Call center fraud on the rise.

Credit unions’ desire to always help their members is playing into the hands of fraudsters, who are taking advantage of call center agents by spoofing member IDs in order to take over their accounts. In this first installment of a two-part series, we’ll look at how credit unions are addressing caller identification.

The “2019 State of Call Center Authentication” from the Portland, Ore.-based caller authentication and fraud prevention systems provider TRUSTID, a Neustar company, reported 51% of financial services respondents recognized the phone channel as the primary source of account takeover attacks.

As credit unions have strengthened their cyber defenses, fraudsters have instead targeted call centers with easily-obtained personally identifying information from the dark web, Patrick Cox, Neustar vice president and general manager of TRUSTID, emphasized. “One hundred percent of account takeovers occur after weak authentication. None of your credit union readers would ever offer to give money to an unauthorized person or a stranger.”

Last September, the Atlanta, Ga.-based voice authentication firm Pindrop in its “2018 Voice Intelligence Report” found voice fraud rates climbed more than 350% since 2013 across several industries, including banking. Pindrop found various causes share the blame, such as new voice technology and the significant rise in data volume. Fraudsters’ techniques include imitation, replay attacks, voice modification software and voice synthesis, and are often very successful.

Pindrop revealed the year-over-year voice fraud increase was most dramatic in the insurance industry (36%), followed by banking (20%). While credit unions saw half the fraud rate of banks, 80% of fraudulent calls to credit unions are domestic in origin compared to 43% of fraudulent calls to banks.

So, what are some of the current best practices for caller verification?

Melisa Crass, director of jhaCall Center at the Monett, Mo.-based Jack Henry & Associates, explained her organization partners with each credit union to determine caller verification criteria. “JHA makes recommendations to help if it is struggling to implement a strong telephone authentication policy, but the decision ultimately lies with the institution,” she said. Internally, the jhaCall Center has a two-miss rule in addition to its requirements from each credit union; if callers flub two verification questions, they must visit a branch for positive identification.

One key practice for credit union agents is to balance caller verification with member attention and creating a positive experience. Crass indicated a technology solution that requires consistent authentication for each call helps prevent the human reaction of falsely trusting an imposter.

More than 75% of call center leaders who participated in the TRUSTID call center survey said they were optimistic about preventing account takeovers without obstructing the customer experience. “But human beings are nice and want to be helpful, and fraudsters like that,” Cox pointed out.

Crass noted, “Even the most impatient caller wants to have their information protected, and part of our de-escalation and handling of difficult caller training revolves around the authentication process to ensure we are protecting the caller and credit union, and providing world class member service simultaneously.”

Protecting member privacy and maintaining compliance is at the forefront of everything JHA does, Crass maintained. “The jhaCall Center requires each agent to complete quarterly regulatory training along with any updates that might come out more frequently.”

The $963 million, Metairie, La.-based Jefferson Financial Federal Credit Union doubled its assets over a relatively short time. To ensure timely and safe interactions with members, the credit union implemented jhaCall Center for overflow and Synapsys, a comprehensive CRM program from JHA’s Symitar division, to assist with member relationship management and marketing strategies.

Kristin Morrison, COO for Jefferson Financial, explained the credit union was looking for a call center solution for a while before selecting the Jack Henry solution, which it installed on Oct. 1, 2018. A fraud incident affected its choice.

“It did have me questioning how difficult it is to manage a call center when you’re handling private information,” she said. “You want to be 100% certain that somebody isn’t being taken advantage of by somebody pretending to be somebody else.”

Morrison explained credit unions by nature are member service-driven, therefore reps might give phony members the benefit of the doubt, which scammers can then take advantage of. Currently, the credit union only outsources calls to the jhaCall Center after hours or for calls longer than two minutes; however, it plans to eventually farm out all calls over the next few years.

For now, the credit union’s internal call center agents receive coaching to properly identify callers. “Our agents are training to preface the calls by letting [members] know they need to verify certain information before they can assist them over the phone,” LaDonna Montgomery, regional director for Jefferson Financial, explained. She added the verification process is the same, whether it’s handled internally or handed off to the jhaCall Center. “They ask the same questions. If the member cannot respond, they have some alternate questions, [which are] more detailed and specific relative to the transactions.”

Jefferson Financial agents also pick up some e-service requests, such as password resets. Montgomery acknowledged, “That is one of the more sophisticated ways accounts are taken over. Our agents have an eye for it and they engage our e-services department and upper management whenever there is some concern about reactivating or locking up members’ online banking access.”

Montgomery also explained the credit union uses Synapsys to document issues so all internal and external agents will see the same data. “Anything that’s suspicious is documented so all parties looking at members’ accounts have access to this information if there’s something fishy going on.” Morrison added the credit union’s call center reps also converse about caller exchanges on a regular basis.

“Call center fraud has existed in parallel to customer service call centers since inception,” John Buzzard, industry fraud specialist for the Rancho Cucamonga, Calif.-based CO-OP Financial Services, said. He said a lot of terminology is used to refer to this crime, such as social engineering, identity theft, account takeover and occasionally imposter scams.

“All of these terms boil down to a fraud actor who purchased or directly stole the personally identifiable information of a consumer to gain access to valuable financial accounts,” Buzzard said. He held the ebb and flow of call center fraud ties directly to major security events exposing an enormous amount of PII, enabling fraudsters to overcome standard member authentication questions. “We tend to see upticks in call center fraud after major payment card compromises.”

Technology can help fight fraud by picking up inbound caller irregularities, Buzzard noted. However, because there is a sizable human element to call center fraud, some other techniques can help as well, such as using randomized verification techniques in which callers face different questions each time they interact with the system, or simply employing common sense. “It is perfectly acceptable to put a caller on hold if you suspect you have an imposter on the line or call the member directly to verify whether the caller is legitimate.”

Buzzard also recommended agents be suspicious of a series of major account changes over several calls. “A change of address followed by a new card request and/or PIN change, for instance, is a signature criminal move,” he said, adding impatience is another criminal calling card. “Rushing a call center representative through verification steps is a classic criminal move, so representatives should not be swayed by a busy, argumentative caller.”

Every credit union should also involve members in the security process. “A simple security word or short phrase can be powerful, as long as the call center representative does not provide clues to callers who claim to have forgotten,” Buzzard said. “Credit union people especially want to please at every member interaction, but fraud prevention is serious business and protocol must be followed.”

Part two of our look at the authentication process at credit unions will run in the April 17, 2019 print issue of CU Times.