Last year, Cyber Monday reached a new record of $6.6 billion in sales. Black Friday and Thanksgiving Day were close behind at $5.03 billion and $2.87 billion respectively. No doubt it’s the most important season for retailers, and for some, the sales generated from holiday shoppers get them through the rest of the year. While retailers may have visions of sugar plums dancing in their heads just thinking about their upcoming success this season, cyber criminals are planning to generate a nice bit of revenue from retailers’ campaigns too.
Let’s unpack three facets that cyber criminals are using to defraud retailers and consumers.
Face 1 – Stealing Money from Online Retailers and their Customers
The most popular fraudulent activities in this facet include refund scams, carding, eGift cards, credit card leaks, and customer accounts for sale.
- Refund scams – retailers want to make the refund process simple for online shoppers so they are not deterred from making a purchase online. Cyber criminals take advantage of this by finding ways to exploit the process to get a refund without returning the item, or without ever purchasing one. Sometimes the fraudster is an employee of the business with the access needed to push through a fraudulent refund. These frauds are usually sold on the dark web as a service, where the fraudster processes the refund for a percentage of the total refund, or as tutorials so the buyer can submit the refund themselves.
- Reselling eGift cards and barcodes – Cyber criminals use illegitimate means to obtain barcodes, vouchers, and gift cards; items are generally stolen or purchased from an employee and resold for a profit.
- Credit card and customer accounts for sale – customer accounts are also money makers for cyber criminals. This may include a hacker who unlawfully accessed a database of customer accounts, or who purchased a dump of accounts and is reselling them. Access allows the cyber criminal to log in as the customer and purchase items using the credit card information stored on file in the online store.
Face 2 – Streaming / Hijacking Entertainment Sites
During the fall season, many people gather around the big screen to watch football, whether rooting for their favorite NFL or college team or tracking their players in a fantasy football league or other online sports betting. Since many fans want to watch games that are not broadcast in their area, they turn to online streaming sites, and to gambling sites ahead of an upcoming game.
Of course, it’s not just football; it’s hockey, soccer (the World Cup), basketball; the list of sporting events is endless. Die-hard fans trying to watch games will assuredly come across bogus websites offering free streaming; all they have to do is click “start watching for free”, which redirects them to a payment portal. Because the site impersonates a legitimate streaming service, eager fans proceed to enter their credentials. At this point, the cyber criminal has that person’s credentials, whether Facebook or Gmail credentials or something made up altogether. Either way, it’s something they can use to attempt to break into bank accounts, email accounts, and other online accounts.
This same scheme is used for the bogus gambling sites. In this regard, the faces of fraud in the entertainment industry are practically endless.
Face 3 – Phishing
Copycat phishing sites, websites that mimic a legitimate site’s design, images, login page, and so on, are rampant on the Internet. In fact, researchers have found more than 12,000 copycat domains aimed at the top 20 US retailers. That means that for each legitimate retail website there are 600 look-alike sites! These sites are designed to steal customer traffic away from the legitimate site, steal customer and credit card information, and inject malicious scripts onto the customer’s device. Many of these phishing sites try to fool customers by substituting a couple of characters in the URL so that it closely matches the legitimate domain. They also obtain SSL/TLS certificates so that the browser shows the site as secure, leading consumers to believe it is safe for online shopping.
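The character-substitution trick described above can be caught from the defender’s side by comparing newly observed domains against the brand’s registrable name. The following is an added example and not Cyberint’s code: the brand name “examplemart”, its allowlist, and the feed of candidate domains are all constructed for illustration, and the naive second-level-label split is an assumption (real data needs a public-suffix list).

```python
"""Flag domains that look like a retail brand's domain.

Added example (not Cyberint's code). The brand "examplemart" and every
candidate domain below are constructed for illustration; in practice the
feed would come from certificate-transparency logs or a newly-registered
domain list.
"""
from typing import Dict, List, Tuple

# Confusable sequences commonly seen in look-alike domains:
# "rn" reads as "m", "vv" as "w", "1" as "l", "0" as "o", and so on.
MULTI_CONFUSABLES: Dict[str, str] = {"rn": "m", "vv": "w"}
SINGLE_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s", "3": "e"})


def normalize(label: str) -> str:
    """Fold confusable characters so visually similar labels compare equal."""
    s = label.lower()
    for seq, repl in MULTI_CONFUSABLES.items():
        s = s.replace(seq, repl)
    return s.translate(SINGLE_CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'examplemart' for 'shop.examplemart.com'.
    Assumption: single-label TLDs only; use a public-suffix list for real data."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, brand: str, allowlist: List[str]) -> Tuple[str, str]:
    """Return (verdict, reason) for one candidate domain."""
    d = domain.lower().strip(".")
    if d in allowlist or any(d.endswith("." + a) for a in allowlist):
        return ("legitimate", "allowlisted domain or one of its subdomains")
    label = registrable_label(d)
    if label == brand:
        return ("lookalike", "brand name on an unexpected TLD")
    if brand in label:
        return ("lookalike", "brand name embedded in a longer label")
    if normalize(label) == normalize(brand):
        return ("lookalike", "confusable-character substitution")
    dist = levenshtein(label, brand)
    threshold = 1 if len(brand) < 8 else 2  # short brands tolerate fewer edits
    if dist <= threshold:
        return ("lookalike", f"edit distance {dist} from brand")
    return ("unrelated", "")


def scan(candidates: List[str], brand: str, allowlist: List[str]) -> List[Tuple[str, str]]:
    """Return only the candidates that need analyst attention, with the reason."""
    flagged = []
    for c in candidates:
        verdict, reason = classify(c, brand, allowlist)
        if verdict == "lookalike":
            flagged.append((c, reason))
    return flagged


BRAND = "examplemart"                 # constructed brand
ALLOWLIST = ["examplemart.com"]       # constructed list of the brand's own domains
FEED = [                              # constructed feed of newly observed domains
    "examplemart.com", "login.examplemart.com", "exarnplemart.com",
    "examp1emart.com", "examplemart-deals.com", "examplemart.net",
    "exampemart.com", "weather.com",
]

if __name__ == "__main__":
    for domain, reason in scan(FEED, BRAND, ALLOWLIST):
        print(f"{domain:28s} {reason}")
```

Each flagged domain is a candidate for a takedown request or a block at the web proxy and mail gateway, and the reason string tells the analyst which trick was used.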
Another facet of this type of attack is mobile apps. Growth in e-commerce today is primarily driven by purchases made on mobile devices. In 2017, 58.9% of e-commerce sales were made on mobile devices, and that share is expected to exceed 70% by 2020. Cyber criminals are aware of this trend and lure unsuspecting consumers with malicious mobile apps that impersonate legitimate apps. These malicious apps have the same goals as the copycat websites: steal traffic and customer data, and inject malware. Once the malware is installed on the phone, it can be used to harvest personal and financial information.
Finally, sites that are not authorized to sell brand products create issues for brand owners and authorized sellers of those brands. Some retailers have strict pricing policies for their products that authorized resellers must adhere to. If an unauthorized seller is offering products for less, this can impact the authorized seller’s ability to compete as well as undermine the value perception of the brand. This problem also extends to counterfeit products. Perfume and fragrances are common counterfeit products, as are sporting goods, bags, purses, shoes, and other fashion apparel. Skechers, a popular footwear brand, recently took Flipkart, the online marketplace, and four sellers on its platform to court over counterfeit products.
Protect Your Holiday Campaign
Businesses rely too much on holiday revenue, and put too much effort into preparing campaigns, to let cyber criminals steal revenue and customers without doing anything about it. It’s a matter of making a plan and getting ahead of the curve. These three faces of malicious activity are rampant on the Internet and have intensified during the holiday shopping season in past years. This year will be no different.
The good news is there is something you can do! Don’t just hope for the best: contact Cyberint and find out how safe your e-commerce site is.