Information security is an ever-evolving issue for ecommerce sites. Even though technology has done a lot to stop fraudsters, fraud tactics are always changing in response to those countermeasures. In some cases, there's just not much technology can do. Take social engineering, for instance: a fraudster posing as their target manipulates customer service representatives into granting access to the target's account or private information.
Also known as voice-phishing, or “vishing,” the practice is less common than email-based phishing but every bit as dangerous to ecommerce. According to the education and awareness website social-engineer.org, the average cost of a successful vishing attack against a business is $43,000 per account compromised.
Most companies require customer service representatives (CSRs) to follow a multi-step process for authenticating callers before proceeding with service on an account. However, CSRs are also trained to keep customers happy. Whether it's because the caller sounds irate or threatening, or because the caller sounds authentic after passing some parts of the authentication process (usually with information trawled from other areas of the internet), CSRs may share information that puts security at risk, with the intent of providing a good customer experience.
Unfortunately, calls to a live person don’t undergo the same digital fraud checks that online transactions do. To prevent scenarios where a CSR feels bullied or lulled into complying with an insecure request, companies need 1) a comprehensive flowchart of authentication steps, with clear explanations of what to do when the caller can’t provide the required information, 2) strict requirements for following protocols, and 3) assurance that managers trained for those scenarios will provide the necessary support.
By training customer service teams to recognize social engineering and giving them the resources to stop fraudsters from stealing account data, ecommerce companies can protect their customers while still providing great service.