When customers are attacked in your name

“How dare you take my money and not deliver my product?!” – a statement heard by companies all over the world, only to find that their customer placed an order on a fake website, paid a scammer a bunch of money, and never received the product they paid for.  They blame you for this, yet you had nothing to do it.

To understand the issue, we have to do a break down of the risk scenario.  At a high level, there may be nothing wrong on your network.  All your processes are working correctly, controls are operating, yet when the attacker is successful, it is your customer that is left out of pocket.

While the direct impact is on your customer, there is an indirect impact on your organization that needs to be recognised.  The first, is a loss of revenue.  It is highly unlikely that the customer (who just lost a sum of money on a fake website) would be spending more money on your site for the product he actually wanted in the first place.

The second, while not your fault, could related to reputational damage.  You could argue that it is not your site that was defaced, and while it is true, social media has a way of spreading misinformation like wildfire, and the damage caused by the mere rumour of misconduct on behalf of your organization could be catastrophic.  That being said – we cannot ignore this threat.

Consider the following risk scenarios.

  • A misspelled website, or a site that looks very similar to your own, pretends to sell your product, and accepts money from customers.  The site can also steal credentials.
  • Utilizing social engineering, a fake salesman can call unsuspecting victims, claiming to be from your company, only to have customers hand over logon credentials, or convince them to purchase a fake product.
  • A scammer may conduct email campaigns (spam or phishing attacks), claiming to be from your organization to spread malware, steal money, or credentials.

While there may be more risk scenarios, there is one thing all of them have in common – it is completely outside of your control.  None of the systems or data resides within your scope, you don’t have the access, you have nothing.  All you have, is the name of your organization being used for purposes it was never designed for.

Do you think this risk applies to your organization?  If not, then thanks for reading, but if you think that it does, let’s continue…

We need to consider a number of strategies for dealing with risks like these, and a number of suggested controls can be considered, and it is important for your organization to select the most appropriate control for the risk you’re trying to mitigate.

Register common misspellings of your organization name

Even when you visit gogle.com, you’ll get the search engine.  Registering the misspelled domain names is a good approach, however it is not very effective.  Chances are you will not be able to register every possible misspelling, not to mention the countless different TLD (top level domains) that exist on the internet.

Monitor your brand name

Utilize a social media monitoring service that would scan the internet for keywords that are relevant to your organization.  By engaging such a service, you’d be notified of any potential copyright (or trademark) breaches of your name on any unauthorised service.

Engage with your legal department

It is imperative that your legal department is prepared to deal with any type of fake website.  In the event that you are notified of a fake website, your legal department must be aware of the process to go through to for website takedown, and how to claim for a trademark infringement.

Better website design

Website backend systems get more complex as more functionality is added.  When the site is expanding, the user experience does not have to change.  Where possible, limit the number of URLs to only the single FQDN, like www.example.com.  With a load balancer on your data center, or an SSL Concentrator, there is no need to explicitly have different hosts on the internet.

Customer awareness

Through user campaigns, you can educate your users that they should only ever access your site on your specific URL, and that anything else should be considered suspicious.  Provided you’ve designed a single URL for the system, the customer awareness campaign should be easy to achieve.

Extended SSL Certificate

It is a bit more pricey, but having the green bar at the top of the browser does create an added sense of security.  For  a scammer to obtain the extended SSL certificate is in most cases too expensive, but would also be difficult to obtain, since they do not own your brand name, can would not be able to proof that they own your domain.

Improved end-to-end processes

Your business may decide that SMS or email is an appropriate way to communicate with customers, and while it may be true, scammers can also use those same tools.  I have seen some communications from my bank, where they regularly advise me that they will never ask for my password (as it should be).  It is communicated to me via email, via mail, even when I log onto my internet banking.  While this may link to customer awareness aspect, the key control is to ensure that your end-to-end process does not have any potential weakness that would allow a social engineering attack.

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *