With data breaches on the rise, Semafone advises contact centers to strengthen efforts to prevent fraud and protect brand reputations
Boston and Guildford, U.K. – March 21, 2018 – Semafone, a provider of data security and compliance solutions for contact centers, shares the five most common types of fraudsters putting contact center data at risk. Coming from both inside and outside an organization, these fraudulent individuals use bribery, coercion, social engineering and malware to get their hands on sensitive customer data. However, not all fraudsters are malicious – a simple mistake by an agent or customer service representative (CSR) can expose personally identifiable information (PII) and lead to a high-profile, brand-damaging data breach.
The following are five fraudsters contact centers need to know:
- The Tempted Temp: Temporary agents, such as those hired to handle seasonal surges in call volumes, can pose a serious threat to contact center data security – whether due to a lack of loyalty to the company or a lax employee screening process. And, for those companies that require customers to read their card numbers aloud when conducting payment transactions over the phone, the readily available PII can be extremely tempting to a temp worker or any rogue agent. Those who do not work in clean rooms (where writing materials, cell phones and other personal items are prohibited) can easily copy down or record callers’ card numbers to fund an online shopping spree or order lunch.
- The Credulous Clicker: Even the most trustworthy employee can accidentally expose sensitive customer data, especially if the PII resides within the contact center environment. For example, an agent may click on a link or open an email attachment thinking it is from a customer, only to unleash a virus. That virus can spread across the contact center’s IT network, stealing customer data and landing the company in the news for suffering a major breach.
- The Vengeful Victim: There are other employees inside a contact center’s organization, in addition to agents, who can threaten data security. Consider this: An administrative worker with a personal grudge against management bribes an agent to share customer payment card data, thinking that the stolen funds will compensate for being underpaid. With this information stored and accessible in customer relationship management (CRM) systems, the agent hands over hundreds of credit card numbers which the vengeful employee sells on the black market.
- The Hidden Hacker: Anyone who comes in contact with agent computers could illicitly access sensitive data stored in a network. For instance, someone from the IT support team with a secret affinity for hacking could discreetly introduce a Remote Access Trojan, or “RAT,” into a computer. This little piece of software allows the device to be accessed remotely, enabling the hacker to tap into copious amounts of customer data.
- The Contract Cleaner: If data is held in a contact center’s IT environment, anyone with access to the facility can get their hands on PII. With unrestricted access to a contact center’s office, cleaning crew members could easily slip tiny USB sticks, which contain key logging software and a Wi-Fi transmitter, into several computers. That software could capture detailed information on customer transactions, including payment card numbers – all accessible to the conniving cleaner who collects the unnoticed USBs the following week.
“While these are just a few examples of the types of fraudsters and cybercriminals that contact centers encounter, it is more important than ever for organizations to protect themselves and their customers against potentially brand-damaging data breaches,” said Tim Critchley, Semafone CEO. “Of course, most employees are trustworthy people, but it only takes one rogue worker to expose or steal PII.”
Best practices for preventing company insiders and outsiders from accessing sensitive data include: conducting proper employee background checks; training employees to recognize attacks, especially those using social engineering tactics; tokenizing data (replacing it with a meaningless equivalent); and enforcing the least-privilege user access (LUA) principle on computer systems, whereby agents have the minimum level of access necessary to do their job. However, the ideal solution is to take customer data out of the contact center environment completely.
“By removing as much sensitive PII as possible from business infrastructures, contact centers can reduce the risks associated with a detrimental, costly data breach,” Critchley added. “They do not have to worry about outside hackers, third parties with fraudulent intentions, or even agents prone to honest mistakes. As we like to say at Semafone, ‘No one can hack the data you don’t hold.’”
To keep sensitive data out of the contact center environment, organizations can adopt dual-tone multi-frequency (DTMF) masking technologies which allow customers to enter payment card information and other PII directly into the telephone keypad. Such solutions replace keypad tones with flat tones, shielding data from agents, nearby eavesdroppers and even call recording systems. The agent is also able to remain on the line in full voice communication with the caller, ensuring a smooth customer journey. The sensitive data is sent straight to the appropriate third party, such as the payment processor, bypassing the contact center’s infrastructure completely.
To learn more about the threats to contact center data security and how to mitigate them, download Semafone’s new eBook, “The Flawed Five: Who’s Threatening the Security of Your Contact Center,” here.
For more information about Semafone, please visit: www.semafone.com
Semafone provides software to contact centers so they can take personal data securely over the telephone. Semafone’s patented data capture method collects sensitive information such as payment card or bank details and social security numbers directly from the customer’s telephone keypad for processing. This prevents personal data from entering the contact center, which protects against the risk of fraud and the associated reputational damage, ensuring compliance with industry regulations such as PCI DSS.
The company was founded in 2009 and now supports customers in 25 countries on five continents. Semafone is vertically agnostic and its extensive customer base includes companies such as Aviva Canada, Amica Mutual Insurance, British Sky Broadcasting, Pethealth, Rogers Communications, Santander and TVG.
BT offers a hosted version of Semafone’s technology – Cloud Contact PCI. Major investors of Semafone include Octopus Investments and BGF (Business Growth Fund).
Semafone has achieved the four leading security and payment accreditations: ISO 27001:2013; PA-DSS certification for Cardprotect, its payment solution; PCI DSS Level 1 Service Provider; and registration as a Visa Level 1 Merchant Agent. To learn more, visit www.semafone.com and follow us on LinkedIn, Twitter and Facebook.