Fighting insider fraud: minimising risk of call centre employees
With so much sensitive payment information flowing through a typical contact centre every day, Matthew Bryars, CEO of Aeriandi, explores the growing risk of fraud from an organisation’s own employees and what can be done to minimise it.
We live in an age where the topic of data security is barely out of the news. Many organisations live and die by their ability to keep our data safe, which is why billions of pounds a year are spent on doing just that. However, a chain is only as strong as its weakest link, and for many organisations the humble contact centre can be an often-overlooked vulnerability that ends up being their downfall. One of the main reasons is the close proximity between sensitive payment data and contact centre agents operating in a chaotic environment that often suffers from lax security measures. It can be a recipe for disaster. Furthermore, it’s made worse by the growing threat coming from organised criminal gangs looking to capitalise on this vulnerability in a variety of different ways.
According to the UK’s Fraud Prevention Service, CIFAS, the number of confirmed contact centre insider fraud incidents is rising fast. In 2012 it leapt by 126 percent and in 2014 CIFAS announced members had reported 48 cases of employees unlawfully accessing or disclosing customer data – with over 129,500 cases of identity-related fraud also being reported. Bear in mind that these are just the reported cases; the true scale of insider contact centre fraud could well be much higher, as many cases go unreported or unnoticed.
So why is the contact centre becoming an increasingly attractive target for fraudsters? In part it’s due to advances in security technology such as Chip & PIN and 3D Secure making many payment channels safer than ever for consumers. Greater security in online and face-to-face channels means criminals are forced to look for new paths of lower resistance. The traditional contact centre, in which huge volumes of Card Not Present (CNP) transactions are processed, and where customers divulge their payment card details to agents over the phone, is increasingly being seen as one such path.
A growing issue
Of course, insider fraud isn’t a new phenomenon. In 2006, BBC Newsnight Scotland found that one in 10 of Glasgow’s financial call centres had been infiltrated by criminal gangs, either by planting their own members inside, or coercing current employees to pass on sensitive customer information.
More recently, CIPHER (an independent security auditor and Quality Security Assessor) was asked by a bank to investigate the unauthorised use of credit card details. It found a contact centre employee was entering the building outside their normal shift pattern and using a co-worker’s computer to access customer card details. It later transpired this employee was part of an organised crime gang that had compromised over 15,000 credit cards in this manner.
This highlights another key issue with insider threats – a single insider with access to the right systems can steal a significant amount of sensitive information in a very short time. As such, this is not an issue that any organisation can afford to ignore.
Combatting the criminals
Compliance with the Payment Card Industry Data Security Standard (PCI-DSS) goes a long way to improving security within an organisation’s estate. There are various ways to achieve compliance, but one of the most cost-effective is to use secure phone payment technology to ensure sensitive card information never enters the contact centre environment in the first place. Instead, payments are routed via a secure payment platform, meaning agents can see the transaction is taking place but, crucially, have no visibility of the customer’s sensitive card numbers or data. With no sensitive data taken, processed or stored on site, the risk of insider fraud is completely removed and the agents themselves are protected from potential criminal coercion.
Secure payment systems can also boost customer confidence as they no longer need to verbally hand their details over to anyone. Furthermore, without any data on site, the contact centre’s obligations with regard to PCI-DSS are significantly reduced.
Don’t be left counting the cost
The costs of internal fraud can be extremely high – aside from the sanctions and financial penalties imposed by regulators, often it is the associated reputational damage that organisations never recover from.
The irony is that organisations need not take any risk at all with payment card data. Secure phone payment solutions can completely eliminate the need for this information to enter the contact centre environment, making contact centres a far less appealing target for criminals and removing the associated risks to the organisation.