Magazine Article | April 19, 2006

Phishing, Fraud, And FUD

Source: Innovative Retail Technologies

Protect yourself from phishers before they damage your brand.

Integrated Solutions For Retailers, May 2006

Phishers have hit the online world, as Willie Sutton famously said, “because that’s where the money is.” Although phishing has hit the financial services sector the hardest, online retail is the next natural frontier, because it offers phishers several avenues to perpetrate fraud. Buying jewelry on someone else’s credit card is one way; stealing blocks of credit card numbers from a retailer and selling them is another. With the new PCI (Payment Card Industry) data security standard in place, retailers have more reason to be cautious, because the cost of noncompliance is going up. The first step in protecting against phishing is to understand how phishers work and what retailers can do to protect their business and customers.

Understand Phishing To Beat It
Phishers started by sending e-mails out to millions of people per day, claiming to be from a trusted source and asking for IDs and passwords. They send unsuspecting people who trust your company and your brand to a fake site. The phisher is after identity data they can use to apply for a fake credit card and passwords they can use to log on as that user.

Recently, phishers have become more devious. Now that innocent-looking e-mail with your brand on it downloads a very nasty keystroke logger or piece of spyware onto the machine, so that wherever that person goes, the phisher gets their password and maybe their credit card number. This gives the phisher many places to steal from – including your online store.

Most retailers have probably not seen an attack yet, but think for a minute. How many marketing e-mails did your company send out today? Do those e-mails have convenient links back to your store? What do you think the first phishing e-mail against your company might look like? Just like your marketing e-mail, of course! And others will follow, many sent by customerservice@yourbrand.com. You’ve spent a lot of money building trust in your brand; don’t let the phishers ruin that equity! Here’s what you can do now, before the damage occurs.

  • End User Training. Ideally, we’d all like to keep users from going to phishing sites in the first place, but let’s face facts. That user sees your brand and trusts it. That’s why phishing works. So, start training your customers now to be wary of e-mail that looks like it came from your company, but has grammatical or other errors. Tell them now that you’d never e-mail them asking for their password, credit card number, or Social Security number.
  • Use Stronger Authentication. If your user does get lured to a phishing site, make what the phisher gets useless. Look for authentication systems that do not send secrets, but rather prove knowledge of the secret. Your signature works this way – by signing your name, you’re not showing that you know your name, but rather that you can sign it in the special way only you know how to do. Look for authentication systems with some intelligence and forethought behind them. For example, a system that allows you to change the strength of authentication and manage multiple levels of authentication simultaneously is a wise investment. The PCI also calls for better controls on access to end user data, encryption, and activity monitoring and logging. Your authentication system should provide these, as well.
  • Don’t Buy Into FUD (fear, uncertainty, and doubt). Use common sense in thinking through which measures will help with which part of the problem. User education will not keep some people from falling for these scams, and the strongest authentication in the world won’t help if the user types their credit card number into the phishing site. If you start now, you can protect the brand you’ve worked so hard to build.
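To make the “prove knowledge of the secret instead of sending it” point concrete, here is an added example that is not part of the original article: a simplified HMAC challenge-response login in which the customer’s device answers a fresh server nonce, so a response captured by a fake site is worthless against the real one. The account name, key and class names are assumptions for the demonstration, not any vendor’s product.

```python
import hmac
import hashlib
import secrets

# Constructed demo account. The key is shared only between the customer's
# device and the retailer's server; it is never typed in or transmitted.
USER = "alice@example.com"
USER_KEY = b"constructed-demo-key-not-a-real-secret"

def respond(key, nonce):
    # The customer's client proves knowledge of the key by keying an HMAC
    # over the server's challenge; the key itself never leaves the device.
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

class ChallengeResponseServer:
    def __init__(self, keys):
        self.keys = keys
        self.pending = {}

    def challenge(self, user):
        nonce = secrets.token_hex(16)         # unpredictable and single-use
        self.pending[user] = nonce
        return nonce

    def login(self, user, response):
        nonce = self.pending.pop(user, None)  # one attempt per challenge
        if nonce is None or user not in self.keys:
            return False
        return hmac.compare_digest(respond(self.keys[user], nonce), response)

def legitimate_login_works():
    real = ChallengeResponseServer({USER: USER_KEY})
    nonce = real.challenge(USER)
    return real.login(USER, respond(USER_KEY, nonce))

def phished_response_is_useless():
    # A fake site issued its own challenge and captured the customer's answer;
    # the real server's fresh nonce differs, so the captured answer fails.
    real = ChallengeResponseServer({USER: USER_KEY})
    captured = respond(USER_KEY, secrets.token_hex(16))
    real.challenge(USER)                      # phisher's own login attempt
    return real.login(USER, captured)

def replayed_response_is_useless():
    # Even a response sniffed from a genuine login cannot be reused: the
    # nonce is consumed by the first attempt.
    real = ChallengeResponseServer({USER: USER_KEY})
    nonce = real.challenge(USER)
    genuine = respond(USER_KEY, nonce)
    real.login(USER, genuine)
    return real.login(USER, genuine)
```

A fake site that relays the real server’s challenge to the customer in real time can still complete that one session, which is why the article’s last point stands: authentication strength does nothing for data the customer types into the phishing page itself.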