How businesses can protect their brands from online fraud

In the internet era, brands are often under attack by fraudsters, phishers and scammers, but businesses can protect themselves, says author David N Barnett.

In today’s digital world, the internet presents criminals with an unprecedented opportunity to commit untraceable fraud with a degree of ease that is not possible in the physical world. Recent research suggests that the UK loses almost £11 billion a year to cybercriminals, with a financial scam estimated to have been perpetrated every 15 seconds in the first half of 2016. Fraud can also be relevant to companies outside the financial services industry; for example, in November 2014 the travel reservation company Booking.com was forced to refund around 10,000 customers who had lost money in a targeted attack. These facts highlight the importance of brand owners carrying out pro-active programs of online brand protection, to monitor and protect themselves and their customers from online fraud.

Common online fraud attacks

One of the most common ways in which online fraud is carried out is via phishing, where a fraudster contacts a third party in an attempt to acquire confidential information. Nearly 450,000 distinct phishing attacks were identified in 2013, resulting in a total estimated financial loss of almost $6 billion. This type of scam is frequently carried out by copying the ‘look-and-feel’ of a legitimate website for the brand under attack and encouraging customers to log in, so the fraudster can collect the credentials entered. In many cases, customers are directed to these sites via embedded links in fraudulent emails. However, fraudsters have also been found to purchase sponsored-ad space from popular search engines, so advertisements for a fake site appears in response to customer searches for the brand. Some of the most convincing attacks occur when the fraudster registers a brand-specific domain name to construct the phishing site.

Figure 1: Example of a fraudulent banking website using a brand-specific domain name (hsbcprivatebank.org.uk)

There are a number of steps which can be taken by businesses to mediate the risks associated with phishing:

• Monitoring the registration of brand-specific domain names which may be used to host fraudulent sites
• Internet searching and crawling to identify suspicious sites
• Using ‘spam traps’ to monitor for the appearance of emails directing customers to phishing sites
• Deactivating phishing sites by sending notices to the domain registrars or hosting providers
• Educating customers on how to avoid scams (eg. checking the domain name used in links, looking for the presence of https URLs, and use of security software)

Another type of scam to be wary of is the advance-fee fraud, usually perpetrated via the use of an email promising a sum of money, prize, or employment. Following correspondence with the sender, the recipient is asked to send a ‘fee’, which is then retained by the fraudster. As with phishing scams, many of these make use of brand-specific domain names to create an associated fake site or a plausible email address.

Figure 2: Example of a scam email comprising an advance-fee (‘419’) fraud and making use of the email functionality of a non-legitimate, brand-specific domain name (cocacolagroup.co.uk)

In other cases, fraudsters may make use of malicious software (‘malware’), which can be spread to users’ computers by convincing them to open an infected attachment to an email, or by visiting an infected site (and usually clicking on a hyperlink). Two common types of malware which are relevant to the perpetration of online fraud include:

• Keyloggers, which record sequences of keypresses (such an entered passwords) on a user’s computer and transmit this information back to the fraudster
• DNS-poisoning malware, which affects the technical configuration of a user’s computer, causing the user to be directed to a fraudulent site – even if the correct (legitimate) domain name is entered into their browser

Protection against malware generally falls under the responsibility of individual internet users, through an Internet-security product. However, brand owners can also:

• Monitor for the online appearance of brand-specific material in conjunction with malicious content, and instruct the hosting providers of any such sites to deactivate them
• Educate their customers to avoid opening attachments in unsolicited emails or visiting unfamiliar websites
• Make use of additional technical ‘work-arounds’, such as the use of ‘virtual keyboards’ (on which text can be entered via a series of mouse clicks) on log-in pages, to circumvent keyloggers

Credentials or private information stolen by criminals is often then ‘traded’ online as a commodity. This frequently takes place in private forums (such as password-protected chat channels), but can also occur in other environments such as social media or dedicated websites. In many cases, it may not be possible to have these websites deactivated (for example, in cases where the sites are hosted in geographies where enforcement is difficult, or where the domain-name registrars or hosting providers are non-compliant to takedown requests). However, it is important to monitor these environments carefully so that compromised accounts can be identified and ‘locked’ as quickly as possible.

Figure 3: Example of a ‘carder’ website on the Dark Web

In addition to the monitoring and enforcement strategies described above, businesses must also employ other strategies (such as investment in digital security products and insurance) to protect themselves and their customers against the threats of fraudulent activity, brand damage and financial losses.

GMA readers can save 20% on ‘Brand Protection in the Online World’ with discount code PMK20 at: www.koganpage.com.