Article : Semafone Warns Contact Centers of Five Types of Fraudsters Threatening Data Security
Semafone, a provider of data security and compliance solutions for contact centers, shares the five most common types of fraudsters putting contact center data at risk. Coming from both inside and outside an organization, these fraudulent individuals use bribery, coercion, social engineering and malware to get their hands on sensitive customer data. However, not all fraudsters are malicious – a simple mistake by an agent or customer service representative (CSR) can expose personally identifiable information (PII) and lead to a high-profile, brand-damaging data breach.
The following are five fraudsters contact centers need to know:
- The Tempted Temp: Temporary agents, such as those hired to handle seasonal surges in call volumes, can pose a serious threat to contact center data security – whether due to a lack of loyalty to the company or a lax employee screening process. And, for those companies that require customers to read their card numbers aloud when conducting payment transactions over the phone, the readily available PII can be extremely tempting to a temp worker or any rogue agent. Those who do not work in clean rooms (where writing materials, cell phones and other personal items are prohibited) can easily copy down or record callers’ card numbers to fund an online shopping spree or order lunch.
- The Credulous Clicker: Even the most trustworthy employee can accidentally expose sensitive customer data, especially if the PII resides within the contact center environment. For example, an agent may click on a link or open an email attachment thinking it is from a customer, only to unleash a virus. That virus can spread across the contact center’s IT network, stealing customer data and landing the company in the news for suffering a major breach.
- The Vengeful Victim: There are other employees inside a contact center’s organization, in addition to agents, who can threaten data security. Consider this: An administrative worker with a personal grudge against management bribes an agent to share customer payment card data, thinking that the stolen funds will compensate for being underpaid. With this information stored and accessible in customer relationship management (CRM) systems, the agent hands over hundreds of credit card numbers which the vengeful employee sells on the black market.
- The Hidden Hacker: Anyone who comes in contact with agent computers could illicitly access sensitive data stored in a network. For instance, someone from the IT support team with a secret affinity for hacking could discreetly introduce a Remote Access Trojan, or "RAT", into a computer. This little piece of software allows the device to be accessed remotely, enabling the hacker to tap into copious amounts of customer data.
- The Contract Cleaner: If data is held in a contact center’s IT environment, anyone with access to the facility can get their hands on PII. With unrestricted access to a contact center’s office, cleaning crew members could easily slip tiny USB sticks, which contain key logging software and a Wi-Fi transmitter, into several computers. That software could capture detailed information on customer transactions, including payment card numbers – all accessible to the conniving cleaner who collects the unnoticed USBs the following week.
"While these are just few examples of the types of fraudsters and cybercriminals that contact centers encounter, it is more important than ever for organizations to protect themselves and their customers against potentially brand-damaging data breaches," said Tim Critchley, Semafone CEO. "Of course, most employees are trustworthy people, but it only takes one rogue worker to expose or steal PII."
Best practices for preventing company insiders and outsiders from accessing sensitive data include: conducting proper employee background checks; training employees to recognize attacks, especially those using social engineering tactics; tokenizing data (replacing it with a meaningless equivalent); and enforcing the least-privilege user access (LUA) principle on computer systems, whereby agents have the minimum level of access necessary to do their job. However, the ideal solution is to take customer data out of the contact center environment completely.
"By removing as much sensitive PII as possible from business infrastructures, contact centers can reduce the risks associated with a detrimental, costly data breach," Critchley added. "They do not have to worry about outside hackers, third parties with fraudulent intentions, or even agents prone to honest mistakes. As we like to say at Semafone, ‘No one can hack the data you don’t hold.’"
To keep sensitive data out of the contact center environment, organizations can adopt dual-tone multi-frequency (DTMF) masking technologies which allow customers to enter payment card information and other PII directly into the telephone keypad. Such solutions replace keypad tones with flat tones, shielding data from agents, nearby eavesdroppers and even call recording systems. The agent is also able to remain on the line in full voice communication with the caller, ensuring a smooth customer journey. The sensitive data is sent straight to the appropriate third party, such as the payment processor, bypassing the contact center’s infrastructure completely.
Semafone provides secure voice transactions for contact centres and retailers taking Cardholder Not Present (CNP) payments. The solution allows a call - and the call recording - to continue as normal whilst the customer enters their credit card information using their telephone keypad. For complete security, Semafone's patented technology masks the Dual Tone Multi-Frequency (DTMF) tones from the cardholder's telephone and replaces them with a flat tone so they can't be recognised by the call centre agent or recorded on the call recording system. By ensuring all card data remains segregated and by removing Sensitive Authentication Data (SAD) before it hits the call recorder and the contact centre infrastructure, the contact centre is taken out of the scope of PCI DSS, protected against the risk of opportunistic agent fraud and the associated reputational risk.
Published: Tuesday, March 27, 2018