Debit card/credit card fraud is in steep decline as a concern for retailers, proving that anti-fraud and cybersecurity programs really do work. But like the many-headed Hydra from Greek mythology, cybercrime seems to sprout two new nefarious tactics for each one we mitigate. When it comes to retail, malicious actors are relentless, and we should expect nothing less in 2023.
We saw a dramatic 90 percent drop in stolen cards for sale on the dark web between 2019 and 2022. The number of large credit card markets is also dwindling, and is now in the single digits.
Tighter bank security and the use of harder-to-breach technologies are one reason for the drop. Banks and their regulators seem to understand that the harder we make it for thieves to get in, the more likely they are to turn their efforts elsewhere.
Don’t be lulled into a false sense of cybersecurity, however. Rather than cease their attacks on the retail sector, bad actors have shifted tactics to higher-paying ones such as ransomware. Sidestepping the banks, they’re targeting vulnerable buyers and sellers to trick us into sending our money directly to their accounts.
Fakery is What 2023 Looks Like in Retail Cybercrime
The COVID-19 pandemic made one group, at least, very happy: cyberthieves. As we tried to avoid infection, we shopped online more than ever — and bad actors noticed.
Global retail e-commerce grew 26.4 percent in 2020 and continues to increase today. Cybercriminals are busy, too, finding new ways to take advantage of this surge.
Their tactics vary, but we see the following as being of particular concern for 2023:
- Fooling legitimate online merchants into sending refunds.
- Faking retail websites and luring shoppers to them, raking in payments from unsuspecting “customers.”
- Continuing Magecart-style attacks.
‘I Want My Money Back’
On the dark web we’re seeing an increase in conversations about “refunding.” In many of these posts, cybercrooks advise less-experienced shysters on how to bully or trick retailers and delivery services into refunding money they don’t deserve. To achieve this they exploit loopholes and emotionally manipulate customer support staffers.
Certain vendors tend to attract more attention than others. Last year, the most targeted included Amazon.com, Apple, Target, and eBay. Size matters, yes: these are among the largest online retailers. But underground refunding manuals show us, also, how attuned criminals are to these companies’ weaknesses and protocols. They know which methods work best for which retailers, and how much criminals can expect to gain.
Methods include:
- Did Not Arrive/DNA: claiming a package never arrived.
- Empty Box: claiming that a shipment arrived, but that the box was empty.
- Wrong Item Arrived/Wrong Item In the Box: claiming the retailer sent the wrong item, then returning something much cheaper, demanding a refund for the pricier item, and pocketing the difference.
- “Boxing”: claiming that an item is defective, returning the box without it, then claiming the item got stolen during delivery.
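The four methods above leave a trail in a retailer's own claim records: the same account filing several "did not arrive", "empty box", "wrong item" or "boxing" claims in a short window, or claims whose refund total is out of proportion to a normal customer. The script below is an added example written for this article, not code from the author or from Cybersixgill. It scores a constructed claim history against two assumed thresholds (more than two refunding-pattern claims in 90 days, or more than 1,500 in refunds) so that a support team can route those accounts to a manual review queue instead of refunding on the first complaint. The claim categories, sample records and thresholds are all assumptions made here.

```python
"""Flag accounts whose refund-claim history matches the refunding playbook.

Added example, not code from the article or from Cybersixgill. The claim
records, category names and thresholds below are assumptions made here.
"""
from collections import defaultdict
from datetime import date, timedelta

# Claim categories that map onto the refunding methods described in the list above.
REFUNDING_KINDS = {"dna", "empty_box", "wrong_item", "boxing"}

# Constructed sample history: (account, claim date, claim kind, refund amount).
SAMPLE_CLAIMS = [
    ("acct-001", date(2023, 1, 5), "dna", 950.0),
    ("acct-001", date(2023, 1, 20), "empty_box", 1200.0),
    ("acct-001", date(2023, 2, 11), "boxing", 800.0),
    ("acct-002", date(2022, 6, 2), "dna", 40.0),        # outside the 90-day window
    ("acct-002", date(2023, 2, 1), "damaged", 25.0),    # ordinary claim, not a refunding pattern
    ("acct-003", date(2023, 2, 14), "wrong_item", 2100.0),
]

# Review date for the sample run (assumed).
AS_OF = date(2023, 2, 15)


def account_risk(claims, as_of, window_days=90, max_claims=2, max_amount=1500.0):
    """Return {account: (claim_count, total_amount, reasons)} for every account
    that trips a threshold within the window. Only refunding-pattern claims
    filed on or after the window cutoff are counted; the thresholds are assumptions."""
    cutoff = as_of - timedelta(days=window_days)
    counts = defaultdict(int)
    totals = defaultdict(float)
    for account, when, kind, amount in claims:
        if kind not in REFUNDING_KINDS or when < cutoff:
            continue
        counts[account] += 1
        totals[account] += amount

    flagged = {}
    for account, n in counts.items():
        reasons = []
        if n > max_claims:
            reasons.append(f"{n} refunding-pattern claims in {window_days} days")
        if totals[account] > max_amount:
            reasons.append(f"refund total {totals[account]:.2f} exceeds {max_amount:.2f}")
        if reasons:
            flagged[account] = (n, totals[account], reasons)
    return flagged


def flag_sample():
    """Run the scorer over the constructed sample as of AS_OF."""
    return account_risk(SAMPLE_CLAIMS, AS_OF)


if __name__ == "__main__":
    for acct, (n, total, why) in flag_sample().items():
        print(f"{acct}: {n} claims, {total:.2f} refunded; " + "; ".join(why))
```

In the sample run, acct-001 is flagged on both counts and acct-003 on the amount threshold alone, while acct-002's one old "did not arrive" claim and its ordinary damage claim are ignored. The thresholds are deliberately exposed as parameters: a retailer selling high-value electronics will want a higher amount ceiling than one selling groceries, and the count threshold should be tuned against the retailer's own legitimate claim rate so that honest customers with a bad delivery month are not pushed into review.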
Fake it ‘Til You Make it
Almost any website that accepts online payments can be a target for phishers. Most of us have probably already received at least one email telling us that we’re being billed for a service or are receiving a shipment we never ordered, with a link to a fake site.
The unwitting — or even alarmed — consumer who clicks gets taken to a site that looks real, then enters their login credentials, handing them to the scammer, who can then shop on the real retail site using the customer’s payment card or cards.
Snail mail phishing, too, is on the rise. Criminals are sending postcards sporting QR codes — “quishing” — for the recipient to scan. Similarly, they may send these codes via email. Because the link is encoded in an image rather than written out, this technique allows the scammer to bypass security software that scans for suspicious URLs.
Be as Smart as the Scammers
Refunding works because social engineers are, at heart, scam artists: they know how to use psychology to get what they want by playing on human weaknesses.
With refunding, they’re complaining about poor service to a person whose job is to ensure customer satisfaction.
With email phishing — which saw a jump during the holiday season — they’re relying on economic anxiety brought on by inflation and the holidays to trigger your customers into clicking on their link.
Investing in expensive cybersecurity tools won’t necessarily protect retailers from these types of fraud. Instead, you need to understand their tactics and change your own accordingly — and keep your employees up-to-date. Using threat intelligence to monitor their chatter on the underground can really help retailers outwit the wily scam artist.
Brad Liggett is the director of threat intel, North America, at Cybersixgill, a provider of exclusive, real-time access to the largest database of deep, dark and clear web threat activity available.