Online retail is hot, as consumers and organizations are increasingly turning to their computers and the Internet to buy products and services.
Indeed, out of total 2015 holiday-season sales of $626 billion, $105 billion was from online and other non-store purchases, an increase of 9 percent. That enormous amount of money provides plenty of motivation for retail scammers.
Unfortunately, from worthless gift cards to bogus promotions, the retail industry is hit with fraud at every turn. This blog looks at several different kinds of retail-related scams, many of which are aimed at organizations. You’ll find out why organizations make good targets and how potential victims are fighting back. You’ll also pick up tips to protect you and your employees from falling for such scams.
A Sampler of Recent Scams
Let’s look at some of the retail scams that are proving lucrative for thieves. These are the types of scams you and your employees are likely to encounter, including gift card scams, promotion/discount scams, and bogus account credit scams.
Gift Card Scams
Gift cards are a multi-billion-dollar industry in the U.S., reaching about $124 billion in 2014, according to research firm TowerGroup. So it’s not surprising that gift card scams are alive and well.
There are two main types of gift card scams: those that target cards you sell at a brick-and-mortar store, and those that arrive by email or the Web.
Brick‐and‐mortar store scams: In a store, retailers most often display gift cards on a rack. A crook can easily jot down card numbers and the toll-free numbers found on the back of cards, or scan the magnetic strip on the card with a portable scanner. Then all it takes is dialing the toll-free number every day or two, entering each card number, and checking the balance. Once a customer buys a card and loads it with money, and the sales clerk or customer activates the card, the crook can quickly use the card to shop online, draining the balance in minutes.
Unfortunately, retailers must also keep a close eye on sales clerks. A deceptive clerk might keep a stash of used, inactive cards at the register. When a customer buys a card, the clerk takes the payment, activates the new card, and hands a worthless card back to the customer. Or, when a customer attempts to use a gift card, the clerk may pretend the card has no balance and offer to throw it away. After the customer leaves, the clerk slips the card into his or her pocket and shops online later.
Web-based scams: Some clever cyber thieves are taking advantage of gift card exchange websites such as CardCash.com and GiftCardRescue.com. These sites are popular because of the large number of gift cards that sit in sock drawers, unused, every year. CardHub estimated in 2014 that there was $44 billion in unredeemed gift cards in the U.S. Customers can sell or exchange gift cards for a little less than the value of the card. Seeing an opportunity, scammers have used stolen credit cards to buy a bunch of prepaid gift cards and then flip them on the card exchange sites.
Although gift card exchange scams are pretty run-of-the-mill as far as theft goes, some Internet scams are much bolder and more sophisticated. In recent years, scammers set up fraudulent Facebook pages with phony gift card giveaway offers. These pages used logos from well-known companies such as Best Buy, IKEA, Walmart and Whole Foods to entice victims to become fans in order to win cards. However, the registration links on the pages usually directed users to affiliate marketing sites that collected personal data for marketing purposes. The scammers in a recent Whole Foods gift card promotion attempted to collect sensitive information for identity theft purposes.
Fancy gift card packaging doesn’t always thwart a crook. Depending on how a card is packaged, a scammer can carefully pry the gift card out and then put it back after stealing the concealed numbers.
Because Facebook has more than 1.9 billion users worldwide and a social networking focus, scams on the platform can be highly successful, and quickly. The IKEA scam lured more than 70,000 Facebook users before the pages were removed. In that case, the scammers created urgency — quite successfully — by stating “only available for one day.”
Another way to draw victims to rogue web pages or sites is to use typo-squatting. Scammers set up a fraudulent site, using a domain name that’s just a character or two different from a legitimate social or company site. When a person mistypes the web address (domain name), he or she is directed to the fraudulent site, which looks very much like the intended site. The user is asked to complete a survey that gathers the person’s name, address, phone number and other personal information. Upon completion, the person is promised a free gift card. The person, now a victim, either never receives a card, or receives one that is worthless.
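For defenders, the "character or two different" pattern described above can be checked mechanically. The following is an added example, not part of the original article: it flags observed domains that sit within two edits of a protected brand domain. The domain names are hypothetical and the two-edit threshold is an assumption.

```python
# Protected brand domains (hypothetical; .example is a reserved TLD).
PROTECTED = ["bigretailer.example", "giftcards.example"]

# Constructed sample of domains seen in proxy logs or a new-registration feed.
OBSERVED = [
    "bigretailer.example",   # the legitimate site itself
    "bigretialer.example",   # two adjacent letters swapped
    "bigretaler.example",    # one letter dropped
    "giftcardz.example",     # one letter substituted
    "gardening.example",     # unrelated
]


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition (e.g. "ai" typed as "ia") is one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def lookalikes(observed, protected, max_edits=2):
    """Return (domain, nearest protected domain, distance) for near-misses."""
    hits = []
    for dom in observed:
        dom = dom.lower().rstrip(".")
        if dom in protected:
            continue  # exact match is the real site, not a look-alike
        nearest = min(protected, key=lambda p: osa_distance(dom, p))
        dist = osa_distance(dom, nearest)
        if dist <= max_edits:
            hits.append((dom, nearest, dist))
    return hits


if __name__ == "__main__":
    for hit in lookalikes(OBSERVED, PROTECTED):
        print(hit)
```

Hits from a check like this are candidates for blocklisting at the web proxy or for a takedown request to the registrar.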
Promotion scams come in many different flavors. A scammer may send a phishing email offering something very attractive — for example, free tickets on well-known airlines, free meals at popular chain restaurants, or a free smartphone or tablet. Getting this prize just requires clicking the link and registering. But of course, there’s no prize — just harvesting of information.
Promotion scams are sometimes targeted to specific people in organizations, such as the president or CEO. In such cases, the lures include more upscale items, such as flights on private jets or complete vacation packages. The scams generally have the usual result — the victim either willingly enters sensitive information in a rogue website, or the victim’s PC becomes infected with malware that harvests data in the background.
Discount scams work much like promotion scams: They offer products or services — in this case, at a discount — but usually don’t deliver. One of the most prolific discount scams involves office supplies, bilking millions of dollars from organizations every year. In the pre-Internet days, scammers routinely called small organizations and purchasing departments, selling bogus copier and printer toner, paper, and maintenance contracts. Now they send emails. Because consumables often wind up in the wastebasket or recycling bin, or hidden away in filing cabinets forever, companies are motivated to reduce those expenses. When an email arrives claiming to save you 85 percent on printer toner, for example, it’s easy to fall for the trap.
Office supply scams have a variety of purposes. Some are phishing emails, designed to gather personal information, usually for marketing purposes. You can spot these fairly easily because you’ll often get two or more similar emails within 24 hours of each other. The first part of each email address looks like an office supply company. However, neither domain name comes up in an Internet search, nor do they correspond with any supply company.
In other cases, a scammer may accept your order and credit card payment but send nothing in return. Or the scammer might send you your first order, as expected, and after that send inferior-quality products, increase the price substantially, or send and bill you for mystery shipments that you didn’t order. Some scammers simply begin sending regular invoices without sending any products, and they use bullying tactics to get you to pay those bogus invoices.
Bogus Account Credit Scams
It’s fairly easy for criminals to steal an organization’s identity. A person or fraudulent company can usually garner enough information from Yellow Pages ads and an organization’s website to pull off this kind of heist. At a very basic level, the criminal doesn’t need much more than a prepaid cellphone and a post office box number to go into business.
Hiding behind the anonymity of the Internet, such fictitious organizations are able to open credit accounts, buy goods and services, and shut down well before the first credit statement arrives.
According to the CyberSource 2015 Online Fraud Report, the most effective method of fraud management used by merchants within the “validation services” category is the order history check. The next two methods are contacting customers to validate orders and getting the card verification number (CVN) of a credit card.
Financial websites such as PayPal contribute to the problem. Using PayPal is generally a safe way for consumers and organizations to make online payments, and millions use it regularly. However, almost anyone can open a PayPal account, and it takes little time if you have the required information. It’s also difficult for legitimate organizations to know if the company they’re dealing with via PayPal is legit.
PayPal requires some personal information, an email address, proof of identity, a telephone number, and bank account information. All of this is easy for a savvy scammer to provide. For example, a scammer can use a fictitious name and address, and set up a free email account on Hotmail, Yahoo or Gmail. The telephone number can be a prepaid cellphone number or a Voice-over-IP (VoIP) account number, such as a Skype number. Many banks let you set up an account online by simply scanning your ID (which in this case will be fake). The scammer can verify his or her identity by acquiring a fake credit card, a virtual credit card, or a prepaid debit card. It may take some prep work, but the rewards can be great and the bad guys have this down.
How to Avoid Retailer Scams
How can organizations defend against devious and sophisticated fraudsters? Education. The more you and your employees know about the individuals and companies wanting to do business with you, as well as the potential scams you could fall for, the better equipped you’ll be to recognize and control fraud risk. Cybercriminals are global, and many are well organized and experienced. Learning their game plan helps level the playing field.
Gift Card Scam Protection
Comdata, a major processor of gift cards, recommends that retailers run exception reports regularly to uncover “prolific users.” These are individuals or companies that make several calls per month or inquire on multiple cards from the same computer. Retailers can block access to those cards until any problems are clarified or resolved.
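An exception report of the kind described above can be built directly from balance-inquiry logs. The following is an added example, not code from the original article or from Comdata: the log format, sample records and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample balance-inquiry log; every value is made up.
# Fields: timestamp, channel, source (caller ID or client IP), card number.
SAMPLE_LOG = """\
2016-03-01T09:12:00,ivr,+15550100,6001000000000001
2016-03-03T09:15:00,ivr,+15550100,6001000000000002
2016-03-05T09:11:00,ivr,+15550100,6001000000000001
2016-03-07T09:14:00,ivr,+15550100,6001000000000003
2016-03-09T09:10:00,ivr,+15550100,6001000000000002
2016-03-04T18:30:00,web,198.51.100.7,6001000000000009
2016-03-11T14:00:00,web,203.0.113.25,6001000000000004
2016-03-11T14:01:00,web,203.0.113.25,6001000000000005
2016-03-11T14:02:00,web,203.0.113.25,6001000000000006
"""

# Assumed thresholds; tune them against normal customer behaviour.
MAX_INQUIRIES_PER_MONTH = 4
MAX_DISTINCT_CARDS = 2


def exception_report(log_text):
    """Return {(source, month): details} for sources that look like prolific users."""
    counts = defaultdict(int)  # (source, month) -> number of inquiries
    cards = defaultdict(set)   # (source, month) -> distinct cards queried
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _channel, source, card = (f.strip() for f in line.split(","))
        month = datetime.fromisoformat(ts).strftime("%Y-%m")
        counts[(source, month)] += 1
        cards[(source, month)].add(card)
    report = {}
    for key, n in counts.items():
        reasons = []
        if n > MAX_INQUIRIES_PER_MONTH:
            reasons.append("inquiry volume")
        if len(cards[key]) > MAX_DISTINCT_CARDS:
            reasons.append("multiple cards")
        if reasons:
            report[key] = {"inquiries": n, "cards": sorted(cards[key]), "reasons": reasons}
    return report


def cards_to_block(report):
    """Cards whose access should be held until the flagged activity is resolved."""
    return sorted({c for entry in report.values() for c in entry["cards"]})
```

Grouping by caller ID or client IP is only as reliable as that identifier, so a production report would also key on any device or session identifier the processor records.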
Promotion and Discount Scam Protection
As you know by now, it’s important to think before you click. If a promotion or discount is out of the ordinary, it’s probably a scam.
To prevent discount office supply scams, route all purchasing through a designated employee. The employee should issue each supplier a purchase order (PO) with a PO number and manager’s signature. This person should also inform the supplier that all shipments must include the PO number on the invoice and packing list, or the shipments will be refused.
If you find yourself in the middle of a scam, don’t pay the invoice and don’t return any unordered supplies. Contact one of the following for assistance:
* Your state attorney general
* Your county or state consumer protection agency
* The Better Business Bureau
Bogus Account Credit Protection
As mentioned previously, running a credit history check is one of the best methods of authenticating a business-to-business (B-to-B) credit application. An organization should verify and validate all information on an application, including personal guarantors. It’s best to check credit application information against several sources rather than rely on a single resource.
Stu Sjouwerman is founder and CEO of KnowBe4, which has teamed with world-renowned hacker Kevin Mitnick to help organizations manage the problem of cybercrime social engineering tactics through new school security awareness training. Sjouwerman is also the author of four books including his latest, “Cyberheist: The Biggest Financial Threat Facing American Businesses.”