As technology evolves to support new ways of doing business, it also creates new opportunities for fraud, like botnet attacks and static biometric fakery. In the push to fight back against these new types of fraud, it’s easy to overlook an old-fashioned vector like telephone conversations. Fraudsters know they can sometimes manipulate customer service representatives (CSRs) into giving up information ranging from account access to state secrets, at tremendous cost to the organizations they attack. Sadly, customer service teams may be the most vulnerable part of a company’s fraud-prevention program.
So-called “vishing,” or voice-phishing, is less common than email-based phishing schemes, but it can be very expensive. Forbes reports that the average cost of a successful vishing attack against a business is $43,000 per account compromised. And the stakes can be even higher, as the recent trial of a young British hacker shows.
Compromising national security by phone
Kane Gamble, age 18, was sentenced in April to two years in youth detention for hacking into former CIA chief John Brennan’s emails and documents, including information about “military operations and intelligence operations in Afghanistan and Iran.” How did a then-15-year-old get such delicate and presumably secure information? By calling customer service and lying about who he was.
Gamble’s vishing attacks included impersonating Brennan and a Verizon staffer in calls to that company. In those conversations, he was able to get Brennan’s account PIN and security questions changed over the phone, despite giving a wrong answer to the account’s security question. After that, Gamble was able to “gain access to Brennan’s emails and his address book, as well as his iCloud storage. He even managed to remotely access the iPad of Brennan’s wife,” as Newsweek reported. Gamble also conned the FBI help desk into changing then-Deputy Director Mark Guiliano’s database password, simply by calling in and pretending to be Guiliano.
If a teenager can access intelligence emails and law enforcement databases with a few phone calls, why wouldn’t professional criminals try similar tactics to defraud companies? And how can companies guard against these attacks?
Customer service safeguards against social engineering
Most companies require CSRs to ask callers for their full name, address, and date of birth before proceeding with service on an account, but all of that information is easy to find online or on discarded documents salvaged from trash or recycling bins. Some companies go a step further and require the customer to verify their account number and perhaps all or part of their Social Security number. However, stolen SSNs are increasingly available on the black market, and account takeover fraud is so frequent now that possession of an account number may not guarantee the caller’s identity. Moreover, calls to a live person don’t undergo the same digital fraud checks that an online transaction does, like IP address, device identity, and behavioral biometrics.
But there are steps companies can take to tighten customer-service security, like a standardized, multi-step process for authenticating callers and strict rules on what information can be changed or shared on the phone. In the Brennan case, his security question and PIN should have stopped anyone else from accessing his account information. However, customer service reps are trained to keep customers happy, and if they have some leeway they may share information that risks security—either to calm an angry caller or because a friendly caller has built a rapport with them.
To avoid scenarios in which a CSR feels bullied or lulled into complying with an insecure request, companies need a clear flowchart of authentication steps for customer service reps to follow, plus a clear explanation of what to do when the caller can’t provide the required information—with the assurance that managers will support them in those situations. This means customer service managers must also be trained and ready to take over in situations in which a caller demands information without authentication.
Another best practice is to prohibit callers from changing PINs and passwords over the phone. Requiring customers to go online to change account access information means that companies can screen those requests with digital authentication tools, which can raise flags if geolocation, device identity, or other factors don’t match the customer’s history and profile.
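One way to encode such a flowchart so that a CSR tool enforces it instead of leaving it to judgment on the call, as an added example that is not from the original article or from ClearSale; the action names, step names and policy table are assumptions for illustration:

```python
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ESCALATE = "escalate to manager"

# Hypothetical policy table (an assumption for this example): the ordered
# verification steps a CSR must complete before each kind of phone request.
# Public-record items (name, address, DOB) cover only low-risk requests;
# anything sensitive also needs the account number and the security answer.
# None means the request is never fulfilled by phone: the customer is sent to
# the online channel, where device and geolocation checks can run.
POLICY = {
    "billing_question": ("full_name", "address", "dob"),
    "read_account_details": ("full_name", "address", "dob",
                             "account_number", "security_answer"),
    "change_pin": None,
    "change_password": None,
}

def decide(action, results):
    """Return (Decision, reason) for a phone request.

    results maps a step name to True (answered correctly) or False (answered
    wrongly); a missing key means the caller could not or would not answer.
    """
    required = POLICY.get(action)
    if required is None:
        # Unknown actions and PIN/password changes fail closed.
        return Decision.DENY, f"{action} is not available by phone; use the online channel"
    for step in required:
        if step not in results:
            # Caller can't provide a required item: the CSR does not improvise,
            # a manager takes over the call.
            return Decision.ESCALATE, f"caller did not provide {step}"
        if results[step] is False:
            # One wrong answer ends verification, regardless of how many other
            # items were correct or how friendly the caller has been.
            return Decision.DENY, f"wrong {step}"
    return Decision.ALLOW, "all required steps verified"
```

The second assertion below mirrors the Brennan case: every public-record item correct but the security answer wrong still yields a denial rather than a changed PIN.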
By training customer service teams to recognize vishing attempts and giving them the resources and authority to stop scammers from compromising customer data, companies can reduce their risk of losing money, customer trust, and valuable data. Good customer service keeps customers happy, but great customer service keeps customers’ data safe, too.
Rafael Lourenco is Executive Vice President of ClearSale