E-commerce, fraud and identity theft: Is it safer to shop offline?

It has never been so easy to consume and shop. Now, with virtual shopping online, retail is fast and frictionless – an act that can be completed in mere seconds or even milliseconds. But in the digital age it has never been so easy for consumers to be defrauded.

There is nothing new to consumers being lulled into fraudulent scams. In the past scammers made contact with their victims via the phone or the post or they even physically turned up at their homes. In the digital epoch potential victims of scams are easily reached, and with growing speed. The digital age is also responsible for generating a growing amount of personal data left by users’ digital footprints, which are growing increasingly deeper and longer. This type of information can be exploited to great effect by scammers. Crucially, in the digital age, the pool of potential victims has swelled to a global population of 2 billion online shoppers – up from 1.6 billion online customers in 2016. And e-commerce is spreading and growing across the globe. And so is cybercrime.

One of the most common e-commerce frauds is the phantom goods scam. Shoppers are tricked into buying goods or services that are fake. In the UK, one consumer advice group saw a 17% increase for 2017 in the number of people reporting fake sales – with these reported scams costing consumers on average £1,100. The most common deals where shoppers are conned involve cars, flights and furniture. In 2018, US consumers alone were robbed – according to reported complaints – of $1.48 bln by online fraudsters pretending to sell bona fide goods.

The vulnerability of online shoppers is more far-reaching than being duped into buying fraudulent products. Cybercriminals are also trying to ransack consumers’ personal details. They are especially interested in stealing the bank accounts logins belonging to online shoppers. Highjacked accounts are used by the cyber crooks to make fraudulent purchases by debiting the victim’s account.

Criminals are also interested in pinching personal identifying information, so called identity theft. This includes information specific to an individual’s identity: a person’s name, government or security number, place of birth, driver’s license number, PIN, passwords, electronic signature, or even biometric records. Inevitably, in the course of online shopping, consumers are divulging all manner of personal data. The frequency and density of online transactions by nearly 2 bln online shoppers means there is a bonanza of personal information waiting to be intercepted and stolen. Cybercriminals are all too willing to accommodate.

Whilst personal details can be used to commit fraud, a common practice is for cybercriminals to repackage these personalised data and for them to be sold on popular social media platforms. Hackers often compile breached information and accounts into large spreadsheets to resell in bulk on sites like Discord – a digital distribution platform designed for video gaming communities.

There are various methods cyber thieves use to steel personal data from online shoppers. These ‘cyber heists’ vary from the rudimentary to the sophisticated. One of the most common strategies is to infect the computers used by online consumers through malicious software – or more commonly known as malware. Over 90% of malware arrives via ordinary looking emails with .exe files attached, which recipients are duped into downloading. Once the malware is downloaded, it can, amongst various destructive capabilities, spy on computer activity without the owner’s knowledge or permission.

In the last couple of years malware attacks have been on the decline but social media and email hijacking has been on the increase. Also, these days fileless malware, which attacks software already installed on the victim’s computer, rather than by external attacks, is being used to target online consumers and users.

Phishing is another well-known online hoax. Phishing emails or fraudulent and fake websites act like bait luring online consumers into giving up passwords and all manner of personal data to criminals. Once cybercriminals have a password this opens up all sorts of personal information. Another ruse for stealing the identities of online consumers is known as ‘pharming’ when common browsers used by customers are manipulated to direct unsuspecting online shoppers to fake websites. Once the hapless consumer is diverted to these fake sites, the identity hack takes place.

For greater ingenuity there is ‘the man-in-the middle’ manoeuvre. This simply works by criminal hackers intercepting communications between online customers and businesses or banks to obtain login information. Or there is what’s known as the ‘info-pull method’ – a scam where credit card accounts with flimsy passwords are pursued by cybercriminals. Once the credit card details are stolen, these are not used directly as this would alert the owner but the criminals will use any loyalty points awarded to the account to purchase gift cards, or items on sites like Amazon.

Online shoppers are also indirectly vulnerable to identity theft; for hackers will target those‘e-tailers’ or other companies that deal with online consumers. Once inside these databases, the personal data belonging to millions of consumers are in danger of being stolen. The reason being that organized cybercriminals will hack into the secure databases of companies to obtain customers’ bank details. One very worrying statistic is that it takes organizations an average of 191 days to identify data breaches.

The San Diego research group the Identity Theft Resource Center (ITRC) identified 781 data heists in 2015 in the US. Nearly 10% of these breaches occured in financial institutions, with more than five million customer account details being compromised. The financial institutions targeted in these attacks included some household named banks in the US – Capital One, Citibank and M&T Bank. No institution is safe, it seems. Take for example the auction giant eBay which became the victim of a cyber-attack in 2014, where the personal data (names, addresses, passwords) of all its 145 mio users were exposed. The thieves did not get away with finically sensitive information like account details as this was stored in a separate database.

It would be grossly negligent for online consumers to ignore cybercrime. The threat of being defrauded of money or being robbed of an identity is not a remote statistical probability. In the UK, a prolific e-shopping nation, nearly a third of the population is affected by cybercrime. Losses from such crime total around £4.6 bln across the UK. And so, we’re left to ponder whether the safest place to shop is offline – in the physical environs of big box retailers. Here shoppers can be safe in the knowledge that money and credit cards transfers cannot be hacked or stolen. However, the relative safety offered by the offline shopping is something of an illusion. Both online and offline consumers face security menace of identity theft.

The e-commerce industry expert Marc Summe comments how using credit and debit cards in shops, even cash, is not necessarily safer than shopping online. His appraisal of the security systems used by large offline retailers is disquieting. A physical retailer will store customers credit card details used to buy goods on a computer system. The computers used to keep this sensitive information are generic Windows PCs – which is bad enough. But these PCs are running, according to Summe, ‘old-school’ point-of-sale software that are insecure and potentially vulnerable to hacking. When payments are made using credit cards, sensitive financial details are constantly pinballing between terminals and processors. This information is vulnerable.

It would come as little surprise to find that retailers payment terminals have been subject to security attacks to acquire customer details. The US company Home Depot revealed in 2014 how malware attack on its payments systems had exposed 56 mio credit cards over a period of months before it was discovered by the company. The CEO of the anti-virus company Malwarebytes Marcin Kleczynski was astounded to find how companies tend to invest in a single anti-virus software solution. He called this a reckless and naïve policy. But such neglect is driven by financial concerns. For an offline, physical retailer with premises to upkeep, investing in extra security measures is highly expensive and resource intensive.

Online retailers in theory should be more security conscious, for any major security breach for an online retail business would potentially mean the end of their business. And so those companies that trade solely online are known to deploy a variety of sophisticated, difficult to hack, security tools, using different levels of encrypted systems that protect customers when they are logging into their accounts. And they use additional secure systems when making online transactions to protect data when in transition, floating around cyberspace.

The continued growth and survival of e-commerce depends on maintaining these secure systems. We shouldn’t naively trust that the security systems are future proofed and completely secure.

If anything, the criminals are somewhat ahead of the mainstream businesses. As e-commerce grows so will the threat of fraud and cybercriminality aimed at online consumers and e-businesses. The UK Office for National Statistics estimates British citizens are more likely to be victims of cybercrime than physical violence or robbery. The cost of cybercrime is predicted to be $6 tln per annum by 2021. Cybercrime is becoming the new ‘war on drugs’. The main reason for this is that the fraudsters and thieves attacking online consumers are not operating in a separate, subterranean area of the internet but are increasingly operating and using mainstream social network platforms. This really is the era of platform criminality. The internet not only made it easier for us to be consumers, it’s also made it easier for all of us to be criminals, or victims of crime.

By Dr Michael Marinetto, Senior Lecturer in Public Management, Cardiff Business School

Previous ArticleNext Article