With the continued proliferation of cybercrime in 2017, it appears 2018 will be another year of the “good guys” trying to keep pace with the “bad guys”. The data breach environment is one of continual change. It is anticipated that breaches will be bigger and more prevalent, driven by ever-increasing sophistication of hackers and their persistent nefarious activities. As protection techniques improve, cybercriminals are finding more creative ways to circumvent security measures.
It is important to note that the holidays (including post-holiday return periods) represent a prime time for cybercriminals targeting businesses and consumers. Industry statistics indicate cybercrime increases by about 20% during the holiday season. Consequently, we are expanding our usual business commentary to include the families of business owners as well.
One of the most trusted resources to stay current on the latest cybercrime issues and preventative measures is The Center for Internet Security (CIS). CIS is a global non-profit organization dedicated to developing, promoting, and sustaining best practices for cyber defense. The organization has published several guidelines for conducting holiday purchases online, which can be subject to identity theft, malicious software, and other scams.
The following are a few of the CIS guidelines that business owners and their families should be aware of:
- Public computers or the public wireless Internet. Don’t use these systems for online shopping, as they can be corrupted with malware or viruses that can enable data theft, identity theft, or financial fraud.
- Secure computing devices. Computer and mobile device software should be updated with the latest security patches. Also, up-to-date antivirus software protection should be utilized.
- Strong and unique passwords should be used to increase security. Generally, passwords should have at least ten characters, including numbers, special characters, and upper and lower-case letters.
- Make online purchases only through reputable merchants that are known and trusted. If needed, check the merchant’s physical address and phone number.
- Use one credit card. A credit card should be utilized rather than a debit card, due to better consumer protections through the Fair Credit Billing Act. One credit card with a low credit limit is preferred to limit exposure and potential for financial fraud. Check credit card statements carefully.
- “https” Internet address (URL). The “s” in “https” refers to “secure”. It indicates that communication with the webpage is encrypted, which ensures your information is transmitted to the merchant safely.
- Pop-ups. If a pop-up promises cash or gift cards for answering a question or survey, close it using the Control + F4 keys on a Windows computer. On a Mac, press the Command + W keys. Pop-ups can be a social engineering vehicle designed to get you to open a malicious link.
- Personal information. Personal information should not be auto-saved when purchasing online. Having a credit card and other information saved for future use with a merchant can increase the chances of theft of that information.
- Avoid scams. Avoiding scams often comes down to common sense. Personal information or financial information should not be provided via email or text. The websites for the Internet Crime Complaint Center and the Federal Trade Commission provide information on many current scams.
- Privacy policies. The privacy policies of online merchants should be reviewed to determine what personal information is being collected. Also, understand how it will be stored, used, and shared.
As mentioned above, sharing personal or financial information over a public Wi-Fi network can be risky. A virtual private network (VPN) is recommended to establish a secure connection utilizing encryption, which prevents access by hackers. VPNs can be purchased as software for desktops, laptops, and mobile devices.
Consumers should beware of deals that appear to be “too good to be true”. Offers of extremely low prices on items, such as electronics, can be a method to lure potential victims.
Business Owner Precautions
In addition to consumer precautions, business owners should take steps to ensure the best possible IT security. The following are some of the actions business owners should be taking:
- Businesses should be protected with appropriate enterprise-level firewalls and associated secure Wi-Fi networks that are professionally installed and configured to ensure proper operation.
- Similarly, Cloud services should follow security and compliance rules and should be set up and configured with correct security settings.
- Systems should be secured with enterprise-level antivirus software and malicious software protection.
- Business websites should be scanned with a commercial vulnerability scanner. This should provide an indicator for web application security.
- Staff should be educated to understand social engineering, which tricks employees into revealing sensitive information that can enable security breaches.
- The office environment should be secure (consider professional network security services), including locking computers when not in use. Local area networks and Wi-Fi access must be restricted to authorized users. Written notes on computers should not reveal passwords, which could be compromised by anyone in the office area during normal or off-hours.
- Databases should be encrypted with the latest algorithms and encryption keys need to be stored safely. Encryption will ensure any stolen information cannot be used maliciously.
- Databases should be backed up periodically and saved to an offsite location, in an encrypted format.
Post-Holiday Refund Fraud
Many leading retailers have refund policies that favor the consumer, particularly in the fashion industry. This enables shoppers to make purchases, knowing that they can try on the clothes first. This contributes to refund fraud being one of the most prevalent revenue threats to retailers. Industries most vulnerable to refund fraud include fashion, electronics, consumer goods, and cosmetics. It is estimated that retailer losses due to holiday return fraud exceed $3 billion annually in the U.S. with approximately 4% of holiday returns being fraudulent.
A typical fraud scam starts with the fraudster publishing a post designed to attract dishonest consumers. The consumer cooperates with the cybercriminal, requesting a refund from an online retailer. Once the refund is consummated, the money received is split between the dishonest consumer and the cybercriminal. The false refund is made possible when returned products are not inspected, as required, before the refund is issued. Generally following Christmas, nearly half of online shoppers return their clothing purchases – setting up the retailers as targets. Also, the relatively high cost of electronics makes that industry a prime target as well. Often retail scams originate from countries outside the U.S., especially Europe.
It is imperative that retailers, especially the smaller ones, hire more fraud specialists during the holiday season to impede cybercrime losses. Additionally, they should use background checks and training on ethical standards to avoid hiring fraudsters.
Holiday and Post-Holidays Highlight Security Awareness
In summary, the holiday and post-holiday seasons highlight the need for both business owners and consumers to take necessary precautions to protect their businesses and personal information. Despite increased security protection technology and methods, fraudulent scams continue to proliferate and grow each year. Therefore, our cautionary comments carry through for the rest of 2018 and beyond. The “next big thing” in terms of seasonality will be tax season, which sets the stage for another round of cybercrime intensity. These peak seasons for cybercrime exploit businesses and consumers that have not implemented proper security systems, procedures, and habits.
We wish everyone a happy and cybercrime-free new year!