A customer lookup returns 3 “John Smith” records. The system auto-selects the most recently active one and processes a $200 refund. The actual customer was the second-most-recent match. $200 went to the wrong person.
Auto-selection by any heuristic — recency, order count, purchase value, geographic proximity — is a guess. Only the customer can confirm their identity.
The Data
500 multi-match lookups:
| Approach | Correct customer identified |
|---|---|
| Auto-select most recent | 73% |
| Ask for email/phone | 98% |
27% wrong-customer actions from auto-selection. Over 1,000 cases in 6 months: 85 incorrect refunds ($12,000), 120 wrong account modifications, 65 privacy disclosures. After switching to identifier-based: 2% error rate.
The Disambiguation Flow
When a lookup returns multiple matches:
- Ask for an additional identifier — email, phone number, order number, account number
- If first identifier unavailable — ask for an alternative (zip code, last 4 of phone, order number)
- If no identifier resolves — escalate to human (2% of cases)
Never auto-select. Never display all matching records to the customer (exposes other people’s data). Never contact all matches (privacy violation).
Why Heuristics Fail
| Heuristic | Problem |
|---|---|
| Most recently active | Activity recency ≠ current caller |
| Highest order count | Purchase history ≠ identity |
| Geographic proximity (IP) | VPNs, shared networks, dynamic IPs |
| Conversation topic matching | Still a guess, not identification |
No combination of heuristics matches customer-provided identifiers. The automation adds complexity to guessing without achieving identification.
Privacy Considerations
- Displaying all matches shows other customers’ information to the caller — privacy violation
- Emailing all matches contacts uninvolved people about a support case — privacy violation
- Auto-selecting wrong customer and showing their details to the caller — privacy violation
The identifier-based approach avoids all three: the customer provides their own data, the system matches it, no other customer’s data is exposed.
Speed vs Safety
Asking for an identifier takes ~10 seconds. Wrong-customer cleanup takes minutes to hours. The 10-second question prevents $12,000 in incorrect refunds, 120 wrong modifications, and 65 privacy incidents per 1,000 cases. Both speed and safety constraints are satisfied.
One-liner: Never auto-select from multiple matches — ask the customer for an email, phone, or order number instead, reducing wrong-customer actions from 27% to 2% and preventing $12,000 in incorrect refunds per 1,000 cases.