Roger, owner and CTO of Mutare, drives innovation and leverages technology to launch innovative enterprise security solutions.
Imagine you’re in sales and you discover a magic phone number that guarantees a prospect’s unwavering attention and an extended conversation on the other end of the line. Sounds like a pretty nifty setup, right? That is, essentially, what a contact center is to someone in the business of scamming. Any time, any day, bad actors can prey on contact centers, where agents are expected to be accommodating, engaging and helpful. A 2020 study by Neustar found that 45% of unwanted calls are scams.
Contact center employees can be trained to look out for suspicious behavior, and policies can be set to try to prevent sensitive information from being released. At the end of the day, however, the fundamental aspect of the agent’s job is to be available to answer calls and do their best to help callers, leaving them vulnerable to those who seek to take advantage of the situation. This makes them ideal targets for bad actors who want to exploit the circumstances through vishing, or voice phishing.
Contact Centers And Vishing Attacks
Despite the growth of omnichannel communication, voice is the preferred method of contact for most customers. Chatbots and other automated systems are fine for quick fixes, but many people still prefer to speak to a live agent. It’s only natural for us to want to be listened to, heard and understood. Regardless of impressive technological advances and the fact that customers may be thousands of miles away from customer service representatives, nothing compares to good old-fashioned human-to-human voice communication.
For their part, contact center agents must try to do their job and act in good faith that the people calling in to speak with them are genuine customers who need assistance. Agents work with a variety of different people from a wide range of backgrounds, so they can’t make assumptions or generalizations about who’s calling. There’s no standard customer profile that can be applied to filter calls when someone deviates from the norm. On top of that, legitimate callers who are distressed will often take their frustrations out on agents, but they still need assistance. Once again, the agent’s role is to try to solve the customer’s problem, even in the face of hostility. This wide spectrum of behavior gives bad actors a great deal of room to work with as they seek to manipulate contact center staff in what’s known as social engineering.
Types Of Vishing And Telephone-Oriented Attacks
Vishers employ a variety of tactics, often using spoofed phone numbers where the caller ID has been manipulated to resemble a trusted source. Here are some examples:
Direct Call Enhanced By Social Engineering
A caller may target specific employees and pose as a customer or colleague within the company to access sensitive information. These callers may be friendly or intimidating and often use publicly available information to give themselves credibility. Data can be found on company websites, social media and other sources and then used to impersonate someone with ties to the organization. It’s important to note that scammers have practiced and honed their skills, making them experts at impersonation. What’s more, they’re employing artificial intelligence (AI) and voice-altering technology to bolster their deception.
Response-Based Vishing
Scammers have found that making people feel more in control can make them open to taking a risk they might not take otherwise. Workers may know they’re not supposed to open unknown links in emails or engage with unsolicited callers. But scammers can get employees to let their guard down by sending an email from an official-looking source asking for a callback. The recipient might not understand the risk if they receive a phone number and may feel safer if they’re the one making the call. This ruse ends with the worker calling a threat agent co-conspirator who will try to trick them into giving out sensitive information.
Hybrid Phishing/Vishing
This one-two punch can be particularly effective because it combines tactics to lend credibility to a request. A worker will get an email requesting certain actions or information, and then a follow-up call is made asking for the same. The two-pronged approach makes the request seem more legitimate and urgent, which makes it easier for the visher to use social engineering tactics once on the phone with the employee.
An Ounce Of Vishing Attack Prevention
It’s a sad fact that those most willing to help others are, by nature, more likely to be victimized by bad actors skilled at detecting and exploiting human vulnerabilities. With their obligation and desire to help and support their callers, contact center agents are now in the crosshairs of vishing attackers worldwide.
Protecting employees and organizations from these criminal intruders requires a multifront effort. Employee training is a good start but should be paired with technical controls that address the problem on the front end. It behooves organizations to explore next-generation call filtering and analytics solutions designed to detect, and deflect, nuisance and nefarious callers before those calls even enter the agent call flow. Not only do these systems help reduce time wasted on unwanted calls, but they can also reduce the opportunity for would-be scammers and vishers to reach and exploit their intended targets. And that, in the end, means better service for legitimate callers and greater protection for agents and the organizations they serve.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.