Social Engineers Target Service Staff

Customer service skills can be a handicap in the fight against fraud.

September 26, 2012

Technological controls and expensive countermeasures do little to prevent a credit union’s own employees from succumbing to social engineering tactics. Customer support staff in particular make attractive targets to social engineers.

Could some organizations be so preoccupied with securing their network perimeters that they fail to notice a threat knocking on the front door?

Recent industry studies and real-world tests indicate the answer is “yes.” Even more alarming is the frequency in which unsuspecting employees not only unlock the door, but allow the threat to enter unimpeded.

Thus is the dilemma of social engineering: technological controls or high-budget countermeasures do little to prevent a company’s own employees from succumbing to social engineering tactics.

Social engineers are essentially con men, hence they’re experts at manipulating people into doing things they normally wouldn’t do. Instead of attempting to bypass sophisticated technological security controls, this class of criminal selects targets of opportunity that can be exploited with minimal effort, offer a low risk of being discovered, and have the potential for a high payoff.

So it’s no wonder they consider employees, specifically customer service and call center staff, to be such attractive targets.

These con men—and con women—use deception and exploitation to persuade unsuspecting people to willingly perform actions they know they shouldn’t, such as divulging confidential information or allowing unauthorized access to sensitive data.

Because customer support and call center staff can give social engineers access to almost all sorts of information ranging from the innocuous to the highly sensitive, this makes customer service centers a “one-stop-shop” for criminals looking to steal valuable data.

Their shopping lists include profile information such as passwords or account information that can be used for identity theft, confidential corporate information (sensitive product data or staff account information), or even bulk account data that can be exfiltrated during a single engagement and lead to a large scale breach.

Unlike technological safeguards that are built on emotionless “black and white” decision engines, humans are influenced by their emotions during the decision process. Although guided by written policies and procedures intended to set the overall parameters of their job role, employees may succumb to a social engineer who appeals to their emotions through persuasion, pressure, guilt, and other tactics.

The main goal of a customer service employee is to be accommodating, solve problems, and provide exceptional service. Ironically, these essential traits needed to be in a customer service role are actually a handicap in the fight against fraud.

Criminals recognize the ingrained doctrine of “the customer is always right” as a security weakness and leverage the employee’s fear of customer complaints, or even the perception that they provided poor service, as an effective tool of persuasion.

The concept of “good service” is nearly impossible to encompass within a written policy or procedure, so employees often must determine on their own how to balance good customer service against the need for good security. It takes only a simple lapse in judgment for a breach to occur.

Of course, this isn’t to suggest customer service employees will be influenced by a superficial, unrealistic story. That’s why successful social engineers take great effort into devising a credible “pre-text” based on just enough verifiable information so their elaborate lie can withstand at least a minimal amount of scrutiny.

The most effective pre-texts are weaved from legitimate information involving a completely believable scenario. By supplying seemingly factual information at the outset, the criminal can establish the necessary level of credibility needed to gain the trust of the customer service employee.

At this point, the social engineer usually begins “tugging on the heartstrings” through a believable and relatable story designed to elicit empathy and understanding from the employee.

If the con man’s story is good enough, most customer service and call center employees can be manipulated into ignoring policies and procedures in the spirit of providing “exceptional service.”

After all, these employees have the mindset that “the customer is always right” and are constantly in the mode of answering questions and providing information. Therefore, they’re primed for exploitation by a wily social engineer.

Even when alert employees recognize malicious tactics as a potential threat, tracking down a would-be social engineer is incredibly difficult and rarely successful. They tend to get caught only after the breach has occurred and the criminal is attempting to use or sell the stolen information.

By that time, the damage has been done.

Pitting untrained, unsuspecting customer service employees against deceptive, manipulative social engineers is a lopsided fight where the organization is at a severe disadvantage.

Therefore, the best defense against social engineering tactics aimed at customer service employees is to:

DAVID BLAZIER is marketing manager for TraceSecurity, a CUNA Strategic Services alliance provider. Contact him at 225-612-2121, ext. 31062.