Know Your Fraud: Phishing and Its Kin

“Do not tell fish stories where the people know you. Particularly, don’t tell them where they know the fish.”
– Mark Twain

“You [demagogues] are like the fishers for eels; in still waters they catch nothing, but if they thoroughly stir up the slime, their fishing is good; in the same way it's only in troublous times that you line your pockets.”
― Aristophanes, The Knights

Fraud takes many forms. Managing and preventing fraud requires an understanding of those forms. For ecommerce merchants, one of the most common and dangerous forms of fraud is phishing, as well as its variants. Merchants should understand how phishing works, who it targets, and how its dangers can be mitigated in order to protect their businesses and their customers.

What Is Phishing?

Phishing is a form of fraud attack in which a fraudulent actor tricks their target into revealing sensitive information by impersonating some sort of trusted entity known to the victim. The classic form of phishing is a spam email, often sent in bulk, in which the attacker spoofs the identity of a bank, major retailer such as Amazon, or other such institution in hopes that the victim will enter payment credentials and other personal information into a fraudulent website. This allows the fraudster to withdraw money from the victim’s account or make fraudulent purchases and transfers with the stolen credentials. Often, the criminal who steals the personal information and payment credentials in a phishing attack will then sell that information on the darkweb to other criminals who will actually carry out the additional fraud.

The use of the term “phishing” to describe these sorts of fraud attacks dates back at least to 1996. It represents the analogy of fishermen using lures and bait to attract fish, with the fraudulent emails being the equivalent to the bait/lure and the stolen identity information and payment credentials being equivalent to the fish. The most notable and impactful phishing attack was when Russian hackers successfully impersonated Google in order to gain access to the personal email account of John Podesta, the chair of Hillary Clinton’s 2016 presidential campaign. The contents of those emails were later leaked to the public and may have had a significant impact on the results of what was a close election.

There are multiple phishing variants, including:

• Spear-phishing, which is when a specific individual is targeted rather than sending mass emails
• Smishing (SMS phishing), which is when phishing is perpetrated via text messages rather than email
• Vishing (voice phishing), which is when phishing is perpetrated via telephone calls, sometimes with prerecorded messages, avatar technology, or text-to-speech devices
• Whaling, which is spear-phishing specifically targeted at senior executives and high profile figures (such as Podesta in the example above)
• CEO fraud, which is when the fraudster impersonates an executive in communications directed at that executive’s employees
• Clone phishing, which is when a legitimate email is cloned and sent with a malicious link in the place of the previously legitimate one
• Calendar phishing, which is when phishing is conducted via calendar invitations

Phishing is also frequently used in tandem with fraud techniques such as pharming and page hijacking, in which the fraudsters manage to insert some malicious links or redirects on a legitimate website in order to steal credentials and personal information.

How Does Phishing Affect Merchants?

Merchants can be affected by phishing in both direct and indirect ways. The most frequent and obvious phishing risk for merchants is criminals using phished credentials to fraudulently purchase items from a merchant. This is a common source of true fraud and often leads to chargebacks.

Merchants may also be indirectly roped into phishing schemes if their identity is the one being spoofed in the attack. This may also lead to criminals using the stolen credentials to make purchases from the merchant. Or it may just be the first step in a scheme that involves selling those credentials on the darkweb.

Merchants may also find themselves as the target of a phishing-related pharming or page hijacking attack. In 2019, British Airways was fined £183 million for a data breach resulting from a scam in which hackers inserted code onto their website to create a link directing consumers to a spoofed web page. This scheme eventually led to 500,000 consumers having their credentials stolen.

How Can Merchants Protect Themselves and Their Customers from Phishing Attacks?

The ways that merchants can best prepare for phishing threats to their businesses and customers should be tailored to the specific nature of the threats. When it comes to criminals using phished credentials to make fraudulent purchases, merchants would be well served to keep track of potential fraud indicators such as:

• Unusually large orders
• Repeated attempts to order after declined transactions
• Multiple orders from different card numbers originating from the same IP address
• Multiple orders from a single card number with different shipping addresses
• Multiple orders from different card numbers with the same shipping address
• Conspicuous mismatches between IP addresses and shipping addresses, particularly if the IP addresses are in locations known for high rates of fraud
• Multiple small orders in a short timeframe, which may be an indication of criminals testing stolen credentials
• Multiple orders from different cards with conspicuously similar numbers
• Multiple orders from countries from which the merchant had not previously received orders
• Mismatched or unusual new shipping information or IP addresses for existing customers

Other security measures unrelated to fraud indicators include using Address Verification Services (AVS), setting limits on purchases, requiring Card Verification Values (CVV) for purchases, and generally monitoring their sites for any suspicious activity. Fraud scoring and other fraud detection technologies may be particularly helpful in separating the signal from the noise on indications of potential phishing-related fraud.

In order to prevent their identities and websites from being used in phishing attacks, merchants should implement other fraud prevention techniques such as:

• Actively monitoring their business’ name and identity online to make sure there aren’t any spoofed emails or dummy sites being used for phishing
• Having strong password requirements for customers, including potentially implementing two-factor authentication if the phishing risks seem high enough to warrant it
• Decrypting customer login details at the database level with adequate security procedures
• Conducting regular security audits of their site, paying particular attention to shopping cart software, third-party plugins, malware, encryption in communications with customers, PCI-DSS compliance, SSL certificates, and password strength and security for any admins with access to consumer information
• Using HTTPS, the secure version of hypertext transfer protocol, on their websites to protect customer data
• Only collecting whatever customer data is necessary

The technical side of preventing phishing can be complicated. If merchants are unable to manage it on their own, there are technological solutions that can be purchased and security experts that can be hired.

If merchants have reason to worry that their own employees may be the targets of phishing attacks, there are solutions such as using a secure email gateway for company email hosting, isolating web and email use for any employees with access to customer data, security training for employees, and even phishing simulations to test for vulnerabilities.

Conclusion

While it is one of the older forms of web-based fraud, phishing remains one of the biggest risks to ecommerce merchants. In 2019, Avnan estimated that one out of every 99 emails was a phishing attempt. And merchants remain among the biggest targets of phishing attacks. In the first quarter of 2022, ecommerce and retail were the targets of almost 15% of phishing attacks. Successfully combating phishing is an essential part of running an ecommerce business.

Of course, that can be easier said than done. Phishing fraudsters frequently change their techniques and, almost by definition, attempt their attacks in large volumes. To mix different animal metaphors, preventing phishing-related fraud can feel a bit like a game of whack-a-mole. But there are valuable techniques that merchants can use to protect their businesses and consumers from phishing attacks and phishing-related fraud.