Cyberfraud and the growing threat of organized retail crime

It’s not just individuals who are worried about phishing attacks and other forms of cyberfraud. Businesses are also increasingly worried and are looking for better ways of protecting themselves.

It wasn’t that long ago when the term “script kiddies” was coined to describe individuals who thought they were unskilled in computer programming, they could nevertheless utilize and modify scripts and programs developed by others to try and hack into computer and networks or deface websites. As an aside in case you’re interested, a good source of information concerning the origin of the term “script kiddie” is this YouTube video created by the site LiveOverflow which showcases free IT security videos developed by cybersecurity professionals.

Today, however, hacking has almost become its own industry, with players ranging from nation-state actors to gangs of organized criminals selectively targeting different parts of the retail sector. For example, a recently released research report from the global threat intelligence firm IntSights titled “Cyber(attack) Monday: Hackers Target the Retail Industry as E-Commerce Thrives” indicates that organized retail crime and cyberfraud (ORC) costs retailers approximately $30 billion each year. With ORC being one of the top challenges that retailers faced in 2019, the report also assesses what may be yet to come in 2020. You can download the report here.

Cyberfraud and organized retail crime may be the biggest challenge that doing commerce on the Internet faces yet. To try to get a handle on the nature of this problem and what businesses and law enforcement agencies are trying to do about it, I talked recently with Charity Wright, a former NSA agent and now a cyberthreat intelligence adviser for IntSights.

MITCH: When I think of ORCs, the first thing that comes to mind is Tolkein’s “Lord of the Rings.” But I guess ORC is something different when it comes to cybersecurity, right? Can you explain to us briefly what organized retail crime is all about when it comes to the realm of e-commerce?

CHARITY: Organized retail crime is the practice of professional retail theft, shoplifting, and fraud. It is organized crime in the retail environment. These days, most retailers offer their goods for purchase on the Internet, so naturally, criminals followed the money to the cyber environment. Oftentimes, the criminals steal from stores and then sell the products on the Dark Web.

MITCH: Who exactly are these criminals and what are they doing?

CHARITY: The criminals that conduct organized retail crime all have financial motivations. Otherwise, they have little in common. There are organized retail crime groups and members in every country where retail exists. The U.S. FBI has sophisticated operations to catch and investigate these cases, and some notable cases revealed groups that had stolen millions of dollars of goods. The most common products stolen include high-value merchandise that is easy to hide and shoplift. This includes cosmetics, baby formula, pharmaceuticals, razors, smoking cessation products, apparel, and more.

Another popular criminal activity in retail that contributes to this problem is “carding.” Carding is the use of stolen gift cards and credit cards to purchase merchandise in stores. The stolen goods can then be resold on underground markets. Carding makes theft difficult for retailers to catch because criminals can walk into a store or log on to an e-commerce site and purchase thousands of dollars’ worth of merchandise, pay for it with activated gift cards, and it looks like a legitimate purchase so it doesn’t set off loss prevention alerts.

The most common products stolen include high-value merchandise that is easy to hide and shoplift. This includes cosmetics, baby formula, pharmaceuticals, razors, smoking cessation products, apparel, and more.

MITCH: What are e-commerce companies doing to try and thwart the cyberfraud activities of these criminals?

CHARITY: Retailers are struggling to stop organized retail crime. Oftentimes, they know it’s happening and they can identify the threat actors in stores when they’re making large purchases, but if they are using a gift card or credit card that goes through, it appears that they are making legal purchases. In order to stop this, retailers are using cyberthreat intelligence to stop the theft and distribution of gift cards. By identifying this criminal behavior in the underground markets, they can narrow down who is conducting these fraud transactions, and in turn, enable law enforcement to catch them.

MITCH: What are government agencies doing to help defend our digital marketplace from these criminals?

CHARITY: Law enforcement has an important role in investigating large-scale organized retail crime. By reporting it, retailers enable law enforcement like police and federal agencies to track criminal activity and try to catch them in their tracks. This includes suspicious activity on e-commerce sites. Indicators of compromise (IOC) can help cyberthreat intelligence analysts and researchers track down where the crime originated and enable retailers to defend themselves against those outside threats.

MITCH: If I am considering launching a new e-commerce business, what should I do from the start to get ahead of the curve and protect my business from such criminal activities?

CHARITY: Launching a new e-commerce business is a big endeavor. Retailers need to be aware of the threat landscape and what they are up against. Staying compliant with PCI data standards, encrypting all web traffic to and from their websites, and hiring web application security specialists are great ways to build a solid foundation for security in your Internet business. Retailers should keep these security standards in mind when choosing who manages their websites and which credit card processors to use. Hire a cyberthreat intelligence company to help you stay aware of outside threats to your organization and your industry. They will enable you to set up proper cyber defenses to keep the hackers out of your network and hands off your product.