At any point in time there are people who take advantage of others; however, during crisis situations where information evolves quickly, it is disseminated even more quickly through potentially untrustworthy sources; and it is all happening in an environment of elevated levels of fear; individuals and organizations may not take the necessary precautions to protect themselves from fraud, fake information and other forms of social engineering.
In light of this we recommend the following basic points as a reminder for individuals and organizations to protect themselves from those that would take advantage of this situation:
- Do not click on any links unless you can clearly see the source of the link (i.e. do not click on shortened URLs), you know the sender and you know they intended to send you the link. Twitter no longer counts URLs in the character length of tweets and the individual or organization who shared the link with you should be able to provide you with a full link in any case. The link may result in you downloading malware.
- Similar to the above, always be aware of links that look similar to real domain names, but are slight variations. It could be something like abc.com.co as opposed to abc.com. This is a clever form of social engineering and is easily missed.
- Do not enter your personal information into any site that you have not verified. For example, just because it looks like a government website, doesn’t mean that it is. This normally is an issue around tax refund-time, but we believe it will be worse when various governments around the world start distributing aid to affected citizens and businesses. It is not to say that governments won’t use their websites to collect information and coordinate payments, we simply suggest that individuals ensure that it is an actual government website and not one that just looks like a government website.
Watch for spelling errors, a lack of a call centre telephone number and overly optimistic promises of rapid payments which are meant to entice you to provide your personal information.
- In general always analyze the source of information you receive. If you don’t know the source of information, particularly if you received it via social media, be skeptical. Upon reflection this is obvious, but everyone from fraudsters who are trying to swindle people trying to buy protective equipment, to purveyors of fake news depend on people not paying attention. In this environment people may have a sense of urgency that they don’t normally have, which may mean they may not approach things with the same sense of skepticism they might normally use.
- Businesses should watch for card-not-present fraud. Many businesses, particularly small businesses, are going to extraordinary lengths to serve their customers. They offer to either deliver products to a person’s home or walk purchases out to an individual’s car in order to protect their customers and their staff. It is mandated in certain jurisdictions that restaurants can only serve takeout or delivery.
Where a business is processing credit card transactions over the phone (rather than through a secure online portal or with the cardholder present at the terminal) be aware of fraudsters using stolen credit card details. Consider asking the “customer” for additional details such as their phone number and address, and checking those against the customer profile your business already has. Watch for purchases that are irregular for that customer. Ensure the delivery address matches the address you have on file, and if it doesn’t ask about it. There may be a legitimate reason for any anomalies (these are strange times), but there is nothing wrong with a secondary inquiry.
If you are delivering the product to the person and they are a new customer, ask to see photo identification and the credit card used to do the purchase, and see if they match before handing over the purchase. You may also consider using mobile debit/credit card processing machines or apps that can be attached to the delivery person’s phone that can process the transaction rather than taking the credit card information over the telephone. There are many ways to still serve your customers during this challenging time, while ensuring that your small business is not a victim.
The majority of the stories that one reads online are of people helping each other and businesses going out of there way to ensure that their customers get the products they need. However, from experience we know that crisis situations can result in people and organizations not exercising the diligence that they might normally. Taking a pause, and considering these basic risk mitigation procedures can go a long way to ensuring that neither you nor your organization are a victim of fraud.