What is Phishing? Is There Anything Merchants Can Do to Stop It?
No single innovation of the modern era has changed the face of retail more than the internet.
Over the last three decades, the ability to browse and buy online has transformed our entire concept of shopping. Of course, every silver cloud has a dark lining. Internet fraud attacks, such as phishing scams, have become a serious problem.
It’s bad enough when fraudsters target businesses directly, but in these cases, merchants must also deal with the fallout from consumer-oriented phishing attacks. In this post, we’re taking a look at how phishing affects businesses, what you can do to mitigate risk, and why the whole thing may be largely out of your hands.
What is Phishing?
Phishing [noun] /fiSH • iNG/: the act of impersonating a trustworthy party, or sending messages purported to be from a trustworthy party, to trick individuals into revealing personal information.
Phishing scams have been around as long as eCommerce has existed.
The term “phishing” refers to a specific type of cyberattack that’s typically done through email. A hacker uses bogus information and fake credentials to trick victims into giving away money or personal information (passwords, login details, credit card numbers, etc.), or to deliver malware.
One of the most recognizable examples is the infamous “Nigerian Prince” email. Here, a fraudster poses as a foreign royal and offers to pay recipients to help him recover or transfer his fortune. All the recipient needs to do is provide their bank account information which, of course, is hijacked by the scammer and used to drain their account.
The “Nigerian Prince” scam has long since been exposed. It’s almost silly to think that anyone would fall for this obvious scam today. Phishing fraud is still out there, though, and cybercriminals have changed with the times. They’ve become increasingly savvy in their methods and technology.
Most Common Phishing Tactics
The ultimate goal of a phishing scam has remained the same over the years. The scammer is trying to trick the victim into giving up access to personal information. The target is typically financial data, but any personal account could be subject to an attack.
As we alluded to, though, the tactics have evolved a lot over the years. Nowadays, there is a wide range of different techniques used in phishing scams. Other tactics include:
Simple: it’s the path of least resistance. Criminals attack consumers using phishing tactics because it’s the easiest way to get usable consumer data. It’s much easier to trick an individual into clicking a malicious email link than to hack into and navigate an organization’s computer system.
Can Phishing Scams Target Businesses as Well?
Yes. Phishing scammers are not limited to targeting consumers; these tactics can be used to target businesses, too.
Back in May 2020, researchers uncovered a spear phishing attack on a German multinational corporation. This company was connected with a German government-private sector task force working to procure personal protective equipment (PPE) in response to Covid-19. The attack targeted more than 40 high-ranking company executives before it was discovered.
This type of scheme typically starts with a legitimate-looking email that appears to be from a high-level executive, or perhaps from an attorney representing a rival or third-party vendor. The email will include a request for some type of payment and stress the need for an immediate response. Unless the recipient is on the ball, they can easily be fooled.
Think about it: what would be your first reaction if the CEO of your company sent an email asking you to take care of a payment “as a personal favor to me”? Or, you got a notice from a lawyer saying you needed to arrange a payment or face legal action against the company? Most people would at least be tempted to simply comply with the messages. This is why the scheme works.
Even if the plan falls through, the fraudster can score several useful assets that can help with future attacks. One response or click-through is all it takes for the crook to get a copy of the company’s latest email signature, for example. A scammer can use that signature to impersonate company figures, making future attacks seem more legitimate.
How Phishing Attacks Impact Merchants
As we discussed before, the majority of phishing schemes are aimed at consumers. The scammer wants to trick individual consumers into handing over their personal information.
But, even when consumers are the target of an attack, it’s ultimately merchants that may end up paying the price in many cases. If a phishing scammer targets your customers, you could end up seeing:
Chargebacks aren’t just “refunds.” They come with fines and added fees, and will negatively impact your chargeback ratio. This is true even if you can prove that you had nothing to do with the attack. You’ll also lose any merchandise you unknowingly shipped to a crook.
In a larger sense, all fraudulent activity increases the cost of operating your business. More fraud means lower margins for you, as well as increased investments in security, fraud mitigation, and identity protection. It can also undermine your ability to stay competitive.
Eventually, all these costs get passed to the customer in the form of higher prices. When that happens, the entire market suffers.
What Can Merchants Do About Phishing?
There’s no question that phishing is dangerous. So, what can you do to protect yourself as a merchant?
For consumer-facing attacks, protecting your brand integrity is key. You need to be on the lookout for scammers that may be trying to impersonate you as a way to target your customers.
For example, URL hijacking (or “typosquatting”) happens when a fraudster buys a URL similar to a legitimate retailer’s. The fraudster then redirects traffic to the fake website to collect personal information from consumers who try to complete a purchase.
If you identify a scammer that’s targeting your customers, you can try sending a cease-and-desist letter. You can also report the activity to the FBI's Internet Crime Complaint Center (IC3). Finally, warn your customers about the activity via social media, to try to dissuade them from engaging with the scammer by accident.
What to Do if Your Business is Targeted
As for scams that directly target your business, there are a few prevention tricks you can adopt. Some organizations are implementing sophisticated “zero-trust” architectures, for instance. This strategy works from the premise that every outside contact is unsafe until proven otherwise. It may help, but it’s a major investment.
The most effective strategy is to simply remain vigilant. Create and adhere to comprehensive employee awareness programs. Teach employees to spot red flags for suspicious emails. Provide detailed instructions for what to do with potentially malicious requests.
Employees should also be cautious of any information posted on social media that references company information. This would include potentially confidential company data posted on personal social media accounts.
Above all, merchants must stress that even slightly unusual emails can mean trouble. If there is any doubt, employees should not reply to an email. Instead they should bring the matter to the attention of superiors, as well as to your IT team.
We also recommend that no company business be conducted through free web-based email services such as Yahoo or Gmail. Official email should go through mail servers the company itself controls.
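The red flags this section asks employees to spot, together with the look-alike domains described under consumer-facing attacks above, can also be checked mechanically before a message reaches an inbox. The Python script below is an added example, not code from the original post. It assumes a hypothetical merchant domain (`example-merchant.com`), a small staff directory, and two constructed sample messages; it reports, for each message, which indicators apply: a display name that belongs to a known employee but arrives from a different address, a free-webmail sender, a Reply-To that diverts replies elsewhere, a sender or reply domain that is a typosquat of the company domain, pressure language, and a request for payment or account details.

```python
"""Score inbound email for the phishing red flags an awareness program teaches.

Added example, not the original post's code. COMPANY_DOMAIN, KNOWN_STAFF and
the two SAMPLE_* messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-merchant.com"          # assumed merchant domain
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Constructed directory: lowercase display name -> the address that person really uses.
KNOWN_STAFF = {"jane doe": "jane.doe@example-merchant.com"}

URGENCY = re.compile(r"\b(urgent|immediately|right away|today|asap|legal action|personal favor)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|payment|gift cards?|bank account)\b", re.I)


def normalize(domain: str) -> str:
    """Fold common look-alike substitutions (rn->m, 0->o, 1->l, 3->e, 5->s)."""
    d = domain.lower().replace("rn", "m")
    return d.translate(str.maketrans("0135", "oles"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, brand: str = COMPANY_DOMAIN) -> bool:
    """True for a domain that imitates the brand: within two edits after folding,
    or one that embeds the brand's registrable label under another TLD.
    The brand itself and its own subdomains are not look-alikes."""
    d, b = domain.lower(), brand.lower()
    if d == b or d.endswith("." + b):
        return False
    nd, nb = normalize(d), normalize(b)
    label = nb.split(".")[0]
    return edit_distance(nd, nb) <= 2 or label in nd


def phishing_indicators(raw_message: str) -> list:
    """Return a list of human-readable red flags found in an RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else " ".join(
        p.get_payload(decode=True).decode(errors="replace")
        for p in msg.walk() if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')} {body}"

    flags = []
    expected = KNOWN_STAFF.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display name {display_name!r} belongs to {expected} but message came from {from_addr}")
    if from_domain in FREE_WEBMAIL:
        flags.append(f"sent from free webmail ({from_domain}), not a company server")
    if is_lookalike(from_domain):
        flags.append(f"sender domain {from_domain} imitates {COMPANY_DOMAIN}")
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To diverts replies to {reply_domain}")
    if reply_domain and is_lookalike(reply_domain):
        flags.append(f"reply domain {reply_domain} imitates {COMPANY_DOMAIN}")
    if m := URGENCY.search(text):
        flags.append(f"pressure language: {m.group(0)!r}")
    if m := PAYMENT.search(text):
        flags.append(f"requests payment or account details: {m.group(0)!r}")
    return flags


# Constructed sample: executive impersonation from webmail with a typosquatted Reply-To.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: accounts@exarnple-merchant.com
To: ap@example-merchant.com
Subject: Quick favor

I need you to arrange a wire transfer today as a personal favor to me.
Details to follow, please keep this confidential.
"""

# Constructed sample: an ordinary internal message that should raise nothing.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-merchant.com>
To: ap@example-merchant.com
Subject: Q3 planning

Can we move the planning meeting to Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_BEC), ("legitimate", SAMPLE_LEGIT)):
        found = phishing_indicators(sample)
        print(f"{label}: {len(found)} indicator(s)")
        for f in found:
            print("  -", f)
```

Any single indicator can be innocent (a supplier really may write from Gmail), so the intent is triage: a message that accumulates several flags is the one to route to IT rather than answer, which is exactly the escalation rule the section recommends. The domain check is deliberately conservative and treats the merchant's own subdomains as legitimate.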
The Importance of Cyber Resilience
Knowing that phishing and other fraud attacks will happen, it’s important to think in terms of what experts call “cyber resilience.”
Cyber resilience refers to an organization's ability to anticipate, withstand, recover from, and adapt to cyber-related attacks. In other words, it is a plan for dealing with inevitable schemes while protecting online operations and mitigating risk.
Resilience isn’t just about defending against a single attack (such as phishing). It should include multiple layers of protection spread across hardware, software, networks, and data protection. Cyber resilience is like a health plan for your digital presence: a successful strategy enables your business to adapt to known and unknown crises, dangers, and threats.
Carefully designed security protocols give your business the ability to weather all types of cyber threats and data loss. An overarching solution should include:
- Automated and ongoing data backups
- Identity and access management
- Threat identification and assessment
- Employee fraud prevention & response training
- Incident response planning
- Data recovery and reintegration
- Post-crisis business continuity
Cyber resilience can only be effective if it is achieved at all levels of the company. It is an ongoing, collaborative effort to keep your business operating during — and after — an attack.
Fraud Management Requires a Multi-tiered Approach
Phishing scams hit merchants on multiple fronts. You could see loss of funds, loss of intellectual property, damage to reputation, and long-term sustainability threats. This includes attacks directly aimed at your business, but there will also be secondary damage from mass attacks targeting consumers.
While there are several steps you can take to safeguard your company against phishing attacks, you have limited ability to protect against the damage from consumer-oriented attacks.
And remember: phishing is just one of many fraud threats. In the end, what you need is a comprehensive, multilayer approach to fraud and cyber threats. For effective management and prevention, businesses need a comprehensive program that addresses fraud both before and after it happens.