Fraud Detection & Prevention

Insider fraud: The risks posed by call centre employees

This is a contributed piece from Matthew Bryars, CEO of Aeriandi

We live in an age where the topic of data security is barely out of the news. Many organisations live and die by their ability to keep our data safe, which is why billions of pounds a year are spent on doing just that. However, a chain is only as strong as its weakest link and for many organisations, the humble contact centre can be an often-overlooked vulnerability that ends up being its downfall. One of the main reasons is the close proximity between sensitive payment data and contact centre agents operating in a chaotic environment that often suffers from lax security measures. It can be a recipe for disaster. Furthermore, it’s made worse by the growing threat coming from organised criminal gangs looking to capitalise on this vulnerability in a variety of different ways.

According to the UK’s Fraud Prevention Service, CIFAS, the number of confirmed contact centre insider fraud incidents is rising fast. In 2012 it leapt by 126% and in 2014 CIFAS announced members had reported 48 cases of employees unlawfully accessing or disclosing customer data – with over 129,500 cases of identity-related fraud also being reported. Bear in mind that these are just the reported cases; the true scale of insider contact centre fraud could well be much higher, as many cases go unreported or unnoticed.

So why is the contact centre becoming an increasingly attractive target for fraudsters? In part it’s due to advances in security technology such as Chip & PIN and 3D Secure making many payment channels safer than ever for consumers. Greater security in online and face-to-face channels means criminals are forced to look for new paths of lower resistance. The traditional contact centre, in which huge volumes of Card Not Present (CNP) transactions are processed, and where customers divulge their payment card details to agents over the phone, is increasingly being seen as one such path.

A growing issue

Of course, insider fraud isn’t a new phenomenon. In 2006, BBC Newsnight Scotland found that one in ten of Glasgow’s financial call centres had been infiltrated by criminal gangs, either by planting their own members inside, or coercing current employees to pass on sensitive customer information.

More recently, CIPHER (an independent security auditor and Quality Security Assessor) was asked by a bank to investigate the unauthorised use of credit card details. It found a contact centre employee was entering the building outside their normal shift pattern and using a co-worker’s computer to access customer card details. It later transpired this employee was part of an organised crime gang that had compromised over 15,000 credit cards in this manner.

This highlights another key issue with insider threats – a single insider with access to the right systems can steal a significant amount of sensitive information in a very short time. As such, this is not an issue that any organisation can afford to ignore.

Combatting the criminals

Compliance with the Payment Card Industry Data Security Standard (PCI-DSS) goes a long way to improving security within an organisation’s estate. There are various ways to achieve compliance, but one of the most cost-effective is to use secure phone payment technology to ensure sensitive card information never enters the contact centre environment in the first place. Instead, payments are routed via a secure payment platform, meaning agents can see the transaction is taking place but, crucially, have no visibility of the customer’s sensitive card numbers or data. With no sensitive data taken, processed or stored on site, the risk of insider fraud is completely removed and the agents themselves are protected from potential criminal coercion. Secure payment systems can also boost customer confidence as they no longer need to verbally hand their details over to anyone. Furthermore, without any data on site, the contact centre’s obligations with regard to PCI-DSS are significantly reduced.

Don’t be left counting the cost

The costs of internal fraud can be extremely high – aside from the sanctions and financial penalties imposed by regulators, often it is the associated reputational damage that organisations never recover from.

The irony is that organisations need not take any risk at all with payment card data. Secure phone payment solutions can completely eliminate the need for this information to enter the contact centre environment at all, making them a far less appealing target for criminals and removing the associated risks to the organisation.

