Phishing and Pharming: Are You and Your Customers at Risk?
Throughout history, people have used fishing and farming as a means of survival. In today’s computer age, cybercriminals are honing their phishing and pharming skills for a different kind of survival: Tricking unsuspecting individuals into revealing sensitive data that the cybercriminals then use to steal funds or identities.
These common cyberattacks can be devastating to customers, but they can be just as damaging to businesses: In 2022, there were 300,497 phishing victims with a total loss of $52,089,159 in the U.S. alone.
To prevent their customers — and themselves — from falling victim, ecommerce businesses must understand how these cyberattacks work, what effect they can have on their businesses and the steps they should take to help secure customer data.
How Phishing Attacks Compromise Personal Data
A form of social engineering and identity theft, phishing scams try to trick individuals into revealing personal information, like Social Security numbers, user names and passwords, or credit card numbers. Fraudsters typically contact victims by text, email or phone, posing as an authority figure or a seemingly legitimate company to get the victim’s confidential data. They may even use actual company logos, authentic-sounding return email addresses and realistic-looking links in their communications to “spoof” unsuspecting customers into providing sensitive data. And these emails work: In its fifth year of testing consumers to see if they were able to discern a phishing email from a legitimate one, KnowBe4 reported that 32% failed.
But emails are just one part of a fraudster’s scam to have victims submit their sensitive data right to a scammer’s database. Phishers may also install malicious software on victims’ computers, infect them with viruses or steal personal information directly from them.
Although many of these attacks take advantage of software and security weaknesses, they’re essentially still simple con jobs in which fraudsters disguise themselves as trustworthy individuals or businesses. And once they have their hands on a customer’s data, they’ll use it to open new credit card accounts or even commit identity theft.
Nearly 1.4 million new phishing sites are created monthly, and 36% of all data breaches involved phishing in 2022. Phishing, pharming and whaling (phishing targeting senior executives) attacks showed a significant increase in global incidence in 2023, with 43% of merchants experiencing this type of fraud, up from 35% in 2022 — proof that recipients are still falling for them. Just last month, travel booking site Booking.com confirmed a recent phishing attack in which hackers were able to steal consumers’ credit card information.
The Widespread Risks of Pharming
Another common fraudster scam is the pharming attack, which relies on the same fake websites and information theft. The goals of both attacks are the same: steal personal data and use it to apply for new credit cards, withdraw funds from the victims’ accounts, or even sell the data to buyers on the dark web.
But there are two ways in which pharming differs significantly from phishing.
1. Requires No Action by the Victim
Phishing attacks require victims to click a link to take them to the fraudulent website, but pharming attacks automatically install malicious code on a computer.
By “poisoning” the DNS cache — the stored list of previously visited websites — of computers, servers or networks, pharmers can misdirect users to fraudulent websites, even when they type the right address. As users start typing in a web address, like “PayP,” an autofilled suggestion seamlessly redirects the user to the fake website, where the user will log in as usual and unknowingly hand over their credentials.
Because this code requires neither consent nor knowledge to execute, many victims never realize their local DNS server has redirected their request to a fraudulent website.
2. Can Affect a Greater Number of People
Phishers also operate on a smaller scale, sending out thousands of emails in the hopes that a gullible victim will take the bait and click a link. But pharmers can scam anyone who visits a particular website — or even starts to type in the name of a web address — giving them a much wider reach.
These “domain spoofing” attacks are increasing, in part because fraudsters are looking for new ways to collect sensitive personal data from Internet users who are learning how to avoid phishing attacks. One pharming attack hit more than 50 financial institutions and their customers in the United States, Europe and Asia-Pacific. Before it was stopped, the attack infected more than 3,000 computers in just three days.
But it’s not just large companies that are vulnerable. Drive-by hackers can even change the DNS setting on a customer’s insecure home router, allowing for the redirect to fraudulent websites.
How Phishing and Pharming Impact Your Customers
Phishing is a common tactic used in ecommerce fraud. Fraudsters send fake emails — that look remarkably legitimate — asking customers to provide personal or financial details by clicking a link or downloading something. Once obtained, stolen data like login details and credit card numbers can be misused in any number of fraudulent schemes:
Account takeover (ATO) fraud
Account takeover (ATO) fraud attacks increased 354% year-over-year in 2023 and 73% of consumers believe the brand is accountable for ATO attacks and responsible for protecting account credentials.
ATO attacks often begin with phishing and can lead to high chargeback rates for businesses. Among the most common business targets are subscription services and recurring payments. Once businesses set up the initial payments, they may pay less attention to changes over time. This is where fraudsters can easily attack.
Triangulation fraud
Triangulation fraud happens when innocent customers make purchases on a fraudulent, or pharmed, third-party marketplace that steals their shipment and payment information. The customer receives the item after it has been ordered by the fraudster with stolen payment info on a legitimate site. But their stolen payment information is now likely going to be used in another triangulation fraud transaction.
Triangulation fraud is a growing problem with 17% of online merchants worldwide experiencing such attacks in 2022.
Buy online, pick up in store (BOPIS) fraud
BOPIS fraud is something of a hybrid between ATO and triangulation fraud. This type of fraud has been increasing, with a 7% fraud attempt rate compared to 4.6% for other delivery channels, forcing businesses to distinguish between suspicious and legitimate orders.
The fraudster uses stolen credit card data to make a purchase online to be picked up in store. The fraudster may quickly retrieve the merchandise before the victim sees any charges or cancels the order just before entering the store for pick-up. Without a shipping address to confirm, this type of fraud isn’t easily detected until the business is alerted about a potential chargeback.
As we move into the era of artificial intelligence, fraudsters are taking tactics to the next level.
Spear phishing fraud
Since the fourth quarter of 2022 when ChatGPT was introduced, there’s been a 1,265% increase in malicious phishing emails, and a 967% rise in credential phishing. Cyberthieves are leveraging generative AI tools to generate convincing phishing messages that mimic the style of official correspondence from merchants, yet are more targeted.
Most of the 3.4 billion phishing emails sent daily are automated and aimed at a large audience without much context. Spear phishing, a highly targeted form of phishing, leverages AI to analyze vast amounts of data and craft more personalized and convincing messages aimed at an audience of one.
How Businesses and Customers Can Help Prevent These Attacks
It’s easy for customers to believe they’re communicating with — and providing information to — a legitimate company. After all, the fraudsters are using real logos, legitimate-looking web addresses and realistic-looking links.
One way to help reduce the risk of attacks is for businesses to assure customers that they’d never send any electronic communication that asks for personal data — and for customers to notify businesses if they receive any suspicious communication.
Businesses can also help customers avoid being a fraud victim by telling them to:
- Avoid clicking on any links in an email; instead, open a new browser window and type the company’s web address.
- If they must click on a link, first hover their mouse over it to ensure they’re being directed to a trusted source.
- Report suspicious emails directly to the company from whom the email allegedly came. Many companies, like PayPal, even have a dedicated email address for customers to send suspicious communications.
- Not respond to data requests from companies with which they have no relationship.
- Enter sensitive data only on secure websites. Customers should look for website addresses that begin with “https,” show the lock symbol or carry a certificate from a company like Verisign, and also confirm that the domain in the address bar is the company’s real one, since the lock only shows the connection is encrypted, not that the site is genuine.
Online Retailers Need to Protect Their Businesses and Their Brands
When it comes to fraud prevention, it’s also important for businesses to up their cybersecurity game and put tools in place that will work 24/7/365 to identify emerging risk indicators and protect a business’s revenue and reputation. That’s where ClearSale shines.
Utilize AI and machine learning
We utilize an AI-enabled algorithm that leverages trends, intelligence and data gathered from decades of fighting fraud in the most high-risk regions of the world. The client-specific data is also used to “teach” our system which of their transactions should truly be considered fraudulent.
Using this technology, we can automatically approve or decline most orders quickly with a high level of accuracy. Instead of declining suspicious orders, they are flagged for contextual reviews.
Expert contextual reviews
The small percentage of flagged orders (about 2%-3%) are evaluated by our more than 2,000 fraud analysts who have the experience to recognize some of the hardest-to-spot fraud patterns. If necessary, our analysts may reach out to customers, but they do so in a way that is in line with exceptional CX.
Validate customers
Most customers making an online purchase have made one before, and prior purchase history can be used to validate that a customer is real, increase trust and reduce false declines, even if that history is on another site. For example, a customer making their first purchase on Wish.com can be validated by cross-checking their longstanding purchase history on Amazon.
Leverage new data
The additional data gleaned from those contextual reviews is leveraged to help our system distinguish valid transactions from fraud with even more accuracy. This continues over time, with our system becoming “smarter” as we process more and more of the client’s transactions, which increases their approval rate and revenue.
Anti-phishing
While avoiding phishing attacks generally involves just healthy doses of common sense and skepticism, that doesn’t mean technology isn’t essential for defending your business against fraudsters. Anti-phishing software can scan emails for suspicious content like disguised links or false requests, marking them as spam or quarantining them. Brand Protection by ClearSale identifies fraudsters that are potential threats to your brand and continues to monitor whether they come back online.
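The “hover over the link” advice above and the disguised-link scanning that anti-phishing software performs both come down to the same check: does the domain a link visibly shows match the domain its href actually points to? The following is an added example (not ClearSale’s code or any product’s) that runs that check over a constructed HTML e-mail body; the sample URLs, the `.example` hosts and the two-label domain approximation are all assumptions made for the illustration.

```python
"""Flag disguised links in an HTML e-mail body (added example, not ClearSale code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: one link whose visible text names paypal.com but
# whose href leads elsewhere, one honest link, and one link that hides its target.
SAMPLE_HTML = """
<p>Your account is on hold. <a href="http://paypal.com.secure-login.example/verify">
https://www.paypal.com/myaccount</a></p>
<p>Questions? Visit <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>
<p><a href="https://bit.example/x9">Click here</a> to confirm.</p>
"""

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (an approximation; no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# A hostname-looking token in the visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

def find_disguised_links(html: str) -> list[dict]:
    """One finding per link whose shown domain differs from its href domain,
    or whose text hides the destination so only hovering would reveal it."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_dom = registrable_domain(urlparse(href).hostname or "")
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != href_dom:
            findings.append({"href": href, "text": text, "reason": "text domain != href domain"})
        elif not shown:
            findings.append({"href": href, "text": text, "reason": "destination hidden; inspect href"})
    return findings
```

Run `find_disguised_links(SAMPLE_HTML)` to see the first and third links flagged while the honest paypal.com link passes.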
If you’re not sure if your fraud prevention solution can keep pace with the quickly evolving world of fraud, contact a ClearSale analyst today. They can help you analyze the different fraud protection solutions available to you and demonstrate why ClearSale’s robust hybrid approach is the solution of choice for vendors worldwide.