Holiday Scams: 'Tis the Season to Be Wary
The holidays should be a joyous time spent with family and friends. But fraudsters see this as the ideal time to steal from consumers and businesses alike. From Thanksgiving to Cyber Monday, fraud attempts in the U.S. have remained consistent over the last four years at almost 20%.1
Digital channels and the holidays are the perfect mix for unmerry mayhem.
Criminals follow opportunity. As more and more transactions are conducted online, we can also expect fraud to rise in the channel. Retail e-commerce sales are expected to reach more than $1 trillion in 2022 and close to $2 trillion ($1.7 trillion) in 2023.2 Undoubtedly, fraudsters will find these numbers too tempting to resist.
So, what holiday scams should you look for?
When fraudsters collect (harvest) usernames and passwords stolen from one organization (often during data breaches) to access accounts at other companies, it’s called credential stuffing. This trick takes advantage of consumers who use the same credentials for multiple accounts. In 2020, credential stuffing increased 56% during the holidays.3
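How a security team might spot this pattern in login records, as an added example that is not from the original article or its sources: a credential stuffing source tries many different usernames in a short time and mostly fails, while a customer mistyping a password or an office behind one address does not. The log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window per source
MIN_USERS = 5                   # assumed: distinct usernames tried by one source
MIN_FAIL_RATIO = 0.8            # assumed: share of attempts that failed

def parse(line):
    """Parse 'TIMESTAMP ip=... user=... result=OK|FAIL' into a tuple."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, kv["ip"], kv["user"], kv["result"] == "OK"

def stuffing_sources(lines):
    """Return {ip: (distinct_users, fail_ratio)} for sources matching the pattern."""
    recent = defaultdict(deque)   # ip -> attempts still inside the window
    flagged = {}
    for when, ip, user, ok in sorted(map(parse, lines)):
        q = recent[ip]
        q.append((when, user, ok))
        while when - q[0][0] > WINDOW:      # drop attempts older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        fail_ratio = sum(not s for _, _, s in q) / len(q)
        if len(users) >= MIN_USERS and fail_ratio >= MIN_FAIL_RATIO:
            flagged[ip] = (len(users), round(fail_ratio, 2))
    return flagged

# Constructed sample: one stuffing source, one forgetful customer, one shared office address
SAMPLE = """\
2022-11-25T09:00:01Z ip=203.0.113.7 user=alice result=FAIL
2022-11-25T09:00:03Z ip=203.0.113.7 user=bob result=FAIL
2022-11-25T09:00:05Z ip=203.0.113.7 user=carol result=FAIL
2022-11-25T09:00:07Z ip=203.0.113.7 user=dan result=FAIL
2022-11-25T09:00:09Z ip=203.0.113.7 user=erin result=FAIL
2022-11-25T09:00:11Z ip=203.0.113.7 user=frank result=OK
2022-11-25T09:01:00Z ip=198.51.100.20 user=gina result=FAIL
2022-11-25T09:01:20Z ip=198.51.100.20 user=gina result=FAIL
2022-11-25T09:01:45Z ip=198.51.100.20 user=gina result=OK
2022-11-25T09:02:00Z ip=192.0.2.50 user=hal result=OK
2022-11-25T09:02:10Z ip=192.0.2.50 user=ivy result=OK
2022-11-25T09:02:20Z ip=192.0.2.50 user=jo result=OK
2022-11-25T09:02:30Z ip=192.0.2.50 user=kim result=OK
2022-11-25T09:02:40Z ip=192.0.2.50 user=lee result=OK
""".splitlines()

if __name__ == "__main__":
    print(stuffing_sources(SAMPLE))
```

The single successful login from the flagged source (user `frank` in the sample) is the account to review first, since it is where a reused password worked.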
In this scenario, fraudsters use stolen or fake identities to create fictitious accounts from which to commit crime. According to Arkose Labs, “fake accounts open the doors to downstream fraud that directly impacts the bottom line of e-commerce firms.”4
According to the FBI, two popular holiday scams are non-delivery and non-payment in which a buyer either pays for goods or services that aren’t received or receives items for which the seller isn’t paid. These types of fraud were responsible for $265 million in losses just two years ago.5
Fraudsters don’t limit their tactics to just two. There are several schemes they use to attack businesses during the busy holiday season.
Bots are independently governed programs that interact with networks or users to perform specific duties. Increasingly, fraudsters are using bots — sometimes entire networks of them (botnets) — to take control of companies’ systems, including websites and applications. Attacks might include:
- Denial of Inventory
In this scam, bots reserve high-value, limited availability items in shopping carts to show low inventory and prevent purchase. Companies not only lose revenue but may also suffer reputational damage when customers are repeatedly denied the products they want.
- Checkout Abuse
Similar to denial of inventory, here fraudsters purchase a company’s entire allotment of specialty items and resell them for a profit.
- Promo Abuse
Sometimes fraudsters will create multiple fake accounts to obtain bonuses, discounts and freebies intended for loyal customers.
Botnet attacks, controlled remotely, infect multiple devices to enable widespread adverse actions within a company. They can be much more destructive than a single bot attack.
In 2021, bad bot usage increased more than 106% year-over-year. Bot attacks are most often targeted at Hardware/Software/Electronics; Health and Wellness; and Sports and Recreation businesses.6 But any business is fair game.
Fraudsters place malicious code within sites to steal card data. This “card skimming” is an old trick, but it comes in some new flavors that exploit the popular open-source plugin WooCommerce.7
- Slect Skimmer
Here, the word “select” is purposely misspelled in script to search for form fields from which the fraudster doesn’t want to pull data. Then a listener awaits the click of a button.
- WooTheme Skimmer
Compromises third-party themes and technologies used in WooCommerce pages.
- Gateway Skimmer
Contains an inordinate amount of code and uses the terms “gate” or “gateway” to hide or make malware processes unclear.
Each of these Magecart skimmers works to avoid detection while stealing.
Some thieves aren’t happy with simply stealing; they want to shut down your entire operation and extort a large payment. Their tactic of choice is ransomware. Over a four-year period, global cybersecurity AI firm Darktrace detected a 70% spike in attempted ransomware attacks during the months of November and December. Incidents between Christmas and the New Year are also increasing.8
Every innovation seems to have a dark side. Phishing-as-a-Service (PhaaS) perpetrators use their skills to recruit and/or assist others to commit cybercrimes. They usually sell their products and services — including kits with code, stolen personal information, fake domain and email templates, target lists, and more — on the dark web. PhaaS enables aspiring criminals to cheaply, easily, and frequently commit cyberattacks. This scam is usually targeted at major brands and is popular leading up to Black Friday. Seventy-three percent of organizations have been victimized in the last two years.9
Brick and mortars aren’t safe from holiday scams either.
Though online fraud is the “crime du jour,” physical retailers aren’t exempt and should be particularly careful to protect assets during the holidays. Tried and true threats include:
Most retailers have come to expect some shrinkage throughout the year. However, shoplifting, fraud and employee theft often rise by more than 15% during the holidays, with 37% of retailers’ annual shrinkage occurring during the holidays.10 Criminals count on employee absences, a more relaxed office environment, and high foot traffic to go unnoticed during this time.
- Organized Retail Crime
Crime rings are also busy during the holidays. Early on, they may confiscate goods anywhere in the supply chain before delivery to the store. This “cargo theft” accounts for up to $30 billion in losses each year.11 “Push out” theft is akin to shoplifting, but on a much larger scale. Criminals cart up larger items and take them without paying. The average loss for this crime is $1,342 and 10% of these acts end in violence.12
Fraud is unbelievably expensive.
To say that fraud is harmful to the bottom line is an understatement. Fraud costs are enormous. According to a PwC survey, of the 52% of businesses with annual global revenues of more than $10 billion that experienced fraud, 20% said their “most disruptive [fraud] incident” cost more than $50 million.13
Early detection and prevention are key to protecting your business during the holidays and always.
The first critical step in protecting your business from criminal activity during the holidays is conducting an assessment. Evaluating your risk for theft, cybercrime and occupational fraud reveals weak spots and vulnerabilities and allows you to create systems and processes to protect your assets.
Every industry has unique fraud challenges, and different channels require different solutions. Seek the advice of professional advisors who can help you identify and reduce fraud risk for your specific business circumstances. Also consider a few best practices.
- Layer fraud prevention tools.
Because there are so many diverse channels and criminal tactics, businesses should adopt a layered approach to fraud prevention. IBM recommends a comprehensive digital security plan that addresses the system, network, application, and transmission levels individually. Then document how the levels will integrate with each other.14
Whatever fraud mitigation steps you take, keep in mind that you don’t want to create additional “friction” – slow or unpleasant interactions – with customers. Fraud prevention tools should be a seamless part of the customer experience.
- Maintain tight internal controls.
Firmly manage accounting controls such as segregation of duties, audits and management review of expenses, bank statements and collections. Set thresholds and limits for customer and employee purchases, with oversight for above-limit purchase and too-frequent return attempts. Examine commission policies to ensure that employees are not rewarded for selling to friends, family or fraudsters who will return merchandise in the post-holiday period.
- Continually update systems and software.
Fraudsters change their techniques and technologies often, seeking new vulnerabilities to exploit your systems and processes. Start with a comprehensive plan, but always test your network, systems, and software to ensure they support a strong security posture. “If-then” logic programs recognize patterns that are already identifiable. Newer technologies with machine learning recognize data associated with fraud patterns and automatically react to new outcomes and patterns via a feedback loop.
- Establish consistent training and processes.
Consistency exposes anomalies. Regardless of channel, with uniform training and fraud prevention procedures, your team will be more likely to recognize inconsistencies that point to fraud and cost you money. Implement training that drives home standardized practices, despite holiday chaos.
- Immediately report suspicious activity.
If you experience application pop-ups, error messages, unfamiliar login screens, suspicious emails, or other unusual activity, report them to your security team right away. Do not click on suspicious links. The FBI hosts a comprehensive cybercrime site, where you’ll find tips to protect your business, news, and instructions for reporting a claim if you believe you’ve been a victim.
- Staff up – especially security professionals.
If you have brick-and-mortar locations, be sure you’re staffed at an appropriate level to protect your store. You might consider limiting the number of customers in the store at any one time. For online retailers, staffing up IT and customer service teams can help relieve holiday fatigue and make it easier to deter fraudsters using web, chat, and phone channels. No matter how you do business, ensure that your employees are properly trained to quickly identify, escalate, and mitigate fraud attempts.
Beware — and be aware
Holiday scams do lasting damage during the holidays, stealing profits at a time when many businesses are counting on their biggest sales of the year. With so much at stake, business owners and executives can’t afford to neglect holiday fraud. Beware of fraudsters — and be aware of the steps you can take to thwart their schemes.
Synovus is on your side in the fight against holiday fraud. Let us help you protect, manage, and grow your business. For more information, simply complete a short form and a Synovus Treasury & Payment Solutions Treasury Consultant will contact you with more details. You can also stop by one of our local branches.