December 15, 2004 4:00 AM PST

Net stores get ready for Santa cons

A couple of days before Thanksgiving, mom-and-pop e-tailer Tina Koenig's phone kept ringing with calls from people verifying they'd won a laptop.

The only problem: Koenig had no idea what they were talking about.

Cybercriminals had used her online gift store in a "phishing" scam, which set up a fake version of the site to try to extract visitors' credit card information. An e-mail enticed victims to the fake site by telling them they had a prize. The lure was a free Hewlett-Packard laptop computer.

"We got at least 10 to 20 phone calls and e-mails from people wanting to confirm they'd won the computer. It was a situation that could have hurt our brand, reputation and sales, if we didn't return those calls and e-mails," said Koenig, founder of Cybercalifragilistic, a gift site for geeks that generates 80 percent of its annual revenue during the holiday season.

The holiday shopping season, with its boom in traffic and sales, casts a spotlight on concerns over the security of e-commerce. Online fraud is becoming more professional as organized crooks begin to flex their muscle in digital scams. But major retailers and services providers have become more savvy too, bolstering security all year round. That leaves midsized and small Web stores as possible prey of criminals.

Those small businesses have more to lose, in credibility and income, from attacks. "This is the kind of thing you don't want to happen any time of the year--especially (not) during the holidays, when it's the busiest time of the year," Koenig said.

Santa fraud
Online retailers are expected to generate about 30 percent of their overall revenue for 2004 in November and December, according to figures from research firm Jupitermedia. That adds up to about $20 billion in holiday sales.

Phishing lures
Check out this list of recent scams and tips on spotting bogus e-mails.
But the spike in holiday traffic brings a 20 percent rise in the number of attempted security breaches, estimates VeriSign, which provides authentication of Internet transactions.

"Fraud activity increases with the level of volume activity to the site," said Trevor Healy, VeriSign's vice president of payment services. "There's a belief in the fraud community that retailers may not be as vigilant during the holidays because they're busy filling orders and getting their holiday sales out."

That traffic plays a part in one fraud scheme, in which criminals use a large number of stolen credit card numbers to make purchases on one site, to make sure those numbers are valid. The fraudsters then use those cards to buy goods at another e-commerce business. Another credit card scam that is increasingly popular, Healy noted, has corrupt employees issue refunds on numbers that don't exist.

Credit card fraud, phishing and denial-of-service (DoS) attacks linked to extortion are the security threats that have online businesses most worried, security analysts agree.

But larger online stores tend to have more experience in handling fraud, so the increasingly professional fraudsters on the Internet have started to target smaller businesses, said Roy Banks, president of, an online credit-card processing company.

"If you are looking for opportunities to defraud a merchant, you are going to look downwards in order to find those that are susceptible to fraud," Banks said.

Koenig and her small online business are familiar with the dangers of DoS attacks. Back in 1996, Cybercalifragilistic suffered an outage for a couple of days during the holiday spending season after its Internet service provider, WebCom, was hit with a flood of data that swamped its servers.

"It cost our company 20 percent of our holiday sales," she recalled. "This happened during the pioneering days of the Internet, and the attack was to protest commerce on the Internet."

Carrie Johnson, an analyst with Forrester Research, noted that the retailers most likely to lose customers from a DoS attack are those

Page 1 | 2

1 comment

Join the conversation!
Add your comment
Small merchants suffer most---definitely
What really irks me though is that as far as I can tell, the credit card companies (Visa/Mastercard) MAKE money off of fraud. Here's why. Suppose your credit card number is stolen by a criminal. You aren't liable for a cent. The criminal uses your credit card number at 50 merchants. All 50 merchants will not only lose the value of the sale that (plus cost of goods) they sold to the criminal, but they are ALSO slapped with a "chargeback fee" of $25, courtesy of Visa or MasterCard (Amex and Discover don't do this). This happens to us all the time. This means then that if your Visa card was stolen and used at 50 merchants, Visa (or the issuing bank) stands to make a cool $1250 from chargeback fees.

As a small merchant, I am continually outraged that the Visa/MasterCard duopoly can get away with this...instead of actually taking steps to help merchants, who by far suffer the most. How can we expect Visa/MasterCard to attempt to reduce fraud when they plainly benefit at its expense? I'm not making this up---check with any merchant, they'll tell you about the fraud chargeback fees.
Posted by sfpdiaspora (5 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.