Press 4 To Give Us All Your Money

I guess it had to happen: phishers are not only trying to snag you by setting up fake banking websites, now they’re trying to snag you by setting up fake switchboards too.

Tim McElligott writes in Telephony Online that scammers “posing as a financial institution and using a VoIP phone number e-mailed people asking them to dial the number and enter the personal information needed to gain access to their finances.” Simply put, the phishers in this case aren’t directing you to a fake website where you enter your password and other data sufficient for them to empty your account; they’re directing you to an automated phone service, where you’d give the same details.

The information comes from Cloudmark (“the proven leader in messaging security solutions for service providers, enterprises and consumers”), which claims in a press release that it has seen two separate such attacks this week:

In these attacks, the target receives an email, ostensibly from their bank, telling them there is an issue with their account and to dial a number to resolve the problem. Callers are then connected over VoIP to a PBX (private branch exchange) running an IVR [an automated voice menu] system that sounds exactly like their own bank’s phone tree, directing them to specific extensions. In a VoIP phishing attack, the phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN.

As Telephony Online points out, setting up this kind of phone network is easy. “Acquiring a VoIP phone number is about as hard as acquiring an IP address or a domain name,” it quotes Adam O’Donnell, senior research scientist at Cloudmark, as saying. “Phishers figured out how to quickly and fraudulently get that information a long time ago.” An old PC with a voice modem card and with a little PBX software and you’ve got a company’s phone tree which can sound exactly like your bank, O’Donnell says.

This all makes sense. Indeed, we should have seen it coming. It’ll be interesting to see how banks cope with this. Right now their argument has been that if in doubt, a customer should phone them. That no longer is as watertight an option. They could argue that customers should not respond to any email they receive, but that’s also not always true. Banks and other financial institutions need to communicate with customers.

One solution to this is the signature: Postbank last month launched a service where all its emails to customers come with an electronic signature. The only problem with this is that most email clients don’t support the service — only Microsoft Outlook. This is a bit like giving customers a lock that only works on certain kinds of door.

Perhaps banks are just going to have to pick up the phone. If customers are now under threat from automated phone trees maybe the solution is not more technology, but less? A cost the phishers are unlikely to be able to bear would be an actual voice on the other end of the line that sounded familiar and authentic. The only question then would be for the customer to establish the authenticity of the banking assistant.

“Your Call Is Important To Us. Really.”

Paul English’s website about about getting around ‘interactive voice response’ phone systems (where you talk and a computer listens) is already triggering industry rebuttals, like this one from – Top 5 Reasons NOT to Zero Out of an IVR System (via Dan Gillmor):

If you’ve visited Paul English’s website, you’ve learned how to “zero out” of the automated voice systems of many companies. As the market leader for on-demand call center and Interactive Voice Response (IVR) solutions, is here to tell you why zeroing out will only hinder your attempts to accomplish your objective for the call.

It’s actually a bit of a naff response (not least because the ‘market leader’ can’t even bring itself to provide a link to Paul English’s site, which displays either the company’s ignorance or its petulance (neither looks pretty). But the argument is also weak:

Automated voice systems, otherwise known as Interactive Voice Response (IVR) systems, can minimize the caller’s wait time by making sure they get to the right person, and if designed correctly, can often answer the most frequent inquiries immediately.

And then goes on to list 5 reasons why you should NOT zero out of an IVR System — starting off with the assertion that

#1 Most IVR systems are good, especially speech-enabled systems. Two-thirds of consumers feel voice automation is efficient and fulfills their needs, whereas 34% of consumers complain that they have dealt with unfriendly live agents.

This according to a “landmark study on consumer attitudes on customer service conducted by Nuance and Harris Interactive” which once again isn’t linked to. I believe they’re referring to this one (PDF only), which was commissioned by a company called Nuance which, er, makes IVR systems like Call Steering. Their ‘study’ reads more like a press release than a ‘landmark study’:

Businesses are choosing automated speech applications because they allow customers to interact in a more natural fashion than cumbersome keypad or touch-tone systems. It’s no surprise, then, that the majority of speech users (61 percent) are highly satisfied with their most recent speech encounter.

(In fact, if one wants to get picky, I believe that 61% — which I’m guessing is citing as fulfilling their needs — represents only 61% of 41% of the sample of 326 people, since only 41% of people interviewed had actually used an IVR in the previous three months. So that’s 82 people according to my bad math. The landmark survey is relying on the word of 82 people? And I couldn’t find any reference to 34% of consumers complaining about ‘unfriendly live agents’, although perhaps it’s in another account of the study. )

Anyway, the 5 reasons go on:

#2 Every selection you make in the IVR system will help the system make progress towards solving your problem either in the IVR system or by routing you to the most qualified live agent.

I can’t really argue with that, but of course this assumes that the IVR system is better than a ‘live agent’. If the live agent were qualified and well-trained, wouldn’t the converse be true?

#3 By zeroing out at the first prompt, you give up control over the type of agent you will ultimately speak to. You will likely end up in the most generic queue and, hence, the queue with the longest wait time. Then you’ll explain your problem to somebody who is not qualified to solve the problem, who in turn will place you into yet another queue.

Once again, the assumption is that the staff are actually less qualified than the computer. I can see what they’re getting at — that they have only a limited number of qualified staff, so they need to line up their customer duckies to maximise the usage of those staff — but it all rests on the IVR system being smart enough to understand problems that may not easily fit menu options. My experience is that as many times as this works, it doesn’t, and that you get sent to the back of a queue because the IVR (or touch tone options) pushes you into the wrong part of the maze.

#4 In almost all cases, if you have a request that can be resolved completely by an IVR system (like account balance, order status etc.), using the IVR system correctly will get you results faster than talking to a human.

Of course; I don’t think anyone’s questioning the usefulness of checking a bank balance via this system. I doubt anyone would quibble with that; indeed it’s somewhat creepy having a real person read out your bank balance (‘Dude! You’ve only got $34.23 in your account. Better get a real job”) but the real naffness in this line of argument is betrayed by the last ‘reason’:

#5 The more people that use IVR systems for easy requests (see #4), the greater the number of live agents who are available for complex requests. This leads to better and more qualified service for everyone – the IVR system you are doing a service to all your fellow callers.

In other words, by subjecting yourself to a time-wasting maze of dumb or irrelevant choices you’re helping the company cut down the number of ‘live agents’ who actually provide a service. Or, as Paul English puts it in his rebuttal:

Of course IVR systems sometimes work, and that they can save you time for some very specific simple requests (e.g., check flight arrival) and they can sometimes save you time by directing you to the correct department. However, consumers are not stupid, and they should be given the choice to connect to a human when they want.

Hear, hear.

‘Say ‘Five’ After The Tone If You Want To Curse One Of Our Customer Service Computers’

The good news: We don’t have to use those silly touch-tone menus anymore when we call our friendly utility. Now we can speak to a real computer.

A report by Chartwell, an industry research service, says that more and more utilities “are implementing or investigating speech recognition for their interactive voice response units, and advocates say the technology has the potential to revolutionize automated customer service”. What this ‘revolution’ means, it turns out, is that customers can use voice recognition to report outages, or even conduct “customer self-service” (I love that idea! Why didn’t I think of that?) such as billing, payments and updating account information. As someone who has just tried to resolve some thorny billing problems relating to my mother’s poor choice of electricity and gas utility in the UK, I can only say: Yeehar!

Here’s Dennis Smith, Research Director & Manager of Chartwell’s CIS & Customer Service Research Series: “Speech recognition is a progressive customer self-service tool that can be extremely valuable to a utility, provided it is designed correctly.” Incorrect designs are, among other things, unfriendly self-help service menus. Oh. So we don’t get to chat with a computer, we get to say ‘two’ instead of pressing two on our touch tone phone. That’s progress.

This is another bit I like: The report includes case studies on what it calls ‘progressive utilities’ (as opposed to what? ‘Regressive utilities’? ‘Incorrect thinking utilities’?) utilizing speech recognition technology. One, We Energies, “after concluding that many of its incoming calls related to billing or payments, implemented a speech system in order to offer customers a more personal and prompt way to conduct business without the assistance of a customer service representative (CSR)”. I am particularly happy the customer service representative has an abbreviation: Given it’s the only one in the report I can only assume that assigning an abbreviation is what happens prior to downsizing. And how, exactly, can you have a ‘personal’ way to conduct business using a computer? More personal than what? Pressing the keypads on your phone until they sink into the plastic moulding?

Look, I’m a big fan of computers, and I’m probably still reeling from trying to find an email address I could write to to complain (there wasn’t one; even the website wouldn’t recognise my Mozilla  browser and suggested I upgrade. You’re a utility, for God’s sake! You’re selling electricity! It’s not as if you’re selling Porsches, or smartphones! What if I was some elderly person wanting to check my electricity bill? Jeez) but I don’t get it. I always hoped that computerisation would free up staff so they could talk to customers, find out what’s bugging them, try to make things better. I guess that’s never going to happen now. We’re going to be sitting there in the dark, the electricity long gone out, the gas fire cold, saying ‘four… six… six…. I said SIX’, our voices echoing down the hallways, for eternity. Please, give me an CSR. I really need a CSR.

You can buy the full report, Speech-Enabled Customer Service Applications in the Utility Industry for $350 here.