These last few days of the Christmas season are deemed by many merchants as the most profitable online shopping days of the year.
Unfortunately, cyber criminals are also most active during this period, and the incidence of hacking, ID theft, and credit/debit card fraud is also unusually high.
The good news for online shoppers is that, should they become victims of cyber crooks, they generally aren’t deemed liable — the merchants are.
“Unless intent or complicity can be proven, consumers are not held liable for credit or debit card fraud,” said Jas Anand, Toronto-based product and risk strategy manager at Actimize Inc., a fraud and financial crime prevention services firm headquartered in New York.
Anand said online shoppers whose card information has been compromised and used for unauthorized purchases can still recoup the money (if they used a debit card) or have the illicit purchases reversed (if they used a credit card). “The onus is on the online merchant to prove they followed all the rules in carrying out the transaction.”
Dirty dozen
Despite the dangers of online shopping, buying items over the Internet is steadily growing.
Some 2.2 million Canadians placed about 13 million orders online in 2001, according to Statistics Canada. The number of orders shot up to 70 million by 2007 as some 8.4 million individuals logged on to make purchases. The total value of online orders for that year was estimated at $12.8 billion compared to $412 billion in total retail sales.
But these numbers are still way below those in the U.S., according to Mark Beazley, director of communication for the Retail Council of Canada. “Canadian online sales represent about two per cent of overall retail sales on an annual basis. That pales in comparison to the U.S., where it’s around six per cent.”
This does not, however, diminish Canadians’ value as fraud targets.
For example, the Canadian Anti-Fraud Centre, known as PhoneBusters, has recorded more than 200,000 complaints so far this year. Internet scams shot up from the fourth most complained about scam in 2007 to number one in 2008 and 2009, according to the Better Business Bureau.
Here are 12 of the more common online scams:
1. Credit and debit card data phishing: Fraudsters trick online shoppers into revealing personal and card information. Other criminals use card cloning devices.
2. Scam ticket Web sites: Scammers set up sites capitalizing on events such as music festivals and the theatre. After the consumer pays for the tickets, they are not delivered and any calls and e-mails go unanswered.
3. Health claim scams: Bogus “breakthrough” health claims on the Internet or promised cures. This was a hit during the swine flu crisis.
4. Not-so-free trials: Online ads invite consumers to try a new diet product or teeth whitener, but many Web sites don’t disclose the billing terms and conditions, or list them on another page, where consumers rarely look.
5. ID theft: Online scammers send e-mails that look legitimate, stating that your “account information needs to be updated.” Another tactic called “scareware” has a pop-up message showing that your computer is infected with a virus and you need to visit a Web site to purchase and download anti-virus software.
6. Small business loan and supply scams: Scammers pretend to offer small loans or pretend to be regular suppliers looking to confirm an address in a directory. Once bills arrive for overpriced supplies, aggressive “collection” agents call with threats of legal action.
7. Free government money schemes: Companies offer “free” advice on obtaining government grants. Often social networking sites and online ads will point to blogs that appear to be written by everyday people who are sharing the secret of how they received thousands of dollars in grants from the government to pay off their debts.
8. Business “opportunities”: An example is illegal pyramid schemes, where capital brought on by new investors keeps this imaginary investment afloat.
9. Cashback fraud: A buyer agrees to pay your asking price of something you’re selling online, but sends you a cheque or banker’s draft for a larger sum. You are asked to cash the cheque and send a money transfer for the difference. The cheque bounces a few days after your money transfer has left your account.
10. Hidden cell phone charges: People who sign up to play online games or take IQ tests find themselves also signed up for expensive premium text services for their cell phone through third-party companies.
11. Mystery jobs scams: Mystery shopper ads in newspapers or online are in most cases bogus services requiring you to pay money upfront.
12. Scam letters: You’ve won a million dollars or someone needs your help in transferring a ridiculously huge sum of money into your bank account. Don’t make the mistake of giving them your bank information.
What you can do as a consumer
There are a number of quick tricks that online shoppers can employ to reduce their chances of being victims of cyber fraudsters, according to Justin Folkerts, spokesperson for Fusepoint Managed Services Inc., a database security company with a head office in Vancouver and data centres across Canada.
“Anytime you have to provide your personal, financial or card information, you have to take special precautions,” said Folkerts.
Here’s a list of what consumers should do:
- Make sure the merchant site employs encryption such as secure socket layer (SSL). You can determine if the site has SSL by looking at the site’s URL: rather than a plain “HTTP”, it will be “HTTPS”. SSL-enabled sites will also have a little locked padlock icon on the bottom right hand corner.
- Make sure you are dealing with a PCI compliant merchant. The Payment Card Industry regulations were set up by credit card companies to help reduce fraud. Essentially the PCI is a set of rules and mechanisms to ensure that merchants encrypt their databases, back up their systems, and take steps to prevent ID theft.
- Use the actual Web site of the merchant — avoid connecting through links on e-mails.
- Check your debit and credit card statement regularly and frequently to detect any purchases not authorized by you. Checking the statements online is faster than waiting for one to two months for the paper statements to be mailed.
- If you suspect any unauthorized purchases, report this to your card-issuing bank. Your bank will dispute the purchase on your behalf. The amount will be credited back to your card and the credit card company will charge the sale to the merchant.
- Keep a record of transactions, either through e-mail confirmations or by writing down confirmation numbers provided by a merchant, and review monthly statements thoroughly.
- Check the site for the merchant’s delivery and return policies before making a purchase to ensure items can be returned if they are not in satisfactory condition.
- Never respond to an e-mail request for personal or account information, even if it appears to be from a trusted source.
- Never send payment information via e-mail since it isn’t secure and outside parties can often read information that travels via e-mail.
How merchants can protect their business
As every vendor on the face of the planet knows, this is the busiest shopping time of the year, says James Quin, senior analyst for Info-Tech Research Group in London, Ont.
“Just as bricks and mortar outlets need to be prepared for the rush with additional staff, online storefronts may need to be equipped for the increase in traffic.”
He noted that few merchants can guarantee 24/7 uptime all the time. “Still, to get close to that, vendors must invest heavily in redundancy of computer systems.”
Make sure your system can handle the anticipated spike in transactions. A powerful system isn’t something that can be installed overnight or implemented for only a short period and then turned off again, said Quin.
To ensure data protection, Folkerts of Fusepoint says many merchants can shop around for service providers that offer secure data centres and transaction handling.
Here are more tips for merchants:
- Ensure you are PCI compliant. This limits liability. If fraud should occur on your site and you are not PCI compliant, you could be held financially liable or even lose your credit card transaction license.
- Never store data that you should not be holding. Never store data longer than needed. Doing this will reduce your chances of being a data theft target.
- Make sure all your security and operations software is patched.
- Ensure that your security and administration settings are updated and properly set. Many systems that remain on default settings are more easily hacked into.
- Take advantage of security features and services offered by credit card companies such as account and address verification services and the so-called “three digit verification” checks. These provide an additional layer of security before transactions are approved.