Contact center fraud is exposing gaps in identity verification

At a glance

What this is: This is an analysis of contact center fraud and the identity verification weaknesses that let criminals manipulate agents, bypass checks, and take over accounts.

Why it matters: It matters because contact centers sit at the junction of human identity, customer access, and privileged workflows, so weak verification can undermine both IAM controls and customer trust.

By the numbers:

• Nearly 29% of U.S. adults experienced account takeover in 2024.
• Fraudulent calls surged to 12.5 billion in Q1 2025.
• Account takeover fraud has increased by 330% in recent years.

👉 Read 1Kosmos's analysis of contact center fraud and passwordless identity

Context

Contact center fraud is an identity problem as much as it is a fraud problem. The issue is not only that criminals make deceptive calls, but that frontline verification often depends on brittle signals such as security questions, caller ID, and agent judgment under time pressure. For human identity programmes, that means the control point is the interaction itself, not just the login.

The article’s core warning is that fraudsters now combine social engineering with AI-generated impersonation, making old verification habits easier to bypass and harder to spot. When customer service teams are measured on speed and satisfaction, security steps are often the first thing to weaken, which creates a repeatable access path into customer accounts and sensitive data.

Key questions

Q: How should contact centers verify identity for high-risk customer requests?

A: Use layered verification, not a single check. Combine stronger proofing for high-risk actions with contextual signals from the call, the channel, and the account. Security questions and caller ID should never be the only gate for resets, payout changes, or profile edits. The goal is to make impersonation expensive enough that routine fraud attempts fail before an agent can expose sensitive access.

Q: Why do traditional call center checks fail against modern fraud?

A: Traditional checks fail because they assume attackers cannot easily obtain the information needed to pass them. Today, breached data, caller spoofing, and AI-generated voices give criminals enough material to impersonate legitimate customers convincingly. That means the verification process is often authenticating known facts, not proving the caller’s current identity or intent.

Q: What do security teams get wrong about contact center fraud detection?

A: They often look for a single bad call instead of a pattern of escalating behaviour. Fraud frequently starts with IVR probing, moves through repeated retries, and ends with rapid account changes after an agent is persuaded. Detection improves when teams correlate these signals and treat unusual sequences as a takeover attempt rather than isolated noise.

Q: Who is accountable when a fraudster convinces an agent to bypass verification?

A: Accountability usually sits with the organisation, not the individual agent alone. If the workflow allows exceptions under pressure, the issue is a governance failure in policy, training, and control design. Regulators and auditors will expect the contact center to demonstrate that high-risk actions required stronger verification and that exceptions were monitored, recorded, and reviewed.

Technical breakdown

Why caller ID and knowledge-based checks fail

Caller ID, security questions, and similar knowledge-based checks assume the caller is operating within a stable, verifiable identity context. Fraudsters break that assumption by using stolen personal data, spoofed numbers, or synthetic identities, so the verification step authenticates a story rather than a person. In practice, these checks fail because they are static, easy to precompute, and vulnerable to reuse across channels. Once an attacker has enough profile data, the control becomes a speed bump instead of a gate.

Practical implication: replace single-signal verification with stronger identity proofing before agents can disclose or change account data.

How AI voice cloning changes contact center risk

AI voice cloning raises the quality of impersonation without changing the attacker’s basic goal. Instead of relying on coarse social engineering, criminals can now mimic tone, cadence, and urgency well enough to pressure an agent into skipping steps or escalating access. Voice biometrics can help, but only when they are part of a layered model that also checks device, transaction, and behavioral context. On their own, audio-focused controls are vulnerable to increasingly realistic synthetic speech.

Practical implication: treat voice analytics as one control layer and require secondary verification for high-risk requests.

Why monitoring must cover the full interaction path

Contact center fraud often unfolds across several touchpoints: IVR probing, repeated retries, agent interaction, and post-access account changes. That means monitoring has to connect signals across the whole path, not just detect a bad call in isolation. Anomalies such as repeated failed authentications, unusual urgency, or rapid profile changes can be early indicators of account takeover. The mechanism matters because fraudsters often test, adapt, and then strike when controls are inconsistent between channels.

Practical implication: correlate IVR, agent desktop, and account-change telemetry so suspicious behaviour is visible before takeover completes.

NHI Mgmt Group analysis

Contact center fraud is a human identity failure first, not a call-quality problem. The article shows that attackers win by exploiting the gap between verification policy and real agent behaviour under pressure. Security teams should treat customer service as an identity enforcement point, not just a support function, because the transaction itself is where the compromise occurs.

Security questions have become a broken assumption, not a weak control. They were designed for a slower threat model in which personal data was less available and impersonation was easier to detect. That assumption fails when adversaries can combine breached data, caller spoofing, and AI-generated voices, so the implication is that identity proofing at the contact center must be rethought around stronger evidence of presence and intent.

Speed metrics can quietly override security design. When agents are rewarded for fast resolution, verification steps become optional in practice even if they remain mandatory on paper. The result is a governance gap between policy and execution, and practitioners need to measure whether frontline workflows are actually preserving the controls the programme depends on.

Layered identity verification: the most important lesson is that no single check can safely stand in for trust when attackers can impersonate across channels. The article’s own figures on takeover and call volume show that contact centers now operate at a scale where weak verification becomes systemic exposure. Practitioners should treat this as a programme design issue across human identity, access governance, and customer experience.

From our research:

• The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
• Only 44% of developers are reported to follow security best practices for secrets management, which shows that confidence and execution are often misaligned.
• For a broader governance lens, read Ultimate Guide to NHIs for how identity controls, lifecycle management, and access discipline fit together.

What this signals

Identity proofing at the contact center is now a cross-functional control surface. Fraud teams, IAM teams, and customer operations need to share one view of trusted verification, because the attack path moves across people, processes, and systems. The strongest programmes will treat customer recovery, call handling, and account changes as governed identity workflows rather than isolated service tasks.

With 27 days as the average estimated time to remediate a leaked secret in our research on AppSec, organisations should assume that once customer data or verification artefacts leak, attackers have enough time to operationalise them. That makes prevention at the interaction layer more valuable than post-incident cleanup.

The next step is to connect contact center controls to broader identity architecture, including the Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10 where shared credentials, session integrity, and access governance intersect.

For practitioners

• Remove sole reliance on knowledge-based verification Retire security questions and caller ID as standalone approval signals for account changes, password resets, and high-risk disclosures. Require an additional proofing step that is harder to precompute or socially engineer.
• Correlate fraud signals across channels Join IVR behaviour, agent desktop activity, call metadata, and account-change events so repeated retries, unusual urgency, and rapid profile edits can trigger intervention before takeover completes.
• Train agents against pressure-based bypass tactics Use scenario-based coaching that teaches agents to pause when callers create urgency, claim authority, or present overly detailed personal information. Reinforce that policy exceptions create identity risk, not customer loyalty.
• Apply stronger verification to privileged contact center actions Segment workflows so address changes, payout changes, credential resets, and account recovery require stronger authentication than routine service requests. Keep the higher-friction step tied to the specific risk of the action.

Key takeaways

• Contact center fraud succeeds when verification is treated as a script rather than an identity control.
• The scale is material, with takeover rates and fraudulent call volume showing that this is a systemic operating risk, not a fringe abuse case.
• Stronger identity proofing, cross-channel telemetry, and better agent decisioning are the controls most likely to reduce exposure.

Key terms

• Contact Center Fraud: Fraud that targets customer service operations to trick agents, bypass verification, or gain unauthorized access to accounts and data. It blends social engineering with identity abuse, so the real failure is often in the trust checks and workflows that govern the interaction.
• Account Takeover: A situation where an attacker gains control of a legitimate customer account and can act as the rightful owner. In contact centers, takeover often follows successful impersonation, weak recovery checks, or poorly governed exception handling.
• Knowledge-Based Authentication: An authentication method that asks the caller to answer personal questions or provide facts that should be known only by the legitimate user. It is weak when data is exposed, because the verifier is checking remembered information rather than strong evidence of identity.
• Passwordless Authentication: An identity verification approach that replaces shared or reusable secrets with stronger factors such as device-backed credentials or biometric signals. In contact centers, it reduces dependence on information that can be stolen, guessed, or socially engineered.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by 1Kosmos: Contact center fraud happens when criminals exploit customer service operations to steal sensitive information, drain accounts, or gain unauthorized access. Read the original.