Protecting Your Business from Cyber Security Risks


It’s Monday morning, and you are checking your emails to start your week off on the right foot. You see that you have an “Urgent” email from a trusted financial institution requesting immediate action on your part. The email tells you that they are updating all client files, and that in order to comply with this important undertaking, you have to open the attachment, complete a form with updated personal information and send it back as soon as possible. You notice that the address the email came from is different from the one usually associated with your bank, but because of the alarmist tone of the email, you do exactly what has been requested, no questions asked.

What is wrong with this picture? If you say “Nothing”, then you will run into some major problems. By not being able to identify the security risks in the above scenario, you are putting yourself and your business at great risk of security breaches and other cybercrimes.

Let’s take a closer look at the scenario, and unpack the red flags:

Red flag #1: First and foremost, a financial institution would never solicit you in this way. They know better than to ask customers to provide highly sensitive information via email or even phone. Normally, they would ask you to go to the website yourself to make any necessary updates; some institutions will not even provide a link due to the potential security risks, such as being directed to a counterfeit website.

Red flag #2: The email address looks suspicious. If your financial institution’s email address is usually “noreply@YFI.org”, then anything other than this should be viewed warily. If you get an email that appears to be from them but has an address like “noreply@YFI-banking.org”, then there is a very good chance that it is a fraudulent email. Pay attention to the domain name (what appears after the ‘@’ symbol) and how it usually appears in a non-fraudulent email. If in doubt, contact your financial institution to ask if they sent the email.
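As an added illustration (not part of the original post), here is a small Python check that applies this advice to an email’s From header. It assumes YFI.org is the bank’s usual sending domain, as in the example above, and treats only an exact match as trusted; a domain that merely contains the bank’s name (like YFI-banking.org) is flagged as a lookalike.

```python
"""Classify the sender domain of a From header against the bank's usual
domain. Added example code, not DalPay's own; the trusted domain YFI.org
and the sample headers are modelled on the post's example."""
from email.utils import parseaddr

TRUSTED_DOMAIN = "yfi.org"   # the domain your bank normally sends from


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain after the '@' of the real address in a
    From header, or '' if there is no usable address.

    parseaddr() uses the address inside <...>, so a display name that is
    made to look like an address ("noreply@YFI.org" <x@example.net>) does
    not fool the check."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(from_header: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """'trusted'   - domain is exactly the usual one
    'lookalike' - domain only contains the bank's name (e.g. yfi-banking.org)
    'unknown'   - anything else, including a missing or malformed address"""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain == trusted.lower():
        return "trusted"
    bank_label = trusted.lower().split(".")[0]   # "yfi"
    if bank_label in domain:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers mirroring the post's example.
    for header in ("noreply@YFI.org",
                   '"Your Bank" <noreply@YFI-banking.org>',
                   '"noreply@YFI.org" <alerts@example.net>'):
        print(f"{classify_sender(header):9s}  {header}")
```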

Red flag #3: The email is asking you to open an attachment. Again, a financial institution would not send you an attachment. Rather, they might provide you with the steps to locate the important documentation on their trusted and secure website, not through email. Email attachments from people and organizations that you don’t know are especially risky, as they can contain malware.

Red flag #4: The email is requesting highly sensitive personal information. It cannot be reiterated enough that a trusted financial institution would never ask you to provide personal information through email. Providing personal information puts you at risk for identity theft which can seriously harm your finances, credit rating, personal and professional relationships and other aspects of your life.

Don’t feel bad if you did not recognize any of these red flags – now you do, and you will be better off because of it. To further protect yourself and your business, take heed of the following tips:

  • Educate yourself and your team about cyber security risks. Learn what the latest risks are and how to avoid them by participating in free webinars and reading online articles and insights from trusted sources. IT security organizations like McAfee and AVG have loads of useful tips and tricks.
  • Protect yourself against hackers, viruses and other potential security breaches. Get a good antivirus software, create complex passwords (and change them regularly!), and use data encryption technology to further protect sensitive data from being compromised.
  • Create and maintain internal and customer-facing risk management policies and procedures. This will protect you from the inside out, and the outside in. For internal policies that concern employees and business partners, keep access to sensitive data limited, and do background checks if you feel this is necessary.
  • Make all of your customer-related policies and procedures accessible in writing. Include refund, billing and shipping policies, privacy and security policies, etc.
  • Familiarize yourself with the contracts you have with your financial institutions and other business partners. Know your liability in case of losses through fraud and other security breaches.
  • Remove and destroy the hard drives of old computers and devices (don’t merely dispose of them). Also, it’s good practice to shred and properly dispose of paperwork containing sensitive data.

Just because you have a small or medium-sized business does not mean that you are immune to the countless cyber security risks out there. In fact, online predators specifically target smaller businesses because of their lack of knowledge and training on security. By learning everything you can, you are preventing yourself, your assets and your customers from falling prey to the potential threats lurking in your emails. For more tips on securing your e-commerce business, visit the Security Centre of the DalPay Blog and follow us on Facebook and Twitter.

There is Nothing Friendly about “Friendly Fraud”


In 2012, e-Commerce merchants lost more than $11 billion worldwide through debit and credit card fraud. Think about that for a moment… $11+ billion! That’s a lot of money. Among the fraud committed, “friendly fraud” is at the top of the list. Although it may sound non-threatening, it is anything but; in fact, there is nothing friendly about this type of fraud, which is also referred to as “chargeback fraud”.

What is “Friendly Fraud”?

Most of the time, friendly fraud occurs during Card-Not-Present (CNP) transactions, such as online purchases. To break it down, consider this scenario: a customer visits your web store to buy a brand new tablet. They find what they are looking for, follow the steps to pay for their tablet by credit card (either directly through the merchant or through a third-party payment processor), and leave the store happily with their purchase, which will arrive on their doorstep in the next week or so. But when the customer receives their goods, they have a change of heart… about the money they paid. They decide that they deserve this tablet free of charge, because why not? They call their credit card company and file a complaint stating that they were charged for a tablet they never bought or received, and claim to have fallen victim to fraud. The credit card company sides with them, as they usually do, and refunds the money. This customer got their tablet without having to pay for it, leaving the merchant with a bigger loss than just the price of the tablet.

As you can tell from the above scenario, friendly fraud is committed by the customer after they have “paid” for the product. Merchants can dispute, but this does not change the fact that every time a customer does a chargeback, it hits their merchant account hard, raising fees because of the increased fraud risk in their customer base. Furthermore, getting involved in a dispute is draining and labour-intensive, with little return for the merchant.

Who is affected by chargebacks?

The people committing this form of fraud might not realise who they are affecting when they call their credit card provider for a deliberate chargeback. Yes, the merchant is negatively affected, losing money and products, but there are other casualties. Every time a customer commits friendly fraud, the seller’s merchant account becomes riskier, incurring a higher operating cost. This translates into higher fees and more money spent on fraud prevention measures; according to a study conducted by Payments Journal in 2012, retailers spend about $6.47 billion annually on fraud prevention measures. Because of these higher operating costs, the prices of the products and services for sale in the seller’s web store increase. This affects other customers – regular people just trying to buy something they want or need for themselves or someone else.

Trustev, an e-commerce anti-fraud company, found that of the 5.1% of people who reported that they have committed friendly fraud, 20% stated that it “didn’t really bother them”. This is upsetting not only because of the fraudsters’ destructive sense of entitlement and lack of empathy, but also because they can often be stealing money from small to medium-sized businesses and from fellow customers rather than from big faceless corporations.

What can you do to combat friendly fraud?

Although it might prove impossible to fully prevent chargeback fraud, you can still take measures to decrease its potential for damage.

Leave a paper trail

In the event that a customer commits friendly fraud, whether deliberately or not, you will have an easier time disputing the chargeback if you can prove that the transaction was authentic. This includes having a record of the transaction with shipping tracking (if your product is not electronic).

Use fraud prevention software

A good software program that matches billing and shipping IP addresses can help you argue your case if you ever have to dispute a chargeback with your banking or payment processing partners. You can also use software that detects the use of hidden proxies (used when customers are trying to hide their IP address for the purposes of fraud and other criminal activity).

Require a card security code upon credit card purchase

A card security code (CSC), also called a card verification value (CVV or CV2) or card verification code (CVC), is a code that the customer enters to authenticate and authorise the transaction. Requiring this as part of the checkout process could not only prevent fraud of various kinds, but also provide you with proof that the customer most probably willingly made the purchase.

Make returns and refunds easy

Not all friendly fraud is intentional. Some people are just not satisfied with the product. Some folks may have forgotten about the purchase. If you have a dispute resolution process in place, make sure it is efficient and timely so that the customer feels confident in your ability to resolve the situation.

Friendly fraud may exist, but it doesn’t have to be one of your problems. Taking the time to learn about it, how it can affect your business and how to prevent or manage it is a proactive solution that could save you a lot of headaches in the future. For more tips on securing your e-commerce business, subscribe to the DalPay Blog and follow us on Facebook and Twitter.