For most businesses, contact center employees are the frontline defenders of customer data and security. Their role goes beyond merely providing good customer service – they are guardians of customer data and other sensitive information. They have a critical responsibility to spot and thwart cyber threats and protect the privacy of the information with which they have been entrusted. From social engineering scams to securing sensitive information, security poses unique challenges for those manning the phones. Here are some of the top security threats, scams, and cybersecurity topics contact center employees should be aware of. Being alert and knowing what to look for can help these employees safeguard both the company and its customers against evolving cyber risks.
Phishing, Vishing, and SMishing
Email phishing continues to be the number one way attackers get access to company networks and information. Regardless of where employees sit within the company, if they have access to email, they need to be vigilant for suspicious emails that attempt to trick them into opening an attachment, clicking a link, calling a phone number, or divulging sensitive information. In recent years, attackers have expanded their tactics to phone calls (voice phishing, or “vishing”) and text messages (SMS phishing, or “SMishing”). Employees should scrutinize suspicious emails, phone calls, text messages or any other form of communication that attempts to trick them into divulging sensitive information or taking an action – such as clicking on a link, opening an attachment, or making a phone call. Employees should watch for unexpected requests for personal information, urgent or threatening language, or unfamiliar senders, and report any suspicious messages to their supervisor or security team. Employees should receive regular training on identifying phishing attempts, and companies should run phishing simulations that reflect the latest tactics being used by bad actors. Additionally, all employees should know how to properly verify someone’s identity or the authenticity of a communication before taking any action.
Social Engineering Attacks
Contact center employees should be wary of callers who use urgency, authority, or try other persuasive tactics to manipulate them into divulging sensitive information or performing unauthorized actions. It is common for scammers using social engineering to prey on your emotions and empathy, so they will create a reason they need the information quickly, or they might pose as law enforcement in an attempt to scare you. If you are a contact center employee, and suspect a social engineering attempt, verify the caller’s identity by asking security questions or contact a supervisor. Never disclose any sensitive information until the caller’s identity is confirmed. Companies should have employees report these incidents to their supervisor, and those with mature cybersecurity programs will share stories and train employees on the latest tactics used against those manning the phones. Employees should be encouraged to trust their instincts if a caller’s request seems suspicious.
Data Privacy and Confidentiality
Contact center employees are entrusted with customer information every day and should be vigilant in handling it, ensuring it is not shared with unauthorized individuals and is protected from unauthorized access or disclosure. Companies should give employees access only to the information they need to do their job, and they should set clear expectations and policies for accessing and sharing that data. Employees should know and adhere to established data privacy policies and procedures, including securely storing customer information, encrypting sensitive data, and limiting access to it. To prevent data breaches and protect customer privacy, employees should review training on data handling best practices, including how to recognize and respond to security incidents such as unauthorized access attempts or social engineering. Regular reminders to verify a requester’s identity and authorization before releasing information can help reduce the risk of data exposure.
Remote Access and VPN Security
Many contact center employees now work remotely and should be aware of the risks of accessing company systems from outside the office. For most companies, this means making sure they are properly connected via a VPN, are not using unauthorized software, and have secured their systems against potential vulnerabilities or unauthorized access attempts. Good security means using long, strong, unique passwords for all of their accounts, and especially their VPN. They should also be warned about the dangers of accessing company systems from unsecured or public Wi-Fi networks. They should also have two-factor (2FA) or multi-factor authentication (MFA) enabled for an added layer of security. It is important to follow the company’s policies and procedures for remote work, including keeping VPN software and security patches up to date, using encryption for data transmission, and reporting any suspicious activity or unauthorized access attempts promptly.
Secure Handling of Payment Information
Customers often make payments over the phone, and contact center employees are charged with handling payment information properly. Payment card information, account numbers, and other sensitive information need to be handled with caution. In the industry, you will likely hear the term “PCI DSS,” which stands for Payment Card Industry Data Security Standard. It’s basically a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. So, if you’re handling credit card data, you had better make sure you’re following PCI DSS to keep that type of information protected. Contact center employees should only enter things like credit card numbers into the proper fields and should never write them down on paper. Especially when handling payment information, it’s critical to know how to verify the identity of callers and to detect and report potential signs of payment card fraud or misuse.
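One place card numbers leak outside the “proper fields” is free-text agent notes and chat transcripts. The following is an added example (not code from the original article or any vendor’s product) of a small defensive check that scans such notes for primary account numbers (PANs), confirms candidates with the Luhn check to cut false positives, and masks all but the last four digits before the note is stored. The sample notes and the `mask_pans` / `scan_notes` function names are constructed for this illustration; `4111 1111 1111 1111` is a well-known test card number, not a real customer card.

```python
import re

# Constructed sample agent notes. The first contains a standard test PAN,
# the second a 16-digit order number that fails Luhn, the third no card at all.
SAMPLE_NOTES = [
    "Customer called about refund, card 4111 1111 1111 1111 exp 12/26",
    "Order #4111111111111110 shipped Tuesday",
    "Callback number 555-0100, no payment taken",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str):
    """Mask Luhn-valid PANs in text, keeping the last four digits.

    Returns (masked_text, last4_list) so the caller can both store the safe
    text and raise a PCI handling alert for each PAN that was found.
    """
    found = []

    def repl(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw              # long number but not a card: leave untouched
        found.append(digits[-4:])
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(repl, text), found


def scan_notes(notes):
    """Scan a batch of notes; return the masked notes and the total PAN count."""
    masked_notes = []
    total = 0
    for note in notes:
        masked, found = mask_pans(note)
        masked_notes.append(masked)
        total += len(found)
    return masked_notes, total


if __name__ == "__main__":
    masked_notes, count = scan_notes(SAMPLE_NOTES)
    for note in masked_notes:
        print(note)
    print(f"{count} PAN(s) masked")
```

The Luhn check removes most numeric false positives (order and tracking numbers), but a real deployment would also log each hit so supervisors can see which workflows are pushing card data into notes in the first place.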
Fraudulent Account Takeovers
Attackers can do far more once they have full access to someone’s account, and because technical security controls stand in the way, they often try to get that access by tricking a contact center employee. This frequently happens in SIM swapping attacks, and Amazon has even warned customers about these types of attacks. Employees should be alert for signs of fraudulent account activity, such as unusual login attempts, changes to account information, or requests for sensitive information from unauthorized individuals. Here are some things to watch out for:
- Unfamiliarity with Personal or Account Details: If the caller has trouble remembering basic account information or something they should easily know, it could be a red flag. Genuine customers usually have some personal information readily available, like their account number or previous interactions, whereas scammers might struggle to provide these details.
- Inconsistent Information: If the caller provides inconsistent or contradictory details about their identity or account, it might signal something is off.
- Unusual Requests or Behavior: Strange requests or behavior, such as asking for sensitive information upfront without proper verification, could indicate fraudulent activity.
- Background Noise or Scripted Responses: If there’s unusual background noise (like from a call center) or if the caller’s responses seem scripted or robotic, it might suggest that they’re not who they claim to be.
- Pressure Tactics or Urgency: Scammers often try to pressure or rush call center employees into making quick decisions or sharing sensitive information. Real customers typically don’t exhibit such urgency.
- Verification Methods: If the caller refuses to go through standard verification procedures or becomes defensive when asked for identification, it should raise suspicion.
Employees should follow established procedures for account verification to confirm the caller’s identity before sharing sensitive account information or performing account-related actions like changing an address, phone number or email address. Employees should know and follow the proper procedures, report any suspicious account activity or unauthorized access attempts, and know how to direct customers to the next level of support if needed.
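The red flags above are judgement calls made on the phone, but the same takeover pattern leaves a trace in account logs: a contact-detail change (phone, email, address) made through an agent, followed shortly by a password or MFA reset, a new-device login or a payout. The following is an added example (not from the original article) of a detection rule over such events. The event schema, the action names, the 24-hour window and the sample events are all constructed assumptions for this illustration.

```python
from datetime import datetime, timedelta

# Actions that change how an account owner is reached or recovered.
CONTACT_CHANGES = {"change_phone", "change_email", "change_address"}
# Actions an attacker wants to perform once they control the contact channel.
HIGH_RISK = {"password_reset", "mfa_reset", "new_device_login", "large_payout"}
WINDOW = timedelta(hours=24)

# Constructed sample events (ISO timestamps, account id, action, channel).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T10:00:00", "account": "A1001", "action": "change_phone",   "channel": "agent"},
    {"ts": "2024-03-04T10:20:00", "account": "A1001", "action": "password_reset", "channel": "web"},
    {"ts": "2024-03-04T11:00:00", "account": "A1002", "action": "change_address", "channel": "agent"},
    {"ts": "2024-03-01T09:00:00", "account": "A1003", "action": "password_reset", "channel": "web"},
    {"ts": "2024-03-04T09:00:00", "account": "A1003", "action": "change_email",   "channel": "agent"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_takeover_patterns(events, window=WINDOW):
    """Return one alert per (contact change, high-risk action) pair within `window`.

    Events are grouped per account and sorted by time so the rule works on an
    unordered export. Pairs in either order are flagged: a reset right before a
    contact change is just as suspicious as one right after.
    """
    by_account = {}
    for e in events:
        by_account.setdefault(e["account"], []).append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        changes = [e for e in evs if e["action"] in CONTACT_CHANGES]
        risky = [e for e in evs if e["action"] in HIGH_RISK]
        for c in changes:
            t_change = _parse(c["ts"])
            for r in risky:
                gap = _parse(r["ts"]) - t_change
                if abs(gap) <= window:
                    alerts.append({
                        "account": account,
                        "change": c["action"],
                        "change_channel": c["channel"],
                        "risk_action": r["action"],
                        "minutes_apart": int(abs(gap).total_seconds() // 60),
                    })
    return alerts


if __name__ == "__main__":
    for a in find_takeover_patterns(SAMPLE_EVENTS):
        print(f"{a['account']}: {a['change']} via {a['change_channel']} "
              f"and {a['risk_action']} {a['minutes_apart']} min apart")
```

Account A1001 is flagged (phone changed by an agent, password reset twenty minutes later); A1002 only changed an address, and A1003’s reset happened three days before its email change, outside the window. In practice the alert would route back to the contact center team so the original call recording can be reviewed.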
Secure Communication Channels
When communicating sensitive information with customers, contact center employees should be sure to use secure communication channels. Certain types of sensitive information, such as health or other confidential data, should only be shared in an encrypted email or other company-approved secure messaging platform. Regular email and other commonly used communication tools don’t offer the protection needed. To help ensure communications that contain private information are not intercepted, employees should use tools and platforms that offer end-to-end encryption and other security features to protect the sensitive information. Employees should never use personal or unapproved messaging apps for work-related communications and should refrain from sharing any sensitive information over insecure channels such as public Wi-Fi networks or unencrypted email.
Physical and Workstation Security
You should always be mindful of your physical surroundings and take precautions to protect your information and your money. Of course you know you need to keep a hand or an eye on your purse or wallet, but you should also be careful about the sensitive information you might leave in plain sight on your computer or work area. Unauthorized access could be as easy as someone looking over your shoulder (known as “shoulder surfing”) or looking at papers left out on your desk. Employees should always lock their computers when away from their desks, safeguard printed documents containing sensitive information, and report any suspicious individuals or activities to building security or their supervisor. Pay attention to what is around your desk as well, and never leave passwords written down there. Criminals know to look for passwords written on a post-it and kept under the keyboard or phone, or in a drawer. They will also often look through trash and recycling bins for sensitive information, so be sure to shred or properly dispose of sensitive documents.
Incident Reporting and Response Procedures
When something inevitably happens, employees should know what to do. Know how to report an incident when you recognize the signs of a cybersecurity incident or a scammer’s or fraudster’s tactics. When you spot unusual behavior or something suspicious, you should know your company’s procedures for reporting it. Follow the proper procedures for incident reporting and report any security incidents or suspected breaches immediately. Be ready to give detailed information about the incident, including what happened, when it occurred, and any relevant details or observations. Those details will be important in the containment, eradication, and recovery process. Most companies take the “see something, say something” approach, and will never penalize you for reporting something suspicious, even if it turns out to be nothing.
By being aware of these security risks and knowing how to identify, respond to, and mitigate potential threats, contact centers can improve their security posture and protect sensitive customer information from cyber attacks and data breaches.