Holiday hackers

The holidays are a time for giving, among other pleasures. Sadly, however, they are also seen by fraudsters as a time for taking as much as they can get away with.

In March, retail giant Target Corp. agreed to a US$10-million settlement in the United States District Court in Minnesota that resulted from an online attack involving confidential customer data during the 2013 holiday season. Bloomberg Businessweek described it as the biggest retail hack in US history.

At the time its data was breached, “Target acknowledged that hackers had stolen credit and debit card information for 40 million of its customers,” The New York Times reported. “Early last year, the company revealed that additional personal information, like email and mailing addresses, had been stolen from 70 million to 110 million people and said there may have been overlap between those groups.”

The settlement provides affected customers with up to US$10,000 each in damages, and includes a form to complete, on a dedicated website, to prove their eligibility. Victims will have to demonstrate, among other criteria, that unauthorized charges were made to their credit cards. “They must also show,” the Times said, “that they invested time in addressing the fraudulent charges and incurred costs from correcting their credit report because of higher interest rates or fees, from replacing driver’s licenses or other forms of identification, or from hiring identity protection companies or lawyers.”

Target has said it is aware of only low levels of fraud linked to the breach. Litigation experts told the newspaper that customers would have a difficult time proving the requirements for a payment. “It’s difficult to figure out how your card was compromised and if it was directly tied to a particular data breach,” said Matthew Esworthy, a partner at Baltimore firm Shapiro Sher Guinot & Sandler. “People are buying more online and using their cards so frequently, making fraudulent charges so commonplace.”


No matter how many claims Target ends up paying, it has already suffered serious consequences: the extensive and embarrassing bad publicity; the immediate hit to its stock price (it dropped 1.7% the day after the news was made public); a drop in profit (according to Businessweek, its profit for the holiday shopping period fell 46% from the same quarter the year before and the number of transactions suffered the biggest decline since the retailer began reporting the statistic in 2008); the cost of investigating the attack (a reported US$61 million by February 2014); and the resources involved in reaching a settlement. This is a high price to pay for being hacked during what was the retailer’s busiest time of the year.

The timing of the hack was not arbitrary. The perpetrators, according to Businessweek, installed malware in Target’s security and payments system just prior to US Thanksgiving 2013. It was programmed to steal every credit card number used at the company’s 1,797 US stores. “At the critical moment — when the Christmas gifts had been scanned and bagged and the cashier asked for a swipe — the malware would step in, capture the shopper’s credit card number, and store it on a Target server commandeered by the hackers,” the magazine reported.


The holiday season has many traditions, and an increase in fraud, unfortunately, is one of the negative annual rites. The Association of Certified Fraud Examiners (ACFE), which bills itself as the world’s largest antifraud organization, released a study in 2012 that noted “fraud takes an estimated 20% uptick during the US holiday season.” It said its survey shed light on this previously under-studied and under-reported area of fraud.

Major hacking attacks, such as the one aimed at Target, are not the most common type of holiday fraud, by any means.

According to 56% of the ACFE members surveyed, “employee embezzlement is the type of fraud most likely to increase during this period.” Half also reported that fraud by unrelated third parties (identity theft, con schemes) would increase. Nearly a quarter (24%) said that frauds by vendors would increase, while bribery (11%) and financial statement fraud (9%) were also expected to increase. The ACFE noted that multiple answers were allowed for this survey question.


Interestingly, fewer than 7% of respondents said their organizations (or their clients’ organizations) increase their level of resources committed to fraud prevention or detection during the holidays. Most said that the level remains the same (56.7%), while more than 9% said that the level actually decreases.

Why the dramatic increase in fraud during the holiday season? “Increased financial pressure is the leading reason,” according to the survey.

Some companies, especially retailers, increase staff to meet the increased demands of the holidays. That’s understandable. What is perhaps less reasonable is that many employers, likely for financial and timing reasons, take on new hires without conducting sufficient due diligence of the kind normal hiring procedures involve.

At minimum, new employees should undergo reference and criminal checks and other employee-screening basics. At the same time, new employees should be given training in fraud detection and prevention, especially considering the increased number of customers who will likely frequent the stores. Equally important is to make all new hires aware of the company’s code of conduct and ethics policies, and its intention to prosecute anyone found guilty of breaking the law.

Eric Feldman, senior vice-president and managing director, corporate ethics and compliance programs for Affiliated Monitors Inc. of Boston, warns that the holiday season “is not the time to lighten up on internal controls.” Feldman, who spent 32 years with the Central Intelligence Agency in inspector general oversight and federal auditing, notes that even normally honest employees can be tempted to engage in unethical behaviour if they see greater opportunities to commit fraud.


But not all holiday season fraud is committed by new hires or existing employees. The Target attack, for example, is believed to have been the work of organized crime. Internet security expert Claudiu Popa, CEO of Informatica, the California software development company, told CBC TV’s The Lang & O’Leary Exchange that “the very scale of the scheme argues the cyber criminals are innovative, possibly organized crime and working on a global scale.”

Criminal groups (as well as individuals) are also heavily involved in one of the most costly scams experienced by retailers over the holiday season: return fraud, the process by which a stolen or otherwise unpaid-for item is returned for a cash or store credit refund. Some scammers deliberately damage an item so it can be returned as defective.

In 2014, the National Retail Federation (NRF), based in Washington, DC, published the findings of a survey on return fraud that estimated the retail industry would lose US$3.8 billion to the scheme during that year’s holiday season. In a January article, Canadian Security said that “organized criminal gangs in particular [were] seeking to pass themselves off as genuine returners to extract money from retailers.”  

The NRF concurs: “Many of these return fraud instances are a direct result of larger, more experienced crime rings that continue to pose serious threats to retailers’ operations and their bottom lines.”

There are numerous actions a retailer can take to reduce return fraud, Canadian Security says. They include the obvious: careful scrutiny of receipts, paying particular attention to whether the product code matches the receipt. The magazine also suggests applying “code-laced liquids to valuable products, which will only show up with ultraviolet light. This can verify the authenticity of a purchase and whether it was the same item purchased.”


Consumers, of course, are not immune from being defrauded. One common scam involves gift cards, which, in 2014, were “the most requested gift for the holiday season for the eighth consecutive year,” according to the NRF. It’s an industry that’s worth “hundreds of billions a year,” notes

The website tells the story of a Chicago man who purchased a US$500 airline gift card for his mother from a grocery store. At home he discovered the PIN area on the back of the card had been scratched off, a common tactic of fraudsters. Pete Kledaras, chief risk officer at CashStar, a gift card platform that works with major retail brands, explained to that thieves often steal the gift card number and PIN and leave the physical gift card. In this case, thieves will typically use the balance themselves. “Once cards are stolen, there are any number of ways that thieves can turn that into money for themselves,” Kledaras says. “They can resell them on the secondary market, or they can go into the store and purchase physical goods that they can sell.”

Gift card purchasers should check for signs of tampering. They should also consider dealing only with credible retailers, some of whom register the cards and protect the balance in case the card is ever lost or stolen, the website suggests.
