The 2004 holiday shopping season is behind us, and retailers are breathing a sigh of relief in the mistaken assumption that once Santa slithers back up the chimney, the risks for fraud go down again until Black Friday, 2005.
Unfortunately, online fraud is not seasonal. Rather, its peak times tend to vary in different types of business. Jewelry purveyors, for example, hit their high fraud points around Valentine's Day and Mother's Day, whereas office supply stores see a spike around the back-to-school season at the end of August and beginning of September.
This month, Internet fraudsters are preying on Americans' patriotism by offering bogus inauguration memorabilia. Auction sites are also feeling the pinch with Super Bowl-related rip-offs. But no business has a safe season when it comes to online fraud, because fraudsters don't take vacations.
The Hurrier They Go, the Behinder They Get
Naturally, savvy retailers take steps to combat Internet fraud, but keeping one step ahead of the latest scams is akin to safeguarding computers from the latest virus. As soon as a fraud-prevention technology debuts, illegally minded computer geeks are hard at work figuring out a way around it. And while the image of a hacker calls to mind a loner frantically tapping at the keyboard, the reality is that there is a community of fraudsters who share information in real time.
"Fraudsters figure out a way to defeat the latest technology, then post the techniques in online newsgroups," said Julie Ferguson, co-chair of the Merchant Risk Council and co-founder of ClearCommerce Corp., a provider of fraud prevention and payment processing solutions for online retailers. According to Ferguson, the locations of the newsgroups or online bulletin boards accessed by the cyber-thieves change daily, which makes tracking them down a real challenge.
The Merchant Risk Council (www.merchantriskcouncil.org), which pursues new technology to enable e- commerce merchants to guard against fraudulent activity, will take a screen snapshot of any site that details ways to circumvent a particular retailer's anti-fraud mechanism and inform that retailer.
The problem of staying ahead of the fraudsters is compounded by the fact that so much of the fraud takes place in foreign countries, where law enforcement is often ineffective in combating this type of theft.
How Scams Operate
Many online scams are variations of brick-and-mortar rip-offs, but there are original ones designed just for the Internet as well. And of course, as technology advances, so do the tools that cyber-thieves have to work with.
A relatively new way of getting credit card numbers for use in illegal online transactions is to take a photograph of the front and back of the card using a cellular picture phone. These phones can be purchased anonymously for less than $100. With a picture phone, fraudsters don't even need to touch the card, and the person to whom it belongs may not know the card is being misused until the bill comes. A snapshot of both sides of the card even gives the fraudsters the CVV2 code, which many e-tailers request to verify that the person placing the order actually has possession of the card.
Scammers also get credit card information through a method called phishing. Phishing involves sending an unsolicited e-mail that appears to be from a legitimate company, such as a bank or an online auction site, and requesting that the cardholder verify credit card information. When cardholders click on the link, they are taken to the cyber-thief's site, where all the information they enter is captured and reused for illegal purposes. Some of these spoof e-mails can be identified by poor grammar or by the fact that the account holder is addressed as "Dear Customer" rather than by name, but many of the e-mails look legitimate.
Even if an account holder doesn't fall for the request to enter credit card information, the action of clicking on the site link can sometimes allow Trojan software to be placed on the user's computer. This software in effect hijacks the computer, allowing the cyber-thief to place orders that look as though they are coming from a legitimate IP address.
Prison inmates are active participants in phishing scams. They have plenty of time on their hands, as well as access to telephones and sometimes computers, and many of them are established thieves. So getting in on Internet scams is a natural. They will often phish for credit card information by calling cardholders directly, and they then use the cards to make purchases that they have sent directly to the prison, a halfway house, or a confederate's address.
Online scammers can escape a merchant's notice by giving a U.S. shipping address, then having the freight company reroute the shipment to a foreign address. The diversion of shipments can also occur by means of the "second address line" scam.
With this method, thieves use a stolen credit card to place an order and give a partially legitimate street address-say, the house number followed by gibberish. Having the correct house number allows for a partial address verification to take place, which lulls the computer program into thinking that the transaction is legitimate. On the second address line, however, the fraudsters place the real address to which they want the merchandise shipped.
Delivery software will pick up the good address on the second line and will ignore the first line. If the thief includes the cardholder's city and state but inputs the zip code that corresponds to the second line address, delivery programs often make the correction automatically and send the products just where the scammer wants them.
There are many more scams that target e-tailers, and fraudsters think up new ones every day. Online retailers will sometimes be victimized, but they can take steps to combat the fraud. According to the Merchant Risk Council's Ferguson, there are three ways to fight online fraud:
- by building an in-house solution;
- by outsourcing the software creation to a service bureau; and
- by purchasing a software package and installing it in-house.
In other words, technology is the solution. E-commerce sites must take advantage of every fraud-fighting tool available in order to triumph over the scammers. Small merchants can scrutinize every transaction for inconsistencies a software program might miss. If something doesn't look right, smaller e-tailers should take the same precautions they would with a telephone order, such as calling the bank or the customer to verify card and order information, or even calling 411 to see whether the customer's listed address jibes with the one given in the online order.
E-tailers should also verify that the delivery address is not one that belongs to a prison or halfway house. An online reverse telephone directory can be consulted for this information.
Medium and large merchants can benefit by using a software program that comes from a company such as ClearCommerce or CyberSource. These companies serve thousands of customers, so they can pick up on fraud patterns that a single retailer won't learn about unless they've been victimized by a particular scam themselves.
A good software program creates a list of IP addresses associated with fraudsters and will not process orders placed from those addresses. However, with computer hijacking, the thieves are beginning to figure out how to get around that list, too.
The ultimate solution, Ferguson says, is that "e-tailers must be as organized as fraudsters."
About the author: Liz Martinez is a security expert and the author of The Retail Manager's Guide to Crime and Loss Prevention: Protecting Your Business from Theft, Fraud and Violence (2004, Looseleaf Law Publications). She is a member of ASIS International and an instructor at Interboro Institute in New York City. Ms. Martinez can be reached through her Web site at www.RetailManagersGuide.com.