Over the last two years, attackers have zeroed in on contact centers and helpdesks because one well‑timed conversation or one compromised agent account can sidestep hardened perimeter controls.
Coinbase’s 2024/25 incident is the clearest example: criminals bribed overseas support agents to siphon sensitive customer data later used in social‑engineering scams. Coinbase rejected a $20M ransom, but the downstream harm touched 69,461 customers, per the company’s state AG filing.
And this is not an isolated case. In the UK, two RAC call‑center specialists were convicted for copying and selling 29,500+ crash‑victim records. In the U.S., prosecutors described a Louisiana ring that recruited Teleperformance call‑center insiders serving USAA Bank, then printed counterfeit checks, leading to federal sentences in 2025. And in India this past August, Delhi Police alleged “insider moles” at an authorized CPP call center leaked SBI credit‑card data that fueled a ₹2.6 crore fraud; 18 arrests have since followed (the case is ongoing).
Security teams have seen this movie before. Microsoft’s deep dive on Octo Tempest (aka Scattered Spider) documents systematic helpdesk targeting: impersonation, vishing, MFA resets, and remote‑assist tools to obtain initial access. In 2023, the MGM/Caesars incidents showed just how quickly a “service desk” pretext can escalate into enterprise‑scale disruption.
Zoom out and the macro data says third‑party pathways are rising: Verizon’s 2025 DBIR analyzed 12,195 confirmed breaches and highlights that the share of breaches involving a third party doubled, from 15% to 30% year over year. That’s exactly where many contact centers sit: outsourced, distributed, and permissioned.
Why attackers love contact centers
- High leverage, high pressure: Agents and team leads can view and change customer data under strict time‑to‑resolution goals. Criminals either social‑engineer them (convince an agent to “help”) or recruit/bribe them.
- Fragmented oversight: Voice, chat, email, CRM, and knowledge live across systems that rarely share real‑time telemetry with security. Gaps = gray space for exfiltration.
- Vendor surface area: BPOs and contractors add distance between SecOps and day‑to‑day agent actions, exactly the “third‑party” dynamic DBIR calls out.
What “observability” means in a contact center (and why it reduces risk)
In engineering, observability means seeing internal state from external signals. In contact centers, it means instrumenting every conversation and workflow so you can detect and act on risky behavior in real time:
- End‑to‑end conversation intelligence (voice, chat and email) with searchable transcripts and signals (PII exposure, payment handling, escalations). This moves QA from tiny samples to broad coverage and gives security a reliable trail.
- Real‑time agent assistance and guardrails that push the right next step and block the wrong one (e.g., no sensitive verification bypass scripts; no off‑policy refunds or address changes).
- Behavioral baselining: which agents repeatedly access high‑value records off‑queue? Which teams copy unusual amounts of data after hours? Turning patterns into alerts is how you spot bribery, coercion, or account sharing early. This is exactly the gap exploited in the Coinbase and USAA patterns.
- Unified telemetry across telephony, chat, CRM, and knowledge systems so SecOps can correlate “who said what” with “what changed in the account.”
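One way to turn the behavioral-baselining questions above into alerts, shown as an added example (it is not Cresta's code or product logic). The event fields, the 08:00 to 18:59 shift window, the modified z-score threshold of 3.5, and the fallback used when peers show no spread are all assumptions; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

AGENTS = ("a01", "a02", "a03", "a04", "a05")
# Constructed events: (agent, timestamp, record id, interaction id, rows copied).
# interaction id None means the record was opened with no assigned contact (off-queue).
EVENTS = [
    *[(a, "2025-03-03T10:00", f"r{i}", f"c{i}", 1) for a in AGENTS for i in range(3)],
    ("a01", "2025-03-03T14:00", "r50", None, 1),      # occasional off-queue lookup
    ("a03", "2025-03-03T15:00", "r51", None, 1),
    *[("a05", "2025-03-03T13:00", f"r{60 + i}", None, 1) for i in range(9)],
    ("a02", "2025-03-03T23:40", "r70", "c70", 450),   # bulk copy late at night
    ("a04", "2025-03-03T19:30", "r71", "c71", 2),     # small after-hours follow-up
]
BUSINESS_HOURS = range(8, 19)  # assumed shift window, local time


def features(events):
    """Per agent: (off-queue record views, rows copied outside the shift window)."""
    off_queue, after_hours, agents = defaultdict(int), defaultdict(int), set()
    for agent, ts, _record, interaction, rows in events:
        agents.add(agent)
        if interaction is None:
            off_queue[agent] += 1
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            after_hours[agent] += rows
    return {a: (off_queue[a], after_hours[a]) for a in agents}


def robust_outliers(values, threshold=3.5):
    """Agents far above the peer median, by modified z-score (median/MAD)."""
    med = median(values.values())
    # MAD is 0 when most peers are identical; fall back to 1.0 (assumption).
    mad = median(abs(v - med) for v in values.values()) or 1.0
    return {k for k, v in values.items() if 0.6745 * (v - med) / mad > threshold}


def flag_agents(events):
    """Map each flagged agent to the baseline signals they exceeded."""
    feats = features(events)
    signals = {
        "off_queue_access": {a: f[0] for a, f in feats.items()},
        "after_hours_copy": {a: f[1] for a, f in feats.items()},
    }
    flagged = defaultdict(list)
    for name, values in signals.items():
        for agent in robust_outliers(values):
            flagged[agent].append(name)
    return dict(flagged)
```

Comparing each agent to the peer median rather than a fixed limit keeps the occasional off-queue lookup (a01, a03) and the two-row after-hours follow-up (a04) below the alert line while the repeated and bulk cases stand out.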
Where Cresta fits
Cresta isn’t a Security Information and Event Management (SIEM) or data loss prevention (DLP) tool, but our real‑time guidance, conversation intelligence, and QA automation substantially increase observability in the exact workflows attackers are abusing:
- Agent Assist provides in‑the‑moment guidance, knowledge retrieval, AI summaries, and workflow automations. These controls help standardize how sensitive data is handled and reduce risky improvisation.
- Behavioral QM and performance insights on compliance behaviors give leaders a unified view of what’s happening across conversations, making it easier to spot anomalous behaviors, compliance drift, and training gaps at scale.
- Cresta across channels (now including email) extends the same real‑time insight and QA to a channel that’s historically under-leveraged in many centers. That’s critical because many high‑risk account changes and phishing pivots flow through email threads.
- Opera helps security and risk teams surface potential fraud signals and risky behaviors within conversations, enabling agent-driven investigations and workflows to mitigate fraud and account compromise.
- Screen recording speeds up incident response processes and ensures agents and businesses remain compliant with laws and regulations.
- AI Analyst enables analysts and business users to discover and investigate emerging threats within conversational data.
Adding Cresta’s “in-the-conversation” visibility and guardrails to your security stack shrinks the gray space where social‑engineering and insider abuse thrive.
The takeaway
Attackers go where decisions get made fast and verification gets messy, which is exactly what contact centers are built for. You can’t reduce exposure with policy documents alone.
You need observability inside the conversation and the workflow, coupled with real‑time guardrails that help agents do the right thing under pressure. Platforms like Cresta provide that layer: unifying signals across channels, guiding agents in the moment, scaling QA, and enforcing responsible handling of sensitive data, so the next attempted scam has fewer places to hide.


