Contact centers are a prime target for social engineering criminals. Customer service representatives (CSRs) are common high-value targets as their main goal is to help customers resolve their problems as quickly as possible.
CSRs often have access to lots of data at their fingertips and are the easy touch points for customer data and transactions. Hackers know that if they can successfully socially engineer a CSR, they can likely get the “keys to the kingdom.”
Remote, work-from-home (WFH) employees are likely to have a few more personal distractions than they would at a traditional, formal call center, making it easier for the social engineer to be successful. But on-site contact center employees also face many distractions, such as colleagues, HR, and onsite activities.
Traditional social engineering scams against call centers can come in a variety of different scenarios. Some scammers are simply trying to get to customer data or take over the customers’ accounts. Some are looking to get access to the call center’s databases and networks. And some are just looking to get free equipment and services.
In all, call centers and their employees are unwittingly involved in many billions of dollars of fraud a year. That’s why it is critical to get a handle on this evil and banish it or at least close the door on it.
The ATO Scam
The most common scams are account takeovers (ATOs). These are where hackers try to take control of legitimate customers’ accounts and take advantage of that access to fraudulently steal something of value.
Scammers often fake being customers, supplying previously learned information (often previously socially engineered from the real customers) in order to gain access to the accounts and control them in the future.
Technology is making it easier than ever for bad people to scam call centers. There are now hundreds of AI-enabled deepfake tools that allow scammers to accurately mimic voices and videos of anyone (e.g., customer, boss, partner, etc.).
It takes the average person longer to sign up for the free account to a deepfake site than it does for a scammer to make a deepfake video of you or anyone else saying or doing anything. All they need is a picture of the target and six seconds of audio (although longer is better).
It used to be that you taught people not to believe every email they received. Then we added SMS messages. Now we have to add QR codes, pictures, and videos of anything and anyone to the list, any of which may carry suspicious links, such as phishing links.
If you receive something digitally unexpected asking you to do something unexpected, you have to have a healthy level of skepticism. And you must verify before performing the requested action.
With ATOs, scammers try to convince CSRs to provide information to gain access to customer accounts. In most cases, call centers have policies to mitigate scammer requests that, if the CSRs follow to the letter, will prevent scammers from being successful. You just have to make your CSRs understand the risk and understand how important it is to follow policy.
Your Best Cyber Defenses
Whether your company or call center gets hacked in a given time period, for example through an ATO scam, comes down to how well you do (or don't do) at implementing these best cybersecurity defenses.
First, implement anti-social engineering policies. Social engineering is involved in 70% to 90% of successful hacking, even more so when call centers are involved. You must use the best defense-in-depth combination of policies, technical defenses, and education to mitigate social engineering attacks.
You must ensure that all the commonly known places where social engineering can be used to circumvent existing technical security controls have policies to mitigate the risks. Employees need to be taught the policies, made to understand the importance of following them, and tested to ensure compliance.
This is a great YouTube video showing how an experienced social engineering hacker can get around a call center's social engineering mitigation policies by creating a fake source of empathy.
All employees should be taught how to spot social engineering, how to mitigate it, and how to appropriately report it. They should receive anti-social engineering training at the beginning of employment and at least monthly thereafter, and be given simulated phishing tests to ensure they are following expected policies. Let employees know that circumventing these policies for any reason can result in negative consequences for the organization and for their own positions of responsibility.
Study after study has shown that making employees aware of social engineering attacks is the best way to reduce cybersecurity risks. Nothing else comes close. Here’s an example report from my company showing the effectiveness of anti-social engineering training.
Second, all employees should be given and use phishing-resistant multi-factor authentication (MFA) for logging onto call center systems. This way, simple phishing attacks can't be used by scammers to access call center systems. Using MFA is also a great way to ensure the employee is not re-using passwords between call center systems and their personal accounts.
If an employee must use a password, they should use a strong password that is unique for every system they access. Employees should be given access to and use a password manager, if possible, because password managers make it easy to create and use strong passwords that are different for every site and service.
Third, all employees should ensure that their workstation devices are patched and up to date. About one-third of all successful data breaches involve unpatched software or firmware. Usually, patches are handled by the call center’s IT staff. But if the CSR notices their system isn’t receiving the necessary critical patches, they should notify the help desk/IT staff.
When working from home, staff should also ensure their network devices (e.g., cable modems, Wi-Fi routers, etc.) are fully patched. On a similar note, employees should try their best to avoid being tricked into installing fake patches (a common hacker ploy). When in doubt, the employee should confirm their workstation’s patching status with IT.
Since the creation of computers, social engineering (and unpatched software and firmware) has been involved in nearly all successful hacking attacks. While this evil will continue to lurk, with the right defenses and methods – critically including employee training – it can be stopped at the door.