Loss Prevention

Getting a Line on Phishing

Tools and tactics to help retailers avoid getting hooked

We’ve all received e-mails purportedly from our bank, credit card company or other institution asking us to verify our financial information. Although not as well publicized, the practice of “phishing” is an all-too-real threat in the retail world, as well.

The recent purchase of Albertsons made Supervalu the third-largest supermarket chain in the country. Headquartered in Eden Prairie, Minn., the chain deals with a multitude of suppliers on a daily basis. Recently, Supervalu received two e-mails — one purported to be from Frito-Lay, the other from American Greetings. Both claimed the companies wanted to have payments directed to new bank accounts.

Supervalu sent more than $6.5 million to the phony American Greetings account and nearly $3.6 million to the fictitious Frito-Lay account before realizing the e-mails were a form of phishing, according to Associated Press reports. Fortunately, the FBI was able to capture the money before the phishers could grab it.

“Due to our internal controls and processes, we were able to quickly discover and report this to the FBI,” Hayley Meyer, a spokeswoman for Supervalu, said in a statement. “As a result of the quick work of the Boise FBI office and the U.S. Attorney, any funds lost are minimal.”

Frito-Lay confirmed it is helping with the investigation; American Greetings declined all comment for this article. Both companies, as well as Supervalu, have laid claim to the wired funds, resulting in litigation.

Where to get help
To help determine how other retailers can avoid a similar incident, STORES consulted government agencies charged with fighting cyber crime and technology experts who develop protective solutions to keep cyber thieves out.

The Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center (NW3C), was established to receive Internet-related criminal complaints and to research, develop and refer these complaints to appropriate branches of law enforcement for investigation.

Retailers and consumers “should always report questionable scams to their local, federal or state authorities, as well as the IC3 at www.IC3.gov,” says Donna Gregory, FBI supervisory management program analyst of the Internet Crime Complaint Center.

“If an e-mail is requesting financial information or changes, a follow-up phone call or e-mail to a known representative would be suggested to validate the e-mail,” Gregory says. Never open attachments or click on links from someone you do not know; instead, type the address into your browser yourself. For more tips, visit www.lookstoogoodtobetrue.com.

Agencies such as the Federal Trade Commission have websites and tips for retailers.

“We encourage individuals and businesses to use anti-virus and anti-spyware software,” says Sana Chriss, spam coordinator for the FTC’s division of marketing practices. The FTC encourages businesses to make sure their computer systems are secure as a whole and ensure that employees verify senders of e-mail.

“In our view, companies should take measures to authenticate their own e-mail,” Chriss says. “For example, if a [representative] from Bank A sends an e-mail and asks for your bank account number, e-mail authentication should determine whether the sender is who he purports to be.”

Chriss encourages individuals and businesses that receive spam to forward it to spam@uce.gov and file complaints at www.ftc.gov/spam.

The FTC maintains another website, www.onguardonline.gov, to help consumers and businesses guard against Internet fraud. Partners in the site include the U.S. Department of Justice, Department of Homeland Security and the Securities and Exchange Commission.

“What happened with Supervalu is a concern of retailers and it affects society at large,” says Vicente Silveira, senior manager for the VeriSign Identity Protection (VIP) group. “New technologies have developed so quickly over the past 15 years that we’re still catching up [in terms of] educating people in how to use the technology and in understanding the technologies’ benefits and limitations.”

The attack on Supervalu might have been prevented through the education of associates and technology to protect e-mail communications, he said. For example, if employees learn to verify the authenticity of sites by looking for visual cues — like “green” addresses in the browser bar — some scams can be avoided. More than 1,600 sites currently display this green bar. The green bar vouches only for the identity of the site being visited, however; a request like the one Supervalu received, which asks for a change to payment details without sending the reader anywhere, can only be caught by the out-of-band check Gregory describes: a call or message to a contact at the supplier that the company already knows.

Phishing is the most common way criminals gain access to company accounts, and ready-made toolkits let them replicate a company’s website, complete with logo and matching branded e-mail.

Extra layer of security
The basic technology behind e-mail was not designed for the things it is being used for today, Silveira says. To ensure that incoming e-mail is legitimate, retailers can add a layer of security such as a digital certificate or digital identification. “This allows you to exchange secure e-mail,” he says. “More and more businesses are using this type of technology because it is very easy to use and integrates easily with the standard tools we have, such as Microsoft Outlook.”

A signed message lets the recipient check two things: that it was signed by the holder of the private key bound to the sender’s certificate, and that it has not been altered since it was signed. A digital ID can also be used to encrypt the message so that “eavesdroppers” cannot read it in transit. What a signature cannot do is tell you whether the request inside is legitimate; it only tells you who signed it, so the certificate has to belong to a supplier contact the company already trusts, and a signed message from an unknown certificate deserves the same suspicion as an unsigned one. VIP also offers a service that monitors all commercial accounts for unusual activity.
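The two properties described above, origin and integrity, are easiest to see with a stripped-down signature check. The following Go program is an added example written for this page, not code from Supervalu, VeriSign or any product the article mentions. It uses a raw Ed25519 key pair in place of an X.509 certificate and S/MIME envelope (an assumption made to keep the example self-contained), and the e-mail text, supplier name and account numbers are constructed for illustration. It shows the three cases a recipient cares about: the genuine message verifies under the supplier's known public key, a message whose account number was edited after signing does not, and a message signed by an impostor with a key of their own does not either.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed sample message of the kind the article describes: a supplier
// asking for payments to be sent to a new account. Not a real message.
const original = "From: accounts@supplier.example\r\n" +
	"Subject: Updated remittance details\r\n\r\n" +
	"Please direct future payments to account 1234567890 at Example Bank.\r\n"

// signMessage produces a detached signature over the full message bytes
// with the sender's private key.
func signMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// verifyMessage checks the signature against the public key the recipient
// already trusts for that supplier. It returns false if the bytes were
// altered after signing or if a different private key produced the signature.
func verifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Outcome records the recipient's verdict for the three scenarios.
type Outcome struct {
	Genuine        bool // untouched message, supplier's own signature
	Tampered       bool // account number edited after signing
	ImpostorSigned bool // edited message signed by an attacker's own key
}

// Demo runs the three scenarios and returns what the recipient's verifier
// concluded for each. Keys are generated fresh on every run.
func Demo() (Outcome, error) {
	supplierPub, supplierPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// The impostor has a valid key pair too; what they lack is the
	// supplier's private key that matches the key the recipient trusts.
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	sig := signMessage(supplierPriv, []byte(original))

	// An attacker changes the destination account in transit.
	tampered := strings.Replace(original, "1234567890", "9999999999", 1)

	// Or the attacker signs their edited message with their own key.
	impostorSig := signMessage(impostorPriv, []byte(tampered))

	return Outcome{
		Genuine:        verifyMessage(supplierPub, []byte(original), sig),
		Tampered:       verifyMessage(supplierPub, []byte(tampered), sig),
		ImpostorSigned: verifyMessage(supplierPub, []byte(tampered), impostorSig),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine message verifies:        %v\n", out.Genuine)
	fmt.Printf("edited message verifies:         %v\n", out.Tampered)
	fmt.Printf("impostor-signed message verifies: %v\n", out.ImpostorSigned)
}
```

The check in verifyMessage is only as good as the way supplierPub was obtained. In an S/MIME deployment that is the job of the certificate chain and the trust store; in the example it is the recipient's prior knowledge of the supplier's key. A signature from any other key, however valid, is the impostor case.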

The latest offering from VIP is a device that generates a one-time six-digit code to upgrade authentication of account credentials from the now-antiquated user name and password. The codes are not random in the strict sense: each is derived from a secret shared between the device and the server, which is what lets the server check them. This new protection is available in card form, a keychain device and, soon, by mobile phone.
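The standard way such six-digit tokens work is the OATH HOTP algorithm of RFC 4226: an HMAC-SHA1 over an event counter, truncated to six decimal digits. The page does not say which algorithm the VIP device uses, so the following Go program is an added example of HOTP in general, not VeriSign's code, and it uses the test secret published in RFC 4226 so the values can be checked against the RFC. It also shows the server-side half that the article does not mention: because a user may press the button without logging in, the server searches a small look-ahead window of counters, and once a counter has been accepted it is never accepted again, which is what makes a captured code useless to a phisher.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to a 31-bit value, then reduction to `digits` decimals.
func HOTP(secret []byte, counter uint64, digits int) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)

	mac := hmac.New(sha1.New, secret)
	mac.Write(buf[:])
	sum := mac.Sum(nil)

	// Dynamic truncation: the low nibble of the last byte selects a 4-byte
	// window; the top bit of that window is masked off.
	offset := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])

	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// VerifyHOTP is the server side. serverCounter is the next counter value the
// server expects. Codes are accepted only for counters in
// [serverCounter, serverCounter+window]; on success the server moves past
// the accepted counter so the same code can never be replayed.
// Returns the new server counter and whether the code was accepted.
func VerifyHOTP(secret []byte, serverCounter uint64, code string, window uint64) (uint64, bool) {
	for i := uint64(0); i <= window; i++ {
		c := serverCounter + i
		// Constant-time comparison so the check does not leak matching digits.
		if hmac.Equal([]byte(HOTP(secret, c, 6)), []byte(code)) {
			return c + 1, true
		}
	}
	return serverCounter, false
}

func main() {
	// Shared secret from the RFC 4226 test vectors (Appendix D).
	secret := []byte("12345678901234567890")

	fmt.Println("token display for counters 0..3:")
	for c := uint64(0); c < 4; c++ {
		fmt.Printf("  counter %d -> %s\n", c, HOTP(secret, c, 6))
	}

	// The user pressed the button twice without logging in, then logs in
	// with the third code; the server's look-ahead window absorbs the gap.
	next, ok := VerifyHOTP(secret, 0, HOTP(secret, 2, 6), 3)
	fmt.Printf("code for counter 2 accepted with server at 0: %v, server now at %d\n", ok, next)

	// A phisher who captured the counter-0 code tries it afterwards.
	_, replay := VerifyHOTP(secret, next, HOTP(secret, 0, 6), 3)
	fmt.Printf("replay of counter-0 code accepted: %v\n", replay)
}
```

The look-ahead window is the trade-off to watch: a large window makes resynchronisation easy but widens the set of codes an attacker could guess, so production servers keep it small and add rate limiting.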
