Help desk/customer service personnel are some of an organization’s most vulnerable staff members since their job is to provide “help” in a friendly and polite manner.
Attackers will usually obtain the needed phone numbers from an organization’s website in addition to any specific routing emails used for customer support. Attackers may call from a spoofed, blocked, or private phone number. An attacker posing as a customer can usually cull enough information from social media and other sites in order to answer simple security questions. The attacker could also ask for a password reset or try to change something on a customer’s account in order to have access to it themselves.
Chris Hadnagy, CEO and Michele Fincher, COO of Social-Engineer, LLC demonstrate how easy this attack vector is to implement.
“Watch as Michele Fincher, COO of Social-Engineer, LLC pwns the identity of CBC News’ Asha Tomilson live at DEF CON 24”
Opening an email attachment from an unknown recipient is never a good security decision. For the helpdesk/customer service representative, however, it may be a necessary part of their job in providing customer support. The attachment may be just an innocent screenshot documenting order or transaction details. However, there is the possibility that a social engineering attack is in progress; and lurking in the attachment is malware.
In November, 2016, Proofpoint reported that they were monitoring a malware-ridden phishing campaign that targeted customer service staff. As reported on by Proofpoint, “the personalized subject lines of the emails used references to issues with supposed purchases on the company’s website and were targeted at individuals who may be able to provide support for those issues. The lures also suggested that the attached document contained detailed information about the issue.”
Security education can help service representatives to politely do their job without compromising actual customers or company data. Helpdesk/customer service personnel need to have it reinforced that not only is it okay to say “no”, it is often the wisest choice.