The most profitable time of year for retailers is right now - between the North American Thanksgiving and New Year. When business is booming, cybercriminals are busy too. The holiday season creates a perfect storm for criminals. Retail companies are doing billions in transactions, and during the silly season there’s more work to do in the same hours. Everyone is overworked and under pressure, which is the perfect environment for scams to be executed.
I wrote an article recently - ‘Business Owners Hunted’ - about the simple but brutally effective techniques criminals employ to steal from companies. 90% of cybercrime is perpetrated via email, because it is such a ubiquitous channel, and because it is such an effective way to manipulate people. Email is the favourite tool of a particular kind of cybercriminal who uses techniques known as ‘social engineering.’
Social engineering is the use of deception to manipulate people into divulging confidential information. When cybercriminals focus on retail companies they almost always use social engineering tactics to get past their security perimeter. Social engineers gather information about companies and the people who work there and use that information to trick their victims into giving them access to the company’s systems.
(Image: Leonardo DiCaprio masquerading as a fraudster pilot in ‘Catch Me if You Can.’ Image credit: Dreamworks.)
Understanding social engineering as it operates now is easier if we compare it to more traditional scam techniques.
A couple of weeks ago I re-watched that fantastic movie ‘Catch Me if You Can’ with Leonardo DiCaprio. In the movie (no spoilers I promise) DiCaprio steals from banks, scams airlines and gets away with all his misdeeds by using simple tricks. He makes fake cheques with scissors and glue; he wears disguises and stolen pilot’s uniforms to assume different identities and infiltrate companies; he lies; and people believe his lies because he uses small pieces of factual information to make them seem credible.
Social engineers are using the same sort of tricks as Leonardo DiCaprio’s character, but instead of taking the risk of showing up in person, they are doing all their trickery from the safety of some anonymous computer thousands of kilometres away from their victims.
Social Engineering = Fraud
A typical cybercrime scenario involving a retail business goes something like this:
Imagine a medium-sized online retail company - let's call it ‘Beds & More’ - with 2 stores, an online shop and about 150 employees.
It’s the day after Christmas; there are thousands of customers buying stuff; the staff of Beds & More are all frantically busy and exhausted from six weeks of relentless work doing long shifts. Karen, a customer service agent in the call centre, gets a new email in her inbox. Karen is flat out and normally she might not pay much attention to her emails when she’s this busy but the message is marked ‘URGENT’ and the sender is Karen’s boss, the owner of the ‘Beds & More’ company.
Karen opens the email. It’s a short and direct message from her boss:
‘Karen: please action this refund immediately. This customer - H Thompson - is making us look v bad on the forums. Want this sorted ASAP - refund the customer the full purchase amount to their PayPal account (below) and email me after you have completed the refund so I can smooth things out on the forum.’
Karen immediately recognises the customer name her boss’ email refers to. The customer bought nearly $18,000.00 worth of products to have delivered, and when the delivery didn’t arrive on time, began a very angry series of comments on the Beds & More website feedback forums. Karen actually had a short phone call with the customer earlier in the day and had listened to them yell at her down the phone for five minutes. This was a very angry customer.
At the bottom of her boss’ email, Karen found a PayPal account ID. She hurriedly opened up the PayPal window on her computer, entered the appropriate ID and amount and punched send. She then quickly typed an email back to her boss, informing her that the refund had been completed, and got back to work on her other customer orders.
If you’ve been reading my blog posts for a while you probably know what really happened here. The email Karen received was not really from her boss. There was, in fact, a real customer called Thompson, who was genuinely angry about their delivery, and they had actually posted angry comments on the Beds & More website, but that is where the reality ends and the social engineering starts...
So let’s imagine this scenario from the POV of the social engineering scammer:
Chris rents a small, anonymous office somewhere in Eastern Europe with no windows and a fast internet connection. Chris is 33, high school educated and making money fast working for a fraud syndicate.
For the last 3 months, Chris has been monitoring the website and social media of Beds & More, along with a hundred other medium-sized, high-turnover US retailers with online stores. Chris has compiled an extensive dossier on Beds & More including the names, contact info and social media channels of all their management people and customer service agents. All this data was easy for Chris to obtain by doing a few simple Google searches and spending a bit of time clicking around on Facebook. Chris has also recently registered a new URL ‘bedsMmore[dot]ro’ which at a casual glance looks very similar to the actual URL ‘bedsNmore[dot]com’ used by the company.
At 11:14 Dec 26, EST, Chris sees the angry messages from the customer called Thompson start to appear on the Beds & More forum. In their messages, ‘H Thompson’ mentions the amount they spent, what they bought and angrily demands a refund, referring to the fact they have spoken repeatedly with ‘Karen’ in customer service, without getting any satisfaction.
Chris springs into action, quickly typing a short email to Beds & More’s customer service email address.
You can probably guess what the email says: it’s the one Karen receives and thinks is from her boss.
Chris makes the email look like it really comes from Karen’s boss by replicating the boss’ email signature on the footer of the message, and hiding the sender address behind a simple alias based on the fake ‘bedsMmore[dot]ro’ URL.
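The two tricks described above - an executive’s display name on an external address, and a domain one character away from the real one - are exactly what a mail-gateway rule can catch before the message reaches Karen. The following check is an added example, not code from the original post; the company domain, the owner’s name (‘Jane Smith’) and the sample headers are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed details for this example: the company's real domain and the
# display names of people a fraudster is likely to impersonate.
COMPANY_DOMAIN = "bedsnmore.com"
EXECUTIVES = {"jane smith"}  # assumed name for the owner of Beds & More

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; one edit apart flags a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(raw_message: str) -> list[str]:
    """Return the reasons an inbound message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    reasons = []
    if display_name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append("display name matches an executive but the sender domain is external")
    # Compare only the second-level label so a different TLD (.ro vs .com) still matches.
    if domain != COMPANY_DOMAIN and levenshtein(domain.split(".")[0], COMPANY_DOMAIN.split(".")[0]) <= 1:
        reasons.append(f"sender domain {domain!r} is a one-character lookalike of {COMPANY_DOMAIN!r}")
    if reasons and re.search(r"\burgent\b", msg.get("Subject", ""), re.I):
        reasons.append("urgency cue in subject combined with a sender anomaly")
    return reasons

# Constructed sample headers: the forged 'boss' email from the story, and a genuine one.
SAMPLE_FRAUD = """From: Jane Smith <jane.smith@bedsMmore.ro>
To: customerservice@bedsNmore.com
Subject: URGENT - refund for H Thompson

Karen: please action this refund immediately.
"""
SAMPLE_LEGIT = """From: Jane Smith <jane.smith@bedsNmore.com>
To: customerservice@bedsNmore.com
Subject: Rostering for next week

Hi Karen, can you cover Thursday?
"""

if __name__ == "__main__":
    for reason in classify_sender(SAMPLE_FRAUD):
        print("FLAG:", reason)
    print("legit message flags:", classify_sender(SAMPLE_LEGIT))
```

A rule like this belongs at the gateway or in the mail client, where it can tag or quarantine the message; it does not replace a call-back on any payment instruction that arrives by email.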
When Karen hastily reads the email she thinks is from her boss and forwards the $18,000 to the nominated PayPal account, that money actually goes into an account held by the Balkan fraud syndicate. When the funds land, they are immediately withdrawn, and the account is closed. Neither H Thompson nor Beds & More will ever see that money again. Chris gets a 10% commission and the rest goes into a shell company in Panama operated by the Balkan gangsters who employ him as part of their extensive network of fraudsters.
The Internet Makes Stealing Easier
The scenario above is fictional, but it accurately reflects the sort of stories I hear from retail business owners who have been impacted by cybercrime.
The details about the social engineering scammer and their methods are also typical of the kind of social engineering tactics that cybercriminals employ.
The most amazing thing about crime like this is that it requires almost no technical expertise at all. Email based scams are not only effective but also simple and cheap to operate.
Conversely, protecting companies from this kind of criminal activity is extremely challenging. Email fraud neatly sidesteps the traditional protective measures companies employ, like anti-virus software, because the vector it exploits is human social interaction rather than technical brute force.
If Catch Me if You Can had been written in the era of cybercrime, Leo DiCaprio would have been using fake email addresses rather than a stolen pilot’s uniform to fool his victims.
We Can Protect Our Businesses
Retailers face some major security challenges that few other industries encounter. When I’m talking to my clients and colleagues who work in the retail world some common themes emerge:
- Retailers are doing online funds transfers and point-of-sale transactions which involve a lot of vulnerable data channels
- Retail businesses are difficult to manage cybersecurity-wise because they are public facing and do massive numbers of transactions
- Most retail companies operate multiple locations - often under a franchise arrangement - which adds an extra dimension of complexity to their security situation
- Franchise outlets rely heavily on email to handle their interactions with head-office management, which is a golden opportunity for cybercriminals
The people who handle the day-to-day management of retail businesses don’t usually have access to much IT support of any kind, let alone specialist advice on cybersecurity.
We know that even massive retail companies with well resourced IT divisions can fall victim to cybercrime, so the challenge facing small business owners in the retail sector is truly daunting.
I spend a lot of time educating people about criminal-intent emails. The structure of a typical retail business opens them up to exactly that kind of risk.
The responsibility for protecting a business from fraud ultimately rests on the shoulders of management. Frontline people and even IT staff with no special training can’t be expected to identify criminal-intent emails landing in their inboxes. To truly protect a company from social engineering type deception requires a holistic, comprehensive defence policy initiated at the highest management level.
I’m making it my personal mission to help retailers fraud-proof their operations.
If you are concerned about your company’s risk around email fraud or you are already seeing suspicious emails in your inbox, please reach out to me.
Through sharing knowledge and taking positive action we can keep our businesses, and more importantly our customers, safe from fraud this holiday season.
Have a safe and peaceful week.