In the struggle to recover from COVID-19 chaos, Contact Centers have found themselves caught in the fallout with a convergence of unique financial and sociological circumstances that continue to impact the industry, its agents, and the customers they serve. As organizations turn their attention to these new economic realities, criminal opportunists are still busy at work and have found easy and relatively unprotected access to enterprise data, employees, and assets via a single point of entry – the contact center voice network.
In this article we explore the unique challenges faced by Contact Centers in an emerging post-COVID world and, specifically, the unique vulnerabilities inherent in their phone-centric, caller-supportive environment. Reporting through the eyes of experts, we outline the different types and impacts of unwanted calls specifically targeting Contact Centers, the scale of the problem, and steps organizations can take to harden their voice networks against these unwanted and, potentially, financially devastating intrusions.
TABLE OF CONTENTS
- The Big Bind
- Operational Efficiency Starts with Voice Network Integrity
- The Cost of Bad Calls
- Overview of the Full Threat Vector
- Vishing Scams (Voice Phishing)
- Revenue-Sharing Toll Fraud
- What Can Be Done?
- Exposing the Enemy
- Analytics Tool Reveals The Good, the Bad and the Ugly
- Protect Your Customer Experience (CX)
Robocalls, voice spam, and phone fraud are inflicting untold damages on businesses through lost productivity, degraded customer experience, missed sales opportunities, stolen data, and cybersecurity threats. While consumers are increasingly adopting the practice of simply ignoring calls from unknown sources – a practice even the FCC advises – it is not a viable option for organizations that depend on voice communications as their core value proposition and service offering.
This is a particularly bad state of affairs for Contact Centers, which have become the targeted prey of cyber criminals and bad actors who use Unwanted Voice Traffic in the form of robocalls, spoof calls, spam calls, direct nefarious calls and social engineering calls to inflict harm and disrupt business.
Unwanted Voice Traffic can be classified into Nuisance Voice Traffic and Nefarious Voice Traffic. Nuisance Voice Traffic creates a barrier to or inhibits optimal performance. Nefarious Voice Traffic creates a critical threat or substantial risk to the business itself.
Contact Centers are being victimized by both Nuisance Voice Traffic and Nefarious Voice Traffic. Outbound Contact Centers focused on marketing, lead generation and inside sales are hitting a dead end, as contact rates plummet. Inbound Contact Centers focused on customer service and support are experiencing diminishing productivity as unwanted calls are clogging up phone lines and pulling phone agents away from customer care. The direct impacts include missed Key Performance Indicators (KPIs) and Customer Satisfaction (CSAT) targets, while the indirect results include elevated cybersecurity risk, data loss and increased potential for successful cyber-attacks.
The Big Bind
The COVID crisis has only made matters worse. As with other industries heavily dependent on the service of entry-level employees, Contact Centers are struggling to bring staffing back up to pre-pandemic levels. After an 18-month hiatus, many of their former or prospective employees have moved on to other work options or simply made the choice not to return to full-time employment – a decision that has become increasingly prevalent for industries that are largely staffed by women facing a post-pandemic economy that has seen childcare costs soar and availability decline.
Further draining the Contact Center’s employee pool is competition from deep-pocket companies vying for available talent with comparatively high hourly starting salaries plus bonuses and other incentives.
As a result, Contact Center operations are caught in a squeeze. To meet their performance metrics, they must continue to be able to deliver timely, high-quality services while under-staffed. To attract and maintain additional qualified staff, they need to be competitive with other entry-level employment options. And yet, to meet their contractual obligations with their clients, they must be able to deliver quality services (often based upon established key performance indicators) in the most efficient and cost-effective way possible.
Operational Efficiency Starts with Voice Network Integrity
There are numerous areas Contact Centers can target when looking to improve operational efficiencies, maintain performance quality, and retain qualified staff in the emerging post-pandemic world. This post from CallMiner provides first-hand insights from 25 industry professionals who speak to the value of new technologies, appropriate staff training, revised internal processes and enhanced work environments.
And yet, with all the focus on processes and procedures, one notable area that has been largely overlooked is the integrity of the incoming voice traffic itself. It is understood that every call that reaches an agent should be an opportunity to assist customers, enhance relationships and/or make a sale. However, with the relentless scourge of robocalls and the increasing ability of scammers to infiltrate enterprise networks, that is no longer the case. Agents now find themselves fielding a stream of intrusive and wasteful calls at the expense of their organization and the customers they serve.
The Cost of Bad Calls
Call Center services pricing is very complex and varies based on the terms of the contract. Most outsourced services charge per-minute or per-hour fees for each agent or call, with fees generally ranging from $0.50 to $1 per minute or $10 to $25 per hour.
So, if a call center fields 3,000,000 calls per year and 12% of those calls are identified as spam or robocalls, that is 360,000 unwanted calls. Assume 2 minutes of agent distraction per call, and that is 12,000 hours of agent downtime. At $20/hour paid for call center services, that amounts to $240,000/year that might otherwise be spent on high-value support activity.
Then there is the cost of missed sales. According to this extensive consumer survey conducted by inbound call center technology provider Arise, nearly two-thirds of respondents stated they would not wait on hold with a customer support call for more than two minutes before hanging up, and more than 13% stated that no hold time at all is acceptable. Presumably, they will simply take their business elsewhere.
Overview of the Full Threat Vector
But most concerning of all is the fact that, buried in all that unwanted voice traffic, there is a significant number of callers with criminal intent. According to a 2020 report released by Neustar, 45% of unwanted calls today are actual scams.
“What we’ve found is that robocalls and voice spam, while annoying and time-consuming, are actually providing cover for much more nefarious activity that can cause significant financial damage to the organization in the form of data breaches or compromised communication systems,” says Brian McDonald, Security Officer for enterprise voice communications software developer, Mutare.
No doubt, customer service Contact Centers are more enticing targets for sophisticated scammers. They are a convenient gateway to organizational and customer data and are staffed by agents who not only must answer every call but who also are predisposed to approach those calls with a helpful attitude.
As a case in point, online stock trading platform Robinhood recently fell victim to a massive data breach enabled by an unsuspecting customer service representative who was tricked into divulging confidential account access information over the phone to a skilled con artist. The attacker was able to access personal identifying information for approximately 7 million individuals including names, email addresses, date of birth and zip codes – information that can easily be sold on the dark web to those intent on identity theft and future fraud or used to extort ransom payments from the attack victim. As a result, the multi-billion dollar corporation is now facing a class action lawsuit claiming “failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect PII,” while also facing untold damages from loss of public trust.
No doubt, Contact Centers are facing a complex web of threats that continues to evolve. Following are just a few of the techniques nefarious actors are employing:
Vishing Scams (Voice Phishing)
A vishing attack can take the form of a mass robocall campaign designed to compel call recipients to connect with a live agent who is part of a scam network, or a person-to-person call targeting a specific individual (as illustrated through the recent Robinhood attack). The skilled phone scammer may impersonate a customer or person within the organization in an attempt to gain account or other personal information from an unsuspecting, help-oriented agent. These criminals are usually calling from spoofed numbers (Caller IDs that have been manipulated to look familiar) and are armed with enough information gleaned from social media or dark web sources to provide a convincing front. Ideally, trained call center operators will know how to resist suspicious requests for sensitive information or account access, but in the process they have still wasted valuable time on a scam call while other legitimate customers wait in queue. As illustrated by the Robinhood breach, financial institutions are particularly susceptible to these kinds of attacks and, in fact, have seen the volume of high-risk calls into their call centers skyrocket over the past year, as revealed in this report from network security provider Next Caller.
Notes Bob Rudis, chief data scientist at the cybersecurity firm Rapid7 Inc., “Financial services firms are huge targets because there are always new customers coming: a refresh of identities, a refresh of credentials. Everyone talks about ransomware, but credentials and identities are still things being sold on the dark web and criminal forums. It’s very valuable data.”
Criminals employing vishing techniques are particularly adept at taking advantage of social, political, and economic upheavals that generate overall call volume increases – a trend that is not likely to slow anytime soon.
Revenue-Sharing Toll Fraud
This type of fraud is a kick-back scheme perpetrated by a bad actor or criminal organization in partnership with a rogue carrier. High-value toll-free numbers, such as those used by call centers, are often the target. Calls to those numbers are free to the caller, while the organization utilizing the number pays a per-minute, per-call fee to the number provider. That provider, in turn, distributes a portion of that fee to every carrier in the call path. A scammer may make a deal with an unscrupulous carrier to generate massive quantities of auto-generated calls that pass through that carrier and into the toll-free number. If the call reaches an IVR menu, the more sophisticated criminal systems will be programmed to apply random numbers or continuous pound signs that keep the call alive in the IVR loop as long as possible in order to generate as much revenue as possible. The carrier then shares its portion of those fees with the criminal caller. These events not only cost organizations in terms of wasted telecom fees, but also tie up agents who may eventually pick up the bogus call while, again, legitimate customer calls have to wait.
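A defender-side sketch of spotting the IVR-loop pattern described above in call records, added here as an illustration and not code from Mutare or any carrier. The CDR column names, the set of valid menu keys and the thresholds are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed CDR extract; column names are hypothetical, not a vendor schema.
SAMPLE_CDR = """call_id,ingress_trunk,dialed,ivr_seconds,dtmf
1,carrier-a,18005550199,42,12
2,carrier-b,18005550199,1260,################
3,carrier-b,18005550199,1410,9#4#7#0#8#3#5#9#
4,carrier-a,18005550199,65,3
5,carrier-b,18005550199,1185,########
6,carrier-c,18005550199,380,1
7,carrier-b,18005550199,38,2
"""

VALID_MENU_KEYS = set("1234")  # assumption: this IVR only offers options 1-4

def looks_like_ivr_pumping(row, min_seconds=600, min_junk_ratio=0.6):
    """Long IVR dwell time in which most key presses are not menu choices."""
    dtmf = row["dtmf"]
    if int(row["ivr_seconds"]) < min_seconds or not dtmf:
        return False
    junk = sum(1 for key in dtmf if key not in VALID_MENU_KEYS)
    return junk / len(dtmf) >= min_junk_ratio

def summarize(cdr_text):
    """Count total and flagged calls, and flagged IVR seconds, per ingress trunk."""
    stats = defaultdict(lambda: {"calls": 0, "flagged": 0, "flagged_seconds": 0})
    for row in csv.DictReader(io.StringIO(cdr_text)):
        entry = stats[row["ingress_trunk"]]
        entry["calls"] += 1
        if looks_like_ivr_pumping(row):
            entry["flagged"] += 1
            entry["flagged_seconds"] += int(row["ivr_seconds"])
    return dict(stats)

def suspicious_trunks(stats, min_calls=3, min_share=0.5):
    """Trunks where flagged calls make up a large share of a meaningful sample."""
    return sorted(
        trunk for trunk, s in stats.items()
        if s["calls"] >= min_calls and s["flagged"] / s["calls"] >= min_share
    )

if __name__ == "__main__":
    summary = summarize(SAMPLE_CDR)
    for trunk in suspicious_trunks(summary):
        s = summary[trunk]
        print(trunk, s["flagged"], "of", s["calls"], "calls flagged,",
              s["flagged_seconds"] // 60, "billable IVR minutes")
```

Grouping by ingress trunk matters because the scheme depends on traffic passing through one cooperating carrier, so the flagged calls concentrate there rather than spreading evenly across the call path.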
Large organizations with public profiles may at some point find their phone networks the target of a malicious attack perpetrated by nefarious organizations for the sole purpose of causing damage. These attacks may come in the form of a for-hire robocall operation or from a coordinated group of individuals, usually hiding behind spoofed numbers, who flood call center operators with negative messaging. While not motivated by financial gain, these events still constitute theft as they deny actual customers access to agent support and cost the organization in lost productivity, telecom fees, and customer dissatisfaction.
What Can Be Done?
Unlike email, phone fraud is harder to detect because the channel is opaque – only after the connection has been made is it clear which calls are legitimate and which are scams, and by then the damage is done.
“These guys are incredibly good at getting what they need to perpetrate their crimes,” says Chris Heuman, Practice Leader, RISC Management & Consulting. “They know the key to infiltrating a business is through personal contact with someone working for that organization, gaining that person’s trust through social engineering techniques, and then extracting information. And no matter what you think, there is no such thing as a hack-proof person. The criminals will keep coming back from all angles. As long as they continue to reach a human contact, they will inevitably find a way in.”
When it comes to robocalls from spoofed numbers, Congress has taken some positive action with passage of the TRACED Act and the associated STIR/SHAKEN protocol, which requires carriers to attest to the legitimacy of a call source and add a confidence rating to that call data before passing it along. However, the process does not actually block the call. Rather, it simply adds a confidence score to the call data and then leaves it up to the terminating carrier to determine how to pass those calls to the end recipient. For instance, a call with a low attestation score still rings through but may display a “Scam Likely” label in the Caller ID. It is a step in the right direction, but one with a number of loopholes that the ever-adapting network of telephony cybercriminals has learned to exploit.
Clearly, companies need to assume responsibility for themselves and step in with more robust processes and tools if they are to ever gain back control over the integrity and security of their incoming voice traffic.
But with such an amorphous adversary, how can that ever be achieved?
Exposing the Enemy
“It starts with visibility, and that is delivered in the data,” says Roger Northrop, Chief Technology Officer for Mutare. “Every one of today’s enterprise Voice over Internet (VoIP) calls is packed with information that, with the right analytics tools, reveals a great deal about the call source and its legitimacy.”
Mutare, in fact, is uniquely equipped not only to deliver that analysis but also to empower businesses with state-of-the-art, multi-level unwanted call blocking capabilities that provide needed protections for the organization and its employees. Mutare’s powerful, enterprise Voice Traffic Filter is the only system of its kind that can identify and root out unwanted calls in their many and evolving forms, including robocalls, spoof calls, scammers, spammers, vishers, fraud attempts and organization-identified offenders. The filter applies a full spectrum of spam and fraud detection systems that offers five distinct, but integrated, layers of protection:
1) All calls are filtered through a massive, Proprietary Dynamic Database of robocall and spam numbers in order to prevent any matches from entering the network.
2) Unusual call patterns trip Mutare’s “Spoof Radar,” a sophisticated application of specific algorithms that combines advanced call pattern recognition, machine learning and heuristics capable of detecting and diverting auto-dialer voice “spam storms” before they overtake the voice network.
3) Organizations can add their own allow lists, block lists and other Custom Rules to further customize the handling of incoming calls and block any nuisance or malicious callers specifically targeting their institutions. Rules can also be applied to outgoing calls to, among other things, protect the organization from toll fraud schemes and protect employees from scam traps.
4) STIR/SHAKEN attestation call data is analyzed and becomes another marker to help determine how flagged calls should be handled (Drop, Route, Allow or send to the application’s voice CAPTCHA).
5) The system includes a unique, failsafe Voice CAPTCHA. Calls that the system suspects are fraudulent based on any of the above filters can be diverted to the CAPTCHA reverse Turing test which separates bot calls from humans. This assures that suspect calls that are legitimate are not inadvertently blocked.
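As an added illustration (not Mutare's code), the following shows how a receiving system can read the STIR/SHAKEN attestation discussed earlier, carried as a PASSporT token in the SIP Identity header, and turn it into one of the four actions named in layer 4. The token is a constructed sample with a placeholder signature; signature validation against the signing certificate is assumed to happen upstream and is passed in as `signature_ok`, and the policy mapping and 60-second freshness window are assumptions.

```python
import base64
import json

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_identity(attest, orig_tn, iat):
    """Build a constructed Identity header value; the signature is a placeholder."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.invalid/sti.pem"}
    claims = {"attest": attest, "dest": {"tn": ["18005550199"]}, "iat": iat,
              "orig": {"tn": orig_tn},
              "origid": "00000000-0000-4000-8000-000000000000"}
    parts = [_b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    parts.append(_b64url_encode(b"placeholder-not-a-signature"))
    return (".".join(parts)
            + ";info=<https://cert.example.invalid/sti.pem>;alg=ES256;ppt=shaken")

def parse_passport(identity_value):
    """Return the claims of a SHAKEN PASSporT carried in a SIP Identity header."""
    token = identity_value.split(";", 1)[0].strip()
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(segments[0]))
    claims = json.loads(_b64url_decode(segments[1]))
    if header.get("ppt") != "shaken" or header.get("alg") != "ES256":
        raise ValueError("not a SHAKEN PASSporT")
    return claims

def disposition(identity_value, caller_id, now, signature_ok, max_age=60):
    """Assumed local policy mapping attestation to DROP/ROUTE/ALLOW/CAPTCHA."""
    if identity_value is None or not signature_ok:
        return "CAPTCHA"                  # unattested or unverifiable call
    try:
        claims = parse_passport(identity_value)
        if claims["orig"]["tn"] != caller_id.lstrip("+"):
            return "DROP"                 # token does not cover this caller ID
        if abs(now - claims["iat"]) > max_age:
            return "CAPTCHA"              # stale token, possible replay
        # A = full, B = partial, C = gateway attestation
        return {"A": "ALLOW", "B": "ROUTE"}.get(claims["attest"], "CAPTCHA")
    except (ValueError, KeyError, TypeError, AttributeError):
        return "CAPTCHA"                  # malformed token

if __name__ == "__main__":
    for level in "ABC":
        token = make_sample_identity(level, "12025550100", 1000)
        print(level, disposition(token, "+12025550100", 1010, signature_ok=True))
```

The attestation travels with the call as metadata only, which is why the blocking decision has to be made by whoever receives it.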
Analytics Tool Reveals The Good, the Bad and the Ugly
Over the past several years, Mutare has extended trial opportunities for its voice traffic filtering and analytics technology to businesses wishing to gain a better understanding of their voice traffic makeup. The free “Voice Traffic Assessment” offer provides an analysis of the organization’s call data records (CDR) to reveal what proportion of those calls are legitimate and what proportion are from known robocall or scam numbers. Optionally, Mutare also offers a real-time paid Proof of Concept trial using the full Mutare Voice Traffic Filter system for a deeper look into call sources as well as administrative hands-on experience with the system’s filtering controls. Mutare then delivers a multi-faceted assessment and report that provides key insights and metrics to help those organizations better understand the toll that unwanted voice traffic is having on their voice networks as well as their level of cybersecurity risk.
Since launching the VTA program, Mutare has analyzed more than 128 million calls across a broad spectrum of industries and found that, in general, the percentage of clearly identifiable unwanted voice traffic in the form of robocalls ranges from 6% to 15% of all calls. More concerning, 19% of calls are using spoofed caller IDs – a red flag that signals potential fraudulent intent.
Protect Your Customer Experience (CX)
According to one of Mutare’s enterprise customers with five regional Call Centers and 20 company-managed Contact Centers, “What we learned through our Proof of Concept and Mutare Voice Traffic Assessment turned out to be just the beginning. The reported percentage of unwanted calls is calculated over a 24-hour period, but nearly all the calls into our call centers come in during normal working hours. We discovered that the proportion of bad calls is actually closer to 18% to 20% during the hours when agents are most needed. What’s more, random auto-dialers were also hitting and disrupting our related call recording operations. All together, these calls were clearly having an impact on our business, customers, and our agents’ ability to drive revenue.”
His organization chose to implement the Mutare Voice Traffic Filter not only because of its layered protection approach, but also because of its unique, fail-safe Voice CAPTCHA feature. “When looking at spam blocking options, management was very wary of the possibility that the system could accidentally block an actual customer or partner caller. But with Mutare, we have the ability to send suspect calls to the Voice CAPTCHA. That way, if the caller is a customer or someone we work with, they can get through and robocalls cannot. The Mutare system has made a huge difference filtering out calls that were having a negative impact on our operations while completely removing the worry of false positives.”
From a security standpoint, Chris Heuman adds that when organizations implement robust tools to block unwanted voice traffic before it enters the network, they are also significantly lowering their potential exposure to cybercrime.
“It’s all about limiting exposure and preventing that initial access,” he says. “These guys are like cockroaches. As soon as they find a way in, you will never get rid of them. The more you can fortify your resistance strength through good practices and effective technologies that keep them away, the safer your employees, your customers, and your business will be.”
To learn more about the power of Mutare’s Voice Traffic Filter or to request a Voice Traffic Assessment for your organization, visit https://www.mutare.com/voice-traffic-filter/.