Customer Service

Customer service and help desk personnel are among an organization's most vulnerable staff members, because their job is to provide "help" in a friendly and polite manner. Attackers routinely exploit that helpfulness to learn sensitive information.

Customer Service — Phone

Attackers usually obtain phone numbers from an organization's website, along with any dedicated email addresses used for routing customer support requests. They may call from a spoofed, blocked, or private number. An attacker posing as a customer can usually gather enough information from social media platforms and other sites to answer simple security questions, and may then ask for a password reset or try to change something on the customer's account in order to gain access to it themselves.

Chris Hadnagy, security expert and CEO of Social-Engineer, LLC, and Michele Fincher demonstrate how easy this attack vector is to carry out.

“Watch as Michele Fincher pwns the identity of CBC News’ Asha Tomilson live at DEF CON 24”

Customer Service — Email

Opening an email attachment from an unknown sender is never a good security decision. For the helpdesk/customer service representative, however, it may be a necessary part of providing customer support. The attachment may be just an innocent screenshot documenting order or transaction details. There is always the possibility, though, that malware is lurking in the attachment and a social engineering attack is in progress.

Example

In November 2016, Proofpoint reported that they were monitoring a malware-laden phishing campaign that targeted customer service staff. As reported by Proofpoint, "the personalized subject lines of the emails used references to issues with supposed purchases on the company's website and were targeted at individuals who may be able to provide support for those issues. The lures also suggested that the attached document contained detailed information about the issue."

Figure 2: Example email used to deliver the macro-laden document – Proofpoint
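Because the Proofpoint campaign relied on a macro-laden Office document, a first-pass triage check that a support mailbox gateway or an analyst can run on an attachment is useful. The script below is an added example, not Proofpoint's or the article's own code: it inspects a zip-based Office Open XML file for a VBA project part and for macro-enabled content types. The two sample documents are constructed inline and are not real attachments; legacy OLE2 .doc/.xls files are reported as unsupported rather than silently treated as clean.

```python
import io
import zipfile

# Names and content types that mark a macro-enabled Office Open XML package.
# Assumption: the package follows the OOXML convention used by Word, Excel and
# PowerPoint (word/, xl/ or ppt/vbaProject.bin plus a [Content_Types].xml manifest).
VBA_PART_SUFFIX = "vbaproject.bin"
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",
    "macroEnabled.main+xml",
)

def inspect_office_attachment(data: bytes) -> dict:
    """Triage one attachment (raw bytes) for embedded VBA macros.
    Only zip-based OOXML (.docx/.docm/.xlsm/.pptm) is inspected; legacy OLE2
    .doc/.xls is reported as 'unsupported' rather than silently treated as clean."""
    if not data.startswith(b"PK"):
        return {"format": "unsupported", "macros": None, "indicators": []}
    indicators = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # A VBA project part anywhere in the package means macros are present.
            indicators += [f"vba part: {n}" for n in names if n.lower().endswith(VBA_PART_SUFFIX)]
            # The content-type manifest also declares macro-enabled parts.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                indicators += [f"content type: {ct}" for ct in MACRO_CONTENT_TYPES if ct in manifest]
    except zipfile.BadZipFile:
        return {"format": "corrupt", "macros": None, "indicators": []}
    return {"format": "ooxml", "macros": bool(indicators), "indicators": indicators}

def build_sample(macro: bool) -> bytes:
    """Constructed minimal Word package (not a real attachment) for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro else
                   "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
        overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        if macro:
            overrides += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
        zf.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

CLEAN_SAMPLE = build_sample(macro=False)
MACRO_SAMPLE = build_sample(macro=True)
```

Running `inspect_office_attachment(MACRO_SAMPLE)` reports three indicators (the VBA part and both content types), while the clean sample reports none; a positive result is a reason to route the attachment to a sandbox rather than open it at the desk.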

Conclusion

Security education can train service representatives to do their job politely without compromising customer or company data. Helpdesk/customer service personnel need regular reinforcement that saying "no" is not only acceptable, it is often the wisest choice.