A Deeper Look At Phishing Schemes that Target Customer Service Agents
Phishing is the practice of lying to people and tricking them into taking actions that harm them. These hacks often involve getting someone to expose information or provide access to a computer system that can be infected. Hackers choose phishing targets who are likely to answer messages and do what they ask without checking with supervisors first.
This makes customer service agents a prime target for corporate-facing social hackers. Customer service agents also have a surprising amount of power to give hackers what they want, across a wide variety of possible goals. Agents can hand out consolation prizes and refunds to unhappy customers. They can give bonuses to accounts or make account setting changes. They can look up and provide information. These actions are necessary when dealing with real customers and their troubles. These actions become exploitable when faced with hackers and lies.
Every customer service team needs a system to bounce social hackers out of the queue as soon as they are detected. The first step is understanding how customer service phishing works from the inside out.
Phishing with Fake Customers and Real Customers
There are two broad categories of customer service scam. There are scams involving real customers and real accounts, and there are scams where the customer’s existence in your system is irrelevant. Sometimes, a hacker will pretend to be a customer in order to gain access to your customer services. We’ll explain what they get out of this in a moment.
Alternately, hackers who really are customers (or have access to customer accounts) will call customer service to take advantage of the company more directly. These tend to be return-item or online-point scams and similar.
Phishing Scams and Fake Customers
Let’s talk first about hackers who pretend to be customers in order to call or chat with your service agents. Fake customers mostly don’t need to have accounts. For them, the conversation is the thing. Their goal is to get someone on the phone (or chat or email) who is in the “Customer is always right” mentality. They are counting on the agent either having no cybersecurity training or being willing to go around that training if a “customer” insists enough.
If a scammer is not really a customer, then their scam likely doesn’t require them to have a real account or order to reference. They might claim, to give a few examples, to be:
- A booking customer
- A lead with a pressing question
- Someone whose information or account was lost
- Someone who “can’t remember” their login details
- Someone who is getting in touch “on behalf of” another person
What they are after:
- Malware Exposure
- Data Extraction
- Account Access
From there, the hacker will have a stated goal and a real goal. Their stated goal could be to ask a question, book a service, or access a locked account. Their real goal, on the other hand, will be either to expose your computer to malware or to gather information. They may try to get you to tell them things about someone else’s (supposedly their) account. Or they might ask you to download something like paperwork or “evidence” of their issue. They may also try to gather information about you. For example, a caller who feigns anger and demands to know your name and your supervisor’s name may be collecting information to use in hacking you later.
Phishing Scams with Real Customers
Not all phishing scams involve fake customers. Some come from hackers who use your service, hackers with a stolen account, or hackers who have created an account/order for the sole purpose of pulling this scam. Phishing customer service with a real account is extremely common, as a real order (and being a real customer) makes a great cover for the scheme.
This is why customer service teams need to be constantly on their toes. Any customer could be a hacker or a hacker’s agent.
The goals when dealing with a real account are far more diverse than goals that don’t require an account. To start with, a real customer has more influence when trying to get service personnel to click something infected. Beyond that, however, are the many scams that relate to services and products.
Some of these schemes will be familiar; others you may want to take notes on and watch out for.
Scammers with a real account may approach as a customer:
- With a problem with a product/service
- With trouble accessing their account
- With a bullying attitude problem
What they are after:
- Malware Exposure
- Refund or Replacement of non-damaged items
- Points or Awards on their Account
- Access to Someone Else’s Account
- Known ‘consolation prizes’ handed out by customer service
When dealing with customers, keep your red flags ready for any of the goals mentioned above. If a customer seems to want you to click, download, or follow a link on their command, don’t. Use a cloud service so that no files are ever directly downloaded (or web pages opened) on your computer.
Phishing scams of this nature are also why companies must require proof of damaged items before shipping a replacement or offering a refund. Scammer customers will often report an item damaged or not-delivered to see if they can get one for free, either via refund or replacement.
Modern reward points can be worth money, so watch out for customers who are too keen to get points in return for their complaint, whatever their complaint may be. A common phishing scheme-of-opportunity is to simply attempt to bully a service person into giving a digital reward just because “the customer is unhappy”. This leads scammers to fake unhappiness, even to the point of yelling at agents, to try and “shake” a few digital rewards out of the company.
The phisher might be trying to gain access to someone else’s account to make purchases or steal information. In this case, they may claim that they can’t access “their” account. Additional verification will be necessary.
Finally, if your company is known (even in very small circles) to give consolation prizes (things to soothe unhappy customers), then some hackers will try for them. This is why you should move all real complaint resolutions to a private space where real customers can be soothed without onlookers and hackers can be weeded out.
Do you work in customer service, or does your business feature a customer service portal for your clients? Then protecting against phishing scams is a must. By understanding how these schemes work and what their ultimate goals are, you can build comprehensive defenses and train your team to bounce non-legit calls efficiently. Contact us today for more social hacking insights and prevention strategies.