Consumers Losing Confidence in Online Security
By George Anderson
An increase in phishing attacks and breaches of security of online sites has made consumers increasingly wary about conducting personal business online.
According to the results of a survey of 5,000 adult users on the Internet conducted by Gartner, phishing email attacks were up 28 percent in the last year and most say the frequency
with which they receive these email scams has picked up of late.
According to the Gartner report, Increased Phishing and Online Attacks Cause Dip in Consumer Confidence, 2.4 million consumers lost money in phishing scams over the past
year.
Gartner analysts said concerns about becoming a victim of a phishing attack has meant that even legitimate email is not being read. Eighty-five percent of consumers delete email
they are suspicious of before reading it.
“This figure has serious implications for banks and other companies that want to use the e-mail channel to communicate more cost-effectively with their customer base,” said Avivah
Litan, vice president and research director at Gartner. “For example, a bill sent electronically costs about half of what a bill costs when sent through regular mail.”
According to Gartner, left unchecked, the erosion of consumer confidence in online security will inhibit e-commerce growth rates by one to three percent over the next three years.
“In general, consumers expect companies they do business with to provide secure online communications and to protect consumer data from thieves at no additional cost to consumers,”
Ms. Litan said. “They want guarantees – authentication – from merchants and other businesses that their Web sites are genuine. Consumers want this reaffirmed every time they go
online.”
Moderator’s Comment: Are phishing attacks and security breaches beginning to have a negative impact on e-commerce activity? How can legitimate merchants
fend off the crooks? –
George Anderson – Moderator
I agree with both Al and Gene, with one difference: increasingly, people shopping bricks and mortar have to be on the alert. With the increased use of camera phones and debit cards, people are having their card numbers and PINs stolen while shopping. (Scammers pretend to be on the phone and film customers entering their cards and PIN numbers.) This has happened to two people I know in the last month.
Robbers are clever. Customers need to be alert and aware of the ways in which their information can be stolen as we move further toward a cashless society.
As a very regular Internet user, I’m amazed at the increasing amount of spam, viruses, and phishing that makes its way to my inbox every day. Imagine if consumers shopping in brick and mortar stores or visiting their local bank branch had to constantly be on guard for someone out to steal their wallet or purse, or worse, while they were on the premises. That’s how the Internet appears to most people. While there are plenty of safeguards, you have to be fairly savvy to protect yourself. Consumers need to know that companies doing business with them on the Internet are being proactive in protecting their information.
Phishing continues because, as is attributed to Phineas Barnum, “There’s a sucker born every minute.” More probably, ol’ P.T. said, “The people like to be humbugged.”
And don’t they ever! With enough bait in the water, even the most amateurish phisherman hooks a sucker from time to time and, after all, bait’s cheap. Two days ago, I finally received my first Ugandan email asking me to pretend to be next of kin at a local funeral so that certain funds wouldn’t be “lost to the government.” Of course, a nice fee would be transferred to my bank account and some personal data was required. I was beginning to feel left out, having read many, many warnings of this type of scam but never being invited to the phishing party. Yet, with all those warnings out there, some will get hooked.
We’re not finding any adverse reactions to our e-commerce emails, but that time could come eventually. To make sure we’re not bugging any customers who’ve opted into our email program, we frequently ask for feedback and highlight an “unsubscribe” option in our correspondence. So far we’ve been lucky.
Al makes a valid point: what if people in brick and mortar stores had to constantly be on guard against people stealing their wallet or purse? How long would they endure such a shopping environment? Possibly, not very long. Merchants and other firms who use the Internet to conduct their business activities must devise ways to get in front of the increasing scams and chicanery now targeting consumers if they are to sustain consumer confidence and the commercial growth of Internet retailing.
Phishing is a huge problem, especially for internet-based companies that rely on email for their customer contact. In case you haven’t received phishing emails yourself, here’s a taste…something I got the other day under the guise of a PayPal security warning. Imagine the (legitimate) person at PayPal that now has to figure out how to word future email notices. They’re effectively shut down from using email to communicate with me now. Here’s the fake message. (At least I’m pretty sure it was fake):
“PayPal® is committed to maintaining a safe environment for its community of
“Recently, our Account Review Team identified some unusual activity in your
buyers and sellers. To protect the security of your account, PayPal employs
account. In accordance with PayPal’s User Agreement and to ensure that your
account has not been compromised, access to your account was limited. Your
account access will remain limited until this issue has been resolved. This
is a fraud prevention measure meant to ensure that your account is not
compromised.
“In order to secure your account and quickly restore full access, we may
require some specific information from you for the following reason:
“We would like to ensure that your account was not accessed by an
unauthorized third party. Because protecting the security of your account
is our primary concern, we have limited access to sensitive PayPal account
features. We understand that this may be an inconvenience but please
understand that this temporary limitation is for your protection.”
It goes on to provide an official looking “case ID number” and a link (with a PayPal.com address) to a web page where I am told, I must update my personal account information or risk losing my authorization to use PayPal. Scary stuff and (as in our other discussion today), an interesting exercise in perception vs. reality.
I got that PayPal one also and, like a rube, clicked on the link. I immediately recognized I had made a mistake, and closed the site rather than clicking on anything else. I notified PayPal, and then proceeded to change my passwords on every financial site I use (at least a half dozen). Everything seems to be fine – it’s like I knocked away the hand of the pick-pocket just in time.
I will say that some on-line retailers definitely should NOT be in this space. I won’t name the major national electronic chain that was spoofed on a phishing expedition with me. When I alerted the retailer about how their customers were being targeted with this scam, after a series of about a dozen emails, I gave up trying to reach anyone on the subject. I was stuck in an endless customer satisfaction loop.
I consider it the responsibility of the on-line merchants I deal with to actively seek out and stop the miscreants. If the merchant takes the attitude that it’s my responsibility to detect and not respond to a theft of the merchants identity (spoofing and phishing), then we consumers will take the attitude that it is the merchant’s responsibility to detect and not respond to a theft of our identities. Merchants may have more lobbying dollars, but we (the consumers) have more votes.
I’m pretty sure in a destructive competition of this nature that consumers will “win” in the long run. But the real winners will be the scam artists if consumers and merchants don’t ally against this, the real enemy. (BTW, life in prison would not be a bit too harsh for these scammers. Apart from habeas corpus, they are virtual kidnappers – taking people to places they do not want to go.)
There are countless scams and thieves outside the electronic environment as well. If you do business with a brand you don’t know or trust, you are suspect in both environments. The largest cases of lost and/or stolen data has been around hard copies being misplaced in transit. The professional thief is looking for mass quantities of data to conduct simultaneous transactions from a disposable location.
It seems to me people are just now waking up to identity theft. I know three people who have had fraudulent credit card activity and, in each case, it was from illegal activity outside the internet. When someone fraudulently uses a credit card online, they are generating an electronic trail so the casual thief will more than likely get caught (online). If you think about it, all credit card transactions are essentially conducted electronically. It is a matter of trusting who you give that information to in person, online or through the US mail.
Phishing and unsolicited emails are the electronic version of junk mail. Does anyone read and respond to every piece of junk mail they get from the USPS? There are probably more solicitations for information to conduct scams through the USPS than the internet. Customer databases are being shared for targeted marketing campaigns in both channels. Advertisers have to deal with the disinterested or overwhelmed consumer in both communication channels.
The internet will actually be a safer place to conduct business transactions once law enforcement (and IS security) is as “smart” as the criminal and both entities have made great gains in that respect over the last couple years.
Doing business using e-commerce is like going shopping in the French Quarter of New Orleans. About every 50 feet someone tries to “guess where you got your shoes,” panhandles a dollar, dances for you, or has a pretty women (who isn’t a woman) entice you to come inside their establishment. After a couple of days, you learn what is real and what isn’t. You learn why all homeless people there have a dog. The internet is the same thing. I know that I have not had a security breach on the bank account that does not exist anyway. I know that the rich government official in Uganda is not going to put millions of dollars in my bank account for helping him. I know that ebay and PayPal do not need my personal IDs sent to them, especially when they request it in broken English. Whether you are on Bourbon Street or E-Street, don’t talk to strangers. Does this affect e-commerce? I don’t think so. Just like Bourbon Street, the party still goes on.
Starting from the top, do neither Al or Gene believe that you have to protect your wallet in a bricks and mortar store? Sounds a bit naive to me or perhaps there are fewer pickpockets in the US of A than in Europe where there are frequently signs up warning shoppers (and tube passengers, tourists etc) that there are thieves about. Having seen Karen’s message further down, and read about people who simply look over others’ shoulders when they are keying in their PIN – which is done increasingly now with the intention of REDUCING theft – I don’t feel any more secure in the real world than in cyberspace. Not to even mention thieves who go through the garbage trying to find unshredded bills and statements to steal.
Next, Rick’s experience with Paypal. Paypal and its subsidiary eBay (which I have never used and who therefore cannot possibly have any information on me that needs to be updated) are virtually the only organisations from whom I have received phishing emails. I agree, they look legitimate and are scary and threatening. But I am cynical and would never reply to them. As this happens so frequently, Paypal has links for reporting suspicious emails which they then, allegedly, check so they can stop them. Every time this has happened to me, I’ve passed it to Paypal who send me an automated message confirming that it is fraudulent and claiming that they will investigate. It also gives details of who to contact if I have actually fallen for it and revealed confidential information. I have no idea whether they investigate or not as I continue (albeit rarely) to get similar fake messages.
What puzzles me about people losing money is why anyone ever reveals any of their details. There has been so much publicity about phishing that people confirming private information must be living with their heads in the sand. I even refused, the other day, to give my password to my telephone company when I called them – they should have asked for random letters, not the entire password. This particular brand of paranoia seems, to me, to be simple common sense and not the least bit excessive. If people use that common sense, there is no reason why online retailing should suffer (as indeed it isn’t according to the most recent information published by www.imrg.org).
The ubiquitous presence of the Internet has its advantages and disadvantages. While you have the flexibility to browse, compare and shop in the convenience of your home, you open yourself to scamsters at the same time. Credit card companies and merchants definitely need to be more responsible and accountable to credit card fraud and theft of card data. However, it is important that consumers come to the realization that it is incumbent upon them to ensure that their identity and payment information is secure. There is no simple answer to this problem. Even if legislation were to become more stringent, there will be new mechanisms of fraud that we will need to keep our eyes open to.