Holiday Scams: 'Tis the Season to Be Wary

Oct 11, 2022 • 8 min

In 2021, bad bot usage increased more than 106% year-over-year. Bot attacks are most often targeted at Hardware/Software/Electronics; Health and Wellness; and Sports and Recreation businesses.6 But any business is fair game.

Card Skimming
Fraudsters place malicious code within sites to steal card data. This “card skimming” is an old trick, but it has some new flavors that exploit the popular open-source plugin WooCommerce.7

  • Slect Skimmer
    Here, the word “select” is purposely misspelled in the script, which searches for form fields from which the fraudster doesn’t want to pull data. Then a listener awaits the click of a button.

  • WooTheme Skimmer
    Compromises third-party themes and technologies used in WooCommerce pages.

  • Gateway Skimmer
    Contains an inordinate amount of code and uses the terms “gate” or “gateway” to hide or make malware processes unclear.

Each of these Magecart skimmers works to avoid detection while stealing.

Some thieves aren’t happy with simply stealing; they want to shut down your entire operation and extort a large payment. Their tactic of choice is ransomware. Over a four-year period, global cybersecurity AI firm Darktrace detected a 70% spike in attempted ransomware attacks during the months of November and December. Incidents between Christmas and the New Year are also increasing.8

Every innovation seems to have a dark side. Phishing-as-a-Service (PhaaS) perpetrators use their skills to recruit and/or assist others to commit cybercrimes. They usually sell their products and services — including kits with code, stolen personal information, fake domain and email templates, target lists, and more — on the dark web. PhaaS enables aspiring criminals to cheaply, easily, and frequently commit cyberattacks. This scam is usually targeted at major brands and is popular leading up to Black Friday. Seventy-three percent of organizations have been victimized in the last two years.9

Brick and mortars aren’t safe from holiday scams either.
Though online fraud is the “crime du jour,” physical retailers aren’t exempt and should be particularly careful to protect assets during the holidays. Tried and true threats include:

  • Shrinkage
    Most retailers have come to expect some shrinkage throughout the year. However, shoplifting, fraud and employee theft often rise by more than 15% during the holidays, with 37% of retailers’ annual shrinkage occurring during the holidays.10 Criminals count on employee absences, a more relaxed office environment, and high foot traffic to go unnoticed during this time.

  • Organized Retail Crime
    Crime rings are also busy during the holidays. Early on, they may confiscate goods anywhere in the supply chain before delivery to the store. This “cargo theft” accounts for up to $30 billion in losses each year.11 “Push out” theft is akin to shoplifting, but on a much larger scale. Criminals cart up larger items and take them without paying. The average loss for this crime is $1,342 and 10% of these acts end in violence.12

Fraud is unbelievably expensive.
To say that fraud is harmful to the bottom line is an understatement. Fraud costs are enormous. According to a PwC survey, of the 52% of businesses with annual global revenues of more than $10 billion that experienced fraud, 20% said their “most disruptive [fraud] incident” cost more than $50 million.13

Early detection and prevention are key to protecting your business during the holidays and always.
The first critical step in protecting your business from criminal activity during the holidays is conducting an assessment. Evaluating your risk for theft, cybercrime and occupational fraud reveals weak spots and vulnerabilities and allows you to create systems and processes to protect your assets.

Every industry has unique fraud challenges, and different channels require different solutions. Seek the advice of professional advisors who can help you identify and reduce fraud risk for your specific business circumstances. Also consider a few best practices.

  1. Layer fraud prevention tools.
    Because there are so many diverse channels and criminal tactics, businesses should adopt a layered approach to fraud prevention. IBM recommends a comprehensive digital security plan that addresses the system, network, application, and transmission levels individually. Then document how the levels will integrate with each other.14

    Whatever fraud mitigation steps you take, keep in mind that you don’t want to create additional “friction” – slow or unpleasant interactions – with customers. Fraud prevention tools should be a seamless part of the customer experience.

  2. Maintain tight internal controls.
    Firmly manage accounting controls such as segregation of duties, audits and management review of expenses, bank statements and collections. Set thresholds and limits for customer and employee purchases, with oversight for above-limit purchases and too-frequent return attempts. Examine commission policies to ensure that employees are not rewarded for selling to friends, family or fraudsters who will return merchandise in the post-holiday period.

  3. Continually update systems and software.
    Fraudsters change their techniques and technologies often, seeking new vulnerabilities to exploit your systems and processes. Start with a comprehensive plan, but always test your network, systems, and software to ensure they support a strong security posture. “If-then” logic programs recognize patterns that are already identifiable. Newer technologies with machine learning recognize data associated with fraud patterns and automatically react to new outcomes and patterns via a feedback loop.

  4. Establish consistent training and processes.
    Consistency exposes anomalies. Regardless of channel, with uniform training and fraud prevention procedures, your team will be more likely to recognize inconsistencies that point to fraud and cost you money. Implement training that drives home standardized practices, despite holiday chaos.

  5. Immediately report suspicious activity.
    If you experience application pop-ups, error messages, unfamiliar login screens, suspicious emails, or other unusual activity, report them to your security team right away. Do not click on suspicious links. The FBI hosts a comprehensive cybercrime site, where you’ll find tips to protect your business, news, and instructions for reporting a claim if you believe you’ve been a victim.

  6. Staff up – especially security professionals.
    If you have brick-and-mortar locations, be sure you’re staffed at an appropriate level to protect your store. You might consider limiting the number of customers in the store at any one time. For online retailers, staffing up IT and customer service teams can help relieve holiday fatigue and make it easier to deter fraudsters using web, chat, and phone channels. No matter how you do business, ensure that your employees are properly trained to quickly identify, escalate, and mitigate fraud attempts.

Beware — and be aware
Holiday scams do lasting damage during the holidays, stealing profits at a time when many businesses are counting on their biggest sales of the year. With so much at stake, business owners and executives can’t afford to neglect holiday fraud. Beware of fraudsters — and be aware of the steps you can take to thwart their schemes.

Synovus is on your side in the fight against holiday fraud. Let us help you protect, manage, and grow your business. For more information, simply complete a short form and a Synovus Treasury & Payment Solutions Treasury Consultant will contact you with more details. You can also stop by one of our local branches.

