Language Model Agents Under Attack: A Cross Model-Benchmark of Profit-Seeking Behaviors in Customer Service
Jingyu Zhang
TL;DR
This paper tackles the deployment-relevant risk of profit-seeking direct prompt injection in customer-service LLM agents by introducing a cross-model benchmark covering 10 service domains, 100 injected conversations, and five PI families. It evaluates five widely used models with an end-to-end pipeline that includes dual LLM evaluators and uncertainty reporting, revealing strong domain- and model-level variability in vulnerability. Payload splitting (PI3) emerges as the most consistently effective PI family, while airline-supply domains, particularly Airline Support, show the greatest susceptibility. The authors provide a complete dataset and tooling to enable auditing, defenses, and safer, human-centered agent interfaces, emphasizing practical guardrails, escalation, and transparency as core defenses.
Abstract
Customer-service LLM agents increasingly make policy-bound decisions (refunds, rebooking, billing disputes), but the same ``helpful'' interaction style can be exploited: a small fraction of users can induce unauthorized concessions, shifting costs to others and eroding trust in agentic workflows. We present a cross-domain benchmark of profit-seeking direct prompt injection in customer-service interactions, spanning 10 service domains and 100 realistic attack scripts grouped into five technique families. Across five widely used models under a unified rubric with uncertainty reporting, attacks are highly domain-dependent (airline support is most exploitable) and technique-dependent (payload splitting is most consistently effective). We release data and evaluation code to support reproducible auditing and to inform the design of oversight and recovery workflows for trustworthy, human centered agent interfaces.
