Fraud Trends for November 2011


Fraud losses cost the financial and retail industries over $250 billion annually, and cybercrimes get more sophisticated every year.

Here are some new fraud trends and how to respond to them:

Card Skimming

Here, thieves install skimmer devices inside a terminal's card reader, where they go undetected and capture credit card data. To safeguard against this, keep your credit card terminal accessible to employees only, and watch for signs of tampering.

Malware Attacks

Malware, short for malicious software, gains access to and damages a victim’s computer without the victim’s knowledge. In 2009 the frequency of this type of attack was 10 times greater than in 2008. Most malware attacks today are designed for financial gain. The malware escapes detection while collecting and transmitting sensitive data such as the user’s bank account information, passwords and credit card details. To protect against malware, always keep your virus protection up to date, because vulnerabilities are usually found in older or out-of-date virus definitions. Never store unsecured credit card details on your computer.

Card Testing

This involves software that automates the testing of stolen credit card numbers using an eCommerce website. We saw two cases of this last year, where a non-profit organization’s website was used to run hundreds or thousands of transactions for small amounts ($1.00) so the card numbers could be tested. This caused the non-profit to incur the authorization fees until they caught it and took the website down or the thief finished testing all of the cards. To prevent your site from being used for card testing, set the “Daily Velocity” filter under the Account menu in, and monitor your transactions daily.
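As an added illustration (not code from the original post or from any payment gateway), the sketch below models a daily velocity limit as a simple per-day transaction cap and, going slightly beyond the text, shows what daily monitoring can look for: one source trying many different cards for tiny amounts in a short window. The thresholds, field names, function names and transactions are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them to your own normal volume.
DAILY_LIMIT = 25                  # transactions accepted per calendar day
SMALL_AMOUNT = 2.00               # card-testing charges are tiny
WINDOW = timedelta(minutes=10)
MAX_CARDS_PER_SOURCE = 5          # distinct cards from one IP inside WINDOW

def constructed_transactions():
    """Constructed sample data: 6 normal donations plus a 40-card $1.00 burst."""
    day = datetime(2011, 11, 14, 9, 0)
    txns = [{"ts": day + timedelta(hours=h), "ip": f"198.51.100.{h + 1}",
             "card": f"donor-{h}", "amount": 25.0 + 5 * h, "approved": True}
            for h in range(6)]
    burst = datetime(2011, 11, 14, 23, 30)
    txns += [{"ts": burst + timedelta(seconds=10 * i), "ip": "203.0.113.7",
              "card": f"test-{i}", "amount": 1.00, "approved": i % 4 == 0}
             for i in range(40)]
    return sorted(txns, key=lambda t: t["ts"])

def apply_daily_velocity(txns, limit=DAILY_LIMIT):
    """Return (allowed, blocked): once a day's count hits the limit, block the rest."""
    per_day, allowed, blocked = defaultdict(int), [], []
    for t in txns:
        day = t["ts"].date()
        if per_day[day] >= limit:
            blocked.append(t)
        else:
            per_day[day] += 1
            allowed.append(t)
    return allowed, blocked

def flag_card_testing(txns, window=WINDOW, max_cards=MAX_CARDS_PER_SOURCE):
    """Flag source IPs that try many distinct cards for small amounts in a short window."""
    recent, flagged = defaultdict(list), {}
    for t in txns:
        if t["amount"] > SMALL_AMOUNT:
            continue
        hits = [h for h in recent[t["ip"]] if t["ts"] - h["ts"] <= window] + [t]
        recent[t["ip"]] = hits
        if len({h["card"] for h in hits}) > max_cards and t["ip"] not in flagged:
            flagged[t["ip"]] = t["ts"]   # moment the pattern first became visible
    return flagged

if __name__ == "__main__":
    allowed, blocked = apply_daily_velocity(constructed_transactions())
    print(len(allowed), "allowed,", len(blocked), "blocked;", flag_card_testing(constructed_transactions()))
```

On the constructed data the daily cap only trips after 19 test charges have already gone through, while the per-source check flags the burst on its sixth card, which is why the cap and daily review work best together.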

Fraudulent Returns

Here, someone with access to a credit card terminal will run a return transaction on their credit card, putting a credit on their card, when there was no original sales transaction to be returned. The thief will often do this first thing in the morning and then batch out the terminal so there is no record on the closing report. To protect against this type of fraud, keep the terminal in a protected area and consider putting a password on the return function.


First we had phishing, where emails prompted users to reply with sensitive information to confirm they were the actual owners of specified accounts. This evolved to SMSishing, where the solicitation was sent via text. Now there’s whaling, where profiles on LinkedIn and Facebook with descriptors like vice president, chief executive officer, chief financial officer, etc. are targeted. Google was hacked in 2010 via a PDF file sent to executives that, once opened, created a vulnerability on each user’s computer so hackers could steal information. If you have one of these profiles on Facebook, LinkedIn, YouTube or another social media outlet, keep your private information private and watch out for requests for sensitive information.