Even if an account holder doesn't fall for the request to enter credit card information, the action of clicking on the site link can sometimes allow Trojan software to be placed on the user's computer. This software in effect hijacks the computer, allowing the cyber-thief to place orders that look as though they are coming from a legitimate IP address.
Prison inmates are active participants in phishing scams. They have plenty of time on their hands, as well as access to telephones and sometimes computers, and many of them are established thieves, so getting in on Internet scams comes naturally. They will often phish for credit card information by calling cardholders directly, and they then use the cards to make purchases that they have sent directly to the prison, a halfway house, or a confederate's address.
Online scammers can escape a merchant's notice by giving a U.S. shipping address, then having the freight company reroute the shipment to a foreign address. The diversion of shipments can also occur by means of the "second address line" scam.
With this method, thieves use a stolen credit card to place an order and give a partially legitimate street address (say, the house number followed by gibberish). Having the correct house number allows for a partial address verification to take place, which lulls the computer program into thinking that the transaction is legitimate. On the second address line, however, the fraudsters place the real address to which they want the merchandise shipped.
Delivery software will pick up the good address on the second line and will ignore the first line. If the thief includes the cardholder's city and state but inputs the zip code that corresponds to the second line address, delivery programs often make the correction automatically and send the products just where the scammer wants them.
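A merchant-side check for the second-address-line pattern described above, as an added example that is not part of the original article. The field names, the street-word list, the two-signal threshold and the sample orders are all assumptions made for illustration.

```python
import re

# Street-type words (a short, constructed list; extend for real use).
STREET_WORDS = {"st", "street", "ave", "avenue", "rd", "road", "blvd",
                "dr", "drive", "ln", "lane", "ct", "way", "pl"}
NUM_THEN_TEXT = re.compile(r"^\s*(\d+)\s+(.+)$")

def house_number(line):
    """Leading house number of an address line, or None."""
    m = NUM_THEN_TEXT.match(line or "")
    return m.group(1) if m else None

def looks_like_street(line):
    """True for 'number + text' where the text contains a street-type word."""
    m = NUM_THEN_TEXT.match(line or "")
    if not m:
        return False
    return any(w in STREET_WORDS for w in re.findall(r"[a-z]+", m.group(2).lower()))

def second_line_flags(billing, shipping):
    """Reasons a shipping address matches the second-address-line pattern."""
    flags = []
    num = house_number(shipping.get("line1"))
    if num and num == house_number(billing.get("line1")) \
            and not looks_like_street(shipping.get("line1")):
        flags.append("line 1: cardholder's house number, no recognizable street")
    if looks_like_street(shipping.get("line2")):
        flags.append("line 2: holds a complete street address")
    same_city = (shipping["city"], shipping["state"]) == (billing["city"], billing["state"])
    if same_city and shipping["zip"] != billing["zip"]:
        flags.append("city/state match the cardholder but the ZIP code does not")
    return flags

def needs_manual_review(billing, shipping, threshold=2):
    """Hold the order for a human when enough signals coincide."""
    return len(second_line_flags(billing, shipping)) >= threshold

# Constructed sample data, not real addresses.
BILLING = {"line1": "1428 Elm St", "city": "Springfield", "state": "IL", "zip": "62704"}
FRAUD_SHIP = {"line1": "1428 xqzv jkl", "line2": "77 Harbor Rd",
              "city": "Springfield", "state": "IL", "zip": "60614"}
LEGIT_SHIP = {"line1": "1428 Elm St", "line2": "Apt 4B",
              "city": "Springfield", "state": "IL", "zip": "62704"}

if __name__ == "__main__":
    for name, ship in (("fraud-pattern", FRAUD_SHIP), ("legitimate", LEGIT_SHIP)):
        print(name, needs_manual_review(BILLING, ship), second_line_flags(BILLING, ship))
```

Running the check before the order reaches delivery software matters because, as noted above, that software may silently correct the address in the thief's favor.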
There are many more scams that target e-tailers, and fraudsters think up new ones every day. Online retailers will sometimes be victimized, but they can take steps to combat the fraud. According to the Merchant Risk Council's Ferguson, there are three ways to fight online fraud:
- by building an in-house solution;
- by outsourcing the software creation to a service bureau; and
- by purchasing a software package and installing it in-house.
In other words, technology is the solution. E-commerce sites must take advantage of every fraud-fighting tool available in order to triumph over the scammers. Small merchants can scrutinize every transaction for inconsistencies a software program might miss. If something doesn't look right, smaller e-tailers should take the same precautions they would with a telephone order, such as calling the bank or the customer to verify card and order information, or even calling 411 to see whether the customer's listed address jibes with the one given in the online order.
E-tailers should also verify that the delivery address is not one that belongs to a prison or halfway house. An online reverse telephone directory can be consulted for this information.
Medium and large merchants can benefit by using a software program that comes from a company such as ClearCommerce or CyberSource. These companies serve thousands of customers, so they can pick up on fraud patterns that a single retailer won't learn about unless they've been victimized by a particular scam themselves.
A good software program creates a list of IP addresses associated with fraudsters and will not process orders placed from those addresses. However, with computer hijacking, the thieves are beginning to figure out how to get around that list, too.
The ultimate solution, Ferguson says, is that "e-tailers must be as organized as fraudsters."
About the author: Liz Martinez is a security expert and the author of The Retail Manager's Guide to Crime and Loss Prevention: Protecting Your Business from Theft, Fraud and Violence (2004, Looseleaf Law Publications). She is a member of ASIS International and an instructor at Interboro Institute in New York City. Ms. Martinez can be reached through her Web site at www.RetailManagersGuide.com.