USA TODAY International Edition
Yikes! Online phishing attacks up 297 percent
There’s no question that online shopping has continued to grow over the past few years, making it easy to order anything you like from practically wherever you like.
But what’s not so convenient is the slew of cybercriminals who have come along for the ride to steal your data and charge your credit card for goods you’ll never receive. As retailers increasingly focus on selling merchandise through a variety of online channels such as Facebook and Snapchat, fraudsters are discovering new avenues to lure in unsuspecting victims.
“It is the most common way to obtain stolen credit-card numbers,” said Itay Kozuch, director of threat research of IntSights, a cyber-risk analytics company. “Instagram has become one of the leading vehicles for fraudsters to execute phishing (illegally capturing passwords and credit-card numbers) attacks, as it is still a relatively new and uncharted channel for merchants.”
In a joint venture with Riskified, an eCommerce fraud-prevention company, IntSights collected data on hundreds of thousands of illegal online purchases. The companies found a 297 percent spike in the number of fake retail websites designed to phish for customer credentials when comparing July through September 2017 with the same period in 2018.
❚ How do the scammers do it? Most online retail fraud involves a simple two-step process: First, steal credit-card information. Then, order goods from a retailer.
The retailer fulfills the order and gets stuck with the bill after the real owner of the credit card disputes the unauthorized transaction. The bank reverses the charge.
❚ Why are online retailers easy targets? For one, there’s an abundance of merchants to target, many of which have weak security, experts say. The risk is relatively low, but the potential payout is high. If one doesn’t work, scammers can just move on to the next.
Fraud, scams and theft have always been challenging for brick-and-mortar stores to deal with. But eCommerce complicates the landscape since people can use an IP address from one country, pay with a credit card from another and have a shipping address virtually anywhere on the planet.
Also, these online tricksters often build authentic-looking websites to fool shoppers. “Scammers can register a domain for pretty cheap that looks like some everyday retailers you might be familiar with,” said Kevin Mitnick, a former computer criminal and founder of Mitnick Security Consulting. “Today, if they wanted to look like J.C. Penney, they could purchase JCPenny.US.com for just $21.”
❚ How can I protect myself? “The first step is to be aware these online attacks exist,” Mitnick said. “Stop, look and think before you click that link.”
The experts also suggested using anti-virus products that can detect malicious websites, along with two-factor authentication. When two-factor authentication is enabled, a user will receive a special code sent to their mobile device once they’ve entered a password.
“Be aware of spear phishing,” cybersecurity expert John Sileo said. Spear phishing is a tactic used to trick the target into giving more information. “They might say they have your password so you trust them. But it is just bait.”