Security Through Education

A free learning resource from Social-Engineer, Inc

Home

The Social Engineering Framework

The Social Engineering Framework is a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering. Please use the index below to find a topic that interests you.

Framework Sections

Section Articles

General Discussion

Select a topic from the index below

Customer Service

Help desk/customer service personnel are some of an organization’s most vulnerable staff members since their job is to provide “help” in a friendly and polite manner. This is often exploited by an attacker to learn sensitive information.

Customer Service —Phone

Attackers will usually obtain the needed phone numbers from an organization’s website in addition to any specific routing emails used for customer support. Attackers may call from a spoofed, blocked, or private phone number. An attacker posing as a customer can usually cull enough information from social media platforms and other sites to answer simple security questions. The attacker could also ask for a password reset or try to change something on a customer’s account in order to have access to it themselves.

Chris Hadnagy, security expert and CEO of  Social-Engineer, LLC and Michele Fincher demonstrate how easy this attack vector is to implement.

“Watch as Michele Fincher pwns the identity of CBC News’ Asha Tomilson live at DEF CON 24”

Customer Service —Email

Opening an email attachment from an unknown recipient is never a good security decision. For the helpdesk/customer service representative, however, it may be a necessary part of their job in providing customer support. The attachment may be just an innocent screenshot documenting order or transaction details. However, there is the possibility that malware is lurking in the attachment, and a social engineering attack is in progress.

Example

In November, 2016, Proofpoint reported that they were monitoring a malware-ridden phishing campaign that targeted customer service staff. As reported on by Proofpoint, “the personalized subject lines of the emails used references to issues with supposed purchases on the company’s website and were targeted at individuals who may be able to provide support for those issues. The lures also suggested that the attached document contained detailed information about the issue.”

customer service

Figure 2: Example email used to deliver the macro-laden document – Proofpoint

Conclusion

Security education can train service representatives to do their job politely without compromising customer or company data. Helpdesk/customer service personnel need to have it reinforced that not only is it okay to say “no”, it is often the wisest choice.