How did your shopping experience differ this past sale and holiday season compared to the ones you have had before? I would wager it was either very different, or it was becoming incrementally changed by circumstances.
I am of a generation that still has an affectionate attachment to the traditional, physical merchants – to the high streets and malls that ply their trade with gaudy window displays and jam-packed interiors – and to the whole experience of “going shopping”. That’s not to say, of course, that I dislike the remote online world, but it is somehow (to me at least) more experientially gratifying to secure that all-important present, or that bargain sale item, and to emerge with it safely packed and ready to take home in the bulging shopping bags, rather than to rely upon some often faceless and occasionally unreliable home delivery process. My kids would roll their eyes and say that I am just old, and they would point to the convenience, accessibility, lower cost and societally friendly process of buying online as being the far better convention. Maybe they have a point. But I would like to think that there is a place for both to coexist and to offer greater choice and variety.
The UK’s Office for National Statistics saw right from the outset of the relaxation of lockdown measures that remote, online purchases remained buoyant and that physical spend, whilst bouncing back, remained significantly suppressed. I evidenced the impact first-hand these past few months with my traditional shopping trips discharged in double quick time because the roads and car parks were far less busy than expected, the physical stores were experiencing fewer shoppers, there were fewer queues and a lack of stock movement meant that even this year’s “must have” items were available without too much hunting.
This shift in how we fill our shopping baskets does, of course, also have a profound effect on many other elements of society. Less travel and reduced in-store demand are impacting and disintermediating traditional employment and supply and support chains; choice of, and accessibility to, goods and services is becoming squeezed; and traditional high street names that have been able to pivot and adapt have been lost forever.
Change has also been seen, though, amongst those with criminal intent. As the flocks of people have abated from the high streets and malls, so have the opportunities for those with nefarious intent become less prevalent in the physical environment, because they can no longer hide in the obscurity of crowds or rely upon the seasonal inexperience of temporary staff. To the fraudster, though, this matters little: all they have needed to do is to adapt their techniques from the physical to the remote. If one can no longer hope to steal a wallet or purse in the crowd, why not just access and use someone’s payment credentials on-line? If one can no longer distract a staff member whilst pocketing an item, why not just have that item ordered to a delivery address and fail to pay? It may be distasteful to all us right-thinking folk to consider that these things have been planned and, worse, regularly happen, but it is dreadful to note that remote attacks are actually far more prevalent and far less risky for the errant criminal.
According to the latest report from the trade body UK Finance, which analyses the largest fraud types in the UK, of the £1.26 billion lost to fraud in 2020:
- 45% related to payment card fraud (79% of which related to the “card not present” remote environment),
- 38% related to authorised push payments (where “losses continue to be driven by the abuse of online platforms used by criminals to scam their victims”), and
- 16% related to remote banking attacks.
That’s a whopping circa 90% of fraud that is committed through or facilitated by remote channels! Buyer beware indeed!
So what can be done to stay safe and thwart these remote attacks?
There are many tips and tricks and best practices to think about when engaging in on-line activity and not all of this is solely limited to being savvy at the point of e-commerce purchase. For example, whilst in a physical context you certainly would not think of putting an advert in your local paper or on your local bulletin board advertising the fact that you have just bought some expensive new electronics or fancy jewellery and that it has been left unattended in your empty home, how many people did you see posting on their social media about their holiday presents to one another on one day and then about their few days away in another part of the country on the next!? This is the equivalent of a “please burgle me now” sign!
So here are some elements of general guidance for us all:
- Think holistically and make sure that everyone in your home is aware of the threats and risks of unsafe online activity — If your son or your mum is posting a photo of your family meal in the kitchen and the refrigerator in the background has a post-it reminder of your wi-fi router and password, you have just inadvertently become potentially vulnerable.
- Limit who you provide personal and financial information to and make sure that anything you do reveal is the minimum necessary — If you upload your profile or CV to a general access site, are you giving away information that is not relevant (like your full home address) and could be harvested and repurposed by the nefarious?
- Keep all your devices secure — This means maintaining proper up-to-date anti-virus protection; being aware of the availability of privacy settings and keeping these switched on; enabling safe browsing or switching on incognito mode if one needs to undertake a more risky search; limiting the use of public, especially free-to-use, wi-fi and switching to a Virtual Private Network where possible; and getting a webcam cover that allows you to block any attempted unauthorised video access.
- Select strong passwords that are not easy to guess — Ideally choose something that exceeds 10 characters and includes a mixture of upper, lower and special characters. Also try not to use people, pet or place names or numbers that can be linked to addresses or dates of birth. W1nche5ter might be categorised by some as pretty secure, but if you were born, were educated, worked or lived in Winchester, then this is a simple task to break for the nefarious. Think about using a password manager or create a phrase that is memorable to you but nonsensical to others. Three unlinked nonsensical words work well for this. R0undSkyBu!!et, for example, may mean something to the person who creates it but is fiendishly difficult to crack! Oh, and above all, please do not use the same password for different accounts (and incrementing by adding another letter or number at the beginning or end is not especially secure either!)
- Think about who you are connecting to and do not click on links or attachments, or otherwise respond, post or publish something, unless you would be happy for that information to be seen by a complete stranger. You could be being phished, or smished! — On-line or remote personas are, for the criminally minded, relatively easy to fabricate or misrepresent. That text or e-mail that seems to have arrived from your local parcel delivery firm asking you to click a link and/or fill in personal details to see where you can rearrange a delivery slot could be laden with malware or an attempt to gain your credentials. If you are not expecting the contact, be very suspicious; and even if the contact looks legitimate, unless you are sure of its authenticity, make a separate, distinct enquiry of the sender using another channel to validate and verify that it is truly from them.
- Only make purchases from secure sites using proper authentication methods — Encrypted connections should be denoted by an https:// prefix (the s being the most significant as it stands for Secure) or by a padlock icon in the address bar. Note that some criminals will also use encrypted connections in order to try to dupe you, so make sure that the site and the purchase have the right “feel” and what you divulge follows acceptable authentication protocols. For example, if your bank would normally text you a one-time code for authentication then do not respond to a request to “put in your PIN” or “download this application” to validate.
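The password guidance in the list above can be expressed as a local check. This is an added example, not part of the original post; the substitution table, function names and sample inputs are constructed for illustration, and the comparison against other passwords assumes it runs somewhere those are already held, such as inside a password manager.

```python
import re

# Common character swaps, undone before looking for personal words.
# Assumed mapping for this example; it is not an exhaustive list.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "!": "l", "@": "a", "$": "s"})

def normalise(text):
    """Lower-case and undo simple swaps, e.g. W1nche5ter -> winchester."""
    return text.lower().translate(LEET)

def check_password(candidate, personal_terms=(), other_passwords=()):
    """Return a list of problems; an empty list means the guidance is met."""
    problems = []
    if len(candidate) <= 10:
        problems.append("length: should exceed 10 characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("mix: no upper-case letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("mix: no lower-case letter")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("mix: no special character")
    plain = normalise(candidate)
    for term in personal_terms:
        # Names, places and dates linked to the user, compared after the
        # same normalisation so that swapped characters do not hide them.
        if len(term) >= 3 and normalise(term) in plain:
            problems.append(f"personal: contains '{term}'")
    for old in other_passwords:
        added = len(candidate) - len(old)
        if candidate == old:
            problems.append("reuse: identical to another account's password")
        elif old and 0 < added <= 2 and (candidate.startswith(old)
                                         or candidate.endswith(old)):
            problems.append("reuse: another password with characters added")
    return problems

if __name__ == "__main__":
    # Constructed inputs based on the two passwords discussed in the list.
    samples = [("W1nche5ter", ["Winchester"], []),
               ("R0undSkyBu!!et", ["Winchester"], []),
               ("R0undSkyBu!!et1", [], ["R0undSkyBu!!et"])]
    for pw, terms, others in samples:
        print(pw, "->", check_password(pw, terms, others) or "ok")
```

The check covers only the rules stated in the list; it does not estimate how long a password would take to guess.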
As the screens in front of us increasingly become our windows to the world, and the fraudsters become ever more adept at making remote attacks, we all need to be wary and stay up-to-date with these sorts of safety techniques such that we can continue to enjoy the choice, convenience, accessibility and competitive value of the online environment.
This blog post was written by Brian Kinch, GDS Link’s Managing Director of Fraud Solutions.