud.
By completing authentication before callers hear "hello," this method is much faster and more secure than post-answer authentication strategies, like KBA. Callers that are deterministically authenticated receive an authentication token, a strong sign of their trustworthiness. They may be routed into a trusted caller flow for faster service and offered self-serve options that are typically too risky with KBA: account transfers, contact information updates, and PIN resets. Agents see customer records at the moment of connection—even when callers use different phone numbers than those on record. Unknown callers are identified via an authoritative database of precise linkages between each consumer’s name, phone number and phone activity.
Call centers can refocus valuable fraud-fighting resources by stratifying non-authenticated callers into “trust levels” using probabilistic risk assessment. Moderately trusted callers receive faster-than-normal authentication. Unknown but credentialed phone numbers can be added to the caller’s account to streamline authentication of future calls from that device. Less-trusted callers experience standard KBA questions and IVR permissions. Only risky callers encounter stepped-up authentication or the full focus of fraud-fighting resources. This reduces the fraud department’s search for “a needle in a haystack” into a more efficient search in a much smaller population.
False positives and false negatives are all but eliminated. Since most callers can be deterministically authenticated with their devices, they will never enter a fraud review queue as a false positive. That allows the fraud department to focus its costly resources on the fewer remaining callers. The results of each non-authenticated caller’s probabilistic risk assessment may be analyzed in conjunction with other signals. However, unlike post-answer authentication approaches, which require fraud feedback in order to ward off future attacks from the same source, device-based authentication doesn’t require a fraud incident before flagging a risky caller. Detecting and preventing “first-time attacks” provides immediate value in reducing fraud loss, while also providing an important signal for other fraud tools’ future reference.
Device-based inbound authentication satisfies contact centers' disparate needs. The process takes full advantage of the unique power of physical calling devices as ownership-based authentication tokens to improve fraud detection rates, customer experience, and operational efficiency.
Treat each inbound caller by their trustworthiness
Pre-answer authentication allows contact centers to provide the experience consumers expect without increasing the risk of fraud. Stratifying callers by trust level reduces false positives sent to the fraud department and shrinks the pool of callers that merit closer scrutiny. Shortening the authentication experience for trustworthy callers improves customer satisfaction and reduces average handle time. Shielding against social engineering attacks allows agents to focus on speedy resolution of more complicated matters.
These are powerful advantages under normal circumstances. But these are not normal circumstances. As the country continues to feel the impact of COVID-19, contact centers must serve more callers with fewer agents safely and efficiently. As contact centers stand at the front lines of customer service, inbound caller authentication sets the tone for the rest of the interaction. Identifying and authenticating callers before they reach the IVR or an agent restores trust in the contact center experience.