Social Engineering –Know Your Enemy

I like playing a fraudster. Every time I call one of my service providers, I play a little game of persuading the agent to skip parts of the authentication process just for fun. I am always surprised how easy it is to psychologically manipulate an agent. And I'm not a fraudster.

You might think that all fraudsters are professional hackers with exceptional technical skills. But in fact, most of the fraud in contact centers is perpetrated by fraudsters who master the social skills rather than the technical ones. It is the human interaction with the contact center agent that creates opportunities for these fraudsters.

What is social engineering and how does it work?

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Because it works so well it is being used in over 65% of all attacks in the phone channel.¹

To protect from social engineering, it's important to understand what you're up against. There are a few typical tactics used by fraudsters to manipulate contact center agents into skipping parts of the authentication process or to give out personal details.

Psychology

Psychology plays a strong role in social engineering. Fraudsters rely on the power of human vulnerability to complete their scam, and often rely on fear to manipulate. If a fraudster can combine an agent's desire to help while introducing fear, they are more likely to have that agent act against procedures built to keep fraudsters away. If a fraudster can impart a sense of authority over an agent, such as saying, "I could have you fired" and "don't you know who I am?" the agent will likely instinctually react to pain or danger avoidance and try to resolve the issue quickly without further complications.

Distraction

One of the most common tactics includes the use of diversions or distractions in the background of the calls, in order to confuse or distract the contact center agent. For example, a fraudster might play the sound of a crying baby in the background of the call. this is an effective distraction, as a baby's cry might subconsciously create sympathy. The louder the baby cries, the faster agents are willing to resolve the call for the "overwhelmed" fraudster calling.

Empathy

Fraudsters are very successful playing off the human capacity for empathy to get contact center agents to empathize with their fake predicaments. A made-up family issue, such as "my husband is very sick, and I need to transfer money from his account to cover the medical bills" will usually get the agent to put themselves in the caller's shoes and help the scam succeed.

Trust

Fraudsters are experts in creating a false feeling of trust with the contact center agents. The fraudster will mask the phone number he's calling from to appear as the number of his target and use a calm and pleasant demeanor that puts the agent at ease. Agents are used to dealing with upset caller, so politeness and sympathy to the agent, such as "yes 'mam…I wouldn't want to take up much of your time…. it's my fault I keep forgetting my password…." , might cause the agent to drop his guards.

Vishing

Vishing is the phone variation of phishing, with a similar goal: to obtain valuable information that could be used for account takeover. By exploiting the agents' willingness to help, the fraudster can obtain personal information of the target, such as email address and phone number.  For example: the fraudster will pretend to be a customer who clicked the "forgot my password" option in the website but did not receive the reset password email. "I am not sure which email address you have on file for me. Is it the Yahoo one?... no? then which one is it?".

Frustration

Another key social engineering tactic is the use of mumbling. When confronted by contact center agents with knowledge-based authentication questions (KBA), such as mother's maiden name or first pet's name, the fraudster will mumble his way through the answer over and over. The goal is to frustrate the agent to the point that they will simply proceed with helping the customer, giving them access to the account.

Understanding some of the tactic fraudsters use for social engineering is only a part of the efforts to stop them. It is also important to understand how they attack. Fraudster use various call flows to exploit contact center agents. Stay tuned for the next blog to learn more on this topic.

If you want to discuss the best practices to keep your customers safe, feel free to reach out today to schedule a demo. To learn more on NiCE Real-Time Authentication visit our webpage.

__________________________

¹The Social Engineering Framework, https://www.social-engineer.org/framework/