On June 23, 2017, the Jewelers' Security Alliance issued a special alert outlining a widespread scam that has recently been targeting the jewelry industry. In the security alert, which you can read here, the JSA explains that scammers are profiling retailers and manufacturers in order to pull off the reported telephone scams.
According to the JSA, the telephone scam involves the criminal calling a supplier or a retailer and requesting the shipment of a high-value item. Sometimes that high-value item is then diverted in transit using the shipper's own address-change service: shippers like UPS and FedEx allow the delivery address of a package to be changed by anyone who has the tracking number.
This scam is made possible because the telephone scammer has a great deal of knowledge about the store they are impersonating that they've gathered through a process known as "social engineering."
What is social engineering?
After hearing the term "social engineering," a few jewelers asked me if they should delete their Facebook accounts, which is why I decided to write this post today. Although social engineering sounds like it has something to do with social networks, the actual definition refers to the "deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes."
You might already be familiar with the word "phishing," which is when you receive a fraudulent email message from a seemingly legitimate company. Those emails usually contain viruses or links to fake websites that closely mimic your bank's site or that of another service provider you use. Oftentimes these phishing sites ask you to update your payment information. Phishing is perhaps the most popular form of social engineering.
According to this FBI public service announcement, scammers are sometimes using phishing to gain access to your computer, email account, and financial information. That PSA explains that the FBI has been tracking such scams since at least 2013.
What the JSA describes in its alert doesn't seem to involve phishing. It involves other, simpler information-gathering techniques that fall into the realm of social engineering yet have nothing to do with social media, so don't delete your Facebook accounts before reading this.
The social engineering process
Once a scammer targets you, they will visit your store, call you multiple times on the telephone, and look up your information online. They gather small bits of information during each step until they are confident enough that they can impersonate you, or an employee, to pull off this scam.
It all starts with a Google search for your company name. Through a simple Google search, anyone can find a lot of publicly available information about your business, including:
- Corporate names and corporate entity type
- Trade names or doing-business-as names
- Company address
- Number of employees
- Estimated yearly sales volume
- Names of officers or corporate owners
- DUNS number
Once the scammer has the names of the owners, they can use Google to research each one of them as well. No matter how hard you try to hide your own personal information, there are several websites where anyone can purchase background checks on people. Additionally, many states make their traffic tickets and violations publicly available online. All of this information helps the scammer build a personal profile that is detailed enough to carry off the small talk you might have during a business call.
According to JSA, there are two popular versions of the scam. In Scenario No. 1 the scammer impersonates a retailer and calls a supplier, and Scenario No. 2 involves chain stores where the scammer calls one of the stores and claims to be an employee of another store.
In Scenario No. 1, the scammer would need to know which suppliers the store orders from. This is easy enough to figure out with a visit to the store in person or by looking at the retailer's website. This fraud has the potential to succeed if the retailer has some type of established payment terms with the supplier. The scammer could request a drop ship to a different address or ask for the order confirmation to be sent to a different email address from the one the supplier has on file.
In Scenario No. 2, the scammer would need to know the SKU for a high-value item that is in stock at a different store from the one they are impersonating. The scammer would then ask the other store to drop ship the item to a customer, or ask for the shipping confirmation to be sent to a different email address from the one that would normally be used.
Ways to protect yourself from scams
There's no way to prevent information from getting into the hands of the scammers because it's already out there. The only way to prevent the impersonation is to rely upon verified information that would never be public record. Here's a quick list I can think of:
1. Account numbers - Suppliers should require retailers to place orders using their account numbers and reject any attempted telephone order without one. Account numbers are usually never made public, and they should not be derived from a telephone number, address, corporate tax number, or the public DUNS number. Chain stores should validate who they are talking to and only allow inventory transfers between authorized employees.
2. Confirm previous order payment method - If account numbers are not an option, then suppliers could ask the retailer to provide the last four digits of the bank account or the credit card used to pay for the last order.
3. Only ship to billing address - Because suppliers and retailers are selling high-value items, they should only accept orders that are shipped to the billing address of the company or of the credit card. If an order seems suspicious, then the supplier should call the retailer back to confirm the order. Don't use the callback number provided during the order; instead, the supplier should use the callback number they have on file or the one found in Google Maps.
4. Send email confirmations to known email addresses - In this day and age, every supplier should be sending order confirmation emails to their retailers. Suppliers should not allow order confirmations with tracking numbers to be sent to any address other than the email already on file. Additionally, retailers should only use email addresses associated with their own domain name instead of free services like Gmail and Yahoo.
5. Continue with traditional verification methods - Credit card companies have always offered verification services. When taking a telephone order from a new customer who is paying by credit card, ask the customer to provide the customer service number shown on the back of the card. Scammers won't have this information and will likely hang up or give an excuse as to why they can't provide the number.
It seems like simple verification using account numbers is the easiest way to avoid the problem at hand.
An experienced salesperson or business owner should also trust their gut feeling when it comes to unusual telephone calls and orders that seem too good to be true.
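The checks in the list above are easy to express as a small order-screening routine, which is useful for an order desk that wants every telephone order held to the same standard. The following is an added illustration written for this post; it is not code from the JSA alert or from the original author. The retailer record, the two sample orders, the field names and the list of free mail domains are all constructed for the example. Each check reports a reason to hold the order, and the callback number always comes from the record on file, never from the caller.

```python
"""Screen a telephone order against what the supplier already has on file.

Added example, not part of the original post or the JSA alert. All records
below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional

# Free mail providers a retailer should not be using for order traffic
# (constructed list; extend it to match your own policy).
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


@dataclass
class RetailerAccount:
    """What the supplier holds on file for one retailer (constructed)."""
    account_number: str      # private, not derived from phone, address or DUNS
    billing_address: str     # the only address orders may ship to
    email_domain: str        # retailer's own domain for confirmations
    callback_phone: str      # number on file, used for call-back verification
    last_payment_last4: str  # last four digits of the card/bank used last time


@dataclass
class TelephoneOrder:
    """What the caller gives over the phone (constructed)."""
    caller_name: str
    account_number: Optional[str]
    ship_to_address: str
    confirmation_email: str
    callback_phone: str                      # whatever the caller says; ignored
    last_payment_last4: Optional[str] = None  # only asked if no account number


def normalise_address(addr: str) -> str:
    """Lower-case and strip punctuation so 'St.' and 'St,' compare equal."""
    cleaned = addr.lower().replace(",", " ").replace(".", " ")
    return " ".join(cleaned.split())


def verify_order(order: TelephoneOrder, account: RetailerAccount) -> List[str]:
    """Return the reasons this order must be held for call-back verification.

    An empty list means the order passed every check in the post's list.
    """
    problems = []

    # 1. Account number: required, and must match the file.
    if not order.account_number:
        problems.append("no account number given")
    elif order.account_number != account.account_number:
        problems.append("account number does not match file")

    # 2. Previous payment method, if the caller was asked for it.
    if (order.last_payment_last4 is not None
            and order.last_payment_last4 != account.last_payment_last4):
        problems.append("last four digits of previous payment do not match")

    # 3. Ship only to the billing address on file.
    if normalise_address(order.ship_to_address) != normalise_address(account.billing_address):
        problems.append("ship-to address differs from billing address on file")

    # 4. Confirmation email must be on the retailer's own domain.
    domain = order.confirmation_email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        problems.append("confirmation email uses a free mail service")
    elif domain != account.email_domain.lower():
        problems.append("confirmation email is not on the retailer's domain on file")

    return problems


def callback_number(order: TelephoneOrder, account: RetailerAccount) -> str:
    """Always call back on the number on file, never the one the caller gave."""
    return account.callback_phone


# Constructed sample data: one legitimate order, one matching the JSA scenario.
ACCOUNT_ON_FILE = RetailerAccount(
    account_number="ACCT-0042",
    billing_address="12 Main St, Springfield",
    email_domain="examplejewelers.example",
    callback_phone="+1-555-0100",
    last_payment_last4="4242",
)
GOOD_ORDER = TelephoneOrder(
    caller_name="Pat", account_number="ACCT-0042",
    ship_to_address="12 Main St., Springfield",
    confirmation_email="orders@ExampleJewelers.example",
    callback_phone="+1-555-0100",
)
SUSPECT_ORDER = TelephoneOrder(
    caller_name="Pat", account_number=None,
    ship_to_address="99 Other Ave, Elsewhere",          # drop ship elsewhere
    confirmation_email="patsjewelers@gmail.com",        # off-domain address
    callback_phone="+1-555-0199",                       # caller's own number
)

if __name__ == "__main__":
    for label, order in (("good", GOOD_ORDER), ("suspect", SUSPECT_ORDER)):
        reasons = verify_order(order, ACCOUNT_ON_FILE)
        print(label, "->", "SHIP" if not reasons else "HOLD: " + "; ".join(reasons))
        print("   call back on:", callback_number(order, ACCOUNT_ON_FILE))
```

Run as a script, the legitimate order ships and the suspect order is held with three reasons (no account number, ship-to differs from billing, free mail domain). The important design point is that the screening uses only fields the supplier already holds, which is exactly the "verified information that would never be public record" the post recommends; nothing the caller volunteers can satisfy a check by itself.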
Final thoughts regarding social media usage
These types of scams are well thought out and carried out by skilled con artists who can think on their feet and are good at convincing small talk. It's likely that they will use Facebook to obtain a little of their profiling information, but most of the information about you and your company is already online and out of your control.