Tools and tactics to help retailers avoid
getting hooked
From March 2008
By D. Gail Fleenor
We’ve all received e-mails purportedly from
our bank, credit card company or other
institution asking us to verify our financial
information. Although not as well publicized,
the practice of “phishing” is an all-too-real
threat in the retail world, as well.
The recent purchase of Albertsons made Supervalu
the third-largest supermarket chain in the
country. Headquartered in Eden Prairie, Minn.,
the chain deals with a multitude of suppliers on
a daily basis. Recently, Supervalu received two
e-mails — one purported to be from Frito-Lay,
the other from American Greetings. Both claimed
the companies wanted to have payments directed
to new bank accounts.
Supervalu sent more than $6.5 million to the
phony American Greetings account and nearly $3.6
million to the fictitious Frito-Lay account
before realizing the e-mails were a form of
phishing, according to Associated Press reports.
Fortunately, the FBI was able to capture the
money before the phishers could grab it.
“Due to our internal controls and processes, we
were able to quickly discover and report this to
the FBI,” Hayley Meyer, a spokeswoman for
Supervalu, said in a statement. “As a result of
the quick work of the Boise FBI office and the
U.S. Attorney, any funds lost are minimal.”
Frito-Lay confirmed it is helping with the
investigation; American Greetings declined all
comment for this article. Both companies, as
well as Supervalu, have laid claim to the wired
funds, resulting in litigation.

Where to get help
To help determine how other retailers can avoid
a similar incident, STORES consulted government
agencies charged with fighting cyber crime and
technology experts who develop protective
solutions to keep cyber thieves out.
The Internet Crime Complaint Center
(IC3), a partnership between the FBI and
the National White Collar Crime Center
(NW3C), was established to receive
Internet-related criminal complaints and
to research, develop and
refer these complaints to appropriate
branches of law enforcement for
investigation.
Retailers and consumers “should always report
questionable scams to their local, federal or
state authorities, as well as the IC3 at
www.IC3.gov,” says Donna Gregory, FBI
supervisory management program analyst of the
Internet Crime Complaint Center.
“If an e-mail is requesting financial
information or changes, a follow-up phone call
or e-mail to a known representative would be
suggested to validate the e-mail,” Gregory says.
Never open attachments or click on links from
someone you do not know; instead, type the
address directly into your browser. For more
tips, visit www.lookstoogoodtobetrue.com.
Agencies such as the Federal Trade Commission
have websites and tips for retailers.
“We encourage individuals and businesses to use
anti-virus and anti-spyware software,” says Sana
Chriss, spam coordinator for the FTC’s division
of marketing practices. The FTC encourages
businesses to make sure their computer systems
are secure as a whole and ensure that employees
verify senders of e-mail.
“In our view, companies should take measures to
authenticate their own e-mail,” Chriss says.
“For example, if a [representative] from Bank A
sends an e-mail and asks for your bank account
number, e-mail authentication should determine
whether the sender is who he purports to be.”
Chriss encourages individuals and businesses
that receive spam to forward it to spam@uce.gov
and file complaints at
www.ftc.gov/spam.
The FTC maintains another website,
www.onguardonline.gov, to help consumers and
businesses guard against Internet fraud.
Partners in the site include the U.S. Department
of Justice, Department of Homeland Security and
the Securities and Exchange Commission.
“What happened with Supervalu is a concern of
retailers and it affects society at large,” says
Vicente Silveira, senior manager for the
VeriSign Identity Protection (VIP) group. “New
technologies have developed so quickly over the
past 15 years that we’re still catching up [in
terms of] educating people in how to use the
technology and in understanding the
technologies’ benefits and limitations.”