
Protecting your workspace against social engineering

Written by Penny Gray
Updated over 4 months ago

Social engineering is a tactic where attackers manipulate people into giving away access or sensitive information. It can show up in customer support scenarios as someone pretending to be a legitimate user who is locked out of their account.

Even with good authentication practices, it’s difficult to entirely prevent these cases — so it’s important to train your team and configure your workspace defensively.

This guide explains how you can use Intercom’s features to reduce your exposure and help your team respond effectively when a conversation might be suspicious.

1️⃣ Secure your Messenger

If you're using Intercom for logged-in users, you should always authenticate your users with a JSON Web Token (JWT). This ensures that the Messenger only boots for real, authenticated sessions for your users. Any attempts to spoof identity (e.g. starting a conversation as another user) will fail if the JWT isn’t valid. For more information see: Authenticating users in the Messenger with JSON web tokens (JWTs)

Check if your Messenger is in a secure state in your Messenger security settings

Note that JWT authentication only applies to users (people with a user_id). Read on for how to protect your team against suspicious lead conversations.
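To make the "spoofing will fail" point above concrete, here is an added example (not Intercom's own code) of the two halves of JWT authentication: the server mints an HS256 token for the logged-in user, and a verifier of the same shape the Messenger relies on rejects anything whose signature does not match the workspace secret. The claim names `user_id`, `email` and `exp`, the settings key `intercom_user_jwt`, and the placeholder secret are assumptions here; take the exact names from the linked Intercom article and your Messenger security settings.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder: use the secret from your Messenger security
# settings, and keep it server-side only (it must never reach the browser).
IDENTITY_SECRET = "replace-with-your-workspace-secret"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_user_jwt(secret: str, user_id: str, email: Optional[str] = None,
                  ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Server side: sign a short-lived HS256 JWT for ONE authenticated session."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"user_id": user_id, "iat": now, "exp": now + ttl_seconds}
    if email:
        claims["email"] = email
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_user_jwt(secret: str, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Mirror of the check the Messenger performs: returns the claims, or None
    when the token is malformed, uses a different algorithm, has a bad
    signature, is expired, or names no user_id."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # refuse "none" / algorithm-confusion tokens
        expected = hmac.new(secret.encode(), f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # claims were altered or signed with another secret
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return None
    if not isinstance(claims, dict) or "user_id" not in claims:
        return None
    if int(claims.get("exp", 0)) <= now:
        return None  # expired: a leaked token has a bounded lifetime
    return claims


def messenger_settings(app_id: str, token: str) -> dict:
    """What the page hands to the Messenger on boot (key name assumed)."""
    return {"app_id": app_id, "intercom_user_jwt": token}


if __name__ == "__main__":
    token = mint_user_jwt(IDENTITY_SECRET, "user_123", "ann@example.com")
    print(messenger_settings("your_app_id", token))
    print(verify_user_jwt(IDENTITY_SECRET, token))
```

The important property is in the last three checks of `verify_user_jwt`: a token whose `user_id` claim has been edited, or one signed with a guessed secret, produces a signature mismatch and is rejected, so a lead cannot open a conversation as someone else by hand-crafting settings in the browser.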

Differentiating between Leads and Users

When viewing conversations in the Inbox:

  • Leads are people who start conversations while logged out. They often appear with minimal or no identifying information.

  • Users are those who are logged in and authenticated, or who become authenticated during the conversation.

Leads and users are identified in the side panel within the Inbox. It’s useful to note how they are identified. Here is a lead who has started a conversation on the Messenger without entering an email address:

Here is the same lead after entering an email address into the Messenger.

ℹ️ Intercom does not verify leads own the email addresses provided in the Messenger.

If the user is logged in, they will instead show as a user.

If a user logs in within the same browser after starting a conversation as a lead, as is shown in the screenshot, they will be upgraded to a user.

For more information on the difference between leads and users see: How do visitors, leads and users work in Intercom?

To learn more about user and lead merging, see: Merge lead and user profiles

Set up automations to collect identifying info

Automations and Workflows are very powerful ways to configure Intercom to fit your processes. Depending on the lead, user or message content, you can take specific actions.

Using Simple Automations, you can configure Intercom to:

  • Ask leads to provide their email address before they start chatting

  • Prompt for extra context like name, company, or account ID

  • Assign those chats to specific inboxes or teams for extra review

Build tailored workflows for risky scenarios

You can create workflows that respond differently depending on who starts the conversation:

  • 🟡 Is it someone just browsing? Ask light questions or route to self-serve content.

  • 🔁 Is it a real user who forgot to login? Prompt for login and verify email.

  • 🚨 Is it a real user who is locked out of their account? Route to a secure flow with data verification, notes for teammates, and clear reply time expectations.

You can configure Fin to:

  • Ask leads to log in before continuing

  • Offer account recovery options (e.g. “I’m locked out” button)

  • Escalate to a human if needed — and tag the conversation clearly so your teammate knows to be cautious

Here’s an example workflow setup for Leads. In this case we are trying to account for all 3 scenarios above:

Have separate inboxes and views

For extra protection, you could also separate conversations with unauthenticated leads to a different inbox so it’s clear that everything in that inbox deserves extra vigilance.

You can achieve this with Team Inboxes. See more in Organise team inboxes

Stay vigilant against social engineering

Even with the best automations, human agents play a key role.

Prepare your team by:

  • Training them to always verify user details before making account changes

  • Encouraging them to check for matching user records, email addresses, and login history

  • Adding internal notes and tags to communicate suspicions internally

FAQ

How can I verify that leads own the email addresses they enter into the Messenger?

We do not currently have a feature to verify email addresses entered in the Messenger. If you would like to see this feature, please lodge a feature request with our support team. In the meantime, we’d recommend setting up workflows that either push leads to sign up or log in, or treat their conversations with more caution.

That said, you could potentially use a Data Connector to verify addresses if this is functionality you have elsewhere.


💡Tip

Need more help? Get support from our Community Forum
Find answers and get help from Intercom Support and Community Experts


Did this answer your question?