#contactcenterworld, @Semafone

Semafone, a provider of data security and compliance solutions for contact centers, shares the five most common types of fraudsters putting contact center data at risk. Coming from both inside and outside an organization, these fraudulent individuals use bribery, coercion, social engineering and malware to get their hands on sensitive customer data. However, not all fraudsters are malicious – a simple mistake by an agent or customer service representative (CSR) can expose personally identifiable information (PII) and lead to a high-profile, brand-damaging data breach.

The following are five fraudsters contact centers need to know:

1. The Tempted Temp: Temporary agents, such as those hired to handle seasonal surges in call volumes, can pose a serious threat to contact center data security – whether due to a lack of loyalty to the company or a lax employee screening process. And, for those companies that require customers to read their card numbers aloud when conducting payment transactions over the phone, the readily available PII can be extremely tempting to a temp worker or any rogue agent. Those who do not work in clean rooms (where writing materials, cell phones and other personal items are prohibited) can easily copy down or record callers’ card numbers to fund an online shopping spree or order lunch.
   
   
2. The Credulous Clicker: Even the most trustworthy employee can accidentally expose sensitive customer data, especially if the PII resides within the contact center environment. For example, an agent may click on a link or open an email attachment thinking it is from a customer, only to unleash a virus. That virus can spread across the contact center’s IT network, stealing customer data and landing the company in the news for suffering a major breach.
   
   
3. The Vengeful Victim: There are other employees inside a contact center’s organization, in addition to agents, who can threaten data security. Consider this: An administrative worker with a personal grudge against management bribes an agent to share customer payment card data, thinking that the stolen funds will compensate for being underpaid. With this information stored and accessible in customer relationship management (CRM) systems, the agent hands over hundreds of credit card numbers which the vengeful employee sells on the black market.
   
   
4. The Hidden Hacker: Anyone who comes in contact with agent computers could illicitly access sensitive data stored in a network. For instance, someone from the IT support team with a secret affinity for hacking could discretely introduce a Remote Access Trojan, or "RAT" into a computer. This little piece of software allows the device to be accessed remotely, enabling the hacker to tap into copious amounts of customer data.
   
   
5. The Contract Cleaner: If data is held in a contact center’s IT environment, anyone with access to the facility can get their hands on PII. With unrestricted access to a contact center’s office, cleaning crew members could easily slip tiny USB sticks, which contain key logging software and a Wi-Fi transmitter, into several computers. That software could capture detailed information on customer transactions, including payment card numbers – all accessible to the conniving cleaner who collects the unnoticed USBs the following week.
   
   

"While these are just few examples of the types of fraudsters and cybercriminals that contact centers encounter, it is more important than ever for organizations to protect themselves and their customers against potentially brand-damaging data breaches," said Tim Critchley, Semafone CEO. "Of course, most employees are trustworthy people, but it only takes one rogue worker to expose or steal PII."

Best practices for preventing company insiders and outsiders from accessing sensitive data include: conducting proper employee background checks; training employees to recognize attacks, especially those using social engineering tactics; tokenizing data (replacing it with a meaningless equivalent); and enforcing the least-privilege user access (LUA) principle on computer systems, whereby agents have the minimum level of access necessary to do their job. However, the ideal solution is to take customer data out of the contact center environment completely.

"By removing as much sensitive PII as possible from business infrastructures, contact centers can reduce the risks associated with a detrimental, costly data breach," Critchley added. "They do not have to worry about outside hackers, third parties with fraudulent intentions, or even agents prone to honest mistakes. As we like to say at Semafone, ‘No one can hack the data you don’t hold.’"

To keep sensitive data out of the contact center environment, organizations can adopt dual-tone multi-frequency (DTMF) masking technologies which allow customers to enter payment card information and other PII directly into the telephone keypad. Such solutions replace keypad tones with flat tones, shielding data from agents, nearby eavesdroppers and even call recording systems. The agent is also able to remain on the line in full voice communication with the caller, ensuring a smooth customer journey. The sensitive data is sent straight to the appropriate third party, such as the payment processor, bypassing the contact center’s infrastructure completely.

#contactcenterworld, @Semafone