A fast-growing tactic known as business email compromise ties into another major concern leading into the holidays: gift card fraud.
If you’re like most retailers, you’re probably looking forward to a hectic, yet rewarding and lucrative time of year, owing to the typical holiday season sales boost. Unfortunately, increased sales also mean increased risk.
Most sellers are familiar, at least to some degree, with fraud tactics like synthetic identity theft. Some very costly threats come from surprising sources, though.
What is business email compromise?
Business email compromise (BEC) is a form of digital wire fraud. On a certain level, it’s a more sophisticated attack than some of the cruder identity-based fraud tactics that rely on impersonating a credentialed individual.
As the name implies, BEC involves an attacker gaining access to a company email account. The fraudster, impersonating the owner of the account, uses their stolen identity to spoof employees or customers of the company, turning them into unwitting accomplices in the scheme.
This seems like something that would be a concern primarily for institutions involved in a field such as banking or medicine. It’s a serious problem for retailers too, though, as a fraudster can use BEC tactics to accomplish a variety of goals. For example, a bad actor may trick your employees into transferring funds into an illicit account or handing over sensitive customer information. The fraudster may also communicate with third parties on your behalf, like vendors or legal counsel, which could put the business in a very sensitive position.
Of course, fraudsters can’t steal money directly by engaging in BEC. Gift cards, however, offer a perfect opportunity to translate BEC into cash.
BEC and gift card fraud
Fraudsters often use gift cards as a convenient cash-out method for schemes. A criminal might hack an email account from the IRS or other official organization and instruct the victim to purchase a gift card and transfer it to a beneficiary to pay for some made-up penalty.
Gift cards are anonymous, making them hard to track. At the same time, they are ubiquitous, and they hold value just like cash; in 2018, 55 percent of consumers were interested in giving or receiving a digital gift card. These qualities make gift cards very attractive to fraudsters.
According to the newly released Q3 2019: Email Fraud and Identity Deception Trends report by Agari, gift card fraud now accounts for two-thirds of BEC attacks. Given that BEC tactics have resulted in $26 billion in losses over the last three years, we’re talking about several billions of dollars in gift cards each year.
Both consumers and merchants can end up paying the price for BEC-enabled gift card fraud. For instance, a customer might insist that a transaction was fraudulent and try to recover the money spent by using a chargeback. This is an example of deliberate chargeback abuse (known as “friendly fraud”), as even though it was at the behest of a criminal, the customer did knowingly authorize the purchase.
Preventing and identifying BEC attacks
So, what can you do about BEC-enabled gift card fraud? There are two ways to approach this: prevent bad actors from taking over your email accounts, and prevent your gift cards from being used as part of a BEC scam.
New technologies make it possible to enforce multi-factor authentication on devices that access your network, though this remains generally limited. Thus, it’s recommended that you abide by PCI compliance standards. For example, this includes requiring employees to lock all computers when away even momentarily, and never to use another employee’s login credentials. All accounts should also be protected by strong, unique passwords, which change on a regular basis.
How can you tell if a breach has already occurred, though? Well, one simple tactic is to log and monitor authentication requests for all internal email addresses. That way, if an unfamiliar device or suspicious IP address attempts to access an account, you have a way of flagging and blocking the incident. You can also review the contents of individual emails for suspicious activity.
As for gift card purchases, watch for any with a suspicious transaction value. For instance, an occasional or new buyer who purchases a $1,000 gift card should raise red flags. These transactions should be subject to manual review to try to weed out fraud.
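The two checks described above, login monitoring for unfamiliar devices or IP addresses and manual-review routing for high-value gift card orders from new or occasional buyers, as an added example that is not part of the original article. The log format, the $500 threshold and the two-order cutoff for an "occasional" buyer are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample authentication log, one "key=value" record per line (not real data).
AUTH_LOG = """\
2019-11-20T08:01:12Z account=ap@example-retailer.com ip=198.51.100.10 device=laptop-ap-01 result=success
2019-11-20T09:14:03Z account=cs@example-retailer.com ip=198.51.100.22 device=desktop-cs-04 result=success
2019-11-21T08:03:41Z account=ap@example-retailer.com ip=198.51.100.10 device=laptop-ap-01 result=success
2019-11-21T23:52:09Z account=ap@example-retailer.com ip=203.0.113.77 device=unknown-android result=success
""".splitlines()

# Constructed gift card orders: (customer_id, prior_order_count, amount_usd).
GIFT_CARD_ORDERS = [
    ("c-1001", 12, 100.00),   # regular customer, small card
    ("c-2002", 0, 1000.00),   # brand-new buyer, $1,000 card
    ("c-3003", 1, 250.00),    # new buyer, modest value
    ("c-4004", 2, 600.00),    # occasional buyer, high value
]

HIGH_VALUE_USD = 500.00     # review threshold (assumption)
OCCASIONAL_MAX_ORDERS = 2   # at most this many prior orders counts as "new or occasional" (assumption)


def parse_auth_line(line):
    """Split one constructed log line into a dict of its key=value fields plus the timestamp."""
    timestamp, *tokens = line.split()
    fields = dict(token.split("=", 1) for token in tokens)
    fields["timestamp"] = timestamp
    return fields


def flag_unfamiliar_logins(lines):
    """Flag attempts where the IP or device has not been seen before for that account.

    The first record for an account seeds its baseline; later records are compared to it,
    and every record (flagged or not) extends the baseline so repeat sightings stay quiet.
    """
    known_ips, known_devices = defaultdict(set), defaultdict(set)
    flagged = []
    for event in map(parse_auth_line, lines):
        acct, ip, device = event["account"], event["ip"], event["device"]
        if known_ips[acct] and (ip not in known_ips[acct] or device not in known_devices[acct]):
            flagged.append(event)
        known_ips[acct].add(ip)
        known_devices[acct].add(device)
    return flagged


def flag_gift_card_orders(orders, high_value=HIGH_VALUE_USD, occasional_max=OCCASIONAL_MAX_ORDERS):
    """Route to manual review: high-value cards bought by new or occasional buyers."""
    return [(cust, amt) for cust, prior, amt in orders if amt >= high_value and prior <= occasional_max]


if __name__ == "__main__":
    for event in flag_unfamiliar_logins(AUTH_LOG):
        print("REVIEW LOGIN:", event["timestamp"], event["account"], event["ip"], event["device"])
    for cust, amt in flag_gift_card_orders(GIFT_CARD_ORDERS):
        print(f"REVIEW ORDER: {cust} ${amt:,.2f}")
```

Both functions return the flagged records rather than acting on them, so they can feed a ticket queue or a block rule without changing the logic.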
BEC-enabled gift card fraud is very difficult to distinguish from legitimate activity. The only way to prevent it entirely, though, is to cut out gift cards — a decision most would be reluctant to make. The best solution is to embrace gift cards, but only while engaged in the fraud detection best practices outlined above.