Call centres. Outbound call verification

TL;DR: 

• Stop asking customers to verify themselves 
• Reduce friction and annoyance 
• Empower your staff to be more effective
• Develop an alternative model that works best for you 

I’m sure we’ve all experienced authenticating ourselves when calling a company. You have a (hopefully) trusted contact number, you dial in, answer some information, and the call handler can access your account. 

What about the other way round? 

You’re called out of the blue by a company. They start the conversation by demanding information from you, citing “data protection” before they’ll go any further. But how do you know they are who they say they are? 

I experienced this recently from finance and healthcare providers. The caller ID was withheld (yes, the caller ID can be spoofed but I’ll get back to that later). The interaction would go something like this: 

Them: “Hello, I’m calling from your delivery company to arrange a date, can I take your date of birth please?”
Me: “No” 

It’s understandable, especially in the case of a health related delivery company, that they might not want to identify themselves or what they’re delivering. They might have the wrong number, or someone other than the patient has picked up the phone. But equally it’s not OK to be coaching people into just handing out their personal information. 

Provide a validated phone number 

One way to deal with this is to call the company back on a validated number, a number not provided by the caller. The challenge here is that it’s often difficult to get back to the original person, or that the call queues are long. 

Technology and automation can help here. Sending an email or text notification with a validatable website link allows people to arrange their own deliveries, or to send a secure message back. Be aware that not everyone will want or be able to do this. 

Codeword method 

So how to mutually authenticate on a phone call that originates from a company you already have a relationship with? A codeword can be useful, for example: 

“Hello, I’m calling from your delivery company to arrange a date. I’ll need to verify your identity in a moment, but to show you I’m calling from the company the code word you’re expecting is banana.” 

An argument against this is that the calling company doesn’t know who’s picked up, it could be a bad actor. Armed with that code word the bad actor can now spoof the company’s phone number, call the real person, give the correct code word, and proceed to interact as if they were the real company. A bit of a convoluted way round but still a risk. 

Codeword method improved 

An alternate would be to pick from multiple options, for example: 

“Hello, I’m calling from your delivery company to arrange a date. I’ll need to verify your identity in a moment, but to show you I’m calling from the company please can you confirm which code word you’re expecting from the following three: apple, banana, peach.” 

This shows the customer that the caller has some knowledge, and vice-versa. Also, if the wrong person is called it cannot be replayed. 

Overall though this is not a particularly great situation as it needs the codeword to be setup first, and for it to be recalled at the next interaction which could be years in the future. 

Consider in-app calling

If your customer already uses a mobile app, use the app to provide a layer of authentication. Some financial services firms are already doing this, removing the need for any further authentication. Calling is triggered from the app itself.

If in-app calling is a stretch too far, how about using the app to provide a degree of mutual authentication? It’s a much easier route to provide a pre-shared phrase or key, far less likely for your user to have forgotten it!

It may even be possible to provide limited push-message based authentication from within that app.

Advice for call centres  

Some thoughts then on how to approach company initiated customer contact: 

1. Avoid voice calls wherever possible. Use text, email, or app messaging with a verifiable link or security conscious wording such as “call us on the number printed on the back of your credit card”. 
2. Wherever possible use in-app calling.
3. In a voice call, step up authentication as needed. If it is a purely informational call with no personal details divulged, then there is no need to ask for personal information up front. 
4. Pre-agree codewords on account creation, especially in the financial and healthcare sectors. Make them accessible via website or app.
5. Have a mechanism where a customer can easily get back in touch with you by calling a trusted number (found on a website for example), and giving them a specific extension to bypass the call centre’s first line. 
6. Avoid normalising requesting personal information from unsolicited callers.