How are social engineering fraudsters targeting your business?
We all know that social engineering fraudsters target customers, but how do they target your business? We chat with Senior Fraud Investigator at Just Eat, Shawn Colpitts, to find out...
Social engineering is on the rise, as more fraudsters target a common merchant security weak spot: customer services. Our recent survey revealed that 40% of merchants don’t monitor fraud for orders made via call centers, leaving the gate wide open to attacks.
We spoke with Shawn Colpitts, Senior Fraud Investigator at Just Eat, who shares his insights on social engineering against merchants and how to stop it...
What is social engineering fraud against online merchants?
“Social engineering is when fraudsters work the knowledge they have of you, against you. They use psychological manipulation to trick people into giving away sensitive information. There's loads of different methods - phishing, smishing, vishing, whaling and so on.
“Against merchants, fraudsters will contact customer services to try and access a customer’s account and often change the details. They may call from a spoofed, blocked, or private phone number. It's scary that people fall for these, but some fraudsters are really good.”
What kinds of fraud does social engineering lead to?
“Any kind of fraud that involves a customer’s account or personal details...
Card-not-present fraud: fraudsters manipulate customers to get credit card information. They might send you a link offering a discount deal, but once you input your details, they steal them and use your credit card online.
Account takeover: the same manipulation techniques can be used to take over accounts and order products or sell on customer data.
Identity theft: if fraudsters can scrape enough information, they can actually steal a customer’s identity to commit more crimes.”
Is this activity increasing?
“Absolutely yes, it's increasing. Since the start of the pandemic, more vulnerable people have been forced online who may be unfamiliar with social engineering tactics. So not only is the activity increasing, but there are more people to scam.
“All types of fraud have increased due to Covid-19. Since the volume of genuine account holders and transactions has gone up globally, fraudsters find it easier to hide suspicious activity.
“Fraudsters will manipulate people's fear of the virus too. Everyone has seen those fake vaccine texts and other Covid phishing scams. It feels so wrong to take advantage of something like this, yet they do.”
Who do the fraudsters target?
“We’ve seen an increase in fraudsters targeting the customer services of merchants. Customer service agents are vulnerable to social engineering attacks because they are trained to think the customer is always right! They are pushed to give great customer service and genuinely want to help, but fraudsters know that.”
What kind of techniques are they using?
“Fraudsters have many social engineering tactics...
- They answer security questions correctly: fraudsters will dig around on social media or buy answers to security questions online to pass the customer service GDPR checks. Security systems based on personal questions like address, name and phone number aren’t good enough any more.
- Use distraction and emotional manipulation: fraudsters can use artificial background noises on the phone like the sound of a crying baby or barking dog to play on the employee’s emotions. If that doesn’t work, they fake emotional distress, either getting angry or pretending they are really sad or anxious.
- Play the victim: fraudsters may pretend that their account has been taken over and that's why they need to change account information or gain access.
- Build relationships with employees over time: some fraudsters will befriend customer services before they ask for details. They build a rapport, often requesting to speak to a particular staff member again and again.
- Call at abnormal times: fraudsters tend to call in the evenings to target temporary or newer staff.”
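Several of the tactics above leave traces in an ordinary contact-centre call log: calls outside staffed hours, a withheld caller ID, an account-takeover claim paired with a request to change contact details, and repeat requests for the same agent across successive calls. The following is an added example, written for this page rather than taken from Just Eat or the interview, of a small review pass that turns those traces into red flags so a fraud analyst can hold sensitive changes before they take effect. The call records, their field names and the "business hours" window are constructed assumptions, not any real system's schema.

```python
from datetime import datetime

# Constructed contact-centre call records for illustration (not real data);
# the field names are a hypothetical schema for an agent desktop's call log.
SAMPLE_CALLS = [
    {"call_id": "c1", "account_id": "A100", "started": "2021-03-02T14:05:00",
     "caller_number": "+447700900123", "agent": "amy", "requested_agent": None,
     "claims_account_takeover": False, "requested_changes": []},
    {"call_id": "c2", "account_id": "A200", "started": "2021-03-02T21:40:00",
     "caller_number": "withheld", "agent": "ben", "requested_agent": None,
     "claims_account_takeover": True, "requested_changes": ["email", "phone"]},
    {"call_id": "c3", "account_id": "A200", "started": "2021-03-03T22:10:00",
     "caller_number": "withheld", "agent": "ben", "requested_agent": "ben",
     "claims_account_takeover": False, "requested_changes": ["address"]},
    {"call_id": "c4", "account_id": "A200", "started": "2021-03-04T21:55:00",
     "caller_number": "withheld", "agent": "ben", "requested_agent": "ben",
     "claims_account_takeover": False, "requested_changes": ["payment_card"]},
]

BUSINESS_HOURS = range(9, 18)          # assumed fully-staffed hours, 09:00-17:59
HIDDEN_CALLER_IDS = {"withheld", "blocked", "private", "anonymous", ""}
SENSITIVE_FIELDS = {"email", "phone", "address", "payment_card", "password"}


def flags_for_call(call, history):
    """Red flags for one call. `history` is the account's earlier calls, oldest first."""
    flags = []
    if datetime.fromisoformat(call["started"]).hour not in BUSINESS_HOURS:
        flags.append("out_of_hours")
    if call["caller_number"].lower() in HIDDEN_CALLER_IDS:
        flags.append("hidden_caller_id")
    changes = SENSITIVE_FIELDS & set(call["requested_changes"])
    if changes:
        flags.append("sensitive_change_requested")
    # "Play the victim": claiming a takeover while asking to move the account's
    # contact details is the combination that needs a second look.
    if call["claims_account_takeover"] and changes:
        flags.append("takeover_claim_plus_change")
    # "Build relationships": asking for an agent the caller has reached before.
    wanted = call["requested_agent"]
    if wanted and any(h["agent"] == wanted for h in history):
        flags.append("repeat_agent_request")
    # Detail changes spread over several calls rather than made in one go.
    if changes and any(SENSITIVE_FIELDS & set(h["requested_changes"]) for h in history):
        flags.append("changes_across_calls")
    return flags


def review(calls):
    """Map call_id -> flags, replaying calls in time order so each call sees
    the account's earlier calls as its history."""
    result, history = {}, {}
    for call in sorted(calls, key=lambda c: c["started"]):
        earlier = history.setdefault(call["account_id"], [])
        result[call["call_id"]] = flags_for_call(call, earlier)
        earlier.append(call)
    return result


def accounts_to_review(calls, threshold=3):
    """Accounts with at least one call raising `threshold` or more flags;
    their pending changes go to a fraud analyst before taking effect."""
    flagged = review(calls)
    account_of = {c["call_id"]: c["account_id"] for c in calls}
    return {account_of[cid] for cid, f in flagged.items() if len(f) >= threshold}


if __name__ == "__main__":
    for cid, f in review(SAMPLE_CALLS).items():
        print(cid, f)
    print("escalate:", accounts_to_review(SAMPLE_CALLS))
```

The threshold is deliberately a count of independent signals rather than any single one: a withheld number or an evening call on its own describes plenty of genuine customers, and the point is to hold the change request for review, not to refuse service.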
Why is this a concern for merchants?
“Brand reputation is the big thing. If word gets out that customer service allowed an account takeover, the responsibility falls on the wider business. Want to stop fraud? Close the doorway to social engineering.
“Plus, revenue losses can be massive. A data breach at Apple cost the company $3 million, and that was accomplished by a phone call to their contact center.”
What’s your advice?
“If a fraudster contacts your customer services, you can always use multi-factor authentication to send a push notification or a text message - they should have the phone in their hand. People are now used to 2FA; it's part of our daily lives, so why not utilise it?
“Ask questions about the account, not the customer, so fraudsters can’t easily answer, like: what was the last thing you ordered? Be mindful that some good customers genuinely won't remember their history, so prepare options for the account holder to help them verify themselves.
“Familiarise the customer service team with fraud red flags. Encourage them to say ‘no’ if a customer asks for something abnormal. And beware of fraudsters using old details. A lot of fraudsters have information they've gathered that isn't relevant to that customer any more.”
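The three pieces of advice above fit together as one agent-side verification flow: ask about the account rather than the person, offer a genuine customer who cannot recall their history a way through, treat a detail that only matches a superseded record as a warning rather than a pass, and fall back on a one-time code sent to the phone number already on file. This is an added example written for this page, not code from Just Eat or the interviewee; the account record, its field names and the session dictionary are constructed assumptions, and delivery of the code by push or SMS is left out.

```python
import hmac
import secrets

# Constructed account record in a hypothetical schema (not Just Eat's own data).
# Superseded contact details are kept so that stale values can be recognised.
ACCOUNT = {
    "account_id": "A200",
    "phone": "+447700900200",
    "previous_phones": ["+447700900199"],
    "postcode": "M1 1AE",
    "previous_postcodes": ["M2 5BQ"],
    "orders": [  # newest first
        {"date": "2021-03-01", "restaurant": "Pizza Place"},
        {"date": "2021-02-20", "restaurant": "Curry House"},
    ],
}


def normalise(value):
    """Compare details without caring about case or spacing."""
    return "".join(str(value).lower().split())


def classify_detail(account, field, value):
    """'current' if the value matches what is on file now, 'stale' if it only
    matches a superseded value (the 'old details' pattern), else 'unknown'."""
    if normalise(value) == normalise(account[field]):
        return "current"
    if any(normalise(value) == normalise(p) for p in account["previous_" + field + "s"]):
        return "stale"
    return "unknown"


def check_last_order(account, answer):
    """Account-knowledge question: what was the last thing you ordered?"""
    return normalise(answer) == normalise(account["orders"][0]["restaurant"])


def last_order_options(account, decoys):
    """Fallback for genuine customers who can't recall: show the real last
    order among decoys chosen by the agent tool, in random order."""
    options = list(decoys) + [account["orders"][0]["restaurant"]]
    secrets.SystemRandom().shuffle(options)
    return options


def issue_otp():
    """Six-digit code to send to the phone number ON FILE, never to a number
    the caller reads out. Delivery is out of scope; the code is returned."""
    return f"{secrets.randbelow(10**6):06d}"


def verify_otp(issued, entered):
    # Constant-time comparison so the check itself leaks nothing about the code.
    return hmac.compare_digest(issued, entered.strip())


def verify_caller(account, session):
    """Decide 'verified', 'step_up' or 'deny' for one contact.
    session keys (all optional): volunteered {field: value}, last_order,
    otp_issued, otp_entered."""
    reasons = []
    for field, value in session.get("volunteered", {}).items():
        status = classify_detail(account, field, value)
        if status != "current":
            reasons.append(f"{status}_detail:{field}")
    # A completed OTP round decides the outcome regardless of other answers.
    if session.get("otp_issued") is not None and session.get("otp_entered") is not None:
        if verify_otp(session["otp_issued"], session["otp_entered"]):
            return "verified", reasons
        reasons.append("otp_mismatch")
        return "deny", reasons
    # Account knowledge passes only when no volunteered detail was stale/unknown.
    if not reasons and session.get("last_order") is not None:
        if check_last_order(account, session["last_order"]):
            return "verified", reasons
        reasons.append("last_order_wrong")
    return "step_up", reasons


if __name__ == "__main__":
    print(verify_caller(ACCOUNT, {"volunteered": {"phone": "+44 7700 900199"},
                                  "last_order": "Pizza Place"}))
    code = issue_otp()
    print(verify_caller(ACCOUNT, {"otp_issued": code, "otp_entered": code}))
```

Two design choices carry the advice: a caller who recites an old phone number never gets through on account knowledge alone, even with the right answer, because that is exactly the "old details" case; and the one-time code goes to the stored number, so a caller who has changed nothing yet must hold the account holder's phone to finish.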
For more insights from Shawn Colpitts on what social engineers can do with stolen credentials, watch our recent account takeover webinar.