Social Engineering: How Scammers Trick Customer Service Reps To Get Access To Your Accounts

February 2016: It can be frighteningly easy to fool an untrained customer service rep. With a few pieces of information and a convincing presentation, a scammer can get into your accounts in a matter of minutes. It’s a growing problem — customer service reps are prime targets! — with a high success rate for scammers.

Here’s how vishing (voice phishing) of the gatekeepers to your accounts works, how companies can do a better job of protecting you, and how you can protect yourself:

Some of the ways they pull it off

  • Call the same customer service center again and again until they figure out the call center protocols
  • Practice a lot with their cohorts using role-playing exercises
  • Impersonate you
  • Impersonate someone from another department in the same company
  • Spoof the caller ID number so it looks like the call is coming from the correct area code
  • Target companies going through transitions, like mergers, because reps are more likely to be confused
  • Call during extremely busy times or natural disasters
  • Use emotion to manipulate reps, like saying there’s a serious health issue or other emergency
  • Use outsourced callers who speak the right language and dialect

Entire businesses are built around helping criminals fool customer service reps by making the scam calls for them for a fee. Need someone who speaks Russian? Da. The Queen’s English? Cheerio. Italian? Ovviamente. South Philly? Yo.

Of course, the goal is to get a good payoff, like access to cash, credit card purchases or new identities. The scams are run against regular people and targeted marks, too. If it can happen to cybersecurity expert Brian Krebs and Wired senior staff writer Mat Honan, it can happen to anyone.

Organized fraud rings are responsible for the vast majority of call center fraud. The volume of fraud calls increases each year (by a lot) and the success rate is pretty high — one in five calls is successful, according to tech company NICE (infographic).

How companies can do a better job of protecting you

  • Make two-factor authentication available to customers
  • Train their reps — often
  • Test their reps — surreptitiously
  • Use special software with tools that block robocalls and help detect fraud in real time
  • Use voice biometric technology in the call center
  • Offer apps that use voice biometrics and only allow account access when the call is coming from the phone with the app
  • Record calls and maintain suspicious caller lists with voice prints
  • Identify new social engineering fraud patterns and integrate them into protocols and training

How you can protect yourself

  • Set up your accounts to require two-factor authentication. This means you’re asking the company to require a second piece of identifying information in addition to your login credentials before granting access to your personal account, like a one-time code that’s texted to your phone or sent to your email address. It only takes a few extra seconds of your time and the extra protection is exponential.
  • Don’t do business with companies that have lousy security protocols. If you get the sense that a customer service department or call center isn’t on top of their role in your cybersecurity, take your business elsewhere. They don’t deserve you.

So the next time you call customer service and the rep asks you a bunch of questions so you can prove you’re you, remember they’re doing it to protect your account, not annoy you!

At Leapfrog, protecting our clients and not annoying them is right at the top of our to-do list. We train our Help Desk technicians like crazy, have documented controls to identify callers and are SSAE 16-certified, which means we operate based on industry best practices. Scammers need to go elsewhere.
