People want good deals. There is nothing mysterious about that. But people paying for good deals without verifying the facts? That is more alarming. According to Symantec’s latest Internet Security Threat Report, about 53 percent of its analyzed emails were spam; and the rate of these emails being infected by malware jumped from 1 in 220 in 2015 to 1 in 131 in 2016.
While it is important for consumers to be vigilant of receiving suspicious emails, it is crucial for merchants to be aware of receiving said emails while making sure no one hacked their identity. Without proper protection and management, hackers will have the upper hand to use your credentials as disguises, which can be in the form of a newsletter or direct advertising. And before consumers realize a malicious third party sent this communication, their blame may be aimed directly at you in the form of chargebacks.
This has happened to the best of us. From a persuasive email that describes a dream job to an ad that shows discounts that are too good to be true, hackers manage to phish some unlucky people. But how can you, as a vigilant merchant, protect your internal network while protecting your relationships with customers and potential consumers? We took the time to give you a thorough answer that covers all of the channels that a given ‘phisher’ may use, which can range from emails, text-based marketing to social media advertisements.
I. Business Email Compromises: a Merchant’s Shape-shifting Nemesis
According to Symantec, the most favored form of phishing scams are Business Email Compromise (BEC) scams. A BEC is a spear-phishing campaign that targets specifically your business and employees. For employees who have financial responsibilities, you may want to be more vigilant, as phishers tend to target these employees in about every case of the incident. Furthermore, the sophistication of deception is considered unprecedented from the FBI’s standards.
Along with potential malware, the social engineering involved in making these emails authentic can fool even the most thorough employee imaginable. By the time they realize the transaction is sent to a fake account, or if they realize the email address is not affiliated to its proclaimed business, it is already too late.
So, why are emails still the primary channel for phishers and hackers? While it provides a more direct focus to strike BEC targets, it is also deemed the most credible and most trustworthy channel from the target’s perspective. After all, you may have grown accustomed to handle financial queries through emails, depending on your relationship with the bank or an investor, just to name a few examples. But within the past three years, the FBI estimated that more than $3 billion may have been lost from BEC scams, and the most targeted people work in small-to-medium-sized businesses.
As shown in the images below, the most common keyword used in the subject lines of BEC scams is ‘Request’ (25%) followed by ‘Payment’ (15%) and ‘Urgent’ (10%). One technique that has been more effective among phishers is hijacking legitimate invoices that you would normally encounter from your respective parties.
All it takes to get trapped is to encounter an identical invoice that has the phisher’s account number. And for BEC scams with malware, the most common keywords in subject lines that influences people to open an email are ‘Invoice’ (26%), ‘Document’ (13%) and ‘Scan’ (12%).
This is mainly so in order to influence you to open the email and to allow the malware to download on your computer. With spear-phishing campaigns predicted to continuously grow, and with malicious social media phishing being the next frontier for phishers and hackers, here are some tips to distinguish between authentic emails and fake ones:
- Always have the account numbers of all parties written down somewhere. If the account number is different on the presented invoice, delete the email and inform those who may not know their identity is stolen.
- Make sure to verify the email address that sent the email. If you are aware that you regularly receive emails from ‘email@example.com’ and not ‘firstname.lastname@example.org’, do not open Stacy’s email and alert Stacey that her email is compromised.
- If there is communication within the email seems more hostile than usual, do not respond to this email. Instead, call someone that you normally handle this query. If he or she says she sent no such emails, chances are that you are being phished. Delete it and move on to your daily functions.
One form of identity theft that can be detrimental to merchants is a phisher using their credentials in the form of a newsletter. While there is no direct effect towards you, the phisher can disrupt trust among customers and consumers while draining their bank accounts.
If you have been a victim of this tactic, here are some tips that will educate customers to be more vigilant for their personal sake and yours:
- Offer a thorough disclosure that explains how customers and consumers can spot phishing scams. If your business relies on newsletters to retain customers, explicitly state in the disclosure what information they will and will not need to provide. For example, tell your customers that they will only need to provide their email address to subscribe to the newsletter, but they will not, under any circumstances, be asked to provide their credit card numbers to receive your content.
- Try to send newsletters exactly on the day and time you say customers will receive them. Phishers try to send their newsletters and other tactics close to your timeframe, so that a customer can accidentally think their newsletter is yours. But if you inform them exactly when customers will receive a newsletter on a weekly or monthly basis, this will help customers think more critically whenever they receive a phishy newsletter outside of your timeframe.
- Be consistent with your advertisement, even if your consistency relies on sporadic deals. While most phishers target customers and merchants alike for money, others simply have fun with identity theft alone. For these types of phishers, their objective is to damage your credibility, so much so that they will use false advertisements that either have a fake coupon number or a deal that even you are not able to promise. This leaves an opportunity for customers to have a negative shopping experience, which can lead to chargebacks that may be indefensible until every party realizes it was a scam.
II. Text-based Marketing: From Phishers to ‘Smishers’
Another channel that phishers are increasingly using is text-based marketing, which is dubbed as smishing scams, according to Fortune. The reason for this focuses on two things: customers and merchants are becoming increasingly suspicious of malicious emails and sending a scam via SMS (hence, the term ‘smishing’) can provoke more urgency for the target to respond.
For example, you may receive an anonymous text from your bank, saying that an unauthorized transaction occurred and immediate action is needed to resolve the matter. From a customer or consumer’s experience, a smishing scam may disguise as your business in order to elicit personal and financial information.
Like its email predecessor, smishing scams rely heavily on pretending to be you or any other business that customers regularly encounter in their daily lives. Some examples include a smisher pretending to be Amazon and saying an extra fee is needed for the customer’s package to be delivered.
In your circumstance, one example is a smisher pretending to be you and saying your network has been breached and you need all customers to reinsert the missing information—via text.
So, how can you combat this deceptive channel? We recommend you to consider the following procedures:
- Explicitly state whether or not customers and consumers will receive a text from you at any given time. While there is always the option for them to receive notifications about your latest deals and news, it is not uncommon for people to simply forget if they did or did not give their phone number to you. Smishers rely on that forgetfulness, as people get more comfortable with seamless and instant communication.
- If you use SMS to connect with your customers, insert a unique signature in the message that specifically identifies you and your business. For example, text message services such as SlickText offer message personalization, which allows you to insert a signature that identifies you while providing a personal message to your customers.
- Within your disclosure or your FAQ list, give customers instructions on how to spot deals that do not align with your business. Again, every one is looking for a good deal. But that does not mean every good deal presented is approved by your business, whenever a customer files a chargeback because a discount number is false, or if they unknowingly sent money to a smisher, help them to resolve this dilemma in order to restore your customer’s trust.
III. Social Media Advertisements: Sweet Candy Attached to a Phishing Hook
Fake ads on social media are nothing new; but the way it is deployed and developed is constantly changing can surprise the most skeptical customers. CSO Online gives thorough advice for them to take precaution in engaging with ads that appear harmless but are part of a larger phishing scam.
For example, in an effort to detect phishers using your identity, the social engineering site recommends consumers to remain cautious for businesses that offer help to resolve a complaint they publicly made on social media. The phisher can then directly target those who made the complaint and say they are willing to resolve this issue if they were to pay a fee—that’s an unfortunate problem that can affect you.
As merchants, you want to be available anywhere at any time to resolve any complaints customers may have. But if your assistance is intercepted by a phisher, the customer may accidentally assume they are communicating with you and find themselves in a hostile situation.
In an effort to avoid affected customers and consumers taking action towards you, chargebacks or otherwise, we offer some advice for you to assist them with any queries or disputes they may communicate on social media:
- If you find a few posts that negatively talk about your service, directly communicate with them publicly and first apologize for the unfortunate experience. Make sure to advise them to contact customer service within that same message. An apologetic and resourceful response can have a great impact on customer loyalty while minimizing a customer’s chance to be contacted by a phishing party.
- In order to find out if there are other parties disguising themselves as you or your business, conduct a brand audit in order to know what is being said and who is saying it on social media. You may be surprised to find different accounts that have been created by phishers. While this will not eliminate phishers from the digital landscape, it will definitely inform you how to control your business’s voice in a way that let customers know which post is yours and which ones are not.
- Make sure to inform customers that you will never ask for their personal or financial information on social media. It may seem obvious for some people, being continuously bombarded by different posts from different social media platforms can confuse others to offer information on one platform and not the other. A simple disclosure such as this can be the difference between helping customers avoid fake ads and them clicking onto one, thinking that it is you who made the post.
While chargebacks are commonly caused by merchant errors and friendly fraud, the means that caused chargebacks can involve different scenarios such as phishing scams. We wanted to provide you a broader perspective in how chargebacks can occur with phishers, along with providing you some advice on how to better equip yourself and your customers in order to resolve this dilemma.
As more communication channels emerge, phishers will inevitably be amongst us in order to take advantage of our trust in these channels. However, it is not impossible to gain the upper hand of the problem, just as long as you remain vigilant of suspicious communication being directed at you and communication pretending to be you towards your customers.
Having baseline knowledge of their tactics will empower you and your customers to not take the bait, no matter how persuasive or hostile a tactic may be.