Phishing is the term given to a specific fraud, whereby a criminal, using social engineering and/or simply posing as somebody else (for example, an official from the victim’s bank), extracts sensitive data about the victim. The data can be anything from email account passwords to credit card details: anything that could enable the criminal to steal money from the victim or commit identity theft. Until the past few years, phishing attacks on merchants were rare. However, merchant phishing attacks are now on the rise; learn how to minimize them by adhering to a few security rules.
A merchant will, in most circumstances, have more money in their bank than an individual. More money for the merchant to lose means higher potential gains for the criminal, so merchants are increasingly being viewed as viable targets.
Phishing is most often carried out by email, over the internet. The most common “attack” is for the perpetrator to send an email in the guise of one from the victim’s bank, ISP or similar, advising that their security details have been compromised. It then encourages the intended victim to click on a link to go to the bank’s website and confirm some details to ensure they are adequately protected. However, on clicking the link, they are directed not to the official website of the bank but to a clone, which records all details that are entered (passwords etc.) and sends them to the criminal.
The most common attack when a merchant is involved is for an email to arrive advising that the merchant account has been compromised or frozen due to fraudulent activity; in the panic to resolve the situation, the merchant sometimes mistakenly discloses secure details.
Reducing the risk is really about taking simple, common-sense actions. When receiving an email of this nature, do not implicitly trust it, and certainly do not click on a link in it. Instead, go to the merchant provider’s site directly.
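As an added illustration, not part of the original article, of what “do not trust the link” means in practice, the following Python check is the kind a mail filter or helpdesk could run over a suspicious message: it extracts every link, compares the URL the reader sees with the real destination, checks that destination against the provider’s genuine host, and looks for the “compromised/frozen” wording described above. The provider host and the sample message are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions: your provider's real host (hypothetical here) and the urgency wording the page describes.
TRUSTED_PROVIDER_HOST = "merchantprovider.example"
URGENCY_PHRASES = ("compromised", "frozen", "suspended", "confirm your details")
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)

class _LinkCollector(HTMLParser):  # collects (href, visible text) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # lowercase host reduced to its last two labels (crude registrable-domain check)
    url = url if "://" in url else "https://" + url
    labels = (urlparse(url).hostname or "").lower().split(".")
    return ".".join(labels[-2:])

def analyse_email(body_html, subject=""):
    """Return the reasons a message looks like the merchant phishing the article describes."""
    findings = []
    text = (re.sub(r"<[^>]+>", " ", body_html) + " " + subject).lower()
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency wording: account compromised/frozen")
    parser = _LinkCollector()
    parser.feed(body_html)
    for href, visible in parser.links:
        target = host_of(href)
        shown = host_of(visible) if URL_LIKE.match(visible) else ""
        if shown and shown != target:  # visible URL differs from the real destination
            findings.append(f"link text shows {shown} but points to {target}")
        if target != TRUSTED_PROVIDER_HOST:  # the clone site the article warns about
            findings.append(f"link leads to untrusted host {target}")
    return findings

# Constructed sample (not from any real provider): lookalike host, visible text shows the real one.
SAMPLE_PHISH = ('<p>Your merchant account has been frozen due to fraudulent activity.</p>'
                '<p>Visit <a href="http://merchantprovider.example.account-verify.test/login">'
                'https://merchantprovider.example/login</a> to confirm your details.</p>')
```

Running `analyse_email(SAMPLE_PHISH)` reports all three warning signs; a genuine statement notice linking only to the trusted host returns an empty list.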
A less common, but still real, threat is phishing by phone. In exactly the same manner, somebody will call the merchant and advise that their account is suspected of fraudulent activity, but before continuing, the merchant is asked to confirm their password. Again, an easy way to avoid potential problems is to politely refuse, and advise that you will call the provider directly to ensure the call is genuine.
Of course, what may seem like common sense to you may not occur to a new or inexperienced member of staff. It is therefore important to consider which members of staff really need access to the merchant account, and to remove access from all but essential employees. Of the employees that do retain access, ensure they are thoroughly educated about the dangers of phishing attacks and are following the common-sense guidelines detailed above.
If you do discover that you are the victim of an attack, call your provider immediately and change all passwords. However, if you and your employees are vigilant, there should be no reason to fall into this trap.