Vishing is a real problem, with often the most vulnerable customers being exploited. Targeted communication in order to defraud individuals, often using the trust banks have spent years to build, can be achieved with little more than a phone number.
In a recent article published on the BBC, the Financial Ombudsman Service (FOS) said that banks are not responsible for any vishing-related losses in approximately two-thirds of cases. In 63%, targeted victims have been left without compensation, being deemed to have simply given their money away.
For banks, good news from a liability perspective can be a real headache when it comes to customer interaction. There will always come a time when customer engagement is necessary to confirm abnormal activity, and to protect accounts from potential abuse. But with customers being told they’ll probably be held liable if the interaction turns out to be vishing, what can you do to enhance their confidence that they’re actually interacting with you?
Here are some suggestions:
- Education. Keep customers well educated on what you will ask for during interactive communication, and what you won’t. For example, you will never ask for PIN or passwords in full over the phone, or ask them to send them personal banking information via email or text.
- Early-life communication. Communication with your customer in early account stages will prompt them to interact with you quickly and efficiently, and will undoubtedly enhance the long-term customer experience. Forming a process of interaction with a customer early on in the relationship will mean fraud alerts will be viewed with less suspicion and more urgency.
- Notification. Where possible, consider using push notifications through a mobile banking application to enhance the feeling of authenticity. When you need to use other channels, be sure to use consistent numbers, messaging, voice talent and personal details to ensure confidence levels are high enough to prompt interaction.
- Information. Transaction validation (particularly on a trusted device) requires very little in the way of ID&V (identification and verification). Interactive SMS are often sent to customers without the need for identification. When the voice channel is used, asking for partial information or even giving multiple-choice options for ID&V work extremely well to enhance the level of authenticity. A risk-based approach to ID&V should be used in automated communication, leaving more obtrusive ID&V questions for potential account takeover situations.