Imagine there is an angry customer calling your contact center. They threaten to cancel their service. They provide their name and mailing address, but cannot remember their account number or security password. However, they are shouting and threatening to complain on social media regarding supposedly unfair charges to their account.
Eventually, your agent calms the customer down and convinces them not to cancel service. The customer even apologizes to the agent for yelling at them. The customer also asks for their account password so they can use it if they ever need to call back. The agent, happy to have “saved” the customer, gives them the password.
How would you score this call? Many quality assurance programs would give this call a positive grade, especially since the agent soothed the customer and retained the account.
What if this call did not come from a legitimate customer? What if it came from a hacker who found the customer’s name, address and account details on a crumpled invoice in a garbage can? What if the hacker used the password given by your agent to access the customer’s account online and gain confidential information including the customer’s method of payment? That is possible, since many people reuse the same password across multiple devices and accounts.
Now, how would you score that call? More importantly, what is the damage to your company’s reputation from that data breach?
“Sixty percent of large businesses were victims of social engineering attacks in 2016,” notes Katherine Thompson, Founder and Chair of the Cyber Council at the Canadian Advanced Technology Alliance and Co-founder of the Security Culture Institute. “For example, the Apple data breach cost the company $3 million and it was accomplished by a phone call to their contact center.”
What Puts Contact Centers at Risk?
“The customer is always right!” “Be a customer service hero!” “Do whatever you need to do to make your customer happy!” These are common customer service slogans. Compared to that, “Always find an easy mark” is how criminals find vulnerable entry points into your business.
Social engineering involves emotionally manipulating employees into giving out confidential information. Unlike a one-step attack, the goal is to gain information as part of a larger fraud scheme. What department has access to the most customer information? Your contact center!
“The fastest way to breach a company’s security is through customer service,” says Thompson. “The more companies want to please customers, the more that can be exploited by con artists, hackers and other cybercriminals through social engineering.”
Social engineering is made easier by the prevalence of social media. It gives hackers personal details they can use to impersonate one of your customers. For instance, if someone posts a photo on social media about buying their brand-new smartphone from XYZ store, a hacker may be able to see the phone model and carrier. They can then cross-reference the person’s name and use that to discover their address.
The next step is to call the phone company and say, “My elderly father just bought a phone but forgot his account password. If I give you his name and address, can you find it for him? He bought it at XYZ store this morning.” Once a hacker gets that password, they can try using it to crack this person’s other accounts. Contact centers are a perfect target for criminals because agents are trained and rewarded for delivering great customer service. Warns Thompson, “The easiest target for criminals are people who want to make other people happy.”
Balancing Service and Security
How can you take an industry built on metrics such as customer retention and redesign it for both service and security? Frontline training is a start but the entire corporate culture has to change. While CIOs are rightly obsessed with IT hardware and software protection, but who trains your contact center employees on avoiding social engineering attacks? Leaders need to create a culture that protects customer data while providing a great customer experience. In addition, the entire organization needs to understand applicable privacy legislation. They also need to understand how a single social engineering attack can damage your brand.
“Companies need to document and demonstrate what they have done to protect their customer’s information,” says Thompson. For example, train agents on social engineering awareness and add a security/customer verification component to your call quality form. Give your frontline permission to safeguard customer information. Let them be strict when it comes to verifying a customer’s identity.
A common question is: Will verifying a customer’s identity customer make each call longer? The answer is: Yes, by a few seconds. However, what is the cost of a security breach? How much does it cost when your call volume escalates due to publicity surrounding a security breach? What is the cost in bad publicity and loss of goodwill?
“You need to be AWARE before you can BEWARE,” says Sangeeta Bhatnagar, Principal at SB Global Human Capital Solutions, Certified Human Behavior Specialist and Co-founder of the Security Culture Institute. She adds, “If agents are not AWARE, they won’t know how to handle the situation if someone deliberately tries to manipulate them.”
Agents need to be trained to verify a customer’s identity before giving out any information. “Protecting your customer’s privacy is part of a great customer experience,” says Bhatnagar. Customers want to know their data is being protected. “Give agents phrases they can use to give to position WHY they are asking security questions” says Bhatnagar. For example, “To protect your privacy…” or “For your security purposes…” Words matter. Make it easier for your agents by providing them with the phrases they need.
Most importantly, train agents to recognize and deal with a social engineering attack during any part of the customer interaction. Teach them the behaviors hackers use to manipulate customer service teams into revealing confidential data.
Thompson adds, “Instinct is important. What is your gut saying about this interaction?” This training should also be part of every agent new-hire course. Most new-hire programs emphasize that the customer is always right. Agents learn about customer satisfaction scores, Net Promoter Scores and Quality Assurance measurements. However, they do not learn how to recognize imposters using social engineering tactics. They do not learn how to avoid being manipulated by a hacker pretending to be an upset customer or an overly friendly one. Bhatnagar notes that, “Agents are typically hired for their empathy and desire to help people. However, criminals use that against them.” Train them how to balance service and security.
Train Agents on Cybersecurity Protocols
All agents, regardless of tenure, should also be trained on cybersecurity protocols, such as not clicking on suspicious email links or attachments. This can be challenging in a contact center. For example, someone pretending to be a customer can email an attachment, which looks like the photograph needed for the “customer’s” warranty claim. However, the attachment is actually malware that now has access to your company’s network.
Once an attack is identified, “leaders need to create mechanisms to address social engineering attacks and give agents a way to escalate the interaction” says Thompson. Develop escalation procedures and ways to “red-flag” social engineering attacks. Your contact center needs to work closely with your company’s IT department or cybersecurity team. Managers, team leaders and quality assurance coaches also need to spot these attacks so, they can play a role in safeguarding confidential information.
Finally, invest in a cybersecurity audit to find potential weaknesses that need to be corrected. The auditing team should check for all forms of cyber vulnerabilities, including social engineering threats.
You also need to shift your customer’s expectations. For example, agents should preface asking for a customer’s password by saying, “For security reasons, may I please have your password?” That sends a message that security is important. It also displays a benefit to the customer for answering that question. Thompson suggests having an IVR message that says, “We have introduced new protocols to secure your account. This may involve a few extra seconds to verify your identity and protect your privacy.” She also suggests rethinking customer security questions such as home address or date of birth, which are easily available through a Google search.
Train All Customer-Facing Employees
According to Bhatnagar, your contact center is only one potential area of vulnerability. Every customer-facing channel is open to social engineering threats. That means your retail channel also needs training, as does your sales force and delivery people.
Everyone who comes in contact with a customer—and therefore has access to customer information—plays a role in protecting your organization from data breaches.