Web and mobile fraud
Target Hardening and Behavioural Change—Tackling Retail’s Insider Threat
Cyber Vulnerability and Social Engineering—This Time It’s “Personnel”
Employing almost three million people to service the needs of 60+ million customers, the UK retail sector is also one of the largest consumers of IT services as part of its ever-evolving digital transformation.
The trend—which began with the rapid shift towards online shopping, which was then supercharged by the pandemic—is not exclusive to these shores, as more than 90 per cent of global retailers are prioritising AI technology as their focus for the next two years, according to research from Gartner.
From customer service to security investment such as facial recognition technology, the sector continues its love affair with IT, as data has become the new critical currency driving sales both in terms of bricks and mortar and clicks and mortar.
But the honeymoon may be coming to an end, as many would argue the haste of the courtship has resulted in an over-dependence on technology and that in the frantic gold rush businesses have failed to carry out the necessary due diligence into the weakest links in this chain of command—cyber security vulnerability and the human factor.
The complete digital transition has meant industrial levels of outsourcing to third parties such as cloud-service providers, POS system providers, and third-party apps used on e-commerce sites, a mission creep that increases the risk of data breaches, particularly if these outsource businesses have their own inherent security weaknesses, including a lack of information security policies, encryption, or web application firewalls (WAFs).
While technology can be agile, data protection rules remain fragile, as relevant regulations such as GDPR can take years to introduce and interpret as the law continues to play catch-up on the ever-evolving risks to the acres of harvested personal data captured on a daily basis.
Indeed, a retail organisation’s vulnerabilities increase incrementally with every third party it uses, yet many businesses lack visibility and a way to perform third party risk assessments to make meaningful decisions about potential cyber threats.
Consequently, according to leading cyber writer Kylo Chin, retail businesses are increasing their “attack surfaces”—the paths, methods, and vulnerabilities that cyber-criminals home in on to orchestrate their attacks.
Currently, according to analysts, there are over nine million online retailers operating around the world, but that is only part of the digital picture. According to some estimates, more than twenty-five million e-commerce sites are operating globally, not to mention the growth in sales through social media platforms.
Many of these online businesses also have brick-and-mortar stores with staff, cashiers with physical point-of-sale (POS) systems, and an extensive, geographically distributed network of payment systems.
According to Chin, “The retail sector attracts cyber-criminals because it processes and handles large amounts of personal data and financial information. The complexity of physical stores with e-commerce sites creates opportunities for cyber-criminals due to the mix of technologies, including cloud-based services”.
Large retailers understand the challenges and take the issue seriously because they are all too often the targets of multiple cyber-attacks.
In October 2021, Tesco, the UK’s largest supermarket, experienced its app and website going down for two days after a suspected cyber-attack.
The priority from then on was to retain the trust of consumers. Since the breach, the company has tried to stay one step ahead by trying to measure the potential damage of any future cyber-hack.
As a business that currently deals with more than a million online orders each week and a loyalty Clubcard that has stored details of more than twenty million customers—almost half of whom access it through their mobile phones—it is little wonder the business takes the threat of cyber-crime seriously, not only from a financial perspective, but reputationally.
In its annual report following the suspected attack, the supermarket chain revealed that it had carried out a stress test measuring the impact of a data breach. The test calculated that the revenue and reputational losses of such an event could result in a significant financial penalty being levied against the company, in accordance with UK GDPR rules. In this test, management estimated that the fine would account for “2 per cent of Tesco Group revenue”.
It concluded that a data breach would negatively impact trading and result in a decline in customer sentiment.
Robust protection must therefore be in place because it would only take one successful breach from multiple cyber “assaults” or “phishing expeditions” to trigger a far-reaching digital crisis.
Hackers are not necessarily the archetypal hoodie-wearing bedroom keyboard warriors or state actors with geo-political motives.
They may also be middlemen mercenaries seeking to gain financially through ransomware attacks, having executed a successful distributed denial of service (DDoS) attack and then selling the accumulated customer data to the highest bidder on the impenetrably encrypted dark web. They potentially get paid twice, all in cryptocurrency, of course.
Government Figures
According to the UK Government’s own cyber security survey for 2024, half of all businesses (50 per cent) and around a third of charities (32 per cent) report having experienced some form of cyber-security breach or attack in the last twelve months.
The report said: “By far the most common type of breach or attack is phishing (84 per cent of businesses and 83 per cent of charities). This is followed, to a much lesser extent, by others impersonating organisations in emails or online (35 per cent of businesses and 37 per cent of charities) and then viruses or other malware (17 per cent of businesses and 14 per cent of charities)”.
“Among those identifying any breaches or attacks, we estimate the single most disruptive breach from the last twelve months cost each business, of any size, an average of approximately £1,205. For medium and large businesses, this was approximately £10,830. For charities, it was approximately £460”.
But these figures could be the tip of a larger iceberg as many businesses do not report cyber-attacks for fear of the fall-out—the potential prosecution and the reputational damage that would ensue.
Social Engineering
Of course, it doesn’t have to be brute force “villains versus anti-virus software” penetration. It could, in fact, simply be good old-fashioned human guile, being “invited into a business system” through the front door, and this is by and large done through untrained and unsuspecting employees, many of whom work remotely or from home.
In the high-octane retail space where there is high churn and burn-out, remote employees working in isolation from their colleagues can be more prone to anxiety as a result of fears over job security.
Digital social media platforms such as LinkedIn or Indeed offer connection and solace, as well as a channel for CV requests or job offers. In these cases, employees may act before they think when it comes to responding to or fulfilling requests that are, in reality, phishing exploits.
LinkedIn is also the weapon of choice of many hackers targeting businesses, who use it to identify the names and job titles of employees. The platform is one of the best ways to access employee data, titles, and background. Indeed, employee profiles contain all the elements a hacker needs to make an organisational chart of a company and pinpoint who might be vulnerable to trickery.
To target a company, a hacker may develop and use a fake LinkedIn profile. They may contact employees by posing as recruiters, using fake profiles and false appearances.
Employees may accept invitations from fake profiles because the profiles appear to be people from their local area. The more employees a hacker can connect with, the more knowledge they can collect about names, job titles, and which employees present the easiest opportunity by which to steal information. After hackers connect with employees at a targeted company, they will search for vulnerabilities, such as out-of-office notifications. Hackers know that employees working from home are often easier targets because they may be more eager to act on requests without verifying them.
It is a vulnerability that many companies have not addressed. Social engineering hackers use this vulnerability to their advantage.
Indeed, social engineering is one of the primary attack vectors affecting the retail sector, especially phishing, one of the dangers of which is that a successful attack can lead to further cyber-attacks on the target organisation or individuals and businesses linked to the compromised data.
A successful account takeover using social engineering can allow cyber-criminals to make fraudulent purchases, steal confidential customer information, such as credit card details, or commit further phishing or spear phishing attacks—a specific and targeted email spoof attack.
Those engaged in “spear phishing” have done their research, choosing the target(s) carefully before creating the spear phishing email using the information gathered and social engineering techniques aimed at infecting the victim with malware or tricking them into revealing sensitive and potentially lucrative information.
Training
Understanding these threats is one thing but putting robust and meaningful training in place is another. Merely establishing a security awareness programme isn’t enough—companies have to ensure that the programme actually changes behaviour for the better.
According to the most recent Verizon Data Breach Investigation, 82 per cent of breaches involve a human element, so it follows that while all employees have a major role to play in the prevention of cyber-attacks, companies have a responsibility to provide regular and robust cyber-security awareness training to the entire workforce. Many companies think annual training is sufficient, but this doesn’t even come close to providing the level of reinforcement employees need.
They need to continuously assess the state of employees’ knowledge, analysing their responses to real-world cyber incidents, and reinforcing what they learn with consistent and engaging educational content. Too many companies treat cyber-security training as a tick box and compliance-driven exercise—a routine form of due diligence that shows clients and customers they’re doing something to address cyber-threats. They may hold a meeting or an event on cyber-security once a year, but that’s about it.
But how do they hold on to this essential knowledge? According to Dr Nicola Harding, CEO of We Fight Fraud (WFF), “Cyber-crime is everyone’s problem, but no one’s responsibility.”
“It is time to think outside of the tick box,” said Dr Harding, who works alongside WFF founder and chief innovation officer Tony Sales.
WFF is a consultancy specialising in financial crime prevention, which includes testing organisations for the vulnerabilities that criminals will use to attack. It takes a holistic view of human behaviour and cyber-attacks to help businesses better protect themselves from incoming scams, including those from the unsuspecting members of their own teams who could have been compromised by a socially engineered scam.
“All attacks are different and should be treated as such because it is about the individuals involved,” said Tony Sales who was once described by The Sun newspaper as Britain’s most prolific fraudster.
“The problem is that we put the issue into a silo, when in fact we should look at the facts of each case—what the member of staff did or did not do—for example, using their personal phone for work or unsuspectingly opening an attachment that allows a scammer in.”
“It could be a little-and-often approach, gathering pieces of information each time, and it is only by understanding how these human vulnerabilities can be exploited that we can help bullet-proof a business,” he said.
Dr Harding, who is also a Criminologist at the University of Lancaster, added: “When we think of digital attacks such as ransomware or denial of service, we immediately assume that the scammers are driven by monetary considerations, but they understand the true value of what they are gaining access to—the data value. They know they can sell this information on.”
“And, once you have been a victim once, it is like having a target on your back because they will come back time and time again.”
She said that a data breach at IBM in 2023 cost more than £4.5 million in total when you consider the cost of rectifying the issue, fines for allowing it to happen, the reputational loss, and the hit on the share price.
“IBM is a large company with deeper pockets, but smaller enterprises with less of a runway could be sunk by such a social-engineered scam.”
“The only way to protect the business is to make your staff your biggest line of defence. By having your employees on point in terms of preparedness, it could save your business millions.”
WFF argues that “tick box” cyber training will not deliver the protection because the complex information cannot be retained.
“You need measurable, and demonstrative changed behaviour,” added Tony.
Gamification
To this end, WFF has teamed up with gamification specialists Ailuna to change the narrative around cyber-resilience education. It achieves this by moving away from a largely ineffective annual compliance training approach to one where employees learn through play and their own personal avatars.
The app-based platform uses gamification and rewards to change the habits of users, better protecting employees, customers, and consumers from the wiles of hackers attempting to influence them through social media, for example.
It’s a little-and-often learning journey that is habit-building and therefore sustainable in terms of new improved behaviours.
“It’s about changing the old habits one at a time rather than trying to boil the ocean by learning everything about cyber-crime in one go,” said Ailuna CEO and co-founder Lars Ronning.
The idea behind Ailuna first came to co-founders Lars and partner Helene in 2018, but back then the focus was not on cyber-crime, but environmental sustainability and learning to protect the planet.
“We’ve always been committed to being good citizens and good inhabitants of the world, but until a couple of years ago we did not think about sustainability as an art form or our journey,” he said.
“So, my wife Helene and I decided to change the diet by going vegetarian. We significantly reduced our single-use plastic, made changes to the insulation in our house, and also purchased an electric car.”
“We couldn’t find an app or platform that could help regular people like ourselves adopt a more sustainable way of living and build better habits. So, we decided to build one. And that’s really how Ailuna came about. Ailuna is Hawaiian and means “upwards, up there, aiming high towards the moon”—so aiming high is what we do.”
“Traditional learning has its place, but after a period of days you will forget what you have learned. The gamification approach builds better behaviours by changing our habits through bite-sized learning.”
“I had read a book called Atomic Habits by James Clear which describes the approach perfectly—we change our behaviours one step at a time,” he continued.
After meeting the WFF team, they realised there were synergies between gamification and nudge training towards more sustainable living and helping businesses to embed better behaviours when it comes to cyber-security.
“This portfolio of actions could be around their use of passwords, tidying their desks before they start work and when they finish, or making sure they are aware of the safe Wi-Fi protocols where they are working. By doing it through this approach, the changes they make in their everyday habits become sustainable behaviour changes.”
“The approach then rewards people for better behaviours through points which can be redeemed against tangible benefits they can relate to—boosting their credit scores, for example.”
“Ailuna is a standalone app, but soon it will also be available as components that can be embedded via APIs in a retail business or bank’s own apps/websites. This solves the hesitance that some businesses could have against deploying “yet another app”. In summary, Ailuna is becoming the platform that protects the individual and the entity they work for,” added Lars.
WFF’s Dr Harding added, “Human behaviour can help or hinder a cyber-criminal, which is why we are excited about the work we are doing with Ailuna. Social engineering means the crime now comes in different packages and those perpetrating it are as likely to be wearing a suit as a hoodie.”
“We need the new guards on the “door” to help everyone protect the business, rather than cyber-crime being put into a silo.”
Mandatory Fraud Repayment
WFF has recently been involved in the making of a documentary around the new game-changing mandatory fraud repayment rules to tackle Authorised Push Payment (APP) scams—probably the fastest socially-engineered cyber-crime across Europe.
Under the new rules which came into force in October, payment service providers (PSPs) such as PayPal and Worldpay will be 50 per cent liable, along with the customer’s banks, for compensating victims of APP cyber-crime—where a scammer manipulates a customer into paying money into a new account controlled by them, as part of a pretence that they are from the bank’s fraud team and the customer’s account has been compromised.
The new reimbursement rules—providing compensation up to a total value of £85,000 per individual—are designed as a game-changer to incentivise the industry to get tougher on cyber-crime by designating the socially engineered crime as a non-acceptable loss.
Fighting cyber-crime is not the preserve of the IT crowd but the job of the entire business—whether they work in the office or remotely.
It is their potential bad behaviours that encourage the bad behaviours of others—the phishers and fraudsters looking to get their hooks into the vulnerable and human underbelly of the business. Cyber-crime is like business itself—it’s not personal, but it is personnel who help facilitate it and must play a role in preventing it.