Reputation Management: The High Cost Of Social Media Fraud
1: Where is fraud that affects businesses most prevalent on the web?
As social media and e-commerce take larger and larger roles in our everyday lives, fraudsters are finding that online scams and schemes are paying rich dividends. In emails and through mobile apps, on websites and in social networking groups, fraudsters are lurking everywhere. They are lurking where you are working, playing and transacting business.
2: What kinds of businesses are most susceptible to fraud?
There are a few great markers for online fraud risk. First – how popular is a brand, how trusted, how established, and how visible? Second, how transaction-driven is the business? Third, how important are those transactions to everyday living?
It’s no wonder, given these three criteria, that telecoms and financial institutions are frequently targeted by fraudsters; and, likewise, retailers and entertainment companies. But other trusted companies and institutions are also at risk: for example, insurance companies, universities and colleges, and popular charities. In fact, all companies that engage in online commerce of any kind should take note.
As businesses become more successful and business brands become recognized and trusted, they become the targets of opportunity for fraudsters. Think about it – banks, credit card issuers, brokers, insurers, retailers, e-commerce sites, auction sites, sports teams, video streaming sites, even sites that sell theater and movie tickets.
These are sites we use every day, and these are sites that bombard us with special deals, limited time offers, and, from time to time, account alerts. Unfortunately, not all of these offers are official authorized offers. Some of them are the work of fraudsters and other bad actors.
3: What can companies do to understand how fraud might be affecting them?
First, understand your exposure. If you work at a highly visible business with an iconic trademark, or one that offers a highly sought after product or service, or a similarly visible and popular business that mediates or services a commonly used transaction account, you need to be on notice: Fraudsters are probably already at work, co-opting your brand and deceiving the public. Even lower profile companies that manage customer relationships online are at risk.
The easiest way to gain an understanding of your exposure to online fraud is to audit your online presence. By looking at the places that your brands and IP appear online, and looking at how they are portrayed, you can quickly learn how much control you have over that activity. The more you find “unauthorized” activity, the more you are at risk.
Online scams are being launched every day, and the odds are that sooner or later, one of them will use your brand, your products, or your executives to gain the trust of unsuspecting victims. Take steps today to understand how your brand, IP, and other valuable assets are appearing online.
4: What is there to lose for businesses that are affected by social media fraud?
Social media exposure and fraud are becoming a larger and larger issue for the owners of valuable brands. Sometimes erroneous information about a brand is benign; but, other times, it is quickly propagated across social media, creating an online incident that can affect every aspect of your business. When fraudsters are at play, the potential for damage is immense.
For public companies, social media rumors about executives, business partnerships, regulatory approvals, product introductions, potential fines, and business results can manipulate markets. An erroneous online report about a supposed Steve Jobs heart attack once sent Apple stock plunging 10 percent of its book value in 10 minutes. No wrongdoing was ever alleged in that situation, but Apple’s experience makes a strong case study for damage potential from fraud.
The research firm AON attempted to quantify this risk when it said: “Within a five year period, there is an 80 percent chance that a company will endure a social media event that reduced their stock price 20 percent.” With the increasing proliferation of social domains, and the general lowering of the barriers to entry for fraudsters, the risk of damage from online fraud has only gone up.
More recently, fraudsters have enjoyed success infiltrating businesses to steal easily monetized assets, such as account user names and passwords, or network credentials. Many of the recent high-profile cybercrimes and breaches that have dominated the headlines started out with a small incident – someone provided a fraudster with an email address, a password, or access to their phone.
5: What are the major ways that fraud is perpetrated?
All fraud, whether it is online or real time, depends upon the same thing – establishing trust. The online fraudster almost always masquerades as a trusted source, a representative or even an executive of a trusted or strategic brand. They use fake email addresses, counterfeit websites, Twitter accounts, Instagram profiles, video and Vines, mobile apps, Facebook accounts, LinkedIn pages… frankly, they use everything to reach out to unsuspecting consumers, and present them with a seemingly authentic message or set of messages.
Usually the message is built around some kind of urgency, something like the classic “your account may have been compromised” approach or the “this offer expires today – act now” approach. The urgency puts the prospective victim under stress because when someone is under stress they act quickly, perhaps overlooking things that aren’t quite right. It is fair to say that the more urgency there seems to be in an online message, the more likely it is that the message is part of a fraud scheme.
Take the most common online scheme, an email-based phishing scam. We have all received them, “helpful” emails supposedly from banks and credit card issuers, “alerting” us to a “potential problem with our account” and advising us to “click this link” to reset our password.
The email looks legitimate, the logo of the trusted institution appears to be correct, and the layout is clean and professional. But, it’s not from our bank. A criminal is using the bank’s trusted logo to try to make us confident that we should click. No matter the scam – phishing, domain, social media, or mobile app-based – the basic process is the same: the fraudster steals a trusted brand and tries to parlay that brand trust into a successful scam.
6: How have the fraudsters changed the way they are using the Internet?
Basically, online fraud has grown up as the Internet has grown up. Fraud schemes have evolved from simple email-based scams (“I have a wealthy uncle in Nigeria…”) to sophisticated schemes that integrate social media activities with counterfeit websites to harvest user information. Today fraudsters even boldly masquerade as C-level executives from recognized companies, building false relationships with unsuspecting individuals. They take their time to spring their trap, but eventually they do, looking to parlay their “friendship” into deeper access into the company or industry.
Today, online, nothing is out of bounds. Even a mobile app or game can be a platform for fraud, siphoning users away from legitimate applications, serving unwanted ads or, worse, connecting the information on a user’s mobile device – contacts, photos, social media passwords, network credentials, geolocation, and more – directly to the thieves. The bad guys are getting really good.
7: What current technology trends are impacting fraud that affects businesses?
The technology trend that facilitates fraud more than any other isn’t really a technology trend at all. It’s a social media trend. As more and more business, communication, and interaction between people moves online, and increasingly, onto mobile devices, the nature of trusted relationships changes fundamentally. People no longer transact business face to face, or even voice to voice.
Email, tweets, posts, websites, mobile apps, and even text messages have become the primary vehicles for business. And, because business has moved online, the entity that reassures people has changed – today it is a trusted logo, a familiar looking website or app, a recommendation from a friend, or, on a product review site, a recommendation from a stranger.
The change in the nature of trusted relationships has opened the doors for fraudsters. Using professionally-created and designed emails, supported by websites, mobile apps, and social media, fraudsters can take on the appearance of the brands that you trust most. In fact, with the advent of social accounts (such as a LinkedIn profile or Facebook page), it is possible for a fraudster to steal an identity, mimic a person, and use that person’s credibility as an accomplice in their scheme.
As the technology for business and living – everything from shopping to banking to health insurance – migrates to the Internet, the things that are valuable to thieves have changed too. Today, there is a black market for access – stolen usernames and passwords are bought and sold every day. And there is a flourishing market for personally identifiable information (PII), including addresses, bank account numbers, health care credentials, and social security numbers. The purchasers are criminals who want to use those identities as part of a scheme to defraud consumers, to steal money, to infiltrate businesses, and to misdirect others.
8: What steps can a business take to minimize their exposure? (corporate action, personal responsibility)
To be safe from online fraudsters, the best defense is knowledge and vigilance. So, the first, second, and third most important step a business can take to minimize exposure to fraud is to educate its employees about the presence and nature of online threats.
As employees become more aware of the kinds of online actions that put them at risk (clicking on an unknown link, opening a strange attachment, friending someone they don’t really know, downloading a mobile app from an unknown publisher, etc.), their exposure to personal risk and compromise is dramatically reduced. And, when a business’ employees are more secure, the business is more secure. All new employees should undergo cyber-threat training. And, all employees should have an annual refresher.
9: What are the steps that companies should take to secure their brand reputation and brand trust online?
There are a few simple steps that all companies should take to secure their brand and brand trust. The first objective would be to understand who is using your brand online. Audit the Internet for brand mentions, logo and IP usage. Then, try to understand which usages come directly from your activities or your authorized partners’, and which uses are from third parties. It is likely that you will be surprised by the number of third-party mentions you find.
Ideally, your threat monitoring would comprise more than just a one-time audit. It should become a part of your everyday routine. You can perform this monitoring in house, or work with any of a number of companies that specialize in cyber threat monitoring, brand monitoring, threat analysis and risk mitigation. At some companies, this work will fall to security teams, at other companies to compliance, legal or IT. But, at the more forward-thinking companies, threat and brand monitoring is something that drives and demands cross-departmental collaboration.