7 Ways to Avoid Live Chat Phishing Scams

Devon Ackerman , Anthony Knutson , Alan Brill


September 1, 2021

A drawing of a person seen from behind sitting at a bay of computer screens on a desk, wearing headphones.

By now, most people know that a significant proportion of cyberattacks stem from malicious email links or attachments. Phishing emails are both common and very dangerous, so most organizations have learned the importance of security awareness training and encouraging all employees to stop and think before clicking message links or attachments. Recently, forensic analysis of cybersecurity ­incidents has revealed a new vector for phishing attacks: live chat platforms.

Particularly since the pandemic drove even more commerce and communication online, live chat systems have become both accepted and expected for website visitors who run into problems or have questions. These systems are designed to provide answers to most questions without human intervention. For example, a generic question like “How can I pay for my order?” can trigger a pre-defined response like “Thanks for asking. We accept all major credit and debit cards as well as PayPal.”

But criminals have discovered that asking a question for which there is no pre-defined answer leads the system to either ask for clarification or send the question to a human agent. The key to a phishing attack in this environment is the criminal’s ability to attach a file to the question and get it to a live agent. Files attached to chat sessions are very common because a photo or scanned document can help in handling the issue. However, these attachments can also contain malware.

Many live chat systems do not try to interpret or analyze attachments, especially compressed files. Once the system determines that it needs to hand the conversation over to a human, it just provides the agent with the compressed file along with the chat session. The attacker’s objective is to get the live agent to open the file. In some cases, the agent may prepare for the chat by opening the file before even communicating with the questioner. In other cases, the criminal might have to converse with the agent to get them to open the file. In either case, unless there are additional defenses in place, the attacker succeeds when the live agent opens the file and the malware enters the target’s network.

Once in the network, the malware can launch a ransomware attack or set up an access path that the attacker can use later to facilitate data theft. Cybercriminals often try to do both—first, they will steal your data and then they will encrypt your systems. They can then push for a ransom payment while also selling the stolen data or they can use the threat of publicly releasing the data as additional pressure to pay.

In one recent case, a criminal engaged a company’s chat system until the automated bot software exhausted its knowledge base and could not answer the question. This triggered a help desk ticket that was routed to the accounting department. (Criminals tend to focus on tickets related to payments and billing, as these are less likely to be resolved by IT professionals.)

As part of the ticket creation process, the system allowed the criminal to attach one or more files as evidence. The perpetrator attached a document with embedded malware, and the assigned accounting person opened the file as part of their normal ticket resolution process. Once the document was opened, malicious scripts (known as macros) executed and malware was deployed to the system. This provided the criminal with credentials and system information that ultimately led to access of the company’s internal network.

With the level of access secured in the attack, the criminal group was able to exfiltrate hundreds of gigabytes of data from the network before encrypting a large portion of the system in a ransomware attack. The company was then doubly extorted to buy a decryptor to restore access to the system and to avoid having the stolen files released publicly. At the same time, the victim’s website was disabled and the resulting flood of social media comments and news coverage further increased the pressure to resolve the incident.

Two key takeaways from this case are that the organization did not have sufficient anti-malware scanning of attachments as part of its helpdesk system and, unlike with traditional phishing emails, the company had not trained the accounting department to be wary of helpdesk tickets. In addition to demonstrating an emerging threat vector, this also reinforces the need for a robust security culture program.

Taking Preventative Measures

Workers assigned to handle live chats are often under pressure to respond to as many tickets as they can and frequently do so by minimizing what is called “average handle-time.” For a busy agent who may be handling multiple chats at the same time, that pressure can be unrelenting.

If a company puts too much stress on the automatically generated handle-time data, it can lead to agents opening attachments more quickly than their security people would prefer. After all, the agent is simultaneously trying to resolve the issue so that they meet low handle-time goals while also striving for good feedback scores in the customer’s post-chat satisfaction survey (a common feature of chat systems). This is especially difficult when the volume of chat sessions requiring human interaction has outpaced the availability of agents to address them promptly.

Cybercriminals understand this pressure and do their part to increase it. If they are connected to an agent, they can act like an angry customer who wants their problem solved immediately. They will say that they have previously tried to get resolution and failed, and they have attached all of the documentation needed to support their request. Rather than applying pressure, some attackers will try to use an agent’s sympathy to shorten the chat time. For example, they might say, “My mom set up the subscription, but she fell ill last week and all I could find was the confirmation email, which you will see in the screenshot I have attached. Can you help me to cancel it, please?”

Since many chat systems (and anti-malware systems) do not look inside compressed files to identify potential problems, the live agent may fall for the attacker’s story and open the attachment, thus inadvertently launching the malware.

Criminals have also learned to raise issues that seem relevant and reasonable. While just putting together random words might cause a chat system to open a ticket and pass the chat to a human agent, it is also likely to warn the agent that something is wrong and raise their level of security concern. Ultimately, these attacks combine malware delivery expertise with excellent social engineering skills because the criminal initiating the chat has to be ready to deal with the live agent in real time.

How can you mitigate the risks of successful phishing attacks coming from your chat system? There are no perfect solutions, especially as it is very possible that legitimate customers have valid reasons to seek help through these systems, provide documentation, and request urgent resolution. Failures to serve these users can threaten that customer relationship or risk broader attention for poor customer service. However, there are key steps you can take to help manage the risk of live chat phishing:

  1. Knowledge is strength. It is imperative to educate your live-chat agents about live chat phishing scams, whether the agents are employees or work for a third-party. The more they understand the way these attacks work, the more they can learn to be appropriately suspicious and avoid falling victim.
  2. Numbers are not everything. If you place undue importance on average handle times or feedback scores, you may be fueling dangerous behaviors from agents trying to improve their numbers. These numbers may be important, but it is equally important that your agents prioritize security. Never put agents in the position of feeling they need to ignore security in pursuit of lower handle times or higher feedback scores.
  3. Know your chat system’s capabilities. Make sure you understand what security-related tools and techniques are available in your chat system. Focus on what security support your system offers when creating a ticket for a chat session with attached files. Some chat systems are better than others, and some offer broad capabilities, but only if they are activated.
  4. Consider the kinds of attachments you will allow. Criminals like to use compressed files because anti-malware tools are less likely to detect malware if it sits in them. If you prohibit attachments that are compressed (like .zip files) and require that attachments be in native format (like .docx or .jpg), your system is more likely to automatically detect problem files. Alternately, it may be possible to use fill-in forms with cut-and-paste options that can provide access to necessary documents without requiring uploaded attachments.
  5. Consider only opening attachments in a secure environment. If the resources are available, it may be possible to divert tickets with attachments to a security workstation where the attachments can be opened in a secure “sandbox” environment and tested for malware issues. However, this would need to be done quickly enough to avoid the external questioner giving up on the chat session, which may not be realistic in every situation.
  6. Recognize that attacks may succeed and plan with that in mind. Keep your anti-malware software updated and use endpoint monitoring to detect problems quickly. Since no preventative solution is 100% effective, it is vital to have endpoint security monitoring to mitigate damage if malware is launched. Additionally, you could create a separate virtual desktop environment for chat agents that can provide additional security measures to mitigate damage if a file is opened and an attack chain is launched.
  7. Trust but verify your chat security and regularly test the chat environment. Vulnerability scans can help to detect problems in configuration, patching and other architectural issues. Penetration tests focused on chats can also help assess how your overall security measures are working since these tests can combine technical challenges with social engineering.

Live chat phishing still an emerging threat. While incident rates are not high yet, it deserves immediate attention from IT and risk management departments. By increasing levels of personnel awareness, system security evaluation and system testing, organizations will be better equipped to block an attack that could otherwise lead to a major data theft or costly ransomware incident.

Devon Ackerman is managing director and head of incident response for North America with Kroll’s Cyber Risk practice.
Anthony Knutson is senior vice president of Kroll’s Cyber Risk practice.
Alan Brill is senior managing director for Kroll's Cyber Risk practice, where he consults with law firms and corporations on investigative issues relating to computers and digital technology.