Safe Online Shopping this Christmas
An Garda Síochána in association with the Banking & Payments Federation of Ireland and Retail Excellence are launching the S.O.S. (Safe Online Shopping) campaign. In advance of Cyber Monday, 27th November 2017, the public and retailers are reminded to shop and sell on line safely, making every effort to protect their financial and personal details.
Sergeant Kelvin Courtney of the Garda Crime Prevention National Centre of Excellence said "Cyber Monday and the run up to Christmas is a time when increased numbers of consumers go online to get the last minute deal. Shopping on line is safe so long as we use our Credit/Debit cards correctly. We are asking people to take greater precautions when shopping online then they would if purchasing in the shops.”
Advice for Online Consumers
Detective Superintendent Michael Gubbins, Garda National Cyber Crime Bureau, said "An Garda Síochána and its partners in Europol are actively targeting cybercrimes such as online fraud. The public need to be aware that the proceeds from these fraudulent activities go to fund organised criminal gangs.”
He advised online consumers to follow the 12 Golden Rules of Safe Online Shopping
- Only buy from trusted sources, shops or brands that you are familiar with
- Use credit cards when purchasing things online
- Make sure the data transfer is appropriately protected. Look for the padlock symbol Think twice before allowing e-merchant stores to store your payment details
- Be aware how to control the recurring charge if paying for a continuous service online
- Always save all documents related to your online purchases
• If you are not buying a specific product or service, don’t submit your card details
• Avoid doing your online shopping at sites that don’t use full authentication
• Never send your Card number, PIN or any other card information to anyone by email
• When purchasing something online from another person, do not send money up front
• Never send your card details in an unencrypted email
• Don’t send money to anyone you don’t know online
- Regularly check statements and transactions for any frauds or suspicious activity
- If you have a suspicion about an online transaction check your account online to ascertain if the payment was made to the genuine retailer.
- Report suspicious transactions to your local Garda station and to your bank or card processor.
Online Card Fraud
The Internet provides a safe and convenient forum for people to shop and communicate with friends and family. A recent CSO household survey found that 79% of people who made purchases on line did not experience any problems, while just 2% reported fraudulent activity.
Market research suggests that more and more people are conducting their shopping online with 30% of consumers expecting to use their mobile phone as their main shopping tool in the future. December 2016 saw an increase of 15.4% in online purchases with over 50% of Irish people shopping online, most of whom purchased or sold goods and services with no difficulty. However, in a small number of cases, difficulties do arise and fraud results in users losing money or having their credit/debit card details being compromised.
Overall fraud on card payments is relatively low, but of the fraud that occurs, since the introduction of Chip and PIN, card not present fraud has accounted for the bulk of card fraud. The most common methods for criminals to steal card data are by skimming, email (phishing) scams or phone (vishing or smishing) scams. (see notes below)
In 2016, €41 billion was spent on debit and credit cards issued in Ireland. €13.2 billion or 32% of this was spent online. There is a clear downward trend in card fraud, when the first six months of 2016 and 2017 are compared, with €20.8 million in card fraud in 2016 versus €16.6 million gross card fraud in 2017.
Detective Garda Jim O’Meara of the Garda National Economic Crime Bureau, said: "We had noticed a sharp rise in the level of Card Not Present fraud activity from 2015 to 2016, thankfully a downward trend in this type of fraud is noticeable for the first six months of this year. We would caution people to protect their personal and financial details online. If purchasing online only trust your own Wi-Fi networks as opposed to public Wi-Fi where you could be vulnerable to having your payment card details compromised and then sold on the dark web. Here, they can be accessed by criminals who go on to use the compromised payment card details either online, over the phone, or even through mail order transactions.”
Niamh Davenport, Fraud Awareness and Payments Manager, Banking & Payments Federation Ireland, advised consumers and businesses, "that it is often a simple or easy measure that people can take to protect against fraud and it is important that consumers know these to avoid being vulnerable to fraudsters. FraudSMART.ie top tips include - Never give your personal details or banking security details such as full banking password, codes /logon details, or PIN to anyone. - Be wary of unexpected emails, calls or texts. Always independently check the person is who they say they are before engaging with them and as always - If it looks too good to be true, it probably is.”
Advice for Online Retailers
Retailers can also be the target of online frauds when it comes to purchases of goods online. Compromised credit cards of requests to pay for goods and services using money transfer services can result in significant losses for online sellers. To avoid those losses, some basic steps should be kept in mind by online retailers and private sellers.
• Beware of any purchases of bulk items or large quantities of the items or random goods
• Check any purchases of high-value goods or goods that can easily be resold
• Be cautious with purchases using credit/debit cards issues overseas or in a different name than the purchaser
• Check that delivery and billing addresses are the same.
• Check addresses and usernames online using Google to see if any reports or complaints.
• Require postcodes with addresses. Use Google maps to make sure the address is correct
• Be cautious of bulk purchases of gift cards and guest logins rather than users creating accounts
• Small cost purchases followed by larger purchases by the same user could indicate someone testing a compromised card
• If you capture IP addresses check them online to see where they are registered. If the billing/delivery address is in a different country, this could indicate a problem
• Don’t hesitate to contact the customer by phone and ask them to confirm their payment details such as card number, bank name, card expiry date etc. Genuine customers will usually know these details immediately.
Retail Excellence spokesperson Lorraine Higgins said ‘Our retailers want to ensure consumers can shop online safe in the knowledge that their personal and financial details are safe, as Irelands largest retail representative body, we wholeheartedly support initiatives like this SOS campaign. We would advise retailers to be vigilant, particularly at this busy festive period and if you suspect something is not as it seems then do not hesitate to contact An Garda Síochána’.
The following are the most common by which criminals can obtain payment card details
Skimming usually occurs at ATM machines and happens when criminals place a device on or into the card slot of the ATM machine. This device has been made to read the details contained on the magnetic strip on the rear of the payment card. In addition to this a covert camera is concealed on the outside of the ATM and is positioned to record the ATM user inputting their PIN number on the PIN pad of the ATM. Although this is the most common method of skimming it should be noted that skimming can occur anywhere there is a device to read a payment card, i.e. ticket vending machines, and petrol pumps. In addition, payment cards can also be skimmed using small handheld card readers.
Phishing is where criminals send unsolicited emails to individuals which purport to have been sent from genuine businesses or individuals. The purpose of these emails is to induce the individuals to reveal personal information such as payment card details, bank account numbers and personal security data. Phishing emails usually appear to have been sent from financial institutions and instruct the recipient to follow a link to a fraudulent website which requests personal and financial information be inputted.
Vishing or Voice Phishing is the criminal practice of using social engineering techniques over the phone in order to obtain the personal, financial or security data from individuals. Social engineering can be described as human to human interaction which attempts to exploit vulnerabilities in human nature in an attempt to obtain personal information.
Smishing or SMS Phishing is a phishing attack whereby a mobile phone user receives an SMS (text) message which purports to have been sent from a genuine business or individual. This message attempts to induce the recipient to follow a link to a website which appears to be legitimate but in under the control of the criminal organisation. This website then requests personal and financial information to be inputted.