Fake Customer Support Scams Target Enterprise Networks

The FTC has recently been involved in taking down a criminal network of “tech support” scammers. These fraudsters were masquerading as Microsoft, Norton, Dell, McAfee, and other technology companies and attempted to phish customer data from fake technical support calls.

A recent Anti-Phishing Working Group (APWG) global report showed that although the number of phishing sites continues to rise (there was a 60% increase in the number of phishing websites in the first half of 2014 compared to the same period in 2013), the time phishing sites stay active online has significantly decreased compared to previous years.

Administrators and hosting providers have been able to quickly identify and take down phishing sites. Phishing sites today last on average just 8 hours before being taken down by server administrators.

Scammers Use Fake Customer Service for a Phishing Advantage

Users today are more aware of the threat from phishing websites attempting to steal sensitive data.

To stay a step ahead of security, hackers are turning to customer service as a way to increase the lifetime of a phishing scam. Fake customer service sites set up by scammers are less obvious to users and administrators since they don’t always ask for financial details and generally aren’t targeting banking customers.

There’s nothing stopping scammers from using social engineering to obtain information from users in your organization. These bad actors frequently contact internal staff members claiming to be from support with an urgent update that needs to take place and end up obtaining remote access to resources in their organization.

Customer service scammers also pose as fake customer support sites and attempt to trick users into divulging personal information in fake online forums, live chat sites, or customer service portals. Like the fake banking sites typically used, these fake services portals appear like legitimate sites. Since many organizations run customer support through alternate domains or subdomains, it’s much more difficult for users to identify a fake support site from the real thing.

Once thieves obtain credentials for online services, they quickly use the credentials to log in and obtain additional details to perform identity theft. Compromised user accounts can be used to access more critical company resources or steal customer data. Employees’ personal online email, social media, and other sites are prime targets for fake customer service phishing scams, which then result in information that could be used to hack corporate accounts.

Educate Users on Security Best Practices

Unsuspecting users are easy targets for hackers and scammers. To prevent attacks, you can start by creating standards for contact channels. If users understand that account verification and security communication will always come from one specific channel and in a specific method every time, they’ll be better protected against online scams. Educating users on account security practices and enabling layers of security with multi-factor authentication is key to enhancing data security and creating greater user trust.

Being a service leader requires constant attention to the user experience. PayPal, for example, handles user security and data protection by frequently notifying its users inside their account, that customers are never notified about account questions by email. Users can be assured that any emails stating “Account Access Limited” or some other security notification by email are scams and should be ignore.

Consistent Security and Trust Indicators

Protecting users online requires internal data security and educating users on account protection best practices. Online security trust indicators help users identify real sites from the fake ones.

Creating a consistent trust indicator is key for ongoing data protection and helping protect users from online scams. Many organizations today rely on the trust benefits that come from using Extended Validation SSL Certificates. The green bar trust indicator is easy to spot and gives users the reassurance that the site they’re on can be trusted.

EV Multi-Domain SSL Certificates offer the perfect solution to secure all customer-impacting websites. The multi-domain feature allows administrators to secure all customer portals, websites, and other sites collecting user data with the green bar of EV with just one SSL Certificate.

EV Multi-Domain gives admins the features and flexibility of the popular Unified Communications SAN SSL Certificate and the greater security and user trust that comes from Extended Validation.

Many customer express the frustration of delayed certificate orders for EV SSL Certificates, so at DigiCert we’ve created a special team and workflow specifically for EV SSL. With the fastest issuance of EV certificates in the industry, customers get all of the benefit of EV in about the same time as a regular SSL Certificate.

Going with EV for website security immediately gives users:

  1. Identity of the organization that owns the website
  2. Encryption of all communications
  3. Assurance that information has not been intercepted or altered
  4. Protection against scams ensuring that the website is not a phishing site

Although more and more organizations have begun using EV SSL online, EV typically only appears on a main website login page or on a checkout page where financial details are being exchanged. Customer service portals, especially those hosted by third party services have a lower level of online security and are often missing the trust indicators users have become accustomed to in online commerce. Not having the EV green indicator on these sites allow fake customer portals to be created imitating the real customer portal customers rely on.

Posted in Breaches, Data Security, Security