Warning: Customer service pros need more social engineering training

Amazon is being called out by one customer for having his personal information revealed to hackers by customer service pros … three separate times. 

Eric Springer received an email thanking him for contacting Amazon customer service, a call that he hadn’t made. He did a little investigating and shared what happened on the blogging site Medium.

By reviewing a chat transcript of the hackers’ exchange with Amazon customer service, he realized that they had supplied a fake home address that was on file for his account, along with his email address, to get the rep to disclose the destination of his last package shipment. The rep then revealed his real home address and his phone number when “Eric” asked for that information.

The hacker leveraged this information into having a new credit card shipped to him.

Attack Nos. 2 and 3

But that wasn’t the end of it: A few months later a hacker tried the exact same approach in order to get his address once again. Once that was successfully revealed, the hacker tried upping the ante: He or she asked for the last four digits of the credit card used to make the order.

This didn’t go anywhere (fortunately) according to the chat transcript. But the following day, someone made a call to Amazon customer service posing as Eric – and because there’s no transcript, it’s not clear whether this attack was successful or not.

Persistent threat actors

A lot of research and effort clearly went into this attack, which may have netted nothing more than a physical address and phone number. But that’s just how persistent social engineers and phishers are.

The lesson is clear: Companies need to make sure that their customer service pros are trained to recognize and deflect phishing attacks.

This is particularly hard for most service reps: They want to be helpful, and it’s their job to be as helpful as possible. But going too far in that direction could mean big trouble for your company.

Here are some tips to consider:

  • Remind reps that escalating questionable or unusual requests is the safest bet.
  • Have a system in place that requires customers to log in to their accounts before they can reach a customer service rep.
  • Test your people regularly to see how well they can spot phishing attempts (through either mock attacks or quizzes).
  • Remind reps not to work around or stretch the rules in an effort to be extra helpful – hackers will try to wear them down with repeated requests or with compelling stories that appeal to your reps’ emotions.
