Everyone knows (or should know) about the dangers of phishing, when someone tries to obtain sensitive personal information (e.g., passwords, credit card information, social security number) via a seemingly routine telephone conversation or an email request.
Despite the publicity about these attacks and multiple warnings to avoid them, phishing continues to hook people in.
According to the State of the Phish report recently released by Wombat Security Technologies, phishing attacks increased by 13 percent in 2015 from the previous year.
It’s a confidence game that can entrap not only the overly trustworthy (some would say naïve), but people who really should know better.
Like customer service representatives.
According to the cybersecurity specialist Kaspersky Lab, some 30 percent of phishing attacks in 2014 shifted from banks to payment systems and online shopping sites.
And the target isn’t just the consumer of these services anymore, but those who deal with consumers on behalf of these services.
Getting Too Chatty
Consider the experience of Eric, a self-described “heavy-user” Amazon customer whose personal information may have been compromised in a series of faked customer chats.
Eric became aware of this thanks to a stock email from Amazon customer service asking whether the problem he had contacted them about had been resolved.
Well, Eric hadn’t contacted customer service about any problem. Further investigation revealed that a faked chat with customer service had divulged Eric’s home address and phone number, though an initial attempt to get his credit card information had failed.
It’s true that it isn’t all that hard to find someone’s home address on the Amazon website (The Privacy Blog points out that if you have an Amazon wish list, you make your address public), and, to be fair, personal addresses are searchable from a number of public sources.
The point is that a customer service rep need not be the source of that information.
Particularly when Eric had requested that a note be put on his account indicating it was at “extremely high risk of social engineering”, and the same thing happened again anyway. Twice.
And while at least the customer rep didn’t divulge Eric’s complete credit card information, the last few digits of the card number were compromised.
Getting Some “Kindling” for Phishing
A similar thing happened to Scott Hanselman. This time it was a chat request to customer service to send a replacement Kindle to a different address.
All the “customer” needed to do was provide the rep with Scott’s email address and shipping address.
The problem is that Scott had never requested a replacement; his Kindle was working just fine. Fortunately, the rep did not grant the additional request to cancel the confirmation email of the change, made on the grounds that the “customer” “never checks his email” (which right there should have been a warning sign).
Otherwise, Scott wouldn’t have been tipped off that his account was compromised until charges showed up on his credit card.
Why, by the way, would anyone want someone else’s Kindle? Because a pre-registered Kindle may come linked to the user’s "1-Click" ordering system.
Which means a lot of stuff could be ordered before major alarms sound. And if the scammers can collect a number of pre-registered Kindles (say, a couple hundred), that’s a significant fraud opportunity.
What Customer Service Reps Should Know
None of this would have happened if the customer service rep had been more aware of common social engineering tactics. These include:
- Pretexting, defined as “where attackers focus on creating a good pretext, or a fabricated scenario, that they can use to try and steal […] personal information.” Any request to confirm “forgotten” credit card number, mailing address, or other such personal information is highly suspect and should immediately raise a red flag.
- Phrasing that seems suspicious or otherwise not typical conversational English. Poor grammar, awkward sentence structure, and use of formal language such as referring to you as “sir” or “ma’am” are usually indicative of non-English speakers. True, it’s possible a rep could be having a chat within the U.S. with a legitimate customer whose first language is not English. But it’s also true that a great number of scams are initiated overseas. While not conclusive evidence of a scam in action, language usage should at least put the rep on heightened alert that something “phishy” might be going on.
- Requesting a new and different location to ship a completed order. Though these might be legitimate, customers should always be able to log into their accounts to make a last-minute address change before the order ships. If a customer in a chat or a telephone call requests sending an order to a different location, simply tell the customer to log in to their account. It’s fine to tell a customer how to do it, but the rep should never change a shipping destination without further verification of identity, such as a password.
- Asking for an order number or other information that the customer should have access to. This is particularly suspect in a chat, when the “customer” is on a computer and should be able to see his or her own account and ordering information. If it’s over the phone, and the customer could conceivably not have immediate access to ordering details, the rep should note the request and politely tell the customer that for their own security no further action can be taken without the necessary information.
- Making multiple chats or other contacts with customer service reps with similar requests over a short time. Reps should have access to all previous interactions to note such behavior.
Additional precautionary steps for customer service reps handling customer chat inquiries include:
- Check the IP origination of the chat request. If it doesn’t match the customer’s usual location, is of unknown origin, or from a VPN (virtual private network), be on guard for suspicious questions and behavior.
- Ask customers to log in to their accounts. If they can’t (say, they don’t remember their password), or if they ask the rep for their password (which is probably the surest sign of all), tell them that for their own security nothing can be done until they are able to log in.
- But what if they really did forget their password? In the vast majority of cases, this is probably legitimate. The problem is that phishers depend on the regularity with which people forget their passwords and ask for help. Customers must be able to answer a series of security questions, identify key phrases, and/or identify previous orders before making any log-in changes.
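The checks in the two lists above can be applied mechanically before a rep acts on a request: is the session actually logged in, does the chat origin match the account’s usual location or come from a VPN, has the same account made similar sensitive requests to other reps recently, and does the account carry a warning note. The following is an added Python example written for this article; it is not Amazon’s system or any vendor’s code. The GeoIP and VPN tables, the accounts and the chat requests are all constructed sample data using RFC 5737 documentation addresses; a real deployment would query a geolocation database and the chat platform’s own session history.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Requests a rep should never complete for someone who has not proven control
# of the account (the article's address changes, PII "confirmations", and the
# request to suppress the confirmation email).
HIGH_RISK = {
    "address_change", "reveal_address", "reveal_phone",
    "reveal_card_digits", "suppress_confirmation_email", "password_reset_by_rep",
}

# Constructed stand-ins for a GeoIP database and a VPN/proxy feed (RFC 5737 ranges).
GEOIP = {
    ip_network("198.51.100.0/24"): "US",
    ip_network("192.0.2.0/24"): "DE",
}
VPN_RANGES = [ip_network("203.0.113.0/24")]


@dataclass
class Account:
    account_id: str
    usual_country: str
    social_engineering_flag: bool = False  # the warning note Eric asked to have added


@dataclass
class ChatRequest:
    account_id: str
    at: datetime
    source_ip: str
    request_type: str
    authenticated: bool  # chat opened from a logged-in session, not merely a claimed identity


def origin_of(ip: str) -> str:
    """Return 'vpn', a country code, or 'unknown' for the chat's source address."""
    addr = ip_address(ip)
    if any(addr in net for net in VPN_RANGES):
        return "vpn"
    for net, country in GEOIP.items():
        if addr in net:
            return country
    return "unknown"


def assess(req: ChatRequest, acct: Account, history: list[ChatRequest],
           window: timedelta = timedelta(hours=24)) -> tuple[str, list[str]]:
    """Return (decision, reasons).

    'require_login': do nothing until the customer logs in and does it themselves
    'escalate':      hand to a verification/fraud queue before acting
    'proceed':       normal handling
    """
    reasons: list[str] = []
    sensitive = req.request_type in HIGH_RISK

    if sensitive and not req.authenticated:
        reasons.append(f"{req.request_type} requested without a logged-in session")

    origin = origin_of(req.source_ip)
    if origin == "vpn":
        reasons.append("chat originates from a VPN/proxy range")
    elif origin == "unknown":
        reasons.append("chat origin could not be geolocated")
    elif origin != acct.usual_country:
        reasons.append(f"origin {origin} differs from usual {acct.usual_country}")

    # Earlier sensitive requests on the same account inside the window, whichever rep took them.
    recent = [h for h in history
              if h.account_id == req.account_id
              and h.request_type in HIGH_RISK
              and req.at - window <= h.at < req.at]
    if recent:
        hours = int(window.total_seconds() // 3600)
        reasons.append(f"{len(recent)} prior sensitive request(s) in the last {hours}h")

    if acct.social_engineering_flag:
        reasons.append("account carries a social-engineering warning note")

    if sensitive and not req.authenticated:
        return "require_login", reasons
    if (sensitive and reasons) or len(reasons) >= 2:
        return "escalate", reasons
    return "proceed", reasons


# Constructed sample data modelled on the two cases in the article.
T0 = datetime(2016, 1, 20, 9, 0)
ERIC = Account("A-1", "US", social_engineering_flag=True)
ERIC_HISTORY = [
    ChatRequest("A-1", T0, "203.0.113.7", "reveal_address", False),
    ChatRequest("A-1", T0 + timedelta(hours=3), "203.0.113.9", "reveal_phone", False),
]
ERIC_NEW = ChatRequest("A-1", T0 + timedelta(hours=5), "192.0.2.44", "reveal_card_digits", False)

SCOTT = Account("A-3", "US")
SCOTT_HISTORY = [ChatRequest("A-3", T0, "203.0.113.20", "address_change", False)]
SCOTT_NEW = ChatRequest("A-3", T0 + timedelta(minutes=2), "203.0.113.20",
                        "suppress_confirmation_email", False)

LEGIT = Account("A-2", "US")
LEGIT_NEW = ChatRequest("A-2", T0, "198.51.100.5", "order_status", True)


def run_samples() -> dict[str, tuple[str, list[str]]]:
    """Assess the three constructed cases; returned so callers can inspect the decisions."""
    return {
        "eric": assess(ERIC_NEW, ERIC, ERIC_HISTORY),
        "scott": assess(SCOTT_NEW, SCOTT, SCOTT_HISTORY),
        "legit": assess(LEGIT_NEW, LEGIT, []),
    }


if __name__ == "__main__":
    for name, (decision, reasons) in run_samples().items():
        print(name, decision, reasons)
```

The decision order matters: an unauthenticated sensitive request is always sent back to “please log in”, whatever else the signals say, because that is the one response the rep can give without having to judge the caller’s story. The origin and repeat-contact signals only decide between normal handling and escalation for everything else.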
Nothing is foolproof. And if customers themselves weren’t often so susceptible to phishing schemes, the job of the customer service rep in maintaining confidentiality would be that much easier.
The point here is that your reps shouldn’t be further contributing to the problem.
Rather, by thinking critically and advising customers in a professional and respectful manner that for their own security certain information cannot be disclosed, they truly will be doing your customers a service.