The Social Engineering Framework

The Social Engineering Framework is a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering. Please use the index below to find a topic that interests you.

Customer Service

Help desk/customer service personnel are some of an organization’s most vulnerable staff members since their job is to provide “help” in a friendly and polite manner.

Phone

Attackers will usually obtain the needed phone numbers from an organization’s website, along with any specific routing email addresses used for customer support. Attackers may call from a spoofed, blocked, or private phone number. An attacker posing as a customer can usually cull enough information from social media and other sites to answer simple security questions. The attacker could also ask for a password reset or try to change something on a customer’s account in order to gain access to it themselves.

Chris Hadnagy, CEO, and Michele Fincher, COO, of Social-Engineer, LLC demonstrate how easy this attack vector is to implement.

“Watch as Michele Fincher, COO of Social-Engineer, LLC pwns the identity of CBC News’ Asha Tomilson live at DEF CON 24”

Email

Opening an email attachment from an unknown sender is never a good security decision. For the helpdesk/customer service representative, however, it may be a necessary part of their job in providing customer support. The attachment may be just an innocent screenshot documenting order or transaction details. However, there is the possibility that a social engineering attack is in progress, and that lurking in the attachment is malware.

Recent Example

In November 2016, Proofpoint reported that they were monitoring a malware-ridden phishing campaign that targeted customer service staff. As reported by Proofpoint, “the personalized subject lines of the emails used references to issues with supposed purchases on the company’s website and were targeted at individuals who may be able to provide support for those issues. The lures also suggested that the attached document contained detailed information about the issue.”

Figure 2: Example email used to deliver the macro-laden document - Proofpoint
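The campaign above relied on a macro-laden Office document arriving as a support-ticket attachment. The following Python script is an added example, not code from Proofpoint or Social-Engineer, LLC: it shows one check a mail gateway or a help desk analyst can run before such an attachment is opened. Modern Office files (.docx, .xlsm and the like) are zip containers, and embedded VBA is stored in a member named `vbaProject.bin`, so the presence of that member is a reliable macro indicator. The sample attachments built inline are constructed for the demonstration; the function names and the verdict labels are this example's own.

```python
import io
import zipfile

# OLE2 compound-file signature used by legacy binary .doc/.xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Zip members whose presence means the OOXML document carries VBA.
MACRO_MEMBERS = ("vbaproject.bin", "vbadata.xml")
# Extensions that explicitly advertise macro content.
MACRO_EXTENSIONS = ("docm", "dotm", "xlsm", "xltm", "pptm")


def build_sample_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-style zip (sample data, not a real document).

    With with_macros=True it includes word/vbaProject.bin, mimicking the
    layout of a macro-laden Word file.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def office_macro_indicators(data: bytes) -> list:
    """Return the zip member names that indicate embedded VBA, if any."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if n.lower().rsplit("/", 1)[-1] in MACRO_MEMBERS]


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment by container format and macro indicators.

    Verdicts (labels chosen for this example):
      allow      - OOXML zip with no VBA members
      quarantine - OOXML zip containing VBA members
      review     - legacy OLE binary, macro-enabled extension without
                   visible VBA, or an unrecognized format
    """
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    result = {"filename": filename, "format": "unknown", "macros": [], "verdict": "review"}

    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls keep VBA in OLE streams; this script does not
        # parse them, so hand them to a dedicated OLE/VBA parser.
        result["format"] = "legacy-ole"
        return result

    if data.startswith(b"PK"):
        result["format"] = "ooxml-zip"
        result["macros"] = office_macro_indicators(data)
        if result["macros"]:
            result["verdict"] = "quarantine"
        elif ext in MACRO_EXTENSIONS:
            # Advertised as macro-enabled but no VBA seen: odd enough to review.
            result["verdict"] = "review"
        else:
            result["verdict"] = "allow"
        return result

    return result


if __name__ == "__main__":
    # Constructed samples standing in for files received by a support mailbox.
    samples = [
        ("order_1234.docx", build_sample_docx(with_macros=False)),
        ("order_1234_details.docm", build_sample_docx(with_macros=True)),
        ("invoice_old.doc", OLE_MAGIC + b"\x00" * 8),
        ("screenshot.png", b"\x89PNG\r\n\x1a\n"),
    ]
    for name, blob in samples:
        print(triage_attachment(name, blob))
```

The check is deliberately structural rather than signature-based: it does not try to decide whether the macro is malicious, only whether a document that claims to be "detailed information about the issue" carries executable content at all, which is the point at which a help desk workflow should stop and escalate rather than open the file.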

Conclusion

Security education can help service representatives to politely do their job without compromising actual customers or company data. Helpdesk/customer service personnel need to have it reinforced that not only is it okay to say “no”, it is often the wisest choice.