E-mail “phishing” attacks, which mimic legitimate brands to lure consumers into providing personal data, claim more than 2,000 victims per day, but many retailers fall short of taking basic steps to prevent the attacks, phishing expert Dave Jevans says.
E-mail “phishing” attacks, which mimic legitimate brands to lure consumers into providing credit card account information, claim more than 2,000 victims per day and steal close to $1 billion a year, but many retailers fall short of taking basic steps to prevent them, Dave Jevans, chairman of the Anti-Phishing Working Group, tells Internet Retailer.
The APWG estimates that from 2,000 to 3,500 people per day fall victim to e-mail phishing scams, out of 75-100 million phishing e-mails sent every day. After successfully persuading consumers to provide personal information like credit card account numbers, Social Security numbers and passwords, the criminals behind phishing attacks typically either sell the stolen information or use it to make online purchases. The total value of damages is estimated from $500 million to $1.2 billion, according to multiple studies, but Jevans says he figures it’s between $750 million and $1 billion. The average loss incurred by individual victims is about $1,200, he says.
Web site operators and brand owners can take several steps to prevent phishing attacks from occurring and to mitigate their impact on consumers when they do occur, Jevans says. For example, retailers can use software and outside services that monitor the Internet to learn whenever a new domain appears to mimic a retailer’s brand, giving the retailer the chance to warn customers of possible phishing e-mails from that domain and to alert government authorities who investigate phishing attacks. In some cases, such domains have been shut down before they were able to launch full-scale phishing attacks, experts say.
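One way to implement the brand-domain monitoring described above, as an added example that is not from the article or the APWG. The brand domain, the feed of newly observed domains and all function names are constructed; the character-substitution table and the distance threshold are assumptions.

```python
# Added example: constructed brand and feed; SWAPS and max_distance are assumptions.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def edit_distance(a, b):
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    """Label left of the TLD; assumes a single-label TLD."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(candidate, brand_domain, max_distance=2):
    """Return a reason string if candidate mimics brand_domain, else None."""
    cand = candidate.lower().rstrip(".")
    brand = brand_domain.lower()
    if cand == brand or cand.endswith("." + brand):
        return None  # the brand's own domain or one of its subdomains
    brand_label = registrable_label(brand).translate(SWAPS)
    cand_label = registrable_label(cand).translate(SWAPS)
    if cand_label == brand_label:
        return "same name after normalisation"  # other TLD, digit swap, hyphen
    if brand_label in cand_label:
        return "brand name embedded in a longer label"
    if edit_distance(cand_label, brand_label) <= max_distance:
        return f"within edit distance {max_distance}"
    return None

def flag_lookalikes(feed, brand_domain):
    """Map each suspicious domain in the feed to the reason it was flagged."""
    reasons = ((d, classify(d, brand_domain)) for d in feed)
    return {d: r for d, r in reasons if r}

BRAND = "acme-outlet.example"  # constructed brand domain
FEED = ["acme-outlet.example", "mail.acme-outlet.example", "acme-0utlet.example",
        "acmeoutlet-secure.example", "acmeoutlat.example", "acme-outlet.test",
        "gardentools.example"]  # constructed feed of newly observed domains

if __name__ == "__main__":
    for domain, reason in flag_lookalikes(FEED, BRAND).items():
        print(f"{domain}: {reason}")
```

Short brand names produce many near matches at this threshold, so flagged domains are candidates for review rather than confirmed phishing sites.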
One of the most effective means of mitigating the impact of phishing attacks, Jevans says, is through consumer education. Retailers should place on their web sites information about how to recognize phishing e-mails and about how to contact the retailer to check on a suspected phishing e-mail, he adds.
But not enough retailers are taking such preventive actions, and some are even doing things that indirectly support phishing, Jevans says. He cites one major brand, which he declines to name, that sent out a large number of marketing e-mails from a domain other than its own branded domain – a format that made its e-mail look like a phishing attack. “If you keep sending e-mail that looks like phishing, you’re training your customers to respond to phishing,” Jevans says. “We’ve seen quite a lot of retailers doing that.”