Black Friday and Cyber Monday have come and gone, and the holiday shopping season is now in full swing. Unfortunately, the seasonal increase in e-commerce brings an increase in online scams and cybercrime. The holiday season is one of the most lucrative times of the year for Internet scammers, due to the increased volume in transactions and shoppers eager to take advantage of sales. In the least damaging of these scams, online shoppers are diverted from a company’s website to that of a competitor. In too many cases, however, the fraud involved can seriously damage a company’s reputation and impose a financial loss on tricked consumers.
Online scams run the gamut from fraudulent “charities” and bogus shopping sites, to so-called “phishing” schemes. In phishing, the user is tricked into visiting a replica website under the control of a scammer and unwittingly entering sensitive private information.
One common phishing attack relies on “typosquatting,” where the scammer registers a website domain name very similar to that of a legitimate company, often differing only in a common misspelling or transposing of letters. When a user misspells the website name of the legitimate company, the user is directed to the scammer’s website, which is designed to mimic that of a real company. The user might then unwittingly provide to the fake site the user’s credit card information or login credentials for the real site, or actually use the fake site to ostensibly place orders and make payments.
Another form of phishing attack involves sending consumers emails that masquerade as solicitations from a legitimate company. These emails often contain links to fraudulent websites or might download “malware” to the user’s computer, which records keystrokes to learn information for identity theft or encrypts the user’s hard drive and decrypts it only after the user has paid a ransom. In other phishing scams, company employees are sent emails that masquerade as an accounting employee's request for a wire transfer. If employees are not alert to these requests, large sums of money can be lost in short order.
Legal tools exist to end these scams once they are detected. The Digital Millennium Copyright Act (DMCA) provides an expedited takedown procedure by which the illegitimate website's host or Internet service provider would be notified that the website is infringing upon the copyrights of the legitimate company. To avoid potential liability for copyright infringement, ISPs are required to remove the offending content promptly, but they may restore it if the alleged infringer disputes the takedown claim, with the issue ultimately decided in court.
For fraudulent domain name registrations, domain name registrars (the companies that reserve website names) are required to investigate reports of abusive use of a domain name and take appropriate action in response, which can include promptly disabling the domain name. Unfortunately, many registrars do not promptly respond to such requests, in which case the Uniform Domain Name Dispute Resolution Procedure (UDRP) may be used to acquire control over the domain name. The UDRP is a mandatory arbitration proceeding that all domain name owners must agree to when registering their domain names. However, the UDRP requires that the offending domain name infringe a trademark right, and the process takes several months to complete, by which time much damage may be done.
When you become aware of an Internet scam, you should notify the appropriate authorities. Although this does not necessarily ensure relief, the report could save others from a similar fate. The FBI maintains an Internet Crime Complaint Center (IC3), which accepts online Internet crime complaints from either actual victims or third parties. Also, the Federal Trade Commission maintains its Consumer Sentinel Network, which makes consumer complaints accessible to law enforcement.
These procedures are only partial solutions. Scammers can easily and inexpensively shift their operations to new hosts, new service providers, and new domain name registrars. Companies often find themselves playing an online game of “whack-a-mole” – just as one scam is shut down, two more pop up.
Prevention is the best medicine. Security experts encourage companies to develop internal policies to minimize the chance of fraud and to educate their employees and customers on how to spot phishing scams and other fraud. For example, many companies require two-factor authentication for transfers or payments above a certain threshold amount. In addition to education, there are proactive measures that can frustrate scammers. For example, companies may preemptively register domain names similar to their company name or trademarks, to prevent them from being used in fraud. Additionally, a number of companies offer trademark and domain name monitoring services, which scan the Internet for potentially fraudulent domain names or websites and assist in managing brands online.
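The domain monitoring described above can be illustrated with an added example (not part of the original article): a Python check that flags observed domain names whose label is within one misspelling or adjacent-letter transposition of a company's own domain, the typosquatting pattern described earlier, or that reuse the same label under another TLD. The brand, the observed list and all function names are constructed for illustration, and inputs are assumed to be plain `label.tld` names without subdomains.

```python
"""Flag observed domains that are near-misses of a brand's domain (defensive monitoring)."""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each counted as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("exmaple" for "example") costs one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def split_domain(name: str):
    """Split 'label.tld' into (label, tld). Assumption: no subdomain is present."""
    label, _, tld = name.strip().lower().rstrip(".").partition(".")
    return label, tld


def flag_lookalikes(brand: str, observed, max_dist: int = 1):
    """Return (domain, reason) for names that resemble `brand` but are not it."""
    b_label, b_tld = split_domain(brand)
    hits = []
    for name in observed:
        label, tld = split_domain(name)
        d = osa_distance(label, b_label)
        if d == 0 and tld != b_tld:
            hits.append((name, "same name, different TLD"))
        elif 0 < d <= max_dist:
            hits.append((name, f"label within {d} edit(s)"))
    return hits


# Constructed sample data: the brand and the observed registrations are made up.
BRAND = "examplestore.com"
OBSERVED = ["exmaplestore.com", "examplestor.com", "examplestore.net",
            "examplestore.com", "exampelstoer.com", "unrelated-shop.org"]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes(BRAND, OBSERVED):
        print(f"{domain}: {reason}")
```

Raising `max_dist` widens the net at the cost of more false positives, so flagged names are candidates for review or defensive registration rather than proof of fraud.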