Fraudsters Are Phishing for Your Customer Data
While essential workers are treating patients, stocking grocery shelves, and providing other vital services during the Coronavirus pandemic, many people are staying home and putting their activities on hold. There’s one particular group that hasn’t let this crisis slow them down at all: cybercriminals. Worse yet, they’re taking advantage of the novelty and confusion surrounding recent events to defraud consumers. Fraud is a problem that changes forms, but never really goes away, and this time is no different. What can merchants do to protect themselves and their customers from fraudsters who will stop at nothing to steal data they can exploit?
Fraud is constantly evolving as its victims learn about new schemes, develop tools and practices to defend against them, and educate others about how to avoid falling for them. It has probably been a long time since you got an email from a fugitive prince asking you to help him wire his fortune out of his home country, but the fraudsters are always out there, inventing and testing new ways to spend other people’s money.
Fraudsters were active before COVID-19 and they will be active after it, but the current situation, unprecedented as it is, has prompted many industries and organizations to relax some safeguards to make it easier for people to avoid social contact. Technologies that can help people now are being released ahead of schedule, before all the potential vulnerabilities have been discovered and addressed. Consumers can no longer rely as easily on past experience to judge the validity of an official-looking message they may receive. In many fundamental ways, everything is different now, and while a great many people are rising to the occasion and finding ways to uplift each other, the fraudsters are taking full advantage of it to phish for personal data and payment credentials.
What Are The Most Common Phishing Attacks?
“Phishing” is when a fraudster sends a communication intended to get their victim to give up some valuable private information, such as a password or credit card number. Phishing tends to rely less on technology and more on old-fashioned deception, although technology can help make phishing attempts look more authentic and convincing. Phishing can happen over any electronic medium, by phone or fax, or even in person.
Email phishing is very common. Typically, the intended victim will get an email that looks like an official message from their bank, employer, or some other institution they’re inclined to trust. The email will ask them to provide the data that the fraudster wants to steal—their social security number, credit card number, account password, or whatever—and will usually furnish a specific website, reply address, or phone number for the customer to use. They will often threaten some sort of penalty, such as account termination, if the victim does not respond.
Of course, hardly any legitimate organization would ever ask a customer to submit sensitive data over email or any other insecure channel, but not everybody knows this.
Over time, consumers have gravitated away from email and toward mobile devices and platforms, which has led to a rise in text and social media phishing. These attacks closely resemble email phishing in their general contours, but they tend to take advantage of the platforms they’re using. Text phishers can use URL shorteners to conceal the true destination of their links in ways that victims might gloss over; social media phishers can use fake profiles and friend requests to try to make themselves look legitimate.
Merchants who are more likely to find themselves impersonated by phishers, such as financial services or healthcare providers, should do their best to educate their customers about how and where they will receive official communications, and warn them of some of the telltale signs of phishing fraud, such as:
- Misspellings and a generally poor grasp of the language they’re communicating in
- Threats and deadlines
- No toll-free number or mailing address, just a link or email address
- The sender’s email address doesn’t match the organization they’re claiming to represent
A great piece of general advice is that when a customer receives a communication that seems suspicious, they should always look up the organization’s customer service number independently (in other words, don’t read it off the suspicious email) and call them directly to inquire about it.
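The telltale signs listed above can be turned into a simple check that a merchant’s support or security team could run over emails customers report. This is an added example, not code from the original post: the sample messages, sender domains and the expected_domain parameter are constructed, and a spelling check is left out because it would need a dictionary.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample imitating a bank alert; sender domain and link are made up.
PHISH_SAMPLE = """From: "Example Bank Alerts" <alerts@examp1e-bank-secure.net>
Subject: Urgent: your account will be terminated in 24 hours

Dear custumer, verify your password now at https://bit.ly/abc123 or your acount will be suspended.
"""

# Constructed sample of the kind of message a bank would actually send.
LEGIT_SAMPLE = """From: "Example Bank" <notices@example-bank.com>
Subject: Your monthly statement is ready

Sign in at https://www.example-bank.com to view it, or call 1-800-555-0100.
"""

# Public URL shorteners that hide a link's real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_RE = re.compile(r"\b(urgent|immediately|within \d+ hours|terminated|suspended)\b", re.I)
# A phone number, PO box or street address: the contact details phishers tend to omit.
CONTACT_RE = re.compile(r"\b1?[-. ]?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b|\bP\.?O\.? Box\b"
                        r"|\b\d+ [A-Z][a-z]+ (Street|St|Avenue|Ave|Road|Rd)\b")


def sender_domain(msg) -> str:
    """Domain of the real From address, ignoring the display name."""
    return parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()


def phishing_indicators(raw: str, expected_domain: str) -> list:
    """List the telltale signs found in a message claiming to come from expected_domain."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    found = []
    dom = sender_domain(msg)
    if dom != expected_domain and not dom.endswith("." + expected_domain):
        found.append(f"sender domain mismatch: {dom}")
    if URGENCY_RE.search(text):
        found.append("threat or deadline language")
    urls = URL_RE.findall(text)
    for url in urls:
        if urlparse(url).hostname in SHORTENERS:
            found.append(f"shortened link: {url}")
    if urls and not CONTACT_RE.search(text):
        found.append("link only, no phone number or mailing address")
    return found
```

A message that trips several indicators is worth escalating; a single one (a deadline in an otherwise ordinary notice) is only a prompt to verify through an independently looked-up number, as the advice above recommends.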
What Other Defenses Do Merchants Have?
Some companies are stepping up and providing assistance in the fight against fraud during this especially vulnerable time. Mastercard is partnering with the Health Information Sharing and Analysis Center, a nonprofit organization that addresses cybersecurity concerns in the healthcare sector, to offer free cybersecurity risk assessments to all healthcare organizations worldwide. Organizations that register for this service will also receive free access to Mastercard’s RiskRecon anti-fraud software through December 31, 2020.
Hospitals and medical facilities are a prime target for ransomware fraudsters, who know that these organizations cannot afford to have their medical records compromised or destroyed by hackers. Merchants who provide healthcare services should look closely into this offering.
Merchants understand the pain of fraud all too well. While the customer may be the primary target, they have some recourse against fraud in the form of chargebacks. Merchants have no standing to fight back against true fraud chargebacks—after all, this is the chargeback process being used for its intended purpose. Ultimately, the merchant suffers a loss of revenue and reputation when their customer is the victim of a fraudster, and while the customer may get their money back, the merchant won’t. That’s why it is extremely important to make anti-fraud protection a keystone of your chargeback defense plan.
Merchants in fields like healthcare are in a better position than most to communicate to their customers the importance of watching out for signs of fraud and protecting their privacy online. Make sure to reiterate to your customers that while many things are changing during this time, the security around your communications won’t—you will never ask for their password over the phone, verify credit card numbers over email, send them URLs to click, or do any of the other things fraudsters commonly do. Making use of appropriate anti-fraud tools is also necessary. We’re all going to have to work together to get through this, and that includes shutting down the cybercriminals who hope to profit from a crisis.