How far will fraudsters go to steal information?
Forget phishing. Now there’s an insidious new tactic: FRAUDSTER chatbots! Before we examine this perverse technique, here’s a brief primer on legitimate chatbots.
Chatbot use has been growing dramatically, spurred mainly by the Facebook Messenger chatbot ecosystem that Mark Zuckerberg announced last year. In fact, there are now over 100,000 bots, and more are in the pipeline.
Chatbots are popular because they automate many components of customer service and allow brands to respond to customers at scale. Chatbots combine Artificial Intelligence (AI), Machine Learning, and natural-language processing to respond to customer inquiries quickly and accurately. Chatbots are able to supplement human agents, who can offload routine requests to a chatbot. Or chatbots can be set up to handle those routine requests entirely on their own.
Examples of requests for which chatbots are well suited:
- Is this available in the color red?
- How do I request a refund?
- Where do I find the serial number on my product?
- How do I file a warranty claim?
- How do I recover a lost password?
Advances in technology have made chatbot responses more humanlike, leading to greater interaction and trust by consumers. In fact, due to the one-on-one nature of chat communications, brands have found chatbots to be a valuable tool for collecting customer data that allows them to customize promotions, products, and offerings.
And it is this level of trust that has opened the door to fraudster chatbots!
Basically, there are two types of vulnerabilities involved in chatbot fraud:
- Fraudsters hack a company’s existing chatbot and take it over. Fraudsters then use the chatbot to ask unsuspecting customers to provide highly confidential information, for example, username, password, account number, etc.
- Fraudsters set up a spoof website with malicious chatbots. Consumers believe they are visiting a legitimate website, and willingly provide confidential information to the malicious chatbot on the spoof website.
In both of these scenarios, fraudsters and criminal gangs are able to rapidly collect credentials for a large number of accounts, which enables account takeover (ATO), identity theft, synthetic IDs, and other malicious activities.
There are a number of steps companies can take to protect their networks against hackers and prevent hijacking of their chatbots. The blog post “Common Pitfalls of Data Security: Q&A with Brian Poole” is a good starting point. In it, Brian Poole, Security Architect at Kount, provides an overview of the risks and vulnerabilities involved in data security, and the steps that companies can take to guard against hackers and intrusion.
When it comes to spoof websites, online businesses can help customers be more aware of this danger. For example, they can let customers know via newsletter, monthly email communications, or website what types of information will or will not be requested in chat sessions, and warn them not to provide confidential information if asked.
With fraudsters becoming increasingly sophisticated in their practices, having an enterprise-class fraud solution like Kount Complete is even more necessary. Learn more about buying or building an all-in-one fraud solution in our whitepaper "Buy Versus Build: A Discussion for Implementing a Fraud Management Solution".