Merchants who sell online as well as via brick-and-mortar sites need to be more vigilant than ever before as fraud scams show no sign of abating any time soon.
Phishing and virus attacks using “Trojan horses” and other viruses are becoming the fraud du jour of identity thieves, says Naftali Bennett, CEO of New York-based Cyota, a company that provides anti-fraud and security solutions.
While “dumpster diving,” the art of stealing identity information from garbage cans, is cited as a serious risk by companies selling shredders, the potential profit and rate of success are much higher for fraudsters using phishing or other electronic means of stealing customer information, according to Bennett.
“Phishing is the perfect crime; it’s very easy to deploy,” Bennett says. “In about 12 hours, someone can launch a phishing attack.”
In these attacks, the phisher copies the look of a merchant’s or financial institution’s web site and e-mail and requests that the unknowing consumer send personal information, such as credit card account numbers, Social Security numbers, PINs or passwords.
Once the phisher obtains credit card, bank account or other personal information, it’s relatively easy to run up fraudulent credit card charges or siphon money from a target’s bank account, according to Bennett. Dumpster diving, by contrast, is successful in obtaining useful information in only one of six attempts, and then the “diver” still needs to find a way to use that information.
While the phisher or perpetrator of the Trojan horse or other virus is most likely to use the information right away, he or she could sit on it for months before using it to access accounts.
The information may not be used to siphon a consumer’s accounts, particularly if those accounts have their own built-in protections. The fraudster may instead use the information to set up separate false accounts from which he or she can attempt to make fraudulent purchases.
The merchant subject to these attacks can suffer actual monetary losses from non-payment of goods sent to fraudulent card holders. Perhaps more devastating is the potential reputation loss for the merchant who is subject to such an attack. If word gets out that a site was hacked into and personal information was compromised, the merchant will lose not only the current sale(s), but countless future sales until faith in the web site is restored.
While big merchants and financial institutions are the most likely targets of these attacks, security experts say that ever smaller companies are becoming the targets of attacks, particularly if they don’t have systems and policies to protect themselves from the crimes.
Bennett recommends that ISOs advise merchants to take several steps to minimize their risk of succumbing to such attacks.
To protect themselves from viruses, Trojan horses, etc., merchants should use and regularly update their virus protection, firewall and similar security systems.
“Merchants need to improve their levels of authentication,” Bennett says.
The first step for merchants in combating online fraud is to use the security programs offered by Visa and MasterCard, Bennett says. To protect against phishing, fraudulent e-mails sent to customers, etc., merchants should advise customers what they should and shouldn’t expect in an e-mail. For example, if the merchant won’t seek credit card account information after an initial purchase or won’t ask for bank account information via e-mail, customers should be alerted to this. Then they can be wary of fraudulent e-mails asking for this information.
During the initial order, the merchant can collect customer information that can be used to confirm the purchaser for future transactions. Bennett recommends collecting answers to secret questions (e.g., mother’s maiden name) to help ensure future transactions are valid.
Some merchants should also monitor a customer’s purchases. A customer who buys $100 items every month, then buys a $10,000 item should be questioned (e.g., call to the customer, delay in the transaction until verified) to ensure that the transaction did indeed come from him and not from someone who had fraudulently obtained the credit card or bank account number. However, such predictive modeling technology is expensive, and some merchants deal primarily with customers who have erratic spending patterns that can’t be easily modeled.
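The monitoring rule described above, written out as an added example (not code from the article or from Cyota): each customer’s prior purchase amounts are the profile, a new order is held for verification when it is far outside that profile, and the caveat about erratic spenders is handled by refusing to score a customer whose history is too noisy to model. The thresholds, the customer histories and the field names are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from statistics import mean, median, pstdev


@dataclass
class Decision:
    action: str   # "approve", "hold" (verify with customer first) or "unmodelable"
    reason: str


def score_transaction(history, amount, max_ratio=5.0, min_history=3, max_cv=1.0):
    """Compare a new order amount against the customer's own purchase history.

    history   : prior order amounts for this customer (assumed list of floats)
    amount    : the amount of the order being scored
    max_ratio : hold the order when it exceeds this multiple of the customer's median
    min_history: below this many prior orders there is no profile, so hold and verify
    max_cv    : coefficient of variation above which the history is too erratic to model
    Thresholds are illustrative assumptions, not industry values.
    """
    if len(history) < min_history:
        return Decision("hold", f"only {len(history)} prior purchases; verify manually")

    mu = mean(history)
    cv = pstdev(history) / mu if mu else float("inf")
    if cv > max_cv:
        # The article's caveat: some customers' spending cannot be modelled usefully.
        return Decision("unmodelable", f"spending too erratic to model (cv={cv:.2f})")

    baseline = median(history)
    ratio = amount / baseline
    if ratio > max_ratio:
        return Decision(
            "hold",
            f"{amount:.2f} is {ratio:.1f}x the customer's median of {baseline:.2f}; "
            "call the customer before shipping",
        )
    return Decision("approve", f"{ratio:.1f}x median, within profile")


# Constructed sample histories (amounts in dollars), not real customer data.
STEADY_CUSTOMER = [100.0, 95.0, 110.0, 100.0, 105.0]   # the article's $100-a-month buyer
ERRATIC_CUSTOMER = [20.0, 5000.0, 45.0, 900.0]         # no usable pattern
NEW_CUSTOMER = []                                      # nothing to compare against


if __name__ == "__main__":
    for label, hist, amt in [
        ("steady buyer, $120 order", STEADY_CUSTOMER, 120.0),
        ("steady buyer, $10,000 order", STEADY_CUSTOMER, 10000.0),
        ("erratic buyer, $10,000 order", ERRATIC_CUSTOMER, 10000.0),
        ("new customer, $10,000 order", NEW_CUSTOMER, 10000.0),
    ]:
        d = score_transaction(hist, amt)
        print(f"{label}: {d.action} ({d.reason})")
```

A “hold” here is the article’s “call to the customer, delay in the transaction until verified”, not a decline; an “unmodelable” result means the merchant should fall back on other checks rather than trust a ratio that has no stable baseline.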
The merchant also needs to be careful to balance the usability of his web site and online sales capabilities with the need for privacy and security, Bennett cautions. If it becomes too difficult for a customer to make an online purchase, they may abandon the merchant for a competitor.
However, the merchant can forestall any such movement by letting customers know in advance about security measures, especially if they are presented as a means of providing additional customer service/protection.
Bennett also cautions that if merchants say they won’t send certain e-mails (e.g., other offers requiring account information), they should make sure they don’t send such e-mails, even legitimate ones. If some type of follow-up e-mail with other offers is part of the merchant’s marketing efforts, the merchant should reword any promises about future e-mails. “Implement a clear security policy with customers,” Bennett says. “Let them know what e-mails you will send and not send. Have clear security policies in terms of truncating information (account numbers, etc.). Don’t let account numbers be exposed on the web.”
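One way to enforce the truncation policy Bennett describes, as an added example that is not code from the article or from Cyota: before an order confirmation, receipt or page is sent out, scan it for anything that looks like a card number, confirm the candidate with the Luhn check so that order numbers and phone numbers are left alone, and replace all but the last four digits. The regular expression, the Luhn routine and the sample message are my own assumptions for illustration; the card number used is a widely published test number, not a real account.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by spaces or hyphens,
# not glued to other digits on either side. (Assumed pattern, not a standard.)
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan_digits: str) -> str:
    """Keep only the last four digits, as the article's truncation policy requires."""
    return "*" * (len(pan_digits) - 4) + pan_digits[-4:]


def redact_account_numbers(text: str):
    """Return (redacted_text, count) with every Luhn-valid card number truncated.

    Digit runs that are the wrong length or fail Luhn (order IDs, reference
    numbers) are returned unchanged so legitimate content is not mangled.
    """
    found = 0

    def repl(m):
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
            return m.group(0)
        found += 1
        return truncate_pan(digits)

    return CANDIDATE.sub(repl, text), found


# Constructed outbound message; 4111 1111 1111 1111 is a published test number.
SAMPLE_MESSAGE = (
    "Thanks for your order. Card 4111 1111 1111 1111 will be charged. "
    "Ref 1234567890123."
)


if __name__ == "__main__":
    redacted, n = redact_account_numbers(SAMPLE_MESSAGE)
    print(f"{n} account number(s) truncated:")
    print(redacted)
```

Running this on the sample message truncates the card number and leaves the 13-digit reference number alone, because the reference fails the Luhn check. Outbound e-mail and page templates are the natural place to hook such a filter, since that is where the article says account numbers must not be exposed.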