When Merchants Are Compromised: How Scammers Are Stealing Your Business’ Account Information

When Merchants Are Compromised: How Scammers Are Stealing Your Business’ Account Information
Topics Cash and Treasury Management

As businesses continue to shift to digital payment systems for in-store and online transactions, fraudsters and financial institutions (FIs) are caught in a game of cat and mouse.

While a layered or multi-step approach is always key to mitigating the risks of payment fraud, and as FIs innovate to protect their customers, so too do the fraudsters, finding new mouse holes to slip through in order to steal the account information of customers and businesses.

The pace of payment fraud protection has quickened in the current Covid-19 crisis but the race to stay ahead of scammers began long ago. Fraudsters have had a serious head-start because businesses generally do not know how to protect against a fraud scheme until it has already happened.

Now in a time when the economic impact of COVID-19 has every business owner keeping a close eye on their financial health, here are some of the most recent payment fraud scams that have hit businesses in our region:

Card Skimming

Card skimming scams are, unfortunately, quite common in the Greater Philadelphia Region, despite Pennsylvania’s ban in 2018 on all card skimming devices used to steal data from customers’ bank card chips and magnetic strips.

It’s not uncommon to see a store’s surveillance video on the evening news showing a suspect placing a skimming device over the top of a credit card reader at a grocery store, or over the top of an ATM card reader, stealing the PIN and account information of the shopper and, in some cases, even creating a fake payment card connected to the victim’s account.

According to Governor Tom Wolf’s Office, Pennsylvania State Police and local law enforcement partners work together on a regular basis to respond to instances of credit card skimming and related frauds. When information is gathered from one case, investigators will use the information gathered from individual cases to see if they “may reveal larger trends, which help law enforcement allocate resources to prevent these types of crimes as skimming devices become more sophisticated.”

Email, Text and Social Media Phishing

As Montgomery and other counties report, the region may have reached its peak in the coronavirus outbreak, customers are using email, text and social media direct messaging to do business now more than ever before. And that means our customers and businesses are at a higher risk for phishing scams.

According to Data Breach Digest, the companion to an annual report on data breaches by Verizon, 90 percent of data breaches are the result of a “phishing or social engineering component,” meaning email, text message and social media direct messaging. Apps like Facebook Messenger and WeChat are among the most highly targeted entry points to data for fraudsters.

Some scams are relatively easy to avoid but only due to the fact that employees and businesses have been educated about some email scams and can easily identify them.

Subject lines that read “Confidential Matter,” for example, or come from an address you do not recognize, are clear indicators of a phishing scam.

But while some phishing scams remain outdated and easy to spot, others have become far more difficult to detect.

In March, Pennsylvania’s Attorney General Josh Shapiro warned businesses and consumers to keep an eye out for coronavirus-related scams, including phishing emails from entities posing as the World Health Organization or The Centers for Disease Control and Prevention.

In addition, the AG warned of scams seeking donations fraudulently for illegitimate or non-existent charitable organizations.

Here are two more email scams your customers and employees will likely encounter this year:

Business Email Compromise – Your boss or colleague is in a meeting but has emailed you asking if you can “help with something, quickly.” The email address is not that of the person you believe is contacting you but that individual is, in fact, in a meeting. If you were to reply, the scammer will email again asking you to select a link or provide personal information. This scam can be unsettling because it means the scammer may have access to an employee’s calendar in order to know when they were in a meeting.

If you believe an employee has fallen victim to this scam, contact the IT department and ask them to make sure phishing filters are installed across the company’s network. Phishing filters can’t stop all scams but they will reduce the attempts.

We often hear from customers who have fallen victim to email frauds. Just recently, a customer I know well fell victim to an email fraud that prompted the CEO of a major company to wire funds. Thankfully, the bank noticed the CEO had sent funds to an account that was out of the country and the bank was able to recall the wire before it had completed.

The Direct Message Scam – This is a very common scam. As social networking has evolved, scammers have found a new ecosystem to exploit. Luckily, in most cases, Social Media scams can be easier to detect. If someone you don’t know sends you a direct message with a link, do not select that link. Just like email phishing, avoiding toxic links that could potentially reveal personal data, or allow the scammer to access data, is key to protecting your business.

Protecting Your Business

These are some of the more and less common online scams. But, in addition to spotting the scams, it is also important to know how best to protect against them.

First, check-in with your FI and ask for their recommendation on how to protect your accounts from payment fraud and scammers. Ask how they can provide a layered approach to mitigating the risk payment fraud and ask about Fraud Prevention Services like online authentication methods, out of band authentication and dual control. There is no one-size-fits-all solution so multiple protections are always the best course.

Before an emergency occurs, have an Incident Response Plan in place so that you know who to contact immediately, including IT, legal and finance.

Unfortunately, fraudsters rarely act just once so it is paramount to thoroughly report the fraud and work with investigators to gather as much evidence as possible.

Until the COVID-19 crisis winds down, stay safe and stay vigilant about your company’s finances. Be sure to check in with your banker too. They will be happy to hear from you.

WSFS Wordmark

Helping you boost your financial intelligence.

Read our financial resources from your friends at WSFS.