To keep a step ahead of the bad guys on the Internet, Ezzie Schaff tries to greet them coming and going. Schaff is vice president of risk management for jewelry retailer Ice.com, where the average order value is close to $200, and he’s come to realize that it’s best to engage criminals at multiple points-wherever they try to steal customer identities, for instance, or use that information to make fraudulent purchases. Because if he doesn’t, the thugs will win and consumer confidence in online retailing will sink.
“Twenty-four hours a day, seven days a week, we’re constantly searching out new methods to prevent fraud,” Schaff says. His methods so far include using software that monitors the web to find spoofed Ice.com domains before criminals can use the brand in e-mail phishing schemes that try to steal customer account information,
and using a system that flags suspicious transactions and requires the credit-card-wielding would-be purchaser to answer questions that only the authentic credit card holder is likely to know.
On constant alert
Ice.com has already used its risk management tools and policies to thwart one attempted phishing project before it could do any damage using its brand, and it has identified and halted more than 300 orders suspected of fraud this year alone, Schaff says. But though Ice.com has so far avoided an effective fraud attack, it isn’t taking anything for granted. “It’s never happened yet, because we’re on our toes constantly,” Schaff says.
Welcome to the new age of cybercrime. The Internet is no longer just a place for garden-variety crime in which criminals use stolen credit card accounts to make fraudulent purchases, or usually honest consumers dishonestly deny they made a transaction, or whiz kids get their kicks by proving they can crack into consumer databases.
The web has become a base for organized criminals who use the open nature of the web and e-mail systems to steal, or phish for, consumer account information while posing as legitimate retailers and banks, mimicking well-known web sites like eBay.com. They sell the information they gather to other criminals or use it themselves to make fraudulent transactions. Though top of mind recently among many retailers and fraud-fighters, e-mail phishing is only one of several new-age forms of cybercrime. Criminals are also finding ways to plant malicious software onto web sites and computers to capture information, including keystrokes that enter passwords, for use in future fraudulent transactions. Ken Leonard, CEO of ScanAlert Inc., a company that tests web sites for network holes that can let hackers steal information, says that 30% of his clients have network vulnerabilities when they first sign up for service. “The hackers are very busy,” he says.
Evidence is mounting that the new age of cyber- crime is having an impact on retail e-commerce. Research and advisory firm Gartner Inc. reports that one out of three online shoppers in a survey of 5,000 U.S. adults is buying fewer items due to concerns about online fraud, and that 75% are more cautious about where they shop online.
Another study released this summer by the Cyber Security Industry Alliance found that 48% of consumers are avoiding shopping online due to fears that criminals might steal their personal financial information.
“Consumers are rightfully nervous and that will definitely impact online commerce,” says Avivah Litan, vice president and research director at Gartner and author of its online fraud study. She adds that retailers can’t take for granted that surging growth in online transactions will continue. “Security by retailers will have to tighten up,” she says. “They need to spend more on security and prove to consumers that their sites are secure.”
The Anti-Phishing Working Group, a security watchdog organization that monitors phishing
and other forms of cybercrime and works on related security measures, estimates that 2,000 to 3,500 people per day fall victim to e-mail phishing scams, out of 75-100 million phishing e-mails sent every day. The total value of losses is estimated from $500 million to more than $1 billion, according to multiple studies.
Dave Jevans, chairman of The Anti-Phishing Working Group, narrows it down to $750 million to $1 billion. The average loss incurred by individual victims is about $1,200, he says. Gartner’s survey shows losses of a slightly different scale: in the 12 months prior to the May 2005 survey, 1.2 million consumers lost $929 million due to phishing e-mails, for an average of $775.
Whatever the precise number, criminals are stepping up their efforts to make the losses even bigger. In the 12 months ended in May, 73 million consumers received e-mail phishing attacks, up 28% from 57 million during the 12-month period ended in April 2004, according to the Gartner report.
The relatively new phenomenon of phishing attacks, however, is not necessarily consumers’ biggest worry regarding online security, the Gartner study says. It notes that nearly twice as many consumers worry more about thieves stealing private credit reports and other sensitive financial data from consumer databases. In a major recent attack, criminals broke into computer records of more than 40 million credit accounts held at the Tucson, Ariz., credit card processing center of CardSystems Solutions Inc. Security vulnerabilities in the processor’s network allowed criminals to access cardholder data for MasterCard, Visa and other credit card accounts.
While consumers may worry more about hacked databases, criminals are quick to link together multiple forms of cybercrime-often starting with e-mail phishing. CardSystems said it took immediate action to fix its network security breach. But within days after the breach was publicized, consumers began receiving phishing attacks purportedly from legitimate credit card companies advising them to re-submit their account information to guard against fraudulent use of their accounts. Phishers were clearly playing off consumers’ fears that were raised by the thefts.
Key to the motivation and success driving the criminal element is the scale of the Internet: with millions of targets that can be instantly hit through e-mail, criminals need only a tiny percentage of responses to reap substantial rewards. And because they can change their targets and attacks so easily and quickly, they can usually avoid having their own identities and locations discovered by authorities before moving on to new attacks.