WEB AND MOBILE FRAUD
Top Ten Internet Threats to Retailers
By John Wilson, Executive Editor
The U.K. continues to lead Europe in e-commerce sales, with website purchases representing €207 billion according to the latest figures. This represents a 33 percent increase over 2013 - a fact that continues to make these sites a destination target for online fraudsters and scammers. Retailers are at the vanguard of learning that society's move towards digitalisation equates to fraud and theft becoming more complex and harder to defend against.
The Internet has made fraud easier, faster, cheaper, more globalised, and virtually anonymous. Localised crime is becoming a thing of the past and organised large-scale, cross-border crimes are becoming more the norm. This presents a great number of issues with how to investigate, prosecute, and convict organised criminals. Being able to identify and detect the threats the Internet now poses to retailers and suppliers alike has become the number one priority for increasing numbers of retail crime analysts whose job it is to spot and decode the latest cyber-attack scams.
In response to this growing concern, LP Magazine EU has provided a list of ten of the top Internet threats to retailers in Europe:
1. Crimeware Toolkits
Crimeware was the cause of more than 12,000 security incidents in 2013 alone, according to Verizon's Data Breach Study. Crimeware is a type of malware, or malicious software, designed to automate cyber-crime. It takes on a great deal of forms, with some of the most common being viruses, worms, trojans, spyware, and ransomware.
Much of crimeware is spread via spam messages with malicious links that are designed to mislead people into downloading the dangerous malware. It can also be activated just by visiting an attack website. Malware is designed to steal account credentials and drain bank accounts or damage, delete, or erase individual files or complete disk drives. These cyber-crime toolkits make it easy for criminals to distribute malware with a high degree of success, which is why this is so common.
Malware operates in the background on a computer. It runs automatically and is designed to replicate itself to multiple files on the computer or network. It is commonly spread through emails, instant messenger file transfers, or downloaded files or software.
Worms, another form of malware, cause computers and networks to run slowly enough to be a severe nuisance, with the possibility of deploying malware later on.
Trojan horses are also a dangerous form of malware, as they are completely hidden. They are disguised, typically in the form of a game, joke, or even a tool to rid your computer of viruses. According to Panda Labs, three quarters of all recent malware strains were Trojan applications.
Keystroke logging is a form of spyware, which operates quietly on a computer while keeping a log of the keystrokes typed. This information is then transmitted to a hacker. Hackers then use this information to obtain usernames, passwords, account details, and other sensitive information. They can then access accounts or computers to obtain the information they are seeking.
In August 2012, Qatar-based RasGas saw attacks from malware that shut down its website and email systems. Saudi Arabia's Aramco also experienced this after a virus knocked out 30,000 of its computers. 'Shamoon' and 'Disttrack' are two of the viruses seen targeting the oil and energy sectors. The emergence of a malware called 'Energy Bear' has also been seen targeting energy companies, allowing hackers to have access to energy consumption in real-time. This gives them the ability to control and inhibit power plants, gas pipelines, and wind turbines. According to theolivepress.eu, of the eighty-four countries affected by Energy Bear, Spain has been seeing the highest amount of activity, followed by the United States. The site attributes these attacks to a group called Dragonfly based in Russia.
2. Social Media
In 2013, social media was identified as one of the key emerging trends in retail. It works two-fold, allowing the public to gain information on companies as well as allowing companies to gain information on its customers. It has the power to help businesses identify and investigate crime, but at the same time can harm them by casting a negative light with bad public relations.
According to a recent poll in the United States, 74 percent of employees believe it is easy to damage a company's reputation through social media. With over 300 different outlets today, companies are embracing social media as a loss prevention and investigative tool.
There are 1 billion Facebook users in the world today. This coupled with the ability to research what people are saying about a company or a product has given social media the power to influence company approaches. A staggering 90 percent of consumers believe the reviews they hear from their peers on social media, proving the degree to which people believe what they hear, read, and see.
If social media is left unmonitored, people have the capability to destroy brands no matter how reputable or well known. For example, in 2009 Domino's had a video linked on YouTube of an employee violating health and safety laws by sneezing on a pizza. This led to over 100 million views and the posting of more than 300,000 comments.
By violating the brand's trust with its customers, it severely damaged the company image.
Employees also need to be made aware of the risks associated with over-communicating, which may discredit the brand as well. Accidentally releasing confidential or proprietary information is a real threat and can potentially affect stock prices, profits, or sales revenues. It may be as simple as disclosing information about a manager's behaviour, misdeeds involving the employees, or valuable information about store morale. Such disclosure of information has a wide array of potential consequences.
Lastly, responding and reacting with customers on social media builds brand loyalty, but may also present a potential risk. Another example of social media going wrong occurred in 2011 involving Chrysler's Twitter account. The account was hacked, and a tweet containing explicit language was sent out to its 7,000 followers. This tweet went viral and tarnished the brand.
Attacks of this nature on social media have a variety of reasons behind them, but according to research 51 percent occur for financial gain, 46 percent involve accessing proprietary information, 40 percent involve attempts to gain a competitive advantage, and 14 percent are acts of revenge. All of this shows how social media may not only serve as an effective tool, but also as a potential weapon.
3. Phishing
Fast, cheap, and out of control, phishing attacks continue to plague businesses large and small. Phishing is a type of crime that involves individuals posing as legitimate accounts or services in an attempt to trick a victim into disclosing personal information. They often look official, authentic, and reliable, making it quite hard to distinguish real from fake. Phishing attacks may take on a variety of forms. Some of the most common include companies threatening to take action on an account, pressuring for a reply in a certain time frame, or fraudsters claiming to verify or protect security by asking for confirmation of personal details or account information.
PayPal, the popular online payment service, is the most targeted in phishing scams, with almost 50 percent of all phishing emails in March 2013 targeting PayPal users. Credit card and banking details are still the number one target for criminals, and the most used method of attaining this information is threatening to limit or deny access to a user's account if the information is not submitted.
These attacks can be specialised to target a specific demographic or geographic area. For example, German-language phishing attempts fraudulently abusing the PayPal name have been seen in a significant number of instances, according to commtouch.com.
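The three tactics the article lists (threatening action on an account, pressuring for a reply within a time frame, and asking the recipient to "confirm" or "verify" details) together with brand impersonation can be turned into a simple triage heuristic that a retailer's mail team can run over incoming mail. The example below is added here and is not part of the original article or of any vendor's product; the sample messages, sender addresses and hosts are constructed for illustration, the brand-to-domain table covers only PayPal, and the "two or more indicators" threshold is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for illustration; senders, hosts and text are invented.
SAMPLES = [
    {   # impersonation using all three pressure tactics the article describes
        "sender": "service@paypa1-secure.example",
        "subject": "PayPal: Your account has been limited",
        "body": ("We have limited your account. Confirm your card details within "
                 "24 hours or access will be denied. Click "
                 "http://paypa1-secure.example/verify"),
    },
    {   # ordinary shipping notice from a shop
        "sender": "noreply@example-shop.example",
        "subject": "Your order has shipped",
        "body": "Your order 1234 has shipped. Track it from your account page.",
    },
    {   # genuine-looking brand mail: correct sending domain, no pressure tactics
        "sender": "service@paypal.com",
        "subject": "Receipt for your payment",
        "body": "You sent 12.00 EUR to Example Shop. View the transaction details in your PayPal account.",
    },
    {   # subdomain look-alike: paypal.com.example is not paypal.com
        "sender": "security@paypal.com.example",
        "subject": "Action required on your PayPal account",
        "body": ("Please verify your login details immediately or your account "
                 "will be suspended. Visit http://paypal.com.example/login"),
    },
]

# Assumption: the brands we care about and the domain each genuinely sends from.
BRAND_DOMAINS = {"paypal": "paypal.com"}

THREAT_WORDS = r"(?:limit\w*|suspend\w*|lock\w*|clos\w*|den(?:y|ied|ial)|restrict\w*)"
PATTERNS = {
    # "we have limited your account", "access will be denied"
    "account_threat": re.compile(
        rf"\b{THREAT_WORDS}\b.{{0,60}}\b(?:account|access)\b|\b(?:account|access)\b.{{0,60}}\b{THREAT_WORDS}\b",
        re.I | re.S),
    # "within 24 hours", "immediately"
    "deadline_pressure": re.compile(
        r"\bwithin\s+\d+\s*(?:hours?|hrs?|days?)\b|\b(?:immediately|urgent(?:ly)?|as soon as possible)\b",
        re.I),
    # "confirm your card details", "verify your login"
    "credential_request": re.compile(
        r"\b(?:confirm|verify|validate|update|re-?enter|provide)\b.{0,40}"
        r"\b(?:password|card|account|details?|pin|login|credentials?)\b",
        re.I | re.S),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domain(sender: str) -> str:
    """Domain part of a From address, lower-cased."""
    return sender.rsplit("@", 1)[-1].strip().strip(">").lower()


def is_brand_domain(host: str, brand_domain: str) -> bool:
    """True only for the brand domain itself or a real subdomain of it (not brand.com.evil)."""
    host = host.lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def brand_mismatch(msg: dict) -> bool:
    """A known brand is named, but the sender domain or a linked host is not that brand's."""
    text = f"{msg['subject']} {msg['body']}"
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(text)]
    for brand, domain in BRAND_DOMAINS.items():
        if not re.search(rf"\b{brand}\b", text, re.I):
            continue
        if not is_brand_domain(sender_domain(msg["sender"]), domain):
            return True
        if any(not is_brand_domain(h, domain) for h in hosts):
            return True
    return False


def score_message(msg: dict) -> dict:
    """Count which phishing indicators fire and give a verdict."""
    text = f"{msg['subject']}\n{msg['body']}"
    hits = {name: bool(p.search(text)) for name, p in PATTERNS.items()}
    hits["brand_mismatch"] = brand_mismatch(msg)
    score = sum(hits.values())
    # Assumption: two or more independent indicators is enough to route the mail for review.
    verdict = "suspicious" if score >= 2 else "likely benign"
    return {**hits, "score": score, "verdict": verdict}


def triage(messages):
    """(subject, score, verdict) for each message, for a quick review queue."""
    rows = []
    for m in messages:
        r = score_message(m)
        rows.append((m["subject"], r["score"], r["verdict"]))
    return rows


if __name__ == "__main__":
    for subject, score, verdict in triage(SAMPLES):
        print(f"{score}  {verdict:14} {subject}")
```

The brand check is deliberately strict about subdomains: `paypal.com.example` ends with `example`, not `.paypal.com`, so it fails `is_brand_domain` even though it visually "contains" the brand. Keyword heuristics like these are a first filter for a review queue, not a verdict; genuine mail with an external tracking link will occasionally trip the brand-mismatch rule, which is why the score, not any single indicator, drives the verdict.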
The company EMC fell victim to one of these schemes in 2011 when an employee opened up a malicious Excel file, which allowed external attackers to create a beachhead in its network. The fallout from this attack cost the company $66 million. CNN also fell victim to an attack when its social media accounts and blogs were compromised this year. Their primary Facebook account, Politics Facebook account, and their Twitter pages were attacked. The attacker did this by targeting CNN employees to gain further access to the compromised CNN blogs and third-party publishing platforms based on WordPress and Hootsuite.
Twitter also saw a large-scale data breach from phishing attempts in 2013. Britain's Guardian newspaper was the latest high-profile news site to fall victim to the attacks on Twitter. GuardianBooks and GuardianTravel were affected in particular. They believe these attacks were carried out by the Syrian Electronic Army (SEA). Earlier this year many BBC accounts were targeted as well. This came as a result of a number of fake tweets released from an unofficial Associated Press Twitter account that claimed the White House had been bombed, causing panic and chaos online. As a result, the American stock market stumbled.
In another example, Target was the victim of a malware-laced phishing attack. They believe the malware used was called 'Citadel', a password stealing bot programme derived from a previous banking Trojan malware. A total of 110 million consumers had their data leaked as a result.
4. Online Auction and Fraudulent e-Commerce Sites
Organised Retail Crime (ORC) has been around forever; however, with the introduction of online auction sites, gangs are able to dispose of stolen merchandise in quicker, safer, cheaper, and, seemingly, more anonymous ways. They can do this through online auction sites, such as Gumtree, Amazon, eBay, and others.
Before the Internet, retail theft was a more localised issue with criminals disposing of the goods quickly and locally, making it easier to track and prosecute. However, thieves now have access to a limitless, global consumer base that they can reach quickly and cheaply, maintaining anonymity along the way. This also makes investigations and prosecutions more complex, with crimes stretching across many countries, each with their own rules and regulations.
Today online auction sites have become the more preferred platform for Internet-based retail crime. There are believed to be more than 25,000 auction sites in existence today. eBay, the most successful and well-known site, used to be where thieves went to sell stolen or fraudulent goods, but in more recent times, its Global Asset Protection team has been working closely with retailers and law enforcement to disrupt criminal activity on the site, resulting in a number of high-level international prosecutions.
Criminals are also disposing of stolen goods via their own fake e-commerce websites, posing as the legitimate company. Goods sold via these sites range from small amounts of merchandise and gift cards stolen by employees and petty shoplifters to large scale ORC heists. Online auction and fraudulent e-commerce sites make retail crime more complex, mixing both authentic and fraudulent goods.
5. Data Breaches
According to Verizon's Data Breach Study, 2012 yielded 2,644 data-breach incidents worldwide. This is believed to only account for 10 percent of the actual cases, with 97 percent of these breaches considered unavoidable. In total 267 million records were exposed. With an average cost of $4.2 million for each breach, the total impact was more than $6.1 billion. It is believed that most of these breaches go unreported due to the companies' hesitation to admit why they keep so much information about their customers in the first place.
Data breaches typically occur in two phases. The first being technical, which involves gaining access to companies' systems to gather their data and software applications. The second phase being the actual exploitation of the data, or using the data to commit fraud. These actions can include theft of data, hijacking of systems, denial of service, and everything in between.
A breach of data can destroy the relationship between a customer and the business due to the perceived betrayal of the customer's trust. This can lead to devastation of the company's reputation as well as data loss and fraud.
One of the biggest data breach examples we have seen in the past ten years is Zappos' incident in January 2012. Unequipped to handle such a blow, Zappos responded with poor internal communications, coupled with unprepared phone lines and employees not equipped to handle such fallout. This response proved quite pricey, as the breach ended up costing them an average of $214 per customer, for an estimated total consequence of $5 billion.
6. Identity Theft
Nowadays, Internet-based fraud is virtually paperless. It removes boundaries, making it easier to morph into various identities. One can mask their true identity and stalk the web with a variety of guises. This has led to a dramatic growth in identity fraud.
Identity theft can be as easy as looking over someone's shoulder at an ATM, or it can be as complex as fraudulently obtaining credit cards and driving licence numbers online. Recently, retailers in the U.K. have been reporting an increase in tutorial videos available on YouTube that provide instructions on how to purchase credit card details online.
7. Machine Error
M2M, or machine-to-machine, services remove human users from the equation. They may eliminate human error, but may instead lead to technical errors and can result in hacking and takeovers. An example of machine error might be an automated, Internet-connected fridge accidentally ordering 1,000 eggs. This could prove costly and could cause a lot of damage and confusion, whereas a human is highly unlikely to make such a mistake.
As society moves more towards machines taking over some tasks rather than relying on actual employees to provide the service, fraud control, customer services, credit and collections, and security teams will have to greatly adapt to take on these challenges. M2M transactions are projected to outstrip conventional mobile network transactions by a significant factor in the upcoming decade according to Mark Johnson from The Risk Management Group.
8. Human Error
Verizon's Data Breach Study suggests that there were 412 confirmed breaches and more than 16,000 security incidents due to human error in 2012. Many of these incidents were associated with a lack of communication, poor controls mitigating business partner risk, as well as process failures. The top three errors seen were mis-delivery of information, publishing mistakes, and disposal errors.
9. Mobile Financial Services
According to Mark Johnson at The Risk Management Group, mobile financial services (MFS) represent the next generation of 'mobile payments' or the 'mobile wallet'.
They offer a wide range of possibilities, from managing money transfers between customers to providing full banking services, including lending and credit. New to our technological society, MFS is still constantly evolving under the heavy influence of mobile providers, mobile operators, and banks. The SIM card in mobile devices now serves as a credit card that not only supports mobile payments of sorts, but also supports phone calls, texts, multimedia streaming, as well as web browsing.
Experience suggests a variety of possibilities regarding how fraud comes into play with the technology, which is still fairly new. Experts believe we will begin to see fraud by consumers in the form of credit card top-ups using stolen credit cards. We will see repudiation fraud in the form of denying responsibility for MFS transactions, and we will also see incidents of identity theft in setting up fake MFS accounts. In addition, organised financial crimes and technical attacks, such as hacking, pose a threat. When an increase occurs in the chain of payments, the percentages for money laundering, terrorist funding, bribery, and corruption increase as well.
10. e-Receipts
As we shift more towards a technologically advanced, paperless society, the way we approach security and loss prevention must evolve as well. In the past decade e-receipts have become more popular in stores; saving money, resources, time, and effort for the retailer. Retailers no longer have to print out a receipt when it can just be as easily emailed to the recipient. Although easier, more convenient, and more cost efficient, these can pose a series of problems.
When a customer leaves the store, they no longer have a physical receipt with them, making it harder to distinguish between valid customers and shoplifters. It puts employees in uncomfortable situations, being unable to distinguish between the two and not wanting to confront customers as a result. It brings a great deal of variability to proof of purchase. It also pits the customer's word against the accuracy and reliability of the technology. A return without an e-receipt can be either a fraud scam or simply a technical error. It leaves the decision up to the employees' discretion, which is a lot more variable than solid proof of purchase.
Tomorrow's Challenges
Technology and the Internet pose many new loss prevention challenges to retailers. They complicate crime, blurring the lines of boundary, identity, and type of offence committed. Criminals are becoming more tech-savvy, in turn further complicating crime and its prosecution. These top ten threats are being seen around the world, and are what experts and analysts of trends suggest the future holds. In order to combat cyber-crime, loss prevention must grow and mutate as well in order to better understand and prevent it.