A Persuasive Argument for Cybersecurity
Sitel Group’s SVP and Chief Security Officer, Chris Knauer, and Rachel Tobac, the renowned white hat hacker and CEO of SocialProof Security, discuss the methodologies behind phishing and social engineering and the steps individuals and organizations can take to keep themselves safe in cyberspace.
When Sitel Group® most recently surveyed the American public regarding online fraud and security, in October 2019 as part of the Preventing Fraud & Preserving CX with AI report, we found that 46% of U.S. adults had fallen victim to fraud and that 92% now believe fraud is a growing risk in their day-to-day lives.
Even though the digital tools and processes used to provide an extra layer of cybersecurity – such as speech analytics, artificial intelligence (AI) and multi-factor authentication – have never been more robust, consumers’ fears around fraud are growing.
Don’t Be the Weakest Link
Some of this concern is born in the realization that the human element could be the weakest link in a security system.
“If you look at the technology of technology, we have firewalls and standard antivirus. Everything has become much more secure,” begins Knauer on the topic of protecting against cyber-attacks and data breaches. “But the technology of humans has not really improved over the last 20 years.”
But, if this growing fear leads people and organizations to take the right precautions before committing to actions such as clicking on links in unsolicited emails, choosing a password or posting personal information in public social media spaces, then it’s a good thing and will make Rachel Tobac happy, even if it will make her job much harder.
Be Politely Paranoid
The goal, according to Tobac, is to be less trusting and start being what she terms “politely paranoid.”
“That means using two methods of communication to confirm that someone is who they say they are, before clicking on a link or sharing sensitive data,” she explains.
So in the case of a potentially suspicious email, visit the website of the company the email claims to represent, rather than clicking on the website link in the communication.
This may seem obvious, but it’s much easier than you think to fall for cyber tricks, or to accidentally provide a detail that could help a hacker socially engineer a company representative into handing over your most personal information. Tobac says every hacker she knows has been the victim of a phishing attack.
And these are people who are hyper-cautious by nature and who are less prone to making many of the mistakes too many of us make on a daily basis.
Stop Recycling Passwords
“According to a 2019 online security survey, 52% of people reuse the same password for multiple online accounts,” warns Tobac. “For those 52% of people, I can grab your credentials [with a fake email] and use them to access your bank account and steal your money, then access your Gmail account and lock you out of everything else too.”
Picking this low hanging cyber-fruit is the aim of the most common type of attack, the bulk phishing email.
“It’s called spray and pray,” says Tobac. “These attackers send out phishing emails to thousands of people hoping five-to-10 of them will click on the link and provide information.”
Within a corporate setting, many of these phishing attempts can be blocked before they get near an inbox through a combination of software and training.
“For instance, you can apply an email blocker that blacklists any address that comes from a domain similar to your own,” explains Knauer. “But we also regularly send out ‘test’ emails to ensure our own people are following protocols.”
In other words, phishing your own employees, who are the people most likely to be tricked by a spurious email that, at first glance, appears to come from a co-worker.
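Knauer’s “email blocker that blacklists any address that comes from a domain similar to your own” is a filter rule a mail gateway can apply before a message reaches an inbox. The following is an added, illustrative example of that check, written for this article rather than taken from Sitel Group’s tooling: the organization domain, the confusables table and the sample sender addresses are all constructed, and the thresholds are assumptions. It flags homoglyph substitutions, near-miss spellings and “our domain embedded under someone else’s” senders, while letting the real domain and its subdomains through.

```python
"""Flag inbound sender domains that resemble our own (lookalike detection).

Added example, not Sitel Group's own tooling. OUR_DOMAIN, the confusables
table and SAMPLE_SENDERS are constructed for illustration only.
"""
import unicodedata

OUR_DOMAIN = "example-corp.com"  # placeholder organisation domain (constructed)

# Constructed sample of sender addresses as an inbound mail gateway would see them
SAMPLE_SENDERS = [
    "hr@example-corp.com",               # legitimate
    "it@mail.example-corp.com",          # legitimate subdomain
    "it-support@examp1e-corp.com",       # digit 1 in place of l
    "payroll@example-c0rp.com",          # digit 0 in place of o
    "ceo@exampIe-corp.com",              # capital I in place of l
    "news@ex\u0430mple-corp.com",        # Cyrillic small a (U+0430) in place of Latin a
    "billing@example-corp.co",           # truncated TLD
    "login@example-corp.com.evil.test",  # our domain embedded under another
    "newsletter@vendor-news.test",       # unrelated, should pass
]

# Minimal confusables table: a small subset of the idea behind Unicode TR39 skeletons
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "|": "l", "!": "i", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
})
CONFUSABLE_SEQS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(domain):
    """Reduce a domain to a visually canonical form so lookalikes compare equal."""
    s = unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLE_CHARS)
    for seq, repl in CONFUSABLE_SEQS:
        s = s.replace(seq, repl)
    return s


def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, our_domain=OUR_DOMAIN, max_distance=2):
    """Return (verdict, reason) for one sender address; max_distance is an assumed threshold."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    our = our_domain.lower()
    # Our own domain and its subdomains are the only senders allowed to look like us
    if domain == our or domain.endswith("." + our):
        return "allow", "own domain"
    # e.g. example-corp.com.evil.test: our name used as a subdomain of a foreign registrable domain
    if our in domain:
        return "block", "our domain embedded in a foreign domain"
    our_skel, dom_skel = skeleton(our), skeleton(domain)
    if dom_skel == our_skel:
        return "block", "homoglyph of our domain"
    dist = levenshtein(dom_skel, our_skel)
    if dist <= max_distance:
        return "block", f"edit distance {dist} from our domain"
    return "allow", "unrelated domain"


def scan(addresses):
    """Classify every address; returns a dict of address -> (verdict, reason)."""
    return {addr: classify_sender(addr) for addr in addresses}


if __name__ == "__main__":
    for addr, (verdict, reason) in scan(SAMPLE_SENDERS).items():
        print(f"{verdict:5s} {addr:36s} {reason}")
```

A production gateway would decode punycode (IDNA) before comparing and use the full Unicode confusables data rather than this hand-picked table, and the edit-distance threshold trades false positives against coverage, so a rule like this belongs in front of a quarantine queue rather than a silent drop.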
Don’t Get Reeled in by a Phishing Attack
In a civilian setting, a ‘spray and pray’ phishing attack’s success is directly related to fear – tapping into a concern or a worry – and that is why instances of phishing have been climbing this year.
“People are trying to take advantage of the fear, confusion and possibility for manipulation during COVID-19,” explains Tobac. “Phishing is up 350% since January, according to the Google Transparency Report. What’s more, there were 300,000+ new, suspicious, COVID-19 websites in March alone, according to research done by risk ID.”
Sitel Group’s own analysis using speech and data analytics and constantly updated libraries of historical vishing (phone call phishing) and social engineering attempts also shows a huge spike in activities and attempts to gain access or information from contact center agents using COVID-19 as a guise.
“A sick family member money request,” offers Tobac as an example. “If an attacker is targeting customer support they’re going to be in contact pretending they’re scared and need help because of COVID-19.”
This type of social engineering, which Tobac describes as ‘human hacking,’ is her specialty and how she earned her renown. Within 10 minutes of meeting CNN journalist Donie O’Sullivan, she had managed (with his permission, of course) to compromise 10 of his accounts with nothing more than online research, a smartphone and ingenuity.
Don’t Forget Security Training
“Because the best customer service is about human emotion, and making customers happy – don’t forget we measure contact center performance with metrics like NPS and CSAT – is its ultimate aim, it can be seen by attackers as a company’s soft underbelly,” Knauer says. “Vishing and social engineering are big risk factors and that’s why solid training factors around security awareness for all agents is so important.”
Without training, and without the right digital tools to support them, agents are exposed to the principles of persuasion.
“These six principles of persuasion are how someone like me convinces you to do things that aren’t in your best interest,” reveals Tobac. “But why would you fall for a scam? The reason is we can’t just turn off these principles of persuasion, they’re part of who we are. We say if there’s an intact nervous system and a person they’re able to be persuaded.”
Know the Principles of Persuasion
The first is reciprocity. If someone reveals something about themselves, you feel indebted to reveal something in return.
The second is commitment and consistency.
“Because we have to make thousands of choices every day, our brain processes that information faster by committing to decisions we made previously. Our brains don’t like feeling awkward,” explains Tobac. “So for example, if I get you talking and we’re 30 minutes into a call or three emails into a conversation, you don’t want to say, ‘sorry, who did you say you are, again?’ because it’s awkward and something we try to avoid.”
Do Question Authority
This is where Tobac’s rule of polite paranoia comes into play. It is absolutely fine to question someone’s identity, and in the best contact center operations, there are protocols in place for these exact situations, such as asking someone to reconfirm a piece of information or calling the person back on the phone number on file.
The next principle is one we see in action all of the time – social proof. Whether it is a recommendation posted on social media by our peer groups or reviews left on Amazon, we are more likely to trust something that is endorsed by someone we trust or respect.
“So, from a social engineering point of view, if I namedrop people (or someone) you know, such as co-workers or even your boss – information I can find on Instagram or LinkedIn – I can get you to comply with a request,” explains Tobac.
Following on from this is liking. We are more likely to trust things that we like, and that extends to people whose characteristics we like. When Tobac hacks in person, she mimics the actions, hand motions and delivery style of the person she is talking to.
Don’t Go Off Script
The fifth principle is authority. People tend to respond subserviently to those they perceive to be in a position of higher authority. This can be something simple, like an attacker telling an agent they’re certain something is true – an account balance, for instance – or it can be more complex, such as convincing the potential victim that you’re acting under the authority of that person’s ultimate boss.
“Finally we have the sneakiest and last principle of persuasion – scarcity, sometimes also called urgency, because we’re more likely to act under a sense of urgency,” says Tobac.
This is most effective when there’s a ticking clock – an incredibly tight deadline, real or implied – because it can draw an agent off script.
“This is because we’re trying to get someone to do something faster than they normally would. When this happens they’re more likely to do things that are not in their best interest,” continues Tobac. This can mean using sound effects of babies crying in the background or of planes taking off to emphasize the sense of urgency or customer stress. “This is why script adherence is so important,” says Knauer. “It’s also why we need to find the right balance between delighting a customer and maintaining security. The authentication process can cause friction, but using digital tools for authentication before speaking to a live agent can help, for example.”
Use Tools to Support Contact Center Agents
Sitel Group has been using a system built on speech analytics and artificial intelligence that automatically flags phrases that mirror known social engineering attempts and also checks the customer’s tone of voice and emotional state against previous contacts.
But Tobac points to the authentication process itself as a possible weak point. Even when it is automated or delivered by cutting-edge tools, too often it is built around knowledge-based authentication – a person’s birthday, address, email and phone number – information that can be too easy to glean from social media and other open sources. “I fail in social engineering when the account is protected by multifactor authentication,” says Tobac.
As for passwords, both Knauer and Tobac are in absolute agreement about the use of password managers for creating unique, difficult-to-crack logins, to get people out of the habit of reusing existing passwords.
So, whether in a civilian or corporate situation, don’t be scared of being politely paranoid and if you’re calling customer service, don’t let a long authentication process annoy you – the longer it takes, the safer your data.