Three mistakes companies make when dealing with hacked customers

At The Cyber Helpline we have supported hundreds and hundreds of victims of cyber crime. In many of these cases there is a touch point with a service provider – such as email, social media, online gaming, online shopping, banking or ISP. We get to see a lot of the communications back from these providers and see common issues that cause more confusion or force the victim to simply disengage from the process entirely.

We see lots of mistakes made in this area, but I have picked the three major issues that I think do the most damage. Others I could have added are 1) making it difficult to find where to report, 2) blaming the user for the issue, 3) having a team that deals with security issues that is separate from the wider business and can’t access the right systems and 4) having people who don’t understand cyber security best practice handling cyber security issues.  

Ok, here are my three main issues.

Letting your IT/security/legal team write your customer communications

The majority of your customers probably don’t understand technology, never mind IT security. When a customer comes to you to report an issue, or you are telling them about a breach, you simply must talk in non-technical language. Here is a real example of a response to one of our users reporting a potential phishing scam using the company’s brand.

Thank you for your email.

To assist us with our investigation, we need the full unedited header information for the email mentioned in your original complaint. This serves two purposes, as evidence to support the complaint and the information enables us to try and locate the source of the problem. When sending multiple complaints, please make sure you only send  one complaint and the related headers per email.   Headers will contain several ‘Received’ lines, which will contain IP addresses, dates & times. This is the information that we investigate as the senders emails address is usually spoofed/harvested.   Headers are not the ‘To’, ‘From’, ‘Sent’, ‘Date’ or ‘Subject’ lines.   Please do not send the email source code as this is the language used to create the email content.

If for you cannot provide us with the header information , we will not be able to investigate and the case will be closed. Please be aware, for security reasons we can only except txt attachments. If you have sent an email with any other type of attachment, you will need to resend with the relevant information in the body of the email.
— ISP Security Team

I like this example because there is so much wrong with it. Here are my observations:

  • Most people don’t know what an email header is, never mind how to find one and send it over.

  • Most people don’t know what spoofed or harvested means in this context, so why add this in?

  • Email source code? How are they supposed to a) know what this is and b) differentiate it from the header?

  • Ultimatum – provide the header or case closed.

  • Spelling mistakes and typos – “we can only except txt attachments”. We talk a lot about these types of mistakes being a sign of phishing emails!

  • Most people would struggle knowing what a txt attachment is never mind converting what they have to one.

Now imagine you are 74 years old, can barely use your email account to send email, and have just received this response. For most it is time to give up.

Here is another example from an individual reporting a potential phishing scam:

If you mouse over the links provided within the body of the email, you will notice that the domain is a genuine domain of ours.
— Online Store Customer Support Team

Ok, I can probably let “mouse over” slide, but do we expect users to understand a) what a domain is and b) which domains you legally own? To add context, the domain used to send the email was different from the domain used for the company’s main website. For the average user this is technical jargon that doesn’t get the message across.

Why not say, “We have checked the email and it is safe. We sent it to you. Would you like me to get the team who sent it to give you a call so you can [enter email call to action here]”?

Lesson: It is critical that your communications are written internally by someone who can communicate effectively with your audience. This is very unlikely to be anyone from IT, security or legal. Bring in your marketing team to review your communications and repurpose them for your customers. Also, why not really review the user experience to make it as easy as possible?

Not having a single view of customer interactions

If a customer gets in touch to verify an email, text or phone call, you need to make sure you have an accurate view of all interactions with that customer across your organisation. If not, you risk creating a fake incident and at the same time creating a very unhappy customer.

Imagine this scenario:

You get an email from your home broadband provider offering an engineer visit to make your Internet speed better. You click the link and get a call back from the provider as promised. On the call you book an appointment, but realise after the call something wasn’t right. The person on the phone was a bit vague about the problem they were going to fix and asked you for a lot of details. You start worrying that this might be a scam, so you call the provider directly.

The customer service agent confirms that no email was sent, no engineer visit is booked and there is no log of a recent phone conversation. Nightmare! You have been scammed. You immediately call ActionFraud, forward the email to the provider’s phishing email address suggested by the customer service agent and you start figuring out how to minimise the damage of the scam.

However, two days later the security team respond to you forwarding the scam email and confirm that it has been sent from a legitimate domain the provider owns. You call back customer service and they confirm that no engineer visit is booked and they have no record of the call or email.

A day before the booked visit you get a call from someone who says they are the provider’s engineer and will see you tomorrow. You call the provider and they categorically tell you that they do not have an engineer coming.

Have you been scammed or not? Is someone going to turn up at your door tomorrow at the discussed time? Are you in danger? What is going on?!

This is a real issue that we helped with, and this kind of thing happens on a pretty regular basis. Just imagine the impact on that customer’s perception of your competence and security. Think of the stress and expense you have put them through.

Lesson: It is critical that you have a single view of all interactions with your customers, partners and prospects. This needs to be real-time and accessible to those on the front line. If you are going to confirm or deny a specific communication you need to be 100% sure before communicating with the customer.

Taking too long to respond

In so many cyber security incidents facing individuals, time is critical. The social engineering scam will pressure you for time. The ransomware on your device might give you 24 hours to pay. The video your ex just shared is being liked and shared across social media.

Sending an auto-response and setting an estimated response time of 7-10 days doesn’t cut it. By then the incident has either ended or got much, much worse. Your internal security team probably has an objective to detect and start responding to security incidents within minutes, so why are your customers waiting weeks?

You will likely have an overview of the security risks facing your users, or at least a list of the most common support issues. These need to be prioritised by urgency, with suitable SLAs agreed with the customer support team. The response time must fit the typical timeline of that type of attack.

Lesson: Do the analysis of what type of cyber security issues your users might face on your platform or where you might be a part of the problem/solution of a wider issue. Understand the impact on the individual and the timescale they will be under and then plan your response time appropriately.

Why correct these mistakes?

When a customer reports to you that their account has been hacked, or that they have been targeted in a scam where your brand was imitated, it is a great opportunity to support them and increase the loyalty of that user. It is also a chance to thank them for reporting, because you now have the ability to investigate and limit damage to the wider customer base.

Any good incident response plan will cover the people, process and technology around communication and breach notification. However, how many organisations have truly explored a customer’s experience of reporting an issue, or of communicating with you once you have notified them of a breach?

Any organisation that can avoid these mistakes is likely to provide a great user experience after a cyber security issue and really improve customer loyalty.