Language Model Agents Under Attack: A Cross Model-Benchmark of Profit-Seeking Behaviors in Customer Service
Jingyu Zhang

TL;DR
This paper introduces a comprehensive benchmark testing how customer-service language models can be exploited for profit-seeking behaviors through prompt injection, revealing how vulnerability varies by service domain and by attack technique.
Contribution
It provides the first cross-domain, multi-technique benchmark for assessing prompt injection vulnerabilities in customer-service LLMs, with data and tools for reproducible evaluation.
Findings
Airline support is most vulnerable to attacks.
Payload splitting is the most effective attack technique.
Vulnerabilities vary significantly across domains and techniques.
Abstract
Customer-service LLM agents increasingly make policy-bound decisions (refunds, rebooking, billing disputes), but the same "helpful" interaction style can be exploited: a small fraction of users can induce unauthorized concessions, shifting costs to others and eroding trust in agentic workflows. We present a cross-domain benchmark of profit-seeking direct prompt injection in customer-service interactions, spanning 10 service domains and 100 realistic attack scripts grouped into five technique families. Across five widely used models under a unified rubric with uncertainty reporting, attacks are highly domain-dependent (airline support is most exploitable) and technique-dependent (payload splitting is most consistently effective). We release data and evaluation code to support reproducible auditing and to inform the design of oversight and recovery workflows for trustworthy, human…
Taxonomy
Topics: Multi-Agent Systems and Negotiation · Ethics and Social Impacts of AI · Access Control and Trust
