Con artists are as old as business itself, but the internet provides a whole new platform for unscrupulous individuals to try and steal from you. What kind of scams are people trying online, and how can you arm yourself against them? Angus Kidman investigates.
The rise of the internet has been of great benefit to most businesses, making it easier to communicate and opening up potential new national and international markets. According to the Sensis e-Business Report, 90 percent of Australian businesses now have an internet connection, and almost 60 percent make use of the channel to buy and sell goods.
But there's also a darker side to the e-commerce era. As well as providing a communication channel for legitimate customers, it also provides a new mechanism for scammers and con artists to try and fleece money from businesses, using a mix of approaches that combine technical savvy and old-fashioned criminality.
Computer security experts are in no doubt that such scams are on the rise. "It is very prevalent. There are all kinds of scams out there," says David Freer, senior director for consumer and small business at software developer Symantec. "It's the fastest-growing threat online."
Anecdotal evidence suggests the gifts and homewares industry is being particularly targeted. "Based on the spam that I've seen, the novelties and gift industries seem to have rich pickings for the mule scammers," says Paul Ducklin, head of technology for Sophos business security software, Asia Pacific. (Mule scamming involves finding someone willing to process a stolen credit card or otherwise participate unknowingly in some kind of scam.) "The business lends itself to net distribution and these scams are done largely online, so it's an obvious target."
While hackers once used to try and break into computer systems purely to prove their technical savvy, these days they are entirely driven by the ability to make money. "It's gone from a fame-based approach to pay for profit," Freer says. "It's a profit-driven business these days."
Disturbingly, it seems that internet scamming is now a full-time profession for many unscrupulous people. "It has become an industry," says Freer. "It isn't just individuals, there are factories generating code and writing scams. These are nine-to-five jobs being done." While certain countries are often singled out as common sites for scams, including Eastern Europe, the US, Africa and China, the reality is that internet scammers can be based anywhere.
Scamming involves a mixture of techniques. Specially created malicious code can be used to track transactions on individual computers, making it possible, for instance, to secretly log credit card numbers being used by consumers when they make purchases online. That information is then used in customised scams aimed at businesses who have credit-card processing facilities, providing the opportunity to utilise those stolen cards without being directly implicated. Such scams are frequently distributed via spam email, often unwittingly sent using other consumer machines that have become part of an infected 'botnet' (a network of machines which have been secretly infected with code to make them usable remotely for criminal purposes). While the technologies used vary widely, the end goal remains the same: making money.
Email-based scams are particularly common, reflecting the fact that (according to Sensis) 97 percent of internet connected businesses regularly use email as a form of business communication. No business wants to risk turning away a potential customer, a fact which scammers are all too willing to take advantage of.
Victoria Johnson, managing director of South Australian jewellery wholesaler, Silver Treasures, was a victim of such an email scam. Johnson received an email from a business apparently based in Indonesia asking if she accepted credit cards to pay for orders. She then received an email order for a large quantity of goods, and while waiting for those items to come into stock, the scammers asked if she would be willing to order a $12,000 camera for them, which was unavailable in Indonesia. In return for her help, they offered a 15 percent commission—a potentially lucrative deal. "I didn't see a problem with that provided their credit card went through," she says.
The buyer asked for the deal to be paid for on multiple credit cards and via several smaller transactions, claiming that he wasn't sure what the balances were on his cards because he was in hospital. Johnson successfully processed the transactions, purchased the camera and shipped it.
"The day after I sent it the bank rang me demanding the money back," explains Johnson. "The cards were stolen. And because I'd taken off $1,000 at a time it looked like I was not the victim but the criminal. So the bank froze my merchant facilities and bank account until they were satisfied that I wasn't the crook—a week after I'd given $12,000 cash back to the bank."
Such scams remain common. "Probably once a week I get an email from another country that says that someone's interested in my product and asks if I take credit cards," says Johnson. "These days, I just delete them straight away." Banks generally don't protect merchants against credit card fraud on mail orders, and the lack of any central international policing makes it almost impossible to prosecute fraudsters operating across international borders.
To avoid such scams, Johnson now checks all emails requesting orders to see if they are specific to her company or merely a generic request. "If I am offered more than one credit card on a large first order, I ring the bank first to see if it is stolen. The cards will generally be from a US bank. If it is and the goods are not going to the US, then I reject it."
Scams involving abused credit cards are common, both indirect ones like that experienced by Johnson and more direct selling scams where products are ordered and dispatched but the transaction is subsequently cancelled, leaving the supplier out of pocket.
Not all scams involve direct credit card purchases, though. Other common approaches include requesting updated details for an international business directory, but then invoicing for inclusion in the directory; offering a commission to help transfer a large sum of money, but then requesting funds to cover ‘operational expenses’ (a trick often associated with Nigeria and hence frequently known as the 'Nigerian scam'); or suggesting that a stock is about to rise in value, encouraging people to invest in it and then profiting by shorting the stock in question.
Even if you're not directly involved in a scam, your online presence could be unwittingly serving to help scammers carry out their work. "If you're a small business with a website, our current measurements suggest that over 70 percent of web-hosted malware is on legitimate sites that have been compromised," Ducklin says. "In other words, two-thirds of the sites that have people panicking are sites that would otherwise be legitimate."
Quite apart from the impact on individual businesses that get scammed, the growth in online con tricks is also having a worrying impact on the willingness of individuals and companies to carry out transactions online. "It's generating concerns about doing business on the web," Freer says.
The best defence against such attacks appears to be a high degree of cynicism. "Particularly for smaller businesses who might get emails apparently soliciting their help, you need to remain righteously sceptical," Ducklin warns. "If it sounds too good to be true, it probably is. Watch out for people claiming that they can partner with you from overseas."
With the rise in hacker 'professionalism', it's dangerous to assume that your business is too small to be a target. "You don't have to be a massive player to be targeted by organised crime," Ducklin says. "If you get an email from somebody and you go 'Obviously, it can't be a scam because it's so well-focused', remember that they probably have sent a million of these things and they're hoping one will match up. Probabilities involving big numbers can deliver."
Quite aside from the direct loss of money inherent in many of these cons, your business reputation can be permanently damaged if you become unwittingly involved in an online scam. "It's the sort of reputation you can only lose zero times," says Ducklin. "The internet has a long memory, even if it's an innocent mistake."
You can also protect yourself by developing a more rigorous attitude to online payments. "You've really got to look at all your internal processes," Freer suggests. Individually checking all overseas credit card payments, or implementing a standard waiting period, can help protect against many types of fraud.
Strategies for Protection
Treat email queries with suspicion. Read any email query about your products carefully. For overseas purchasers, ask yourself why they feel it necessary to source goods from Australia.
Consider implementing a query form on your site rather than a simple email link. While this won't deter all spammers, it will make it clear if someone has harvested your address from elsewhere and is sending random queries to try and find victims for their latest scam.
Make your credit card policy clear. If someone emails you to ask if you accept credit cards, but you've already mentioned that fact prominently on your site, it's obvious that they haven't investigated your business. Ideally, don't accept credit cards via email; use a proper and secure process on your site.
If in any doubt about a credit card, check with the issuing bank. Stealing credit card details is a lucrative business online, so it always pays to double-check. For new customers, consider implementing a waiting period after processing cards before actually dispatching goods.
Investigate companies that want to do business with you. Bear in mind that it's relatively easy to create a legitimate looking website, so merely being directed to a site doesn't prove that a company is legitimate. Contact the business directly by phone, and seek references if you're unsure. Also conduct a search on the business name along with key words such as 'scam' or 'fraud', to see if other companies have been caught in the past.
Ensure you have up-to-date anti-virus and security software. An unsecured PC connected to the internet can easily be hacked into, providing business information which can be utilised in subsequent scams. Spam detection software will help identify many dodgy emails (though these change so frequently that no protection scheme can be absolute).
Once you have installed software, make sure it's set to update automatically. An out-of-date security software package is just as useless as having no solution at all.
Ensure that your business website hasn't been compromised. Ensure that your hosting provider is conducting regular security audits.
Remember the bottom line: there's no such thing as easy money, and if it sounds too good to be true, it's almost certainly a con.