A former fraudster and a former merchant took their show on the road today at CNP Expo. Brett Johnson, who served time in federal prison for defrauding e-commerce merchants, and Karisse Hendrick, a consultant in the space and fraud fighter for various merchants, teamed up as keynote speakers at the event in San Francisco.
Over the past year, Johnson and Hendrick have together streamed their views and advice on fraud from divergent perspectives on an increasingly popular podcast. The odd couple met at CNP Expo two years ago and have collaborated since. On Wednesday, they recorded an episode of The Online Fraudcast live on the event’s main stage.
The main focus of the episode was social engineering. According to Johnson, criminals gather information on the companies they defraud in many ways. The more experienced ones will simply call the companies they are targeting to get the data they need and accomplish other things that make cashing out easier. They know the job of customer service is to make customers’ lives easier, and they leverage that fact. But how?
“It’s all about building a rapport, causing a diversion and getting them to do something they wouldn’t usually do to give up information, access, data, cash. That’s the way social engineering works,” he said.
Hendrick noted that there are four general ways companies are getting socially engineered: grooming (a fraudster targets a specific agent with several get-to-know-you calls), creating a sense of urgency, being accommodating, or using emotions (sympathy or anger).
The duo ran through a typical social engineering call for the audience that ended in Johnson being able to change the address on file for a bank account.
For merchants wondering how to stem the tide of accomplished social engineers, Hendrick said the key is establishing strong rules for customer service agents (CSAs), as well as communicating to other departments why they are important. She also pointed to proper training, not telling agents too much about fraud controls and, if CSAs have sales incentives, including a clawback on those incentives if there is a chargeback due to fraud.