The insider threat in the contact centre

From financial institutions to retailers, most businesses either directly operate or outsource to a contact centre. With such widespread focus on cyber security, the call centre is now arguably the weakest point of entry for fraudulent activity. Research shows that in the last year there has been a significant increase in the amount of money organisations are losing to phone fraud. In the UK, £0.86 per call is lost to phone fraud — an increase from £0.51 in 2015.

Data security is an increasingly topical discussion point, particularly for large organisations consumers trust to look after their data. This has resulted in billions of pounds being invested in security every year, and according to IDC, information security spending will top $101 billion by 2020.

However, a chain is only as strong as its weakest link, and for organisations with contact centres, this security vulnerability is often overlooked. The traditionally high staff turnover that contact centres experience means there is a specific risk posed by employees (past and present) who may be disgruntled and who may have insider knowledge of flaws in customer identification and security processes.

The close proximity between sensitive payment data and contact centre agents operating in a chaotic environment means security measures can be lax. This is a recipe for disaster. There is also a growing threat from organised criminal gangs looking to capitalise on these vulnerabilities in a variety of different ways. This makes the insider threat far more serious.

Are contact centres an easy target?

The contact centre is becoming an increasingly attractive target for fraudsters. In part this is due to advances in security technology, such as Chip & PIN and 3D Secure, making many payment channels safer than ever for consumers.

Greater security in online and face-to-face channels means criminals are forced to look for new paths of lower resistance. The traditional contact centre environment, where huge volumes of Card Not Present (CNP) transactions are processed and customers divulge payment card details to agents over the phone, is increasingly being seen as one such path.

Fraud can encompass anything from someone overhearing private information whilst on the phone and passing this to a third party, to a contact centre agent using a person’s details to access their records without authorisation.

It can also be a more sinister act such as a contact centre employee being blackmailed into providing sensitive information to a criminal. Fraud could include criminals directly accessing customer data held by the business and carrying out malicious actions, including selling passwords and sensitive card data on the dark web.

Fundamentally, contact centres – whether managed by the company or outsourced – can be the epicentre of customer data storage and availability. Failing to provide adequate safeguards for this data can result in significant damage, including financial loss and identity fraud for the customer, but also damage to a company’s reputation.

What should businesses do?

A report from Symantec last year revealed that one in ten companies give all employees access to customers' personal information, and one in twenty give all employees access to customers' payment details.

Security awareness is key to ensuring contact centre staff, as well as employees throughout an organisation, are provided with the necessary knowledge to protect customer data and realise its importance.

With GDPR and MiFID II coming into play in 2018, businesses must also ensure that the infrastructure holding sensitive data is secure. One way organisations are ensuring infrastructure is secure whilst also combating the insider threat is by turning to secure cloud-hosted platforms to hold card payment information.

Instead of relying on employees to handle the sensitive personal information, payments are routed via a secure payment platform. This means that agents can see the transaction is taking place but crucially, have no visibility of the customer’s sensitive card numbers or data.
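The routing described above, as an added illustration that is not code from the article or from Aeriandi: a small model of a hosted payment platform boundary. The customer keys the card number on their phone keypad (DTMF); the platform captures the digits directly, validates the Luhn checksum, keeps the full card number (PAN) in its own vault, and hands the agent desktop only a reference token and a masked display value. The class, function and field names are assumptions made for this example; the card numbers in the comments and test are standard test values, not real cards.

```python
# Added example, not from the article: a toy "secure payment platform" that
# keeps the PAN out of the agent's desktop record.  The vault lives only on
# the platform side; the agent-side code never receives the raw digits.
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class PaymentPlatform:
    """Stands in for the hosted payment service (hypothetical name)."""
    _vault: dict = field(default_factory=dict)  # token -> PAN, platform side only

    @staticmethod
    def luhn_ok(pan: str) -> bool:
        """Luhn checksum: doubles every second digit from the right."""
        total = 0
        for i, ch in enumerate(reversed(pan)):
            d = int(ch)
            if i % 2 == 1:
                d *= 2
                if d > 9:
                    d -= 9
            total += d
        return total % 10 == 0

    def capture_dtmf(self, dtmf: str) -> dict:
        """Receive the customer's keypad input and return only agent-safe fields."""
        pan = re.sub(r"[^0-9]", "", dtmf)  # strip the '#' terminator and any noise
        if not (13 <= len(pan) <= 19) or not self.luhn_ok(pan):
            return {"status": "rejected", "reason": "invalid card number"}
        token = "tok_" + secrets.token_hex(8)  # opaque reference, no PAN material
        self._vault[token] = pan
        masked = "*" * (len(pan) - 4) + pan[-4:]  # last four only, for confirmation
        return {"status": "captured", "token": token, "masked": masked}

    def charge(self, token: str, amount_pence: int) -> bool:
        """Platform-side charge by token; the PAN is resolved only here."""
        return token in self._vault and amount_pence > 0


def agent_record(customer_ref: str, platform_result: dict) -> dict:
    """What the agent's CRM stores: the token and masked display, never the PAN."""
    return {
        "customer": customer_ref,
        "card_token": platform_result.get("token"),
        "card_display": platform_result.get("masked"),
        "status": platform_result["status"],
    }


def record_leaks_pan(record: dict, pan: str) -> bool:
    """Sanity check a reviewer can run: does any stored field contain the PAN?"""
    return pan in str(record)


if __name__ == "__main__":
    platform = PaymentPlatform()
    # Constructed input: the standard Visa test number keyed on a phone keypad.
    result = platform.capture_dtmf("4111111111111111#")
    rec = agent_record("cust-0001", result)
    print(rec)  # card_display is "************1111"; no PAN in the record
    print("charge ok:", platform.charge(rec["card_token"], 1999))
```

The point of the split is scope: the agent application and the CRM hold only `card_token` and `card_display`, so a disgruntled or coerced agent, a screen recording, or a CRM export cannot yield a usable card number. The Luhn check is there so obviously mistyped input is rejected before a token is issued; it is not a fraud control on its own.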

With no sensitive data taken, processed or stored on site, the risk of insider fraud is completely removed and the agents themselves are protected from potential criminal coercion. Secure payment systems can also boost customer confidence, as they no longer need to verbally hand their details over to anyone, and improve the customer experience in the process.

Act before you lose out

The costs of internal fraud can be extremely high. GDPR will place tighter regulations on how calls are managed, and with fines as high as €20 million, or up to 4% of global turnover, the risks associated with a lack of compliance are significant. The reputational damage that organisations risk is even greater and often unquantifiable, so businesses must act now before they face the grave – and potentially irreversible – consequences.


Sourced by Tom Harwood, CPO and co-founder at Aeriandi

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...