GUARDING AGAINST ATOS
Call centers are unfortunately vulnerable to account takeovers (ATOs), the most common type of cybercrime they face.
In an ATO scenario, the cybercriminal obtains their victim's information and calls the call center, pretending to be their victim. They may use emotional manipulation or blackmail to pressure the agent to provide additional sensitive details or make changes to the account. Once the cybercriminal has control, they can cause considerable damage to their victim's account.
ATO, misrepresentation, and ID fraud are not new. And the best defenses against them, or any fraud or other crimes, are vigilance and common sense. If something doesn’t look, sound, or smell right, it isn’t right.
Case in point: I received a call back in 2008 from someone claiming to be a case worker from the Indiana Department of Child Protective Services (DCS). They mentioned that they needed to get the child in to see a doctor because the parent physically abused the child. They provided the member's Social Security Number (SSN) when I asked for the member's Medicaid ID, case number, or SSN.
Then the caller verified the person's full name, address, and phone number, but crucially they could not provide me with the date of birth.
The caller seemed very upset when I explained that this is part of caller authentication to keep our member's account safe. I empathized with the caller and let them know I wanted to help, but I could not provide any account-specific information without the proper verifications.
The caller even started to cry. So, I asked what information she needed, and she wanted the child's Medicaid ID because the doctor needed the number.
Something was off when the caller asked for the child's Medicaid ID. My suspicions were confirmed when I looked into the account and discovered that the SSN provided belonged to a 32-year-old adult.
I had to let the caller know I couldn't give her that information. Still, I apologized and kindly informed her that I could provide general program information, such as names of doctors in the area or member benefit information.
I can’t recall us receiving any training on cybersecurity or reporting the attempt to the fraud department through an email.
We were simply trained on HIPAA, such as what information we had to obtain before speaking to someone about their account. If they couldn’t verify HIPAA, then we couldn’t release any information about their case.
PROTECTING AGAINST OVERZEALOUSNESS
Our agents, like those in other contact centers, understandably take compliance with regulations to protect customers, like HIPAA, to heart. But sometimes too much so.
Just a few months ago, I was disappointed to hear that a call center agent refused to assist a caller, even though the assistance the caller needed did not require the agent to provide any details about the caller's account.
The agent had to receive and send the information to the analyst, who would verify it before making the update. Unfortunately, this authentication process became a barrier to assisting the customer. As you can imagine, the caller asked to speak to a supervisor, the team lead, who mentioned the incident to me.
COACH’S CORNER
Both my colleague, David Sluss, and I had to go back to the drawing board to figure out how we could better emphasize that authentication is a necessary first step before you can read any information from our system's screen.
However, no caller authentication is required if the agent takes information from the caller or provides general program information, which can be found on a public-facing website. By making this tweak to our training, agents are now asking callers how they can help and determining whether caller authentication is necessary.
As a customer, I feel that caller authentication can sometimes be overbearing. I recall calling an organization where I had to authenticate twice — once on their IVR system and then again with the agent.
Another time, I had a simple question — Did my order get shipped? — but the authentication process took over five minutes!
It started with basics like my full name, address, email address, date of birth, and phone number. It went overkill when the agent sent me two verification codes to my phone, which I had to provide to him before I could get a simple confirmation that my order had shipped. It was too much — I felt overly scrutinized to get a simple answer.
ENHANCING THE CX THROUGH IMPROVED CALLER AUTHENTICATION
How can we use technology to help our agents while adding extra protection to customers' accounts without the intrusiveness that may come with caller authentication?
MAY 2023